Well, I confirmed that lists.speakeasy.net (running Majordomo) would
indeed also echo the original message back with command
responses...and it does.
So I rang them up, hoping to convince them that my server was no more
vulnerable to this type of attack than their own is. The first guy I
spoke to apparently started to feel like this was going over his
head, so he passed me on to a techie type, and I went through it all
again. I was feeling relatively self-confident about it, but frankly,
after talking with him extensively, I'm not feeling so cocky anymore.
He was perfectly willing to acknowledge that even Majordomo will echo
the commands back -- and he understands perfectly the situation --
but his argument is that, given the state of SPAM and the internet in
2007, it's no longer sufficient to simply shrug and say that nothing
can be done about this.
It reminded me of EIMS, about a year ago, when dictionary attacks
started sprouting up. Logging into a POP3 server, of course, is a
perfectly legitimate operation, so it's not feasible to block that
ability. The only viable solution to that problem is some combination
of tracking SMTP connections and greylisting -- so that you can begin
to recognize PATTERNS of behavior that are unacceptable, rather than
individual actions.
And he's right. And Glenn Anderson recognized that, and implemented a
wonderful series of modifications to EIMS that has already helped to
block 100,000 bogus messages to my mail server.
LetterRip, unfortunately, has no such capabilities, and I'm not sure
there's any good way to handle this situation without them. As far as
I can tell from the LR server logs, the attacks are coming from a
botnet...TONS of different IPs, and virtually no pattern.
My question, then, is this:
1) I'm running EIMS on a machine on the same local network as LR. Is
there an efficient way to leverage EIMS' greylisting/filters to help
remedy the situation?
or
2) Is there a clever way to use OS X's ipfw and some other arcane
*nixy tool to implement some sort of greylisting/pattern watching on
port 25 of that machine?
spud.
On May 7, 2007, at 2:39 PM, John May wrote:
Yes, SMTP errors would be ideal instead of bounce messages.
- John
A couple of things:
1) Again, is Speakeasy talking to you about the content of the
messages in their spam trap, or is it just the fact that messages end
up in there? If it is the latter, this change won't help you.
Subscribe requests will result in replies that end up in the same spot.
2) RE: Spam engine. All of those messages will end up in a reply to
the person that sent the mail (or that Letterrip thinks sent the
mail). You are not redistributing SPAM. Letterrip is rejecting it.
This is exactly the same behavior that any other mail server would do.
The one idea that came out of this would be to handle failures with
SMTP errors rather than sending replies.
a.h.s. boy (lists) said:
OK, I just got my second notice from Speakeasy, since the same
problem happened again. I doubt they will continue to be as forgiving.
Any chance of getting a build that can somehow prevent this? QUICKLY?
Ideally, it would be nice to have the option to 1) simply not
respond to messages from non-subscribers (except for "subscribe" and
"subscribe digest") AND 2) not echo the incoming message. But #2
alone would help a bit.
Judging by the LetterRip log files, my LR machine is now just being
used as a huge SPAM engine:
None of the following users are subscribed to my lists...I suspect
it's ALL spam...and at the rate of 4-6 messages per SECOND, it's a
bad bad situation to be in.
05/07 12:18:01 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:01 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:01 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:01 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:02 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:02 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:02 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:02 [124] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:02 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:02 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:02 [114] - smtp send: sending to: [EMAIL PROTECTED]
05/07 12:18:02 [114] - smtp send: sending to: [EMAIL PROTECTED]
Cheers,
spud, now desperate.
On May 3, 2007, at 4:43 PM, a.h.s. boy (lists) wrote:
I just got off the phone with my ISP (Speakeasy), who were about
ready to cut off my service...here's why:
1) Spammer sends an unsubscribe request to [EMAIL PROTECTED],
spoofing the From: header to be "[EMAIL PROTECTED]".
2) Spammer also includes spammy nonsense in the body of the message.
3) LetterRip receives the message, and responds to
[EMAIL PROTECTED] with "You are not subscribed to this list"
_AND_ all the spammy crap that was posted with the unsub request.
4) Speakeasy calls me, and threatens to shut me off because my
mailing list software is being hijacked to send spam.
Is there some way I can modify LetterRip to NOT echo the original
message back with the response? Otherwise, I'm going to have to
abandon LetterRip altogether, since LR has _already_ sent mail to a
spamtrap address...
spud.
--
-------------------------------------------------------------------
John May : President <http://www.pointinspace.com/>
Point In Space Internet Solutions [EMAIL PROTECTED]
Professional FileMaker Pro, MySQL, Lasso & PHP Hosting
--
This message is from the Letterrip-Talk Mailing list.
To unsubscribe, send mail to: [EMAIL PROTECTED]
Archive: http://www.mail-archive.com/letterrip-talk%40lists.letterrip.com/
-------------------------------------------------------------------
a.h.s. boy
spud(at)nothingness.org "as yes is to if,love is to yes"
http://www.nothingness.org/
-------------------------------------------------------------------
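
The two fixes asked for in this thread (refuse non-subscriber commands with an SMTP error instead of a reply, and never echo the incoming message), sketched next to the echoing behaviour described in the 3 May message. This is an added example, not LetterRip code; the function names, addresses, status texts and reply wording are all hypothetical.

```python
# Added illustration of the fixes proposed in the thread; not LetterRip code.
# Every name, address and reply text below is hypothetical/constructed.
OPEN_COMMANDS = {"subscribe", "subscribe digest"}   # allowed from anyone
KNOWN_COMMANDS = OPEN_COMMANDS | {"unsubscribe"}


def echoing_reply(sender, command, body, subscribers):
    """Behaviour described in the thread: always reply and quote the request."""
    if command == "unsubscribe" and sender not in subscribers:
        quoted = "".join("> " + line + "\n" for line in body.splitlines())
        text = "You are not subscribed to this list.\n\n" + quoted
        return {"to": sender, "body": text}
    return {"to": sender, "body": "Request processed.\n"}


def handle_command(sender, command, body, subscribers):
    """Hardened policy: return (smtp_code, smtp_text, reply_or_None).

    The From address is unauthenticated, so `body` is never copied into mail
    we originate, and unknown senders are refused inside the SMTP session.
    """
    sender = sender.strip().lower()
    command = " ".join(command.lower().split())
    if command not in KNOWN_COMMANDS:
        return 550, "5.5.1 unrecognized list command", None
    if sender not in subscribers:
        if command not in OPEN_COMMANDS:
            # No message is generated, so nothing reaches a forged address.
            return 550, "5.7.1 commands accepted from subscribers only", None
        # Still mails an unverified address, but with fixed text only.
        reply = {"to": sender, "body": "Reply to confirm your subscription.\n"}
        return 250, "2.0.0 queued", reply
    reply = {"to": sender, "body": "Your %s request was processed.\n" % command}
    return 250, "2.0.0 queued", reply


if __name__ == "__main__":
    subscribers = {"member@example.org"}
    spam = "Cheap pills at http://spam.example/"       # constructed sample
    print(echoing_reply("trap@example.net", "unsubscribe", spam, subscribers))
    print(handle_command("trap@example.net", "unsubscribe", spam, subscribers))
    print(handle_command("trap@example.net", "subscribe", spam, subscribers))
```

As the quoted reply of 7 May points out, the subscribe path still sends a message to an unverified address; the policy only guarantees that the message carries none of the sender's text.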