On Wed, Dec 14, 2022 at 08:09:59PM -0600, Jarland Donnell via mailop wrote:
> Thanks for sharing this. I'm asking publicly as I'm curious if this message
> spawns any conversation, but have you seen or heard a lot of intentional
> abuse around using bsdly.net email addresses specifically to attack website
> owners? I find that emails to these bsdly.net addresses seem to trigger
> immediate blacklistings at sorbs, which is still relatively highly utilized.
> Effectively, this means that if I sign up for a blog or mailing list, even
> if those websites do everything correctly, and fill out an @bsdly.net
> address as if it were mine, the confirmation email will cause IP
> blacklisting. A noteworthy blacklisting at that, not just some insignificant
> RBL.
It is possible that I will write something longer when or if I get around to analyzing logs properly, but yes, it is conceivable that somebody would use one or more of the fake addresses in the manner you describe in order to hurt a third party's mail deliverability.

> I, of course, mitigate against this now. The moment anyone on my platform
> tries to email @bsdly.net, they're halted and flagged for human review. But
> I don't consider that the most favorable position to take because spam traps
> become useless concerning emails they don't receive. I wouldn't mind the
> occasional blacklisting when it's deserved, even though I catch them before
> anyone can even parse their logs, if the data proved helpful at a larger
> scale. When a spammer breaks through, consequences are inevitable after all.

One of the big reasons the spamtraps list remains useful is that all of the domains there are valid domains, but each one has a small enough number of actually used addresses that it is feasible for a single person to determine whether any given address that turns up is valid or not. Blanket reject of anything claiming to be from @bsdly.net, nxdomain.no, lfja.org or a few others would be likely to hurt the occasional valid delivery too.

The most common scenario for how a new entry turns up is that somebody sends mail using a freshly made up address in one of our domains, that message for some reason is undeliverable, and the receiving mail server generates a bounce message that reaches my box but unfortunately turns out to be undeliverable but does generate an entry in the greylist, and when I get around to studying the dumps the fresh fake address is then made into one of the ever-growing set of imaginary friends.
Ignoring for now the entries that originate from traffic via SSH or other protocols, the history of the most recent addition "[email protected]" is

  Dec 12 07:27:33 skapet spamd[10844]: (GREY) 51.79.181.121: <[email protected]> -> <[email protected]>
  Dec 12 07:27:33 skapet spamd[16006]: new entry 51.79.181.121 from <[email protected]> to <[email protected]>, helo payoh.site
  Dec 12 15:28:33 skapet spamd[38486]: queueing deletion of 51.79.181.121 payoh.site <[email protected]> <[email protected]>

to wit, a single attempt at delivery, never retried. This may or may not have been a bounce from a valid mail server, but the lack of retries has me strongly suspecting that what we see is a variant of SMTP callbacks (which I ranted about at length a while back, https://bsdly.blogspot.com/2017/08/twenty-plus-years-on-smtp-callbacks-are.html if you're interested), which again was almost certainly triggered by activity that did not originate here but arrived at 51.79.181.121 claiming to be sent by some likely fake from address in the bsdly.net domain.

> So I suppose my question is, do you notice any significant amount of
> behavior that could match my description? I would assume almost every
> confirmation email you receive at those addresses (double opt-in to a
> mailing list or website registration) would represent a case where someone
> didn't purchase or scrape lousy mailing lists but instead was targeted by a
> third party who wanted to cause them harm. Automated social engineering at
> its finest.

I would need to spend some hours at least poring over logs to check whether that behaviour is in fact common enough to be recognizable. But it is possible that somebody would use the list of known bad addresses in the way you describe in an effort to hurt somebody's ability to deliver mail. The list is long enough that even one fake signup with a fresh address from there per day would be enough to last a very long time.
But the more common case is spammers auto-LARTing, such as whoever pwned 15.235.150.92 and had been hawking spamming tools to our imaginary friends from October 4th until they finally stopped yesterday, for whatever reason (the whole thing recorded in https://nxdomain.no/~peter/the_fall_2022_adventures_of_15.235.150.92.txt for those interested in the gory details).

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
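The triage Peter describes above (a greylist tuple seen once, a new entry, then deletion with no retry, and a fresh recipient in a trap domain that has to be checked against the short list of valid addresses) as a small spamd log script. This is an added example, not code from the mail or from spamd itself; the sample lines are constructed to match the quoted log format, and the IPs, host names and addresses in them are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the spamd lines quoted in the mail above.
# Addresses, IPs and host names are placeholders, not values from the real logs.
SAMPLE_LOG = """\
Dec 12 07:27:33 skapet spamd[10844]: (GREY) 192.0.2.10: <noreply@example.org> -> <fresh-fake@bsdly.net>
Dec 12 07:27:33 skapet spamd[16006]: new entry 192.0.2.10 from <noreply@example.org> to <fresh-fake@bsdly.net>, helo mx.example.org
Dec 12 15:28:33 skapet spamd[38486]: queueing deletion of 192.0.2.10 mx.example.org <noreply@example.org> <fresh-fake@bsdly.net>
Dec 12 08:00:01 skapet spamd[10844]: (GREY) 198.51.100.7: <list@example.com> -> <real-user@bsdly.net>
Dec 12 08:00:01 skapet spamd[16006]: new entry 198.51.100.7 from <list@example.com> to <real-user@bsdly.net>, helo lists.example.com
Dec 12 08:31:10 skapet spamd[10844]: (GREY) 198.51.100.7: <list@example.com> -> <real-user@bsdly.net>
"""

GREY = re.compile(r"spamd\[\d+\]: \(GREY\) (\S+): <([^>]*)> -> <([^>]*)>")
NEW = re.compile(r"spamd\[\d+\]: new entry (\S+) from <([^>]*)> to <([^>]*)>, helo (\S+)")
DELETE = re.compile(r"spamd\[\d+\]: queueing deletion of (\S+) (\S+) <([^>]*)> <([^>]*)>")

def summarize(log_text):
    """Group greylist events per (ip, from, to) tuple: attempt count, HELO name, expiry."""
    entries = defaultdict(lambda: {"attempts": 0, "helo": None, "deleted": False})
    for line in log_text.splitlines():
        if m := GREY.search(line):
            entries[(m[1], m[2], m[3])]["attempts"] += 1
        elif m := NEW.search(line):
            entries[(m[1], m[2], m[3])]["helo"] = m[4]
        elif m := DELETE.search(line):
            entries[(m[1], m[3], m[4])]["deleted"] = True
    return dict(entries)

def single_shot(entries):
    """Tuples tried exactly once and then expired: the never-retried pattern from the mail."""
    return sorted(k for k, v in entries.items() if v["attempts"] == 1 and v["deleted"])

def new_trap_candidates(entries, trap_domains, known_valid):
    """Recipients in the trap domains that are not on the (short) list of valid addresses."""
    seen = {to for (_, _, to) in entries}
    return sorted(a for a in seen if a.rsplit("@", 1)[-1] in trap_domains and a not in known_valid)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key in single_shot(summary):
        print("single attempt, never retried:", key, "helo", summary[key]["helo"])
    print("review before adding:", new_trap_candidates(summary, {"bsdly.net"}, {"real-user@bsdly.net"}))
```

Candidates still need the manual check Peter describes before they become "imaginary friends"; the script only narrows the dump to the tuples worth looking at.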
