[unisog] cornell.edu blog being used for spam - and now virginia.edu as well

Frank Bulk frnkblk at iname.com
Thu Nov 29 15:15:31 GMT 2007


Abuse and security e-mail should not be whitelisted, though providing an
exception for IP-based/SMTP session stuff is not really possible, because
the "To" line hasn't even been sent (one of the ideas thrown out on the
NANOG listserv is to have a separate MX record just for these abuse
addresses, but MTAs look up MX records based on the domain name, not the
whole e-mail address).  That said, if someone has server issues or mail
overloads that cause delivery delays, that's a larger issue the institution
needs to deal with.

To deal with the backscatter issue, auto-replies from the abuse account
could sit in a separate outbound queue with a much lower message expiry
time.  Another option is to have a human examine each e-mail and mark it as
spam or not.  But that would require greater abuse desk support ($$$).

Frank

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of rackow at anl.gov
Sent: Wednesday, November 28, 2007 10:29 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] cornell.edu blog being used for spam - and now
virginia.edu as well

Russell Fulton made the following keystrokes:
 >rackow at mcs.anl.gov wrote:
 >> Depending on what is going on... 12 hours is almost no time at all.
 >> Put yourself into the situation.
 >
 >Frank's initial post was about 12 hours *without response*.  Not that it
 >may take more than 12 hours to fix something -- in this business
 >everyone knows that even simple things sometimes take time.

While getting back to people is important, in many cases, esp. a spam
related issue, that tends to drop on the priority stack.  In some cases the
team dealing with this has many other things going on, so a response back
is not at the top of their stack.  I'm not making excuses
for the site.  I do think 12 hours is too short a time.  If the
person making the report expects a reply in 12 hours, they should
also expect to make a few phone calls to indicate this really is
that important of an issue.

With email, are you even sure it's been delivered to the site, or is
the alert sitting in queue someplace (greylist, server retry, mail
overload, etc.)?  It may not have been in the abuse@ mailbox for very long.
Priorities on mail to abuse and security may also have different
priorities on daytime vs night shifts.

I also don't know what was in the original message sent to the site.
As I indicated, many messages to abuse about spam are of an FYI nature.
They don't indicate a response is expected.  At least that is what I have
seen on messages to the sites I've been affiliated with.
The wording is not clear that the person reporting the event expects
a reply.  This isn't a reason to not send a "thank you" in reply, but
if it really seems like it's an FYI, do you need to reply?  I do try
to respond to reasonable reports in a timely manner.

For spam related issues, I know that I do not expect a response from the
sites.  In many cases I expect the machine to be a bot-infested visitor
machine, and that by the time I send the report to the site the spewfest
from the bot is over and the real user of the machine has closed their
laptop and gone home unaware they caused problems.  Yes, I want it fixed,
but it's a much lower priority issue than finding/fixing the machine
causing an identity theft issue.

 >I have a question for Frank (and the rest of you too ;)  Would having
 >abuse|security mail directed to a procmail script which gives an
 >automated response as well as stuffing the messages into the appropriate
 >mail boxes be of use?  This is something that I know some groups do and
 >something that has been on my to-do list for some time.  Ideally the
 >message should establish what can be expected:

I tried this at one point, but moved away from it.  Over 95% of the mail
to abuse, security and other required addresses is spam as well. The
spammers know these addresses as a place to deliver mail.  It may not
really be in their best interest, but it happens.  The problem is bigger in
this as well since to do this right, you may want to reduce the amount
of anti-spam tools you want to run on your abuse@ address.  If you don't
reduce it, how can someone report that your site is sending spam like ....

So, doing an autoresponse on mail to those addresses just adds to
the backscatter problem.  A good number of the messages to abuse
are also forged from bad addresses, which just results in more
bounce mail for you to process.  It's a hard thing to balance.

--Gene
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
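An added example, not code from either message in this thread: a Python gate in front of the abuse@ acknowledgement Russell asked about, which refuses to answer null-return-path bounces, other automatic replies, list traffic and filter-flagged mail, so the forged senders Gene describes get no backscatter while a human report still gets a marked auto-reply. The sample messages and the abuse@example.edu address are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional, Tuple

# Constructed sample messages (not from the thread): a human report, a bounce
# with a null return-path, a vacation reply, and a message the filter flagged.
REPORT = (b"Return-Path: <reporter@example.net>\nFrom: R <reporter@example.net>\n"
          b"To: abuse@example.edu\nSubject: spam from your network\n"
          b"Message-ID: <c1@example.net>\n\nOne of your hosts is sending spam.\n")
BOUNCE = (b"Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.org\n"
          b"To: abuse@example.edu\nSubject: Undelivered Mail\n\nforged sender\n")
VACATION = (b"Return-Path: <away@example.org>\nFrom: away@example.org\n"
            b"Auto-Submitted: auto-replied\nSubject: Out of office\n\nback next week\n")
SPAM = (b"Return-Path: <x@example.com>\nFrom: x@example.com\n"
        b"X-Spam-Flag: YES\nSubject: cheap pills\n\nbuy now\n")

def should_autoreply(raw: bytes) -> Tuple[bool, str]:
    """Gate in front of the acknowledgement: return (send?, reason)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    def h(name: str) -> str:
        return str(msg.get(name) or "").strip()
    rp = h("Return-Path")
    if rp in ("", "<>"):                      # DSNs and notifications: never answer
        return False, "null return-path"
    if "mailer-daemon" in (rp + h("From")).lower():
        return False, "sender is a mail system address"
    if h("Auto-Submitted").lower() not in ("", "no"):
        return False, "already an automatic message"   # avoids responder loops
    if h("Precedence").lower() in ("bulk", "list", "junk") or h("List-Id"):
        return False, "bulk or list traffic"
    if h("X-Spam-Flag").upper().startswith("YES"):    # filter tags abuse@ mail, does not drop it
        return False, "flagged as spam upstream"      # a forged sender would only get backscatter
    return True, "looks like a human report"

def build_ack(raw: bytes, abuse_addr: str = "abuse@example.edu") -> Optional[EmailMessage]:
    """Build the acknowledgement for a report, or None when the gate refuses."""
    if not should_autoreply(raw)[0]:
        return None
    orig = email.message_from_bytes(raw, policy=policy.default)
    ack = EmailMessage()
    ack["From"] = abuse_addr
    ack["To"] = str(orig["Return-Path"]).strip(" <>")   # envelope sender, not the From line
    ack["Subject"] = "Re: " + str(orig.get("Subject") or "")
    ack["In-Reply-To"] = str(orig.get("Message-ID") or "")
    ack["Auto-Submitted"] = "auto-replied"   # RFC 3834 marker so other responders stay quiet
    ack["Precedence"] = "bulk"
    ack.set_content("Your report reached the abuse desk and is queued for review.")
    return ack
```

The acknowledgement is handed back as a message object so the caller can put it on a separate outbound queue with a short expiry, as Frank suggests, rather than the normal one.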