[Dshield] victim of spam-trash

Dave Young dave at boldfish.com
Fri Mar 8 18:28:03 GMT 2002


On Fri, 8 Mar 2002, Johannes B. Ullrich wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> > A spammer is sending tons of emails with the email-adress
> > eddiecandy2782 at sse.de as reply-to or mail from in the header.
> > The Domain sse.de belongs to a customer from us. (Which isn't the spammer)
> 
> You should be able to configure your mail server to bounce all email to 
> this userid (and still allow email to other users in that domain).

that would just bounce or /dev/null the bounce or reply. People will still 
get spam from what looks like eddiecandy2782 at sse.de since the mail isn't 
routing through his mail server in the first place.


you could test this now...  change your from address to the eddie at sse.de 
address and send some mail to an address that you know will bounce. 
Martin will soon get your bounce, that's exactly what's happening in this 
spam.


the only thing he can do is stop the person(s) who is sending the mail, 
which is hard to do. It's no different than me changing my from: address 
to jullrich at sans.org, people will think the mail is coming from you, not 
me, unless they look through the headers and realize it's not coming from 
a sans.org machine....

just as an example, there's nothing you could really do to stop me from 
doing that...  of course all replies and bounces would come to you (unless 
I can control your DNS server, in which case I could make the MX for sans.org 
point to some machine I control)


so yeah, I hate to say it but he's pretty much farked, there's nothing he 
can do except try and stop the people from using his domain in the from 
address..



--Dave



> 
> You probably want to filter these based on the envelope, not based on 
> headers, to limit processing time wasted. In sendmail, look at the 
> 'blacklist_recipients' feature. In qmail, you have to make sure there is 
> no alias setup for the user. 
> 
> other than that, there is not much you can do.
> 
> - -- 
> - -------
> jullrich at sans.org                    Join http://www.DShield.org
>                           Distributed Intrusion Detection System
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE8iOttwWQP+4im9DYRArYYAJ9DAXfQszjcjvRae7Mw526POTXeKACdFCQV
> jmuPuu7C0Kz4MRIkvuTRe2A=
> =yqFN
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 
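The header check Dave alludes to ("unless they look through the headers and realize it's not coming from a sans.org machine") can be automated. The example below is added here and is not code from the original thread or from DShield: it walks the Received: chain of a message and reports whether the earliest hop, the machine that first handed the mail to an MTA, belongs to the domain named in the From: header. The two sample messages, every hostname in them, and the IP addresses are constructed for illustration.

```python
"""Spot a From: address whose mail never passed through that domain's servers.

Added example, not code from the original post. Each MTA prepends its own
Received: header, so the last Received: header in the message describes the
first hop. If that hop is not a host in the From: domain, the sender name is
at best unverified and, as in the thread, quite possibly forged.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims sans.org, but the earliest hop shows the
# message entering the mail system from an unrelated dial-up host.
SPOOFED_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP; Fri, 8 Mar 2002 10:00:00 -0500
Received: from dialup-17.isp.example (dialup-17.isp.example [198.51.100.17])
\tby mx.example.net with SMTP; Fri, 8 Mar 2002 09:59:00 -0500
From: jullrich@sans.org
To: victim@example.org
Subject: test

body
"""

# Constructed sample: same From:, but the earliest hop is a sans.org host.
LEGIT_MESSAGE = """\
Received: from mail.sans.org (mail.sans.org [192.0.2.20])
\tby mail.example.org with ESMTP; Fri, 8 Mar 2002 10:00:00 -0500
From: jullrich@sans.org
To: victim@example.org
Subject: test

body
"""

# Matches the "from <host>" clause at the start of a Received: header.
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def origin_host(raw):
    """Hostname recorded in the earliest Received: header, or None."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Headers are listed top-down; the last one was added by the first MTA.
    match = RECEIVED_FROM.match(received[-1])
    return match.group(1).lower() if match else None


def from_domain(raw):
    """Domain part of the From: header address, or None if absent."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def looks_spoofed(raw):
    """True when the first hop does not belong to the From: domain."""
    host = origin_host(raw)
    domain = from_domain(raw)
    if host is None or domain is None:
        return True  # nothing verifiable to tie the sender name to
    return not (host == domain or host.endswith("." + domain))


if __name__ == "__main__":
    for label, message in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, from_domain(message), origin_host(message), looks_spoofed(message))
```

Two caveats apply in practice. The hostname after "from" is whatever the sending client announced in HELO, so only the Received: headers added by servers you operate are trustworthy; the reverse-DNS name and address that your MTA writes in parentheses are the part worth comparing. And a domain that legitimately relays through a third party (a mailing list, an outsourced mail provider) will fail this check, so treat a mismatch as a signal for closer inspection rather than an automatic reject.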



