AW: [Dshield] victim of spam-trash

Martin Muller mueller at webpartner.de
Mon Mar 11 09:45:45 GMT 2002


Hi all,

First, sorry that I have not answered earlier, but it was the weekend and I had
no chance to read my mail. :-)
Thanks to all who have answered my posting.

I think there is no real way to stop this (the only way is to release the
domain).

Since we are located in Germany, I am considering going to the German police,
which have their own "internet-criminality-work-group", but I don't think that
they have any real chance.

Thanks to all,

Martin


Martin Mueller
---------------------------------------
Webpartner Kommunikationsdienste GmbH
Metzstrasse 14b
81667 Muenchen

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Of Dave Young
Sent: Friday, 8 March 2002 19:28
To: list at dshield.org
Subject: Re: [Dshield] victim of spam-trash


> > A spammer is sending tons of emails with the email address
> > eddiecandy2782 at sse.de as reply-to or mail from in the header.
> > The domain sse.de belongs to a customer of ours (who isn't the
> > spammer).
>
> You should be able to configure your mail server to bounce all email to
> this userid (and still allow email to other users in that domain).

That would just bounce or /dev/null the bounce or reply. People will still
get spam from what looks like eddiecandy2782 at sse.de, since the mail isn't
routing through his mail server in the first place.


You could test this now...  change your From address to the eddie at sse.de
address and send some mail to an address that you know will bounce.
Martin will soon get your bounce; that's exactly what's happening in this
spam.


The only thing he can do is stop the person(s) who is sending the mail,
which is hard to do. It's no different than me changing my From: address
to jullrich at sans.org; people will think the mail is coming from you, not
me, unless they look through the headers and realize it's not coming from
a sans.org machine....

Just as an example, there's nothing you could really do to stop me from
doing that...  of course all replies and bounces would come to you (unless
I can control your DNS server, which I then could make the MX for sans.org
to point to some machine I control).


So yeah, I hate to say it, but he's pretty much farked; there's nothing he
can do except try and stop the people from using his domain in the From
address.



--Dave



>
> You probably want to filter these based on the envelope, not based on
> headers, to limit processing time wasted. In sendmail, look at the
> 'blacklist_recipients' feature. In qmail, you have to make sure there is
> no alias setup for the user.
>
> other than that, there is not much you can do.
>
> - --
> - -------
> jullrich at sans.org                    Join http://www.DShield.org
>                           Distributed Intrusion Detection System
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>
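
The header check Dave describes, applied to the bounces that reach the forged address, as an added example that is not part of the original thread: it reads the returned message inside a bounce and reports whether that message ever passed through the domain's own relay. The relay hostname, the sample bounce and the function names are constructed assumptions.

```python
import email

# Assumption: hostname(s) of the relay that really sends mail for the domain.
OUR_RELAYS = {"relay.hoster.example"}

# Constructed bounce (DSN); {hop} is the client recorded in the Received
# line of the returned original message.
BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
To: eddiecandy2782@sse.de
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

User unknown.

--b1
Content-Type: message/rfc822

Received: from {hop} by mx.recipient.example; Fri, 8 Mar 2002 18:00:00 +0000
From: eddiecandy2782@sse.de
To: nobody@recipient.example
Subject: constructed sample

body
--b1--
"""
FORGED = BOUNCE.format(hop="dialup-17.isp.example [192.0.2.17]")
GENUINE = BOUNCE.format(hop="relay.hoster.example [198.51.100.5]")

def embedded_original(bounce):
    """Return the original message (or just its headers) carried in a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None

def is_backscatter(raw_bounce, relays=OUR_RELAYS):
    """True if the bounced mail never touched our relays; None if unknown."""
    original = embedded_original(email.message_from_string(raw_bounce))
    if original is None:
        return None
    hops = " ".join(original.get_all("Received", [])).lower()
    return not any(r.lower() in hops for r in relays)
```

A `True` result means the bounce was caused by mail that only borrowed the address, so it can be counted or discarded without being treated as a delivery failure of the domain's own mail.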
