[Dshield] "Academic Freedom" vs Computer Security

Laurie Kennedy cblmaint at cblptyltd.com.au
Sun Feb 15 23:12:35 GMT 2004


This happened to my personal account a couple of years ago. The flaw is
basically, when certain mail servers accept a spoofed email back into itself
(incestuous, just like a bank system being allowed to deposit a cheque back
into the same cheque account, it only generates fees) it 'reverse spams'
other users on the network. The servers should really check their own mail
list and dump (or record for later tracking analysis) the spurious garbage
before it propagates.

Unfortunately, if 'they' use your personal email address as the sender
address, you will get all of the bounces back from all of the servers they
try to spam. I was receiving these 'bounce' notices from all around the
world (at least they were consolidated) about 3 years before the spam
fighters started getting hit. And I was only sending emails to Australian
'letters to the editors' addresses and a couple of others (about 8 in
total). They do this to try to block your email access to the servers they
spam.

Laurence N. Kennedy
Competency Based Learning

----- Original Message ----- 
From: "Doug White" <doug at clickdoug.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Friday, February 13, 2004 3:56 PM
Subject: Re: [Dshield] "Academic Freedom" vs Computer Security


> Thanks for the example. It looks like my filtering is doing a better job than
> the rather costly Postini service.  It is explained in the link in my signature
> line.
> While I do have a personally maintained blacklist, I also use cbl, spamhaus,
> sorbs, spamcop, and a few others.
>
> That one example of "received from unknown" is rejected immediately by Postfix
> anyway, and does not even get to the filtering.
>
> ======================================
> Stop spam on your domain, Anti-spam solutions
> http://www.clickdoug.com/stopspam.htm
> For hosting solutions http://www.clickdoug.com
> ======================================
> Aspire to Inspire before you Retire or Expire!
>
>
> ----- Original Message ----- 
> From: "Erik van Straten" <emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl>
> To: <list at dshield.org>
> Sent: Thursday, February 12, 2004 9:19 PM
> Subject: Re: [Dshield] "Academic Freedom" vs Computer Security
>
>
> : Doug,
> :
> : On Thu, 12 Feb 2004 19:07:17 -0600 Doug White wrote:
> : > I don't know how Brightmail or Postini handles it, but I suspect
> : > much the same way, and they are not going to accept spamming from any
> : > IP, no matter who the academic source.
> :
> : They accept from seemingly ANY source. Then eventually mail bounces to
> : someone else like me (below, vguzmanym at cpo.tn.tudelft.nl does NOT
> : exist, and this is the last one I have from/via Postini):
> :
> : | Received: from neutron.nccray.com (unknown [66.97.228.6])
> : |         by mailhost3.tudelft.nl (Postfix) with ESMTP id A70144081
> : |         for <vguzmanym at cpo.tn.tudelft.nl>; Fri, 13 Feb 2004 03:36:12 +0100 (MET)
> : [snip]
> : | 550 <cshepherd at nccray.com>... User unknown
> : |
> : |    ----- Original message follows -----
> : | Received: from psmtp.com (exprod5mx103.postini.com [12.158.34.59])
> : |         by neutron.nccray.com (8.9.3/8.9.3) with SMTP id UAA20175
> : |         for <cshepherd at nccray.com>; Thu, 12 Feb 2004 20:37:37 -0600
> : | Received: from source ([64.53.54.194]) by exprod5mx103.postini.com ([12.158.34.245]) with SMTP;
> : |         Thu, 12 Feb 2004 18:35:59 PST
> : | Message-ID: <bb1201c3f1da$93f36147$41d5ccaf at hsqqmbb>
> : | MIME-Version: 1.0
> : | To: cshepherd at nccray.com
> : | Subject: hi
> : | From: "Vanessa Guzman" <vguzmanym at cpo.tn.tudelft.nl>
> : | Date: Fri, 13 Feb 2004 02:39:55 +0000
> :
> : Note: http://cbl.abuseat.org/lookup.cgi?ip=64.53.54.194
> : | IP Address 64.53.54.194 was found in the CBL.
> : |
> : | It was detected at 2004-01-18 10:00 GMT (+/- 30 minutes).
> :
> : Since 11 Feb 2004 22:11:00 +0100 in total 103 messages like this
> : JUST from Postini :(
> :
> : > Your mileage may vary.....
> :
> : It does (not seeing much Brightmail).
> :
> : Regards,
> : Erik van Straten
> : Delft University of Technology
> : The Netherlands
> :
> : _______________________________________________
> : list mailing list
> : list at dshield.org
> : To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> :
> :
>
>
>
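Added example (not part of any message in this thread): a Python sketch that reads the headers of the bounced original quoted above, pulls the injecting IP from the earliest Received hop, and applies the check the top post asks for, flagging a claimed local sender that is not in the server's own user list. The header sample is copied from the quoted bounce with folded lines rejoined and the archive's " at " restored to "@"; the function names and the `local_users` set are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the original message inside the bounce quoted in this thread
# (folded lines rejoined, archive " at " obfuscation restored to "@").
SAMPLE = """\
Received: from psmtp.com (exprod5mx103.postini.com [12.158.34.59])
        by neutron.nccray.com (8.9.3/8.9.3) with SMTP id UAA20175
        for <cshepherd@nccray.com>; Thu, 12 Feb 2004 20:37:37 -0600
Received: from source ([64.53.54.194]) by exprod5mx103.postini.com
        ([12.158.34.245]) with SMTP;
        Thu, 12 Feb 2004 18:35:59 PST
Message-ID: <bb1201c3f1da$93f36147$41d5ccaf@hsqqmbb>
MIME-Version: 1.0
To: cshepherd@nccray.com
Subject: hi
From: "Vanessa Guzman" <vguzmanym@cpo.tn.tudelft.nl>
Date: Fri, 13 Feb 2004 02:39:55 +0000
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
MSG = message_from_string(SAMPLE)


def injecting_ip(msg):
    """Return the client IP recorded by the earliest hop.

    Received headers are prepended, so the last one is the oldest. Only
    hops written by servers you trust are reliable; anything below the
    first trusted hop can be forged by the sender.
    """
    hops = msg.get_all("Received") or []
    match = IP_RE.search(hops[-1]) if hops else None
    return match.group(1) if match else None


def is_forged_local_sender(msg, local_domain, local_users):
    """True when From claims our domain but names a user we do not have."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    user, _, domain = addr.rpartition("@")
    return domain == local_domain.lower() and user not in local_users


if __name__ == "__main__":
    users = {"postmaster"}  # constructed stand-in for the real user list
    print("injected from:", injecting_ip(MSG))
    print("forged local sender:",
          is_forged_local_sender(MSG, "cpo.tn.tudelft.nl", users))
```

A bounce that trips `is_forged_local_sender` can be dropped or logged instead of delivered, and the extracted IP is the value to look up in a blocklist such as the CBL lookup quoted in the thread.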



