[Dshield] DDoS by spam-bounces & DSL blacklists
Erik van Straten
emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Thu Jan 15 00:31:54 GMT 2004
Subject was: Spamhouse now listing exploited IPs in new blocklist
Hi Stephane, list,
The Spamhaus FAQ applies to the SBL, not XBL. http://cbl.abuseat.org
actually runs XBL and has its own FAQ and lookup page. The main page
reads, among other things: "Entries automatically expire after a period
of time" (but it does not specify how long).
If you open http://cbl.abuseat.org/lookup.cgi and enter an IP address,
the page will inform you when it was blacklisted. Also if it is listed,
a link to a removal page will be provided, so IMO this list is friendly.
If you have a dynamic IP and you keep getting listed, *please* complain
to your provider (in particular if your ISP is one of those who forward
non-customer abuse emails to /dev/null). Your ISP is the only one who
knows who was using the IP-address when it got blacklisted.
Anyway, most people don't know that spam causes DDoS-like attacks.
There are probably thousands of backdoored DSL-PC's in control by
spammers at any time now (trend increasing), and they're causing REAL
DAMAGE. Have you ever looked at the return path in spams? Have you ever
wondered what happens when your account is disabled, your mailbox is
full, you send Out-of-Office replies, or whitelisting requests?
Then usually an email is "returned" to the address that the spammer has
specified in either the message From: header or the envelope Mail From:
(a.k.a. return-path), which hardly ever is their own, but belongs to an
innocent third party. Often the site in that address exists, but the
username does not. It is commonly known as a "Joe-job" if the entire
address is valid ( http://www.joes.com/spammed.html is one of the first
publicly known cases of someone being harassed in such a way). If the
username does not exist, but the site does, I call it a site-Joe-job.
My mailserver (a small box) is undergoing such a site-Joe-job. It is
receiving > 120000 spam bounces per month (most cannot be delivered
because the username does not exist). Also there are lots of secondary
effects that cause all kinds of problems, including sites portscanning
my mailserver because they believe I'm hosting a spammer (perhaps I'll
elaborate in another message someday).
To illustrate what's happening, the following is taken from a typical
failed delivery status notification (DSN) my MTA received tonight
(note: although neither sender nor recipient exists, I've replaced the
at sign by an asterisk in the addresses below):
| <adriano*it.pt>: unknown user: "adriano"
| Content-Description: Undelivered Message
| Content-Type: message/rfc822
| Received: from frontend-2.cgpmail.ua.pt (mail.ua.pt [220.127.116.11])
| by trantor.it.pt (sendmail) with ESMTP id B97302C1A
| for <adriano>; Wed, 14 Jan 2004 21:13:16 +0000 (PWT)
| X-UA-Spam: Yes
| X-UA-Spam-Status: hits=16.0 required=5.0
| X-UA-Spam-Level: XXXXXXXXXXXXXXXX
| X-UA-Spam-Report: BAYES_99
| Received: from [xx.216.168.76] (HELO sisa.co.uk)
| by frontend-2.cgpmail.ua.pt (CommuniGate Pro SMTP 4.0.6)
| with ESMTP id 14554192 for adriano*it.pt; Wed, 14 Jan 2004
| 21:34:00 +0000
| Received: from 18.104.22.168 by smtp.dutndo7.tn.tudelft.nl;
| Thu, 15 Jan 2004 13:39:44 +0000
| From: "Sondra Doyle" <s_doyleeh*dutndo7.tn.tudelft.nl>
| To: adriano*it.pt
| Subject: no doctor vísit
| Date: Thu, 15 Jan 2004 10:39:14 -0300
| Message-ID: <auto-000014554192 at frontend-2.cgpmail.ua.pt>
The last Received: headerline was added by the spammer (actually
22.214.171.124 are 4 random bytes; I also observe 255.x.x.x etc).
Also, smtp.dutndo7.tn.tudelft.nl does not exist (never has) but
dutndo7.tn.tudelft.nl does (it's an alias for cpo.tn.tudelft.nl).
Finally the spammers deliberately "advance" the clock and add an
approx. 5-30 second offset from the Date: header (and randomize
For privacy reasons I've munged the IP-address of the real originator
xxx.216.168.76 (note that it is NOT sisa.co.uk; that HELO/EHLO hostname
was also spoofed by the spammers, and since they're in the spammer's
database, quite likely sisa.co.uk is also being site-Joe-jobbed).
Although ua.pt knows that the message is spam, they do "return" it to
me (which actually is RFC-compliant, and IMO the correct thing to do).
However, IMO they should have rejected the email based upon the sender
IP, when it connected to their inbound MTA frontend-2.cgpmail.ua.pt.
Most bounces my MTA receives don't have X-SPAM-* headers though.
Regarding XBL: http://cbl.abuseat.org/lookup.cgi?ip=xxx.216.168.76
appears not to have been listed, but it is listed on spamcop (which is
a more aggressive list, but they DO auto-unlist in a few days):
| Since SpamCop started counting, this system has been reported about
| 20 times by less than 10 users. It has been sending mail
| consistently for at least 4.0 days. In the past 210.0 days, it has
| been listed 8 times for a total of 6.5 days
However in my experience XBL/abuseat usually is quite effective. From
the bounced spams I'm receiving right now most have been recently
listed, for example, from one of the (many!) backdoored comcast PC's:
| Return-Path: <cary_gaylk*cpo.tn.tudelft.nl>
| Received: from ccohs.ca (c-24-1-x-x.client.comcast.net [24.1.x.x])
| by mailmx.cnc.com (8.11.6/8.11.6) with ESMTP id i0F0bPl09965
| for <newtontab*cnc.com>; Wed, 14 Jan 2004 19:37:26 -0500
| Message-ID: <752601c3db7f$bb494f9c$19da9128 at ccohs.ca>
| From: "Cary F. Gay" <cary_gaylk*cpo.tn.tudelft.nl>
| To: newtontab*cnc.com
| Subject: hello
| Date: Thu, 15 Jan 2004 11:53:20 -0400
Check XBL/CBL: http://cbl.abuseat.org/lookup.cgi?ip=24.1.x.x
| IP Address 24.1.x.x was found in the CBL.
| It was detected at 2004-01-13 04:00 GMT (+/- 30 minutes).
| If this address is listed incorrectly, you may request its removal.
removal -> http://cbl.abuseat.org/remove.cgi?ip=24.1.x.x
Obviously there's nothing I can do to stop this site-Joe-job; the
bounces are being sent by legitimate MTA's from ISP's including Yahoo,
AOL etc. I'm fortunate to have a fast network (and not have to pay for
using it). However not every Joe-jobbed site is that lucky: for them it
simply is a continuous DDoS attack initiated by backdoored DSL PC's,
bounced by multiple sites, having the focal point at the Joe-jobbed
site. Imagine yourself running a small company with your own MTA,
connected via DSL and being struck like this?
That alone justifies blacklisting PC's that are spamming, and calls for
a *fast* DSL blacklist (both listing and delisting).
Furthermore, many netizens don't use spamfilters. Most of them will
think users of my site, or any other site that's being Joe-jobbed, are
a bunch of spammers. What do I tell them if they complain? (only a few
do by the way, and I *do* read all mail sent to postmaster, abuse and
mailer-daemon). If I reply they probably won't believe me anyway.
Final note: spammers involved in this will do almost anything for
money. They don't care about laws (they'll hack *your* PC if you've not
patched it). They may someday use their zombie network for other
purposes than spam (quite a scary idea). It's really time we (and
ISP's) do a better job educating people and help them to prevent their
PC's getting compromised (there's a task for software makers too).
I hope that readers of this list change their minds. Spam is not just
irritating stuff that can be taken care of by spamfilters. I agree that
spamfilter Q-factor discussions do not belong on this list. However,
when compromised PC's are involved, spam has *everything* to do with
security (which, IIRC, this list is all about), and those PC's *should*
be blacklisted because often that's the only way to convince the ISP,
and eventually the owner, that the PC must be taken care of.
Erik van Straten
P.S. I too apologize for the long email, but found myself unable to
clarify this complicated subject otherwise.
On Wed, 14 Jan 2004 14:16:41 +0100 Stephane Grobety wrote:
Subject: [Dshield] Spamhouse now listing exploited IPs in new blocklist
> [To the moderator: if it is off-topic, please do not hesitate to
> drop this message, just drop me a notice you did so]
> I just noticed that SpamHaus has released a new RBL containing a list
> of IPs that are know to be "exploited" in some way: Open proxy,
> mass-mailer virus, etc.
> Now, how about some contention: I personally applaud the effort of the
> Spamhaus to provide a list of "dangerous" clients but I have to worry
> about the fine prints on their web page: In the FAQ, they state that,
> unless someone actively asks to be de-listed, entries in the database
> are only deleted after 6 months without new submission.
> Now, this period of time might be reasonable for open SMTP relay
> servers, I find this period excessively long for common folks that
> just happened to have been infected with a virus.
> Chances are that even after taking the proper steps to stop being a
> menace to the general network by cleaning up their system, patching it
> and installing an anti-virus product, they will NOT know how to get
> de-listed for 6 months.
> Additionally, there is the problem of IP sharing: what if my neighbor,
> who shares the same ADSL provider as me, gets listed? Since our ISP
> forces an IP change every day, I routinely get the IP he had the day
> before. Now, if he is blacklisted, I will statistically get
> blacklisted as well at least as much as he (and this won't even
> prevent the spam from coming from his machine).
> Anyone got feelings about this?
> Good luck,
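As an added example (not part of Erik's post or any tool he mentions), here is a small Python check a Joe-jobbed postmaster could run over the message/rfc822 part of an incoming DSN to recognise the forged origin hop the post describes: a bottom-most "by" host that sits in our domain but that we do not run, and a first-hop timestamp that is later than the hop that supposedly received it (the "advanced clock"). The sample bounce is constructed from the headers quoted above with RFC 5737 placeholder addresses, and OUR_MTAS is an assumed list of the hosts we really operate.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

OUR_DOMAIN = "tn.tudelft.nl"                                # the Joe-jobbed domain
OUR_MTAS = {"cpo.tn.tudelft.nl", "dutndo7.tn.tudelft.nl"}  # hosts we really run (assumed)
CLOCK_SLACK = timedelta(minutes=10)                         # tolerated honest skew between hops

# Constructed sample modelled on the bounced message quoted above (placeholder IPs).
SAMPLE = """Received: from frontend-2.cgpmail.ua.pt (mail.ua.pt [192.0.2.11])
\tby trantor.it.pt (sendmail) with ESMTP id B97302C1A
\tfor <adriano>; Wed, 14 Jan 2004 21:13:16 +0000 (PWT)
Received: from [192.0.2.76] (HELO sisa.co.uk)
\tby frontend-2.cgpmail.ua.pt (CommuniGate Pro SMTP 4.0.6)
\twith ESMTP id 14554192 for adriano@it.pt; Wed, 14 Jan 2004 21:34:00 +0000
Received: from 198.51.100.9 by smtp.dutndo7.tn.tudelft.nl;
\tThu, 15 Jan 2004 13:39:44 +0000
From: "Sondra Doyle" <s_doyleeh@dutndo7.tn.tudelft.nl>
To: adriano@it.pt
Subject: no doctor visit
Date: Thu, 15 Jan 2004 10:39:14 -0300

(spam body omitted)
"""

def parse_received(value):
    """Return (from_token, by_host, timestamp) for one Received: header value."""
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_by = re.search(r"\bby\s+([\w.-]+)", value)
    when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
    return (m_from.group(1) if m_from else None,
            m_by.group(1) if m_by else None, when)

def forged_origin_findings(raw):
    """Inspect the oldest (bottom-most) hop of a bounced message for forgery signs."""
    hops = [parse_received(h) for h in message_from_string(raw).get_all("Received", [])]
    findings = []
    if len(hops) < 2:
        return findings
    first, second = hops[-1], hops[-2]   # headers are prepended, so the last one is the oldest
    if first[1] and first[1].endswith(OUR_DOMAIN) and first[1] not in OUR_MTAS:
        findings.append(f"unknown 'by' host in our domain: {first[1]}")
    if first[2] - second[2] > CLOCK_SLACK:
        findings.append(f"first hop dated {first[2] - second[2]} after the hop that received it")
    return findings
```

Both findings fire on the sample: the bottom hop claims a host in tn.tudelft.nl that we do not run, and it is dated about 16 hours after the ua.pt frontend that received it.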