[Dshield] DDoS by spam-bounces & DSL blacklists

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Thu Jan 15 00:31:54 GMT 2004

Subject was: Spamhouse now listing exploited IPs in new blocklist

Hi Stephane, list,

The Spamhaus FAQ applies to the SBL, not XBL. http://cbl.abuseat.org 
actually runs XBL and has its own FAQ and lookup page. The main page 
reads, among other things: "Entries automatically expire after a period 
of time" (but it does not specify how long).

If you open http://cbl.abuseat.org/lookup.cgi and enter an IP address, 
the page will inform you when it was blacklisted. Also if it is listed, 
a link to a removal page will be provided, so IMO this list is friendly.

If you have a dynamic IP and you keep getting listed, *please* complain 
to your provider (in particular if your ISP is one of those who forward 
non-customer abuse emails to /dev/null). Your ISP is the only one who 
knows who was using the IP-address when it got blacklisted.

Anyway, most people don't know that spam causes DDoS-like attacks.

There are probably thousands of backdoored DSL-PC's in control by 
spammers at any time now (trend increasing), and they're causing REAL 
DAMAGE. Have you ever looked at the return path in spams? Have you ever 
wondered what happens when your account is disabled, your mailbox is 
full, you send Out-of-Office replies, or whitelisting requests?

Then usually an email is "returned" to the address that the spammer has 
specified in either the message From: header or the envelope Mail From: 
(a.k.a. return-path), which hardly ever is their own, but belongs to an 
innocent third party. Often the site in that address exists, but the 
username does not. It is commonly known as a "Joe-job" if the entire 
address is valid ( http://www.joes.com/spammed.html is one of the first 
publicly known cases of someone being harassed in such a way). If the 
username does not exist, but the site does, I call it a site-Joe-job.

My mailserver (a small box) is undergoing such a site-Joe-job. It is 
receiving > 120000 spam bounces per month (most cannot be delivered 
because the username does not exist). Also there are lots of secondary 
effects that cause all kinds of problems, including sites portscanning 
my mailserver because they believe I'm hosting a spammer (perhaps I'll 
elaborate in another message someday).

To illustrate what's happening, the following is taken from a typical 
failed delivery status notification (DSN) my MTA received tonight
(note: although neither sender nor recipient exists, I've replaced the 
at sign by an asterisk in the addresses below):

| <adriano*it.pt>: unknown user: "adriano"
| --B97302C1A.1074114805/trantor.it.pt
| Content-Description: Undelivered Message
| Content-Type: message/rfc822
| Received: from frontend-2.cgpmail.ua.pt (mail.ua.pt [])
|         by trantor.it.pt (sendmail) with ESMTP id B97302C1A
|         for <adriano>; Wed, 14 Jan 2004 21:13:16 +0000 (PWT)
| X-UA-Spam: Yes
| X-UA-Spam-Status: hits=16.0 required=5.0
| X-UA-Spam-Report: BAYES_99
|         HTML_IMAGE_ONLY_04
|         HTML_MESSAGE
|         MIME_HTML_ONLY
|         RCVD_IN_DSBL
|         RCVD_IN_SORBS
| Received: from [xx.216.168.76] (HELO sisa.co.uk)
|        by frontend-2.cgpmail.ua.pt (CommuniGate Pro SMTP 4.0.6)
|        with ESMTP id 14554192 for adriano*it.pt; Wed, 14 Jan 2004
|        21:34:00 +0000
| Received: from by smtp.dutndo7.tn.tudelft.nl;
|         Thu, 15 Jan 2004 13:39:44 +0000
| From: "Sondra Doyle" <s_doyleeh*dutndo7.tn.tudelft.nl>
| To: adriano*it.pt
| Subject: no doctor vísit
| Date: Thu, 15 Jan 2004 10:39:14 -0300
| Message-ID: <auto-000014554192 at frontend-2.cgpmail.ua.pt>

The last Received: headerline was added by the spammer (actually are 4 random bytes; I also observe 255.x.x.x etc).
Also, smtp.dutndo7.tn.tudelft.nl does not exist (never has) but 
dutndo7.tn.tudelft.nl does (it's an alias for cpo.tn.tudelft.nl).
Finally the spammers deliberately "advance" the clock and add an 
approx. 5-30 second offset from the Date: header (and randomize
it's timezone).

For privacy reasons I've munged the IP-address of the real originator 
xxx.216.168.76 (note that it is NOT sisa.co.uk; that HELO/EHLO hostname 
was also spoofed by the spammers, and since they're in de spammer's 
database, quite likely sisa.co.uk is also being site-Joe-jobbed).

Although ua.pt knows that the message is spam, they do "return" it to 
me (which actually is RFC-compliant, and IMO the correct thing to do). 
However, IMO they should have rejected the email based upon the sender 
IP, when it connected to their inbound MTA frontend-2.cgpmail.ua.pt.
Most bounces my MTA receives don't have X-SPAM-* headers though.

Regarding XBL: http://cbl.abuseat.org/lookup.cgi?ip=xxx.216.168.76
appears not to have been listed, but it is listed on spamcop (which is 
a more aggressive list, but they DO auto-unlist in a few days):

| Since SpamCop started counting, this system has been reported about
| 20 times by less than 10 users. It has been sending mail
| consistently for at least 4.0 days. In the past 210.0 days, it has
| been listed 8 times for a total of 6.5 days

However in my experience XBL/abuseat usually is quite effective. From 
the bounced spams I'm receiving right now most have been recently 
listed, for example, from one of the (many!) backdoored comcast PC's:

| Return-Path: <cary_gaylk*cpo.tn.tudelft.nl>
| Received: from ccohs.ca (c-24-1-x-x.client.comcast.net [24.1.x.x])
|       by mailmx.cnc.com (8.11.6/8.11.6) with ESMTP id i0F0bPl09965
|       for <newtontab*cnc.com>; Wed, 14 Jan 2004 19:37:26 -0500
| Message-ID: <752601c3db7f$bb494f9c$19da9128 at ccohs.ca>
| From: "Cary F. Gay" <cary_gaylk*cpo.tn.tudelft.nl>
| To: newtontab*cnc.com
| Subject: hello
| Date: Thu, 15 Jan 2004 11:53:20 -0400

Check XBL/CBL: http://cbl.abuseat.org/lookup.cgi?ip=24.1.x.x
| IP Address 24.1.x.x was found in the CBL.
| It was detected at 2004-01-13 04:00 GMT (+/- 30 minutes).
| If this address is listed incorrectly, you may request its removal.
removal -> http://cbl.abuseat.org/remove.cgi?ip=24.1.x.x

Obviously there's nothing I can do to stop this site-Joe-job; the 
bounces are being sent by legitimate MTA's from ISP's including Yahoo, 
AOL etc. I'm fortunate to have a fast network (and not have to pay for 
using it). However not every Joe-jobbed site is that lucky: for them it 
simply is a continuous DDoS attack initiated by backdoored DSL PC's, 
bounced by multiple sites, having the focal point at the Joe-jobbed 
site. Imagine yourself running a small company with your own MTA, 
connected via DSL and being struck like this?

That alone justifies blacklisting PC's that are spamming, and calls for 
a *fast* DSL blacklist (both listing and delisting).

Furthermore, many netizens don't use spamfilters. Most of them will 
think users of my site, or any other site that's being Joe-jobbed, are 
a bunch of spammers. What do I tell them if they complain? (only a few 
do by the way, and I *do* read all mail sent to postmaster, abuse and 
mailer-daemon). If I reply they probably won't believe me anyway.

Final note: spammers involved in this will do allmost anything for 
money. They don't care about laws (they'll hack *your* PC if you've not 
patched it). They may someday use their zombie network for other 
purposes than spam (quite a scary idea). It's really time we (and 
ISP's) do a better job educating people and help them to prevent their 
PC's getting compromised (there's a task for software makers too).

I hope that readers of this list change their minds. Spam is not just 
irritating stuff that can be taken care of by spamfilters. I agree that 
spamfilter Q-factor discussions do not belong on this list. However, 
when compromised PC's are involved, spam has *everything* to do with 
security (which, IIRC, this list is all about), and those PC's *should* 
be blacklisted because often that's the only way to convince the ISP, 
and eventually the owner, that the PC must be taken care of.

Erik van Straten
CPO Sysadmin

P.S. I too apologize for the long email, but found myself unable to 
clarify this complicated subject otherwise.

On Wed, 14 Jan 2004 14:16:41 +0100 Stephane Grobety wrote:
Subject: [Dshield] Spamhouse now listing exploited IPs in new blocklist
> [To the moderator: if it is off-topic, please do not hesitate to
> drop this message, just drop me a notice you did so]
> I just noticed that SpamHaus has released a new RBL containing a list
> of IPs that are know to be "exploited" in some way: Open proxy,
> mass-mailer virus, etc.
> (http://www.spamhaus.org/news.lasso?article=151)
> Now, how about some contention: I personally applaud the effort of the
> Spamhaus to provide a list of "dangerous" clients but I have to worry
> about the fine prints on their web page: In the FAQ, they state that,
> unless someone actively asks to be de-listed, entries in the database
> are only deleted after 6 month without new submission.
> Now, this period of time might be reasonable for open SMTP relay
> servers, I find this period excessively long for common folks that
> just happened to have been infected with a virus.
> Chances are that even after taking the proper steps to stop being a
> menace to the general network by cleaning up their system, patching it
> and installing an anti-virus product, they will NOT know how to get
> de-listed for 6 month.
> Additionally, there is the problem of IP sharing: what if my neighbor,
> who share the same ADSL provider as me, get listed ? Since our ISP
> forces an IP change every day, I routinely get the IP he had the day
> before. Now, if he is blacklisted, I will statistically get
> blacklisted as well at least as much as he (and this won't even
> prevent the spam from coming from his machine).
> Anyone got feelings about this ?
> Good luck,
> Stephane

More information about the list mailing list