[Dshield] Exchange Open Relay

DigitalNation dshield at digitalnation.ca
Fri Mar 3 20:04:06 GMT 2006


Christophe,

We, too, are very uneasy about this issue. After reading the SPAMCOP info on
auto-generated messages, we are very unsure about the mentality of this
issue. Out-of-office replies are now considered a ubiquitous part of email
services. If you stop offering this to your email services clients they may
just move to a provider who will offer it.

I am also concerned about this whole zero-tolerance "spam trap" issue. It
bothers me that they do not look at each message received for its content
or source to ensure they do not list a server due to auto-gen messages. I
would think there must be some easy way for them to really filter out the
false positives? With this zero-tolerance policy it seems the potential is
there to cause major headaches for innocent providers.  I take extra care in
ensuring that we do not BL any innocent providers, why shouldn't the SPAMCOP
DNSBL?

Let's say for example, I am a spammer (*never*) and I am angry at 123ISP.com
because they are blocking all my messages. If I knew that USERX at 123ISP.com
has an auto responder running, I could craft a message and send it to that
address knowing it will send a NEW auto-generated (out-of-office) message to
the listed sender....and if the listed sender is a "spam trap" address?
Guess what...the sender of the auto-gen message will be on the SPAMCOP BL in
minutes. Now of course all the "spam-traps" are not advertised....this is
strictly a "long shot" of course, but you see the potential.

------------------
M. McBride
Security Admin
DigitalNation
Vancouver, Canada
 


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Christophe Rome
Sent: Friday, March 03, 2006 2:30 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Exchange Open Relay


--- DigitalNation <dshield at digitalnation.ca> wrote:

> *Example of how to get blacklisted and not be an
> open relay*
> 
> You can get on the DNSBL by having too many "out of
> office" responders in
> place. SPAMCOP advises that mail-admins turn off
> that feature....I know this
> because it happened to us last month.
> 
> ------------------
> M. McBride
> Security Admin
> DigitalNation
> Vancouver, Canada
>  
Hmm, I must say your message sent some shivers
down my spine. Excuse me if the expression is not
correct but English is not my native language.

Anyway, after reading your message I checked SPAMCOP's
site and read the article entitled 'Why are
autoresponders bad?'.

http://www.spamcop.net/fom-serve/cache/329.html

I must say I'm pretty impressed. It appears our
mailservers currently risk being blacklisted just
because we have some sort of auto responding
mechanisms enabled (out-of-office replies,
autoresponses from individual users, ...) or bounce
back undeliverable messages.

I would like to know the weight of this article.
Should I really care and start crafting an advice to
my users telling them we need to stop sending
out-of-offices to the outside (yes, we debated on this
before and they really hold on to it) and that we need
to stop bouncing undeliverables? 

Furthermore, in the case you still do want to send
bounces to the legitimate senders, SPAMCOP advises the
use of SPF or Domain Keys. Personally I don't think
the value of these mechanisms is pretty high for the
moment. I'm sure 90% of our legitimate email senders
don't have these systems in place.

Some reactions would be welcome... Who has configured
his mail systems in accordance with the rules stated in
this article?
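
Added example, not part of the original thread or any poster's code: one way an autoresponder can decide whether to reply at all, so that a message with a forged sender (the scenario described above) does not trigger an out-of-office to an address that never wrote to you. It assumes the border MTA stamps an Authentication-Results header under the hypothetical id mx.example.org and strips inbound copies carrying that id; the function names and sample messages are constructed, and the automatic-mail checks follow RFC 3834.

```python
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.org"  # assumed id of our own border MTA
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")


def spf_passed(msg):
    """True only if our own MTA recorded spf=pass for this message."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV and "spf=pass" in results.lower():
            return True
    return False


def should_auto_reply(raw_message, envelope_from, already_notified):
    """Return (send, reason); envelope_from is the SMTP MAIL FROM address."""
    msg = message_from_string(raw_message)
    sender = envelope_from.strip().strip("<>").lower()
    if not sender:  # null return path: a bounce or other automatic mail
        return False, "null envelope sender"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "auto-submitted"
    if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
        return False, "bulk precedence"
    if any(h in msg for h in LIST_HEADERS):
        return False, "mailing list traffic"
    if not spf_passed(msg):  # sender address may be forged
        return False, "sender not authenticated"
    if sender in already_notified:  # one reply per correspondent
        return False, "already notified"
    already_notified.add(sender)
    return True, "ok"


# Constructed samples: a forged sender (SPF fail) and a genuine one (SPF pass).
FORGED = ("Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=trap.example\n"
          "From: someone@trap.example\nSubject: hello\n\nbody\n")
GENUINE = ("Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=partner.example\n"
           "From: alice@partner.example\nSubject: meeting\n\nbody\n")

if __name__ == "__main__":
    seen = set()
    print(should_auto_reply(FORGED, "someone@trap.example", seen))
    print(should_auto_reply(GENUINE, "alice@partner.example", seen))
    print(should_auto_reply(GENUINE, "alice@partner.example", seen))
```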
