[Dshield] Question about spam sent to list address

Frank Knobbe frank at knobbe.us
Sat Mar 4 05:44:16 GMT 2006


On Fri, 2006-03-03 at 07:48 -0500, Johannes B. Ullrich wrote:
> Chris Wright wrote:
> > I would say that I only received two postings today (yours is one of them).

> I know we had some issues with Comcast blocking our mail as 'spam' last
> week, but I think that has been resolved. For us, spam is pretty much a
> two way battle. Not only trying to keep it out of our systems, but also
> trying to prevent us from being blocked by others as spam. From time to
> time, people try to blacklist us with various lists (e.g. spamcop and such).

We noticed something peculiar in regards to the list emails earlier this
week. It appears that on occasion, the mail server mail2.dshield.org
sends out packets with window size being 0 and IP ID being 0. That
matches an IDS signature for a known spam MTA. Now, I don't think you
guys are using spambots to distribute DShield ports, but it might be
that the list server sets the window size in its packets to 0 in order
to save bandwidth as it causes the remote hosts to stop sending packets
back. Perhaps that is done as a measure to ease load on the server,
don't know.

But it is likely that certain IPSes and blocking IDSes (like it happened
to us) might filter email from DShield based on that behavior.

Perhaps something to check on your end... why the server sets both,
receiving TCP Window size *and* IP ID, to 0.

Regards,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
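
The header combination described in the message above, as an added example that is not part of the original post or of any IDS rule set: a Python check that parses raw IPv4/TCP headers and flags packets with both IP ID 0 and TCP window 0. The sample packets, addresses and function names are constructed for illustration; reporting the DF and RST bits alongside a hit is an assumption about what an analyst would want when judging a false positive.

```python
import struct

def build_packet(ip_id, window, flags=0x10, df=True):
    """Constructed sample: bare 20-byte IPv4 + 20-byte TCP header, checksums 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000 if df else 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 25]))
    tcp = struct.pack("!HHIIBBHHH", 25, 40000, 1, 1, 5 << 4, flags, window, 0, 0)
    return ip + tcp

def inspect(packet):
    """Return the header fields of interest, or None if not parsable IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None
    ip_id, frag = struct.unpack_from("!HH", packet, 4)
    if frag & 0x1FFF:  # later fragment: carries no TCP header
        return None
    flags, window = struct.unpack_from("!BH", packet, ihl + 13)
    return {"ip_id": ip_id, "window": window,
            "df": bool(frag & 0x4000), "rst": bool(flags & 0x04)}

def matches_signature(packet):
    """True when both fields named in the message are zero."""
    f = inspect(packet)
    return f is not None and f["ip_id"] == 0 and f["window"] == 0

def scan(packets):
    """Indexes of the packets that match."""
    return [i for i, p in enumerate(packets) if matches_signature(p)]

# Constructed sample traffic (documentation addresses, not captured data)
SAMPLES = [
    build_packet(0, 0),              # both zero: the combination described above
    build_packet(0, 5840),           # IP ID 0 only
    build_packet(4321, 0),           # zero window only (ordinary flow control)
    build_packet(0, 0, flags=0x14),  # RST+ACK with both zero
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(i, inspect(SAMPLES[i]))
```

A zero window on its own is ordinary TCP flow control, so the `df` and `rst` fields in the output help separate the flagged combination from routine traffic.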
