[Dshield] Question about spam sent to list address

Johannes B. Ullrich jullrich at sans.org
Mon Mar 6 13:40:24 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


Do you have any packet captures? All the e-mail sent by
mail2.dshield.org should originate from a perl script calling sendmail.
Our outbound mail gateway is running qmail.  But who knows. Maybe a
firewall is messing with the packets.



Frank Knobbe wrote:
> On Fri, 2006-03-03 at 07:48 -0500, Johannes B. Ullrich wrote:
>> Chris Wright wrote:
>>> I would say that I only received two postings today (yours is one of them).
> 
>> I know we had some issues with Comcast blocking our mail as 'spam' last
>> week, but I think that has been resolved. For us, spam is pretty much a
>> two way battle. Not only trying to keep it out of our systems, but also
>> trying to prevent us from being blocked by others as spam. From time to
>> time, people try to blacklist us with various lists (e.g. spamcop and such).
> 
> We noticed something peculiar in regards to the list emails earlier this
> week. It appears that on occasion, the mail server mail2.dshield.org
> sends out packets with window size being 0 and IP ID being 0. That
> matches an IDS signature for a known spam MTA. Now, I don't think you
> guys are using spambots to distribute DShield posts, but it might be
> that the list server sets the window size in its packets to 0 in order
> to save bandwidth as it causes the remote hosts to stop sending packets
> back. Perhaps that is done as a measure to ease load on the server,
> don't know.
> 
> But it is likely that certain IPSes and blocking IDSes (like it happened
> to us) might filter email from Dshield based on that behavior.
> 
> Perhaps something to check on your end... why the server sets both,
> receiving TCP Window size *and* IP ID, to 0.
> 
> Regards,
> Frank

- --

- -------------------
Johannes B. Ullrich, Ph.D
Chief Research Officer
SANS Institute
http://isc.sans.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEDDvIPNuXYcm/v/0RA79mAJ0QKidAjNG2w3FPf8/L/Ecnskm/xwCeJHQF
+1Ap8soyWB7/5UWDVVfryaM=
=GVo2
-----END PGP SIGNATURE-----
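The fingerprint Frank describes (outbound packets carrying both a TCP window of 0 and an IP ID of 0) is easy to check for in a capture, which is what Johannes asks for. The following is an added example written for this archive page, not code from either poster or from DShield: it parses a raw IPv4+TCP header and flags packets matching that combination, so an operator can confirm whether their own MTA emits it before a blocking IDS does. The packets are constructed inline; the addresses and ports are placeholders, not anything from the thread.

```python
import struct

# Build a minimal 20-byte IPv4 header + 20-byte TCP header (constructed sample,
# not a real capture). Only the fields the check inspects are meaningful.
def build_ipv4_tcp(ip_id, tcp_window, src="192.0.2.10", dst="198.51.100.20",
                   sport=25, dport=51000, df=True):
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    frag_field = 0x4000 if df else 0          # DF bit lives in the flags/fragment word
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, ip_id, frag_field, 64, 6, 0, src_b, dst_b)
    # data offset 5 words, flags PSH|ACK, window as given, checksum/urgent zeroed
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 1, 1, 0x50, 0x18, tcp_window, 0, 0)
    return ip_hdr + tcp_hdr

# Parse the IPv4 and TCP fields relevant to the zero-window / zero-ID fingerprint.
def parse_ipv4_tcp(pkt):
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                 # IP header length in bytes
    ip_id, frag_field = struct.unpack_from("!HH", pkt, 4)
    if pkt[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    tcp_flags = pkt[ihl + 13]
    window, = struct.unpack_from("!H", pkt, ihl + 14)
    return {"src": src, "sport": sport, "dport": dport, "ip_id": ip_id,
            "df": bool(frag_field & 0x4000), "tcp_flags": tcp_flags,
            "window": window}

# The signature in the thread: both IP ID and TCP window are zero on the same packet.
def matches_zero_window_zero_id(fields):
    return fields["ip_id"] == 0 and fields["window"] == 0

# Scan a list of raw packets and return the sources that emitted matching packets,
# with a count each, so a single legitimate zero-window advertisement does not
# dominate the result.
def scan_for_spam_mta_fingerprint(packets):
    hits = {}
    for pkt in packets:
        fields = parse_ipv4_tcp(pkt)
        if matches_zero_window_zero_id(fields):
            hits[fields["src"]] = hits.get(fields["src"], 0) + 1
    return hits

if __name__ == "__main__":
    sample = [build_ipv4_tcp(0, 0), build_ipv4_tcp(0, 0),     # both zero: matches
              build_ipv4_tcp(4321, 0),                        # zero window only
              build_ipv4_tcp(0, 16384)]                       # zero ID only
    print(scan_for_spam_mta_fingerprint(sample))              # {'192.0.2.10': 2}
```

Either field alone is not unusual: a zero window is ordinary TCP flow control when a receive buffer fills, and some stacks send IP ID 0 on packets with DF set. That is why the check keys on the pair, as the IDS signature Frank mentions does, and reports a count per source rather than alerting on the first packet.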
