[Dshield] PDF Spam Wave

Chuck Rothauser chuckr at keywestkeys.com
Sat Aug 11 13:25:42 GMT 2007


yup...I have first-hand experience with my domain being blacklisted due to 
spammers.....it took 3 months to get it taken off but smtp mail relays that 
do no domain checking still exist........

---> Chuck

----- Original Message ----- 
From: "Tomas L. Byrnes" <tomb at byrneit.net>
To: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Friday, August 10, 2007 11:59 AM
Subject: Re: [Dshield] PDF Spam Wave


> Domains can be blacklisted. Many of the malware and anti-phishing
> blacklists are URLs and FQDNs, not IP addresses.
>
>
>
>> -----Original Message-----
>> From: list-bounces at lists.dshield.org
>> [mailto:list-bounces at lists.dshield.org] On Behalf Of Freddie Sorensen
>> Sent: Friday, August 10, 2007 7:20 AM
>> To: list at lists.dshield.org
>> Subject: Re: [Dshield] PDF Spam Wave
>>
>> Domains are not blacklisted - IP addresses are blacklisted
>>
>>
>>
>> -------- Original Message --------
>> From: Chuck Rothauser [mailto:chuckr at keywestkeys.com]
>> Sent: 10.08.2007 14:52:20
>> To: "General DShield Discussion List" <list at lists.dshield.org>;
>> Subject: Re: [Dshield] PDF Spam Wave
>>
>>
>> Still worse,
>> Spammers find smtp mail relays and use legitimate
>> domains which then causes
>> the legitimate domain to be blacklisted........no fun
>> trying to get your
>> domain "unlisted"......
>> ---> Chuck
>> ----- Original Message -----
>> From: "Cefiar"
>> To:
>> Sent: Friday, August 10, 2007 2:16 AM
>> Subject: Re: [Dshield] PDF Spam Wave
>> > On Tuesday 07 August 2007 19:55:35 jayjwa wrote:
>> >> *this* PDF spam:
>> >>
>> >> 1. Spammer connects to large.email.provider (no
>> http-to-smtp header),
>> >> submits email w/PDF attachment spoofed as
>> >> (random-made-up-user)@certain.domain
>> >>
>> >> 2. Spammer sends email to non-existing user,
>> >> (random)@(random-but-real-domain). So now we have
>> fake mail going to
>> >> non-existing user.
>> >>
>> >> 3. All of the (random-but-real-domain)s now receive
>> mail to the correct
>> >> domain, but to a user that _does not exist_ or
>> cannot receive mail for
>> >> some
>> >> other reason.
>> >>
>> >> 4. They reject this. How is this *not* correct behavior?
>> >>
>> >> 5. Now certain.domain gets this "bounce". Only it's
>> not a real bounce
>> >> because certain.domain _never sent anything or
>> handled any mail_.
>> >>
>> >> 6. "Bounce" (remember, certain.domain did not send
>> anything to begin
>> >> with)
>> >> is labeled to (random)@certain.domain. Obviously,
>> (random) does not
>> >> exist.
>> >> What to do with mail to a user that does not exist?
>> Do you see the cycle
>> >> here?
>> >
>> > ...And unfortunately I've seen this for well over 7
>> years, and in many
>> > cases
>> > my own personal and work addresses have been the destinations.
>> Then it
>> > migrated well over 5 years ago to a combination of
>> random addresses,
>> > addresses pulled from address books and off mailing
>> lists, and corrupted
>> > versions of the same. Ever seen mail aimed at a user
>> called "rdomo"?
>> > Welcome
>> > to a corrupted "majordomo" email address. I've even
>> got email directed at
>> > "r"
>> > and "o" on the same machine.
>> >
>> >> To make matters worse, multiply the above by the
>> 10,000 or so messages
>> >> the
>> >> spam run seemed to generate, and also the fact that
>> some mailservers kept
>> >> trying to re-deliver even after the transaction was 550'ed.
>> The
>> >> "certain.domain" happened to be one of my intranet
>> hosts. The only
>> >> sensible
>> >> thing I could come up with that ended mail to no one
>> looping around in
>> >> circles was eating these fake bounces at the door,
>> which it showed
>> >> towards
>> >> the bottom of my original post.
>> >
>> > In many of the above cases (eg: "rdomo"), I simply
>> created an alias and
>> > fed
>> > the mail directly into things like spamassassin's
>> learning mode,
>> > especially
>> > when I was "sure" the address was bogus.
>> >
>> >> Moreover, this spam operated more like an email
>> virus, in that I don't
>> >> think it would be wise to bounce them, but rather sink them.
>> The only
>> >> place
>> >> all these spam could end would be in the mailbox of
>> a postmaster, which
>> >> seemed to me a pretty worthless spam run (as no
>> end-users ever got any
>> >> messages). Why someone would initiate such a spam
>> run was one of the
>> >> things
>> >> I was hoping to find out. If it was Joe-Job, as
>> someone suggested, then
>> >> no,
>> >> I have not seen a lot directed at me (especially to a
>> low-activity,
>> >> intranet
>> >> server) as I do not run a commercial, educational
>> institute or ISP
>> >> mailserver.
>> >
>> > As mentioned above, I have seen this sort of problem for the last
>> 7 or so
>> > years,
>> > on various addresses (from commercial, educational, ISP and
>> > non-commercial)
>> > over that time. Spammers and virus writers are
>> feeding off each others
>> > technical know-how, and abusing the system in any way
>> they can get away
>> > with.
>> >
>> >> ------------Reply to second post, tonni at hetnet.nl:
>> >>
>> >> ->I have a perfect pdf spam solution, I refuse all
>> mail that isn't for my
>> >> -> users, my 1550+ user site currently refuses far
>> more mail than it is
>> >> -> offered,
>> >>
>> >> In this case (#2), your perfect pdf spam solution
>> would have contributed
>> >> to
>> >> the storm of bounces already in session...
>> >
>> > It might, but the problem here is not that it's being
>> rejected inline -
>> > it's
>> > that large.email.provider is not adequately filtering
>> mail, no matter what
>> > the source. They're the source of the problem (they
>> accept the mail in the
>> > first place), and they're the ones that should be the
>> source of your ire.
>> >
>> > Personally, I put everything through a spam filter.
>> Whether the user is
>> > authenticated or not, whether they're from a trusted
>> IP space or not, and
>> > even if it's from a local process on the machine
>> running the mail server.
>> > I
>> > also enforce things like not allowing banned files no
>> matter how they're
>> > injected into the system for the same reason. When it
>> comes to things like
>> > this, I trust no one. It also makes things a lot
>> easier by reducing the
>> > complexity of a setup, and therefore the number of
>> different paths that
>> > need
>> > to be tested when things change to ensure correct operation.
>> >
>> > --
>> > Stuart Young - aka Cefiar - cef at optus.net
>> > _________________________________________
>> > SANSFIRE 2007 July 25-August 2 in Washington, DC.  56
>> courses, SANS top
>> > instructors, and a great tools and solutions expo.
>> Register today!
>> > http://www.sans.org/info/4651 (brochure code ISC)
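The thread above describes two edge-of-network defences against this kind of backscatter: refusing mail for users that do not exist inline at RCPT TO (so the refusal never turns into a new bounce), and sinking "bounces" that refer to messages the domain never sent. The script below is an added example, not code from any poster in this thread or from DShield; it models both decisions over a constructed batch of envelopes. The domain name, user list, the assumption that the local MTA keeps a log of the Message-IDs it emitted, and all sample messages are constructed for the example.

```python
"""Triage of backscatter ("fake bounces") at the mail edge.

Added example, not code from the DShield thread or from any of its posters.
It models the two defensive decisions the thread describes: reject mail for
unknown local users inline at RCPT TO (so no bounce is ever generated), and
sink bounces that reference a message this domain never sent. Everything
here is constructed: the domain, the user list, and the log of Message-IDs
that the local MTA is assumed to have emitted.
"""
from dataclasses import dataclass, field
import re

LOCAL_DOMAIN = "certain.example"          # stands in for the thread's certain.domain
LOCAL_USERS = {"postmaster", "alice", "majordomo"}

# Assumed: the MTA records the Message-ID of every message it sends. A
# genuine DSN quotes that ID; a backscatter bounce cannot, because
# certain.domain never sent the message it claims to be bouncing.
SENT_MESSAGE_IDS = {"<20070810.1@certain.example>"}

MSGID_RE = re.compile(r"<[^\s<>]+@[^\s<>]+>")


@dataclass
class Envelope:
    mail_from: str            # envelope sender; "" represents the null sender <>
    rcpt_to: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def split_address(addr):
    """Return (local_part, domain), lower-cased; domain is '' if absent."""
    addr = addr.strip().strip("<>").lower()
    local, _, domain = addr.rpartition("@")
    return (local, domain) if local else (domain, "")


def looks_like_bounce(env):
    """A null envelope sender, or a well-known bounce sender, marks a DSN."""
    if env.mail_from == "":
        return True
    local, _ = split_address(env.mail_from)
    return local in {"mailer-daemon", "postmaster"}


def referenced_message_ids(env):
    """Message-IDs a bounce claims to be about: In-Reply-To plus any in the body."""
    ids = set(MSGID_RE.findall(env.body))
    if env.headers.get("In-Reply-To"):
        ids.add(env.headers["In-Reply-To"].strip())
    return ids


def decide(env):
    """Return (action, reason). REJECT is an inline 5xx at SMTP time, which
    creates no new message; DISCARD accepts and sinks the mail silently,
    the 'eat it at the door' option for bounces nobody asked for."""
    user, domain = split_address(env.rcpt_to)
    if domain != LOCAL_DOMAIN:
        return "REJECT", "554 5.7.1 relay access denied"
    if user not in LOCAL_USERS:
        # Step 4 in the thread: refusing at RCPT TO is correct behaviour and,
        # unlike accept-then-bounce, feeds nothing back into the loop.
        return "REJECT", "550 5.1.1 no such user"
    if looks_like_bounce(env):
        if referenced_message_ids(env) & SENT_MESSAGE_IDS:
            return "ACCEPT", "genuine DSN for a message we sent"
        return "DISCARD", "backscatter: DSN for a message we never sent"
    return "ACCEPT", "ok"


def triage(envelopes):
    """Run decide() over a batch and count actions, as a log summary would."""
    counts = {"ACCEPT": 0, "REJECT": 0, "DISCARD": 0}
    for env in envelopes:
        counts[decide(env)[0]] += 1
    return counts


# Constructed sample traffic mirroring the thread's scenario.
SAMPLE = [
    # a real bounce for a message alice actually sent
    Envelope("", "alice@certain.example",
             {"In-Reply-To": "<20070810.1@certain.example>"},
             "Your message could not be delivered.\n"),
    # backscatter to a made-up local user: refused at RCPT TO, no bounce made
    Envelope("", "x7q2p@certain.example", {},
             "Undelivered: <abc@random-real.example>"),
    # backscatter aimed at an existing user; body quotes an ID we never emitted
    Envelope("MAILER-DAEMON@random-real.example", "postmaster@certain.example", {},
             "Message-ID: <spamrun42@large.email.provider.example>\n"),
    # ordinary inbound mail
    Envelope("bob@elsewhere.example", "alice@certain.example", {}, "hi"),
]

if __name__ == "__main__":
    for env in SAMPLE:
        print(decide(env), env.rcpt_to)
    print(triage(SAMPLE))
```

The distinction between REJECT and DISCARD is the point of the exercise: an inline 5xx at RCPT TO costs nothing and generates no new message, whereas a fake bounce that has already been accepted can only be sunk, since bouncing it again would continue the loop the thread describes. Matching against the sent-Message-ID log is one of several ways to tell a genuine DSN from backscatter; a sender-address tag such as BATV would serve the same role.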


