[unisog] Super-hidden spamming exploits?
david.escalante at bc.edu
Tue Oct 7 21:06:32 GMT 2003
Thomas DuVally wrote:
>Exactly! Is this new or are the spammers just getting around to us? We
>first saw this early last week. If this is a new trend, how are other
>people handling this? We are implementing a few ideas, but we can't
>think of anything approaching a REAL solution, other than shutting off
>SMTP, which isn't really an option, is it?
We've been plagued by this for the past week and a half. I've sat down
at a couple infected machines to try to find the client s/w, and the
student computers in question were running so many inappropriate
programs, it was impossible to track down the actual culprit.
What we did this morning to alleviate this, so far successfully (we
caught several more "baddies" and irritated only a small number of
legitimate users), was to block our inbound mail server from relaying
messages sourced from our domain.
Your mileage may vary -- we could do this because we have an
architecture which splits inbound mail receipt, outbound mail delivery,
and campus mail onto different boxes/platforms. Our legitimate internal
users are pointed at our "outbound mail delivery" box, which is not
MX-ed. My theory on this whole thing is that the hackers are using SMTP
hosts that show up in MX records as their outbound relays, because in
our case the hacked student machines SHOULD be using our "outbound mail
delivery" box, and instead are using an obscure box that happens to
appear in DNS, but not in any of our documentation for how to send mail
around campus. The biggest glitch we ran into thus far was that mail
sub-domains on campus (e.g. "username at arthistory.bc.edu" where
"arthistory" is its own MX) look like spammers to the filter, and we had
to create exceptions for them.
This is not quite a "REAL solution" in my mind, but it appears to have
mitigated the problem temporarily, and we couldn't do authenticated SMTP
in the time frame required to shut these nasties down, so I offer it up
simply as a potential short-term solution if your architecture supports
Director of Computer Security
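As an added illustration (example code written for this page, not part of the original post and not anything the poster's site actually ran), the mitigation described above can be modelled as a small policy check on the inbound MX plus a scan of its submission log: mail whose envelope sender claims to be the campus domain is refused on the inbound MX (internal users are supposed to use the separate, non-MX outbound relay), sub-domains that run their own MX are exempted, and campus hosts that keep hitting the reject rule are listed as candidate infected machines. The domain name, campus network range, log format and every log line are constructed for the example.

```python
"""
Inbound-MX sender policy and log triage (constructed example).

Models the short-term mitigation described on the list: the inbound MX will not
relay mail sourced from our own domain, except for sub-domains that have their
own MX record. Campus hosts that repeatedly trip the rule are the machines to go
and look at.
"""
import ipaddress
import re
from collections import Counter

# Assumptions for the example: our mail domain, the sub-domains with their own
# MX (the "arthistory" case from the post), and the campus address range.
OUR_DOMAIN = "example.edu"
MX_SUBDOMAINS = {"arthistory.example.edu"}
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_campus_ip(ip: str) -> bool:
    """True if the client address falls inside one of the campus networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def inbound_mx_policy(sender: str) -> str:
    """Verdict for a message offered to the inbound MX (not the outbound relay).

    Mail claiming our domain, or any sub-domain of it, is rejected unless the
    sub-domain is one that legitimately runs its own MX. An empty envelope
    sender (a bounce, '<>') has no domain and is accepted.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        if domain in MX_SUBDOMAINS:
            return "ACCEPT"  # exception: sub-domain with its own MX
        return "REJECT"      # our domain should never enter via the inbound MX
    return "ACCEPT"


# Constructed, simplified log format: one line per submission on the MX host.
LOG_LINE = re.compile(
    r"^(?P<host>\S+) smtpd: client=\S*\[(?P<ip>[\d.]+)\] "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>$"
)

# Constructed sample: one campus host pushing our-domain mail through the MX
# three times, one legitimate sub-domain MX, one external sender, one stray.
SAMPLE_LOG = """\
mx1 smtpd: client=unknown[10.1.2.3] from=<alice@example.edu> to=<x1@remote.example>
mx1 smtpd: client=unknown[10.1.2.3] from=<bob@example.edu> to=<x2@remote.example>
mx1 smtpd: client=unknown[10.1.2.3] from=<carol@example.edu> to=<x3@remote.example>
mx1 smtpd: client=arthistory[10.5.0.2] from=<prof@arthistory.example.edu> to=<x4@remote.example>
mx1 smtpd: client=mail.remote[198.51.100.7] from=<friend@remote.example> to=<dave@example.edu>
mx1 smtpd: client=unknown[10.1.2.9] from=<eve@example.edu> to=<x5@remote.example>
"""


def scan_inbound_mx_log(text: str, threshold: int = 2):
    """Apply the policy to each log line and count rejects per campus client.

    Returns (decisions, suspects): decisions is a list of
    (client_ip, sender, verdict); suspects is the sorted list of campus
    addresses rejected at least `threshold` times, i.e. hosts worth visiting.
    """
    decisions = []
    rejects_per_client = Counter()
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        verdict = inbound_mx_policy(m["sender"])
        decisions.append((m["ip"], m["sender"], verdict))
        if verdict == "REJECT" and is_campus_ip(m["ip"]):
            rejects_per_client[m["ip"]] += 1
    suspects = sorted(ip for ip, n in rejects_per_client.items() if n >= threshold)
    return decisions, suspects


if __name__ == "__main__":
    decisions, suspects = scan_inbound_mx_log(SAMPLE_LOG)
    for ip, sender, verdict in decisions:
        print(f"{verdict:6} {ip:15} {sender}")
    print("campus hosts to inspect:", suspects)
```

The trade-off the post mentions is visible in the policy function: any legitimate user who points a mail client at the MX host rather than the documented outbound relay, and any off-campus system that forwards mail with a campus envelope sender, is rejected too, which is why the sub-domain exception list has to be maintained by hand.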