[unisog] Super-hidden spamming exploits?

David Escalante david.escalante at bc.edu
Tue Oct 7 21:06:32 GMT 2003


Thomas DuVally wrote:

>Exactly! Is this new or are the spammers just getting around to us? We
>first saw this early last week. If this is a new trend, how are other
>people handling this? We are implementing a few ideas, but we can't
>think of anything approaching a REAL solution, other than shutting off
>SMTP, which isn't really an option, is it?
>
We've been plagued by this for the past week and a half.  I've sat down 
at a couple infected machines to try to find the client s/w, and the 
student computers in question were running so many inappropriate 
programs, it was impossible to track down the actual culprit.

What we did this morning to alleviate this, so far successfully (we 
caught several more "baddies" and irritated only a small number of 
legitimate users), was to block our inbound mail server from relaying 
messages sourced from our domain. 

Your mileage may vary -- we could do this because we have an 
architecture which splits inbound mail receipt, outbound mail delivery, 
and campus mail onto different boxes/platforms.  Our legitimate internal 
users are pointed at our "outbound mail delivery" box, which is not 
MX-ed.  My theory on this whole thing is that the hackers are using SMTP 
hosts that show up in MX records as their outbound relays, because in 
our case the hacked student machines SHOULD be using our "outbound mail 
delivery" box, and instead are using an obscure box that happens to 
appear in DNS, but not in any of our documentation for how to send mail 
around campus.  The biggest glitch we ran into thus far was that mail 
sub-domains on campus (e.g. "username at arthistory.bc.edu" where 
"arthistory" is its own MX) look like spammers to the filter, and we had 
to create exceptions for them.

This is not quite a "REAL solution" in my mind, but it appears to have 
mitigated the problem temporarily, and we couldn't do authenticated SMTP 
in the time frame required to shut these nasties down, so I offer it up 
simply as a potential short-term solution if your architecture supports 
something similar.
--
David Escalante
Director of Computer Security
Boston College
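
The filter described in this message, sketched as an added Python example (not code from the original post or from Boston College's mail system). It assumes the inbound MX decides on the envelope sender's domain; `example.edu`, the exempt list, and the sample senders are constructed placeholders.

```python
# Added illustration of the policy: the MX-listed inbound server refuses mail
# whose envelope sender claims the campus domain, except for sub-domains that
# run their own MX. Assumption: the decision keys on the MAIL FROM domain.

CAMPUS_DOMAIN = "example.edu"                    # placeholder campus domain
EXEMPT_SUBDOMAINS = {"arthistory.example.edu"}   # constructed exception list


def sender_domain(mail_from):
    """Lower-cased domain of an envelope sender, or None for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def in_domain(domain, parent):
    """True if domain is parent or a sub-domain of it (label-boundary match)."""
    return domain == parent or domain.endswith("." + parent)


def relay_decision(mail_from):
    """Return 'reject' or 'accept' for a message arriving at the inbound MX."""
    domain = sender_domain(mail_from)
    if domain is None:
        return "accept"   # assumption: bounces (null sender) are left alone
    if any(in_domain(domain, d) for d in EXEMPT_SUBDOMAINS):
        return "accept"   # sub-domain with its own MX: the exception case
    if in_domain(domain, CAMPUS_DOMAIN):
        return "reject"   # campus-sourced mail belongs on the outbound box
    return "accept"


# Constructed sample envelope senders
SAMPLES = [
    "<student@example.edu>",           # compromised host using the MX box
    "<prof@ArtHistory.Example.EDU>",   # exempt sub-domain, mixed case
    "<user@cs.example.edu>",           # sub-domain without an exception
    "<someone@notexample.edu>",        # lookalike: must not match by suffix
    "<>",                              # null sender
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:35} {relay_decision(s)}")
```

Matching on a label boundary (`"." + parent`) keeps the rule from catching unrelated domains that merely end in the same characters.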


