[personal profile] robbat2

In the early hours of this morning, a spammer managed to get the IP of the Gentoo list server on the NiX Spam RBL... simply by spamming the subscribe address :-(. This caused approximately 2000 deliveries of normal list mail to be rejected while the server was present on the RBL.

Notice the subscribe request, line 0004. (whitespace added)

0001 Feb  1 00:15:56 pigeon postfix/smtpd[29314]: 52278E0778: client=unknown[210.212.220.106]
0002 Feb  1 00:15:57 pigeon postfix/cleanup[31589]: 52278E0778:
  message-id=<01caa301$d307f7d0$b173a8c0@ambachglasfaser>
0003 Feb  1 00:15:58 pigeon postfix/qmgr[12260]: 52278E0778:
  from=<ambachglasfaser@test.mailnet.dyndns.biz>,
  size=59874, nrcpt=3 (queue active)
0004 Feb  1 00:15:58 pigeon postfix/local[31581]: 52278E0778:
  to=<gentoo-embedded+subscribe@lists.gentoo.org>,
  orig_to=<gentoo-embedded-subscribe@lists.gentoo.org>,
  relay=local, delay=2.4, delays=2.4/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
0005 Feb  1 00:15:58 pigeon postfix/local[31716]: 52278E0778:
  to=<gentoo-user-id@lists.gentoo.org>,
  relay=local, delay=2.4, delays=2.4/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
0006 Feb  1 00:15:58 pigeon postfix/local[31509]: 52278E0778:
  to=<gentoo-gwn@lists.gentoo.org>,
  relay=local, delay=2.4, delays=2.4/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to command: ....)
0007 Feb  1 00:15:58 pigeon postfix/qmgr[12260]: 52278E0778: removed

Assuming that it's a real subscribe request, we send a confirmation request, and promptly get blacklisted for being a good citizen. See line 0013.

0010 Feb  1 00:15:58 pigeon postfix/smtpd[31587]: B6FA9E0778: client=localhost[127.0.0.1]
0011 Feb  1 00:15:58 pigeon postfix/cleanup[31589]: B6FA9E0778:
  message-id=<1264983358-31717-mlmmj-3905840d@lists.gentoo.org>
0012 Feb  1 00:15:58 pigeon postfix/qmgr[12260]: B6FA9E0778:
  from=<gentoo-embedded+bounces-confsub-32dfa15d1a18a7a9-ambachglasfaser=test.mailnet.dyndns.biz@lists.gentoo.org>,
  size=1345, nrcpt=1 (queue active)
0013 Feb  1 00:16:29 pigeon postfix/smtp[31603]: B6FA9E0778:
  to=<ambachglasfaser@test.mailnet.dyndns.biz>,
  relay=mx.dyndns.biz[217.11.54.110]:25, delay=31, delays=0.06/0/30/0.41, dsn=5.7.1,
  status=bounced (host mx.dyndns.biz[217.11.54.110] said:
    554 5.7.1 Service unavailable; Your spam message has been received.
    You will be blacklisted. Thank you (in reply to end of DATA command))
0014 Feb  1 00:16:29 pigeon postfix/bounce[31637]: B6FA9E0778: sender non-delivery notification: B8AE9E089A
0015 Feb  1 00:16:29 pigeon postfix/qmgr[12260]: B6FA9E0778: removed

Why did this happen? I do agree on the importance of spamtrap accounts, but they MUST check the content of their messages. A list confirmation message MUST NOT be considered as spam.

The original subscribe request came from what seems to be a compromised server in Secunderabad, India. So it wouldn't have been detected by an RBL focused on modem/dialup addresses.

Short of raising the bar to subscribe (with a specific token that needs to be included, and then it's only a matter of time till spammers include it too), there isn't much we can do to block stuff like this at the list-server level. There is no way to detect that an address is a spamtrap. There cannot be, by definition, as the spammers would otherwise avoid it themselves.
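As an added illustration (my code, not part of the original post and not Gentoo's or mlmmj's tooling), the following Python script correlates Postfix log lines by queue ID the way one would when investigating this incident. It re-joins the log excerpt above into single lines, flags subscribe requests that were also addressed to other list recipients (a genuine subscriber mails only the subscribe address), and pulls out rejected confirmation messages together with the remote MX's reply. The queue-ID regex, the "confsub" sender tag and the "blacklist" keyword match are assumptions drawn from this excerpt, not from Postfix or mlmmj documentation.

```python
import re
from collections import defaultdict

# Input: the log lines quoted in the post, re-joined into single lines (the post
# inserted line breaks for readability). Nothing else here is real log data.
LOG = """\
Feb  1 00:15:56 pigeon postfix/smtpd[29314]: 52278E0778: client=unknown[210.212.220.106]
Feb  1 00:15:57 pigeon postfix/cleanup[31589]: 52278E0778: message-id=<01caa301$d307f7d0$b173a8c0@ambachglasfaser>
Feb  1 00:15:58 pigeon postfix/qmgr[12260]: 52278E0778: from=<ambachglasfaser@test.mailnet.dyndns.biz>, size=59874, nrcpt=3 (queue active)
Feb  1 00:15:58 pigeon postfix/local[31581]: 52278E0778: to=<gentoo-embedded+subscribe@lists.gentoo.org>, orig_to=<gentoo-embedded-subscribe@lists.gentoo.org>, relay=local, delay=2.4, delays=2.4/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
Feb  1 00:15:58 pigeon postfix/local[31716]: 52278E0778: to=<gentoo-user-id@lists.gentoo.org>, relay=local, delay=2.4, delays=2.4/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
Feb  1 00:15:58 pigeon postfix/local[31509]: 52278E0778: to=<gentoo-gwn@lists.gentoo.org>, relay=local, delay=2.4, delays=2.4/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to command: ....)
Feb  1 00:15:58 pigeon postfix/qmgr[12260]: 52278E0778: removed
Feb  1 00:15:58 pigeon postfix/smtpd[31587]: B6FA9E0778: client=localhost[127.0.0.1]
Feb  1 00:15:58 pigeon postfix/cleanup[31589]: B6FA9E0778: message-id=<1264983358-31717-mlmmj-3905840d@lists.gentoo.org>
Feb  1 00:15:58 pigeon postfix/qmgr[12260]: B6FA9E0778: from=<gentoo-embedded+bounces-confsub-32dfa15d1a18a7a9-ambachglasfaser=test.mailnet.dyndns.biz@lists.gentoo.org>, size=1345, nrcpt=1 (queue active)
Feb  1 00:16:29 pigeon postfix/smtp[31603]: B6FA9E0778: to=<ambachglasfaser@test.mailnet.dyndns.biz>, relay=mx.dyndns.biz[217.11.54.110]:25, delay=31, delays=0.06/0/30/0.41, dsn=5.7.1, status=bounced (host mx.dyndns.biz[217.11.54.110] said: 554 5.7.1 Service unavailable; Your spam message has been received. You will be blacklisted. Thank you (in reply to end of DATA command))
Feb  1 00:16:29 pigeon postfix/bounce[31637]: B6FA9E0778: sender non-delivery notification: B8AE9E089A
Feb  1 00:16:29 pigeon postfix/qmgr[12260]: B6FA9E0778: removed
"""

# Syslog prefix + Postfix daemon + queue ID; the rest is a comma-separated key=value list.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# key=<addr> or key=token; an angle-bracketed value may itself contain '=' (VERP senders).
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")
# Assumed subscribe-address convention, taken from the excerpt: list-subscribe@ / list+subscribe@
SUBSCRIBE_RE = re.compile(r"^[^@]+[-+]subscribe@", re.I)


def parse_log(text):
    """Group Postfix log lines by queue ID into sender / client / recipient / bounce records."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "nrcpt": 0,
                                "recipients": [], "bounces": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m["qid"]]
        fields = {k: v.strip("<>") for k, v in FIELD_RE.findall(m["rest"])}
        if m["prog"] == "smtpd" and "client" in fields:
            rec["client"] = fields["client"]
        elif m["prog"] == "qmgr" and "from" in fields:
            rec["sender"] = fields["from"]
            rec["nrcpt"] = int(fields.get("nrcpt", 0))
        elif m["prog"] in ("local", "smtp") and "to" in fields:
            # orig_to is the address as the client wrote it, before alias rewriting
            rec["recipients"].append(fields.get("orig_to", fields["to"]))
            if fields.get("status") == "bounced":
                reply = re.search(r"said: (.*?) \(in reply to", m["rest"])
                rec["bounces"].append((fields.get("relay"), fields.get("dsn"),
                                       reply.group(1) if reply else ""))
    return dict(msgs)


def suspicious_subscriptions(msgs):
    """Flag subscribe requests that were also delivered to other recipients in the same envelope."""
    findings = []
    for qid, rec in msgs.items():
        subs = [r for r in rec["recipients"] if SUBSCRIBE_RE.match(r)]
        others = [r for r in rec["recipients"] if not SUBSCRIBE_RE.match(r)]
        if subs and (others or rec["nrcpt"] > len(subs)):
            findings.append({"qid": qid, "client": rec["client"], "sender": rec["sender"],
                             "subscribe": subs, "other_recipients": others})
    return findings


def confirmation_bounces(msgs):
    """List confirmation messages (sender tagged 'confsub', as in the excerpt) that the remote MX rejected."""
    out = []
    for qid, rec in msgs.items():
        if rec["sender"] and "confsub" in rec["sender"]:
            for relay, dsn, reply in rec["bounces"]:
                out.append({"qid": qid, "relay": relay, "dsn": dsn, "reply": reply,
                            "blacklist_threat": "blacklist" in reply.lower()})
    return out


if __name__ == "__main__":
    parsed = parse_log(LOG)
    for f in suspicious_subscriptions(parsed):
        print("subscribe request with extra recipients:", f)
    for b in confirmation_bounces(parsed):
        print("rejected confirmation:", b)
```

Run against the excerpt, the first function singles out queue ID 52278E0778 (one subscribe address plus two unrelated list addresses in a single envelope) and the second reports the 5.7.1 rejection of B6FA9E0778 with the "You will be blacklisted" reply, which is the signal an operator would want alerted on before the RBL listing propagates.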

(no subject)

Date: 2010-02-02 10:25 am (UTC)
From: (Anonymous)
Please see

> http://www.heise.de/ix/foren/S-Re-Mailinglisten-Bestaetigungs-Email-an-Spamtrap-legt-Gentoos-Mailinglisten-lahm/forum-48292/msg-18035095/read/showthread-1/

for a response (in German) to the problem.

The commenter suggests Gentoo list emails honor RFC3834.

Greetings

Marcel.

(no subject)

Date: 2010-02-02 10:38 pm (UTC)
From: [identity profile] robbat2.livejournal.com
Thanks, I have confirmed that we're not fully RFC3834 compliant due to a bug in the mailing list software (it's not passing on some headers that it should be), and I'm taking that up with the upstream.
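As an added example (my code, not robbat2's and not mlmmj's), here is how a list server's confirmation step can follow RFC 3834: the outgoing confirmation carries Auto-Submitted: auto-replied and In-Reply-To, and the inbound message is checked first so that nothing machine-generated is answered (no reply to a message already marked Auto-Submitted, none to a null reverse-path). A spamtrap operator applying the same check before listing a sender would see the confirmation for what it is. The Precedence test is a widely used convention included here, not an RFC 3834 requirement; the sample messages, token and wording are constructed.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import make_msgid

# Only these Auto-Submitted values (or no header at all) may receive an automatic
# reply under RFC 3834 section 2; anything else is itself machine-generated.
ANSWERABLE = {"no"}
# Conventional bulk-mail markers; widely honoured, but not a MUST in RFC 3834.
BULK_PRECEDENCE = {"list", "bulk", "junk"}

# Constructed sample messages (not real traffic).
SUBSCRIBE_REQUEST = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: gentoo-embedded-subscribe@lists.gentoo.org
Message-ID: <constructed-1@example.org>
Subject: subscribe

"""
AUTO_REPLY = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: gentoo-embedded-subscribe@lists.gentoo.org
Auto-Submitted: auto-replied
Subject: Out of office

"""
NULL_SENDER = """\
Return-Path: <>
From: noreply@example.net
To: gentoo-embedded-subscribe@lists.gentoo.org
Subject: subscribe

"""


def should_auto_respond(msg):
    """Decide whether msg may be answered automatically; returns (allowed, reason)."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto not in ANSWERABLE:
        return False, f"Auto-Submitted: {auto}"
    return_path = (msg.get("Return-Path") or "").strip()
    if return_path in ("", "<>"):  # RFC 3834: never respond to a null reverse-path
        return False, "null reverse-path"
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return False, f"Precedence: {msg['Precedence']}"
    return True, "ok"


def build_confirmation(request, list_addr, token):
    """Build the confirmation request a list server sends back, labelled per RFC 3834.

    Returns None when the inbound message must not be answered. Token format and
    body text are placeholders for this example, not mlmmj's real format.
    """
    allowed, _ = should_auto_respond(request)
    if not allowed:
        return None
    reply = EmailMessage()
    reply["From"] = list_addr
    # RFC 3834: send the response to the envelope sender (Return-Path), not to From:
    reply["To"] = request["Return-Path"].strip("<>")
    reply["Subject"] = f"Confirm subscription to {list_addr}"
    reply["Message-ID"] = make_msgid(domain=list_addr.split("@")[1])
    if request.get("Message-ID"):
        reply["In-Reply-To"] = request["Message-ID"]
    # "auto-replied": a direct automatic response to another message
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content(f"Reply to this message to confirm your subscription. Token: {token}")
    return reply


def check(raw):
    """Parse a raw message and apply should_auto_respond to it."""
    return should_auto_respond(message_from_string(raw))


def confirm(raw, list_addr, token):
    """Parse a raw request and build its confirmation, or None if it must not be answered."""
    return build_confirmation(message_from_string(raw), list_addr, token)


if __name__ == "__main__":
    for name, raw in (("subscribe", SUBSCRIBE_REQUEST), ("auto-reply", AUTO_REPLY),
                      ("null sender", NULL_SENDER)):
        print(name, "->", check(raw))
    conf = confirm(SUBSCRIBE_REQUEST, "gentoo-embedded@lists.gentoo.org", "TOKEN-PLACEHOLDER")
    print(conf.as_string())
    # The confirmation itself is never eligible for another automatic answer:
    print("confirmation re-checked ->", should_auto_respond(conf))
```

The last line of the demonstration is the point of the whole exercise: a confirmation built this way fails the same check the list applies to inbound mail, so an RFC 3834-aware responder or spamtrap can tell it apart from the spam that triggered it and has no reason to list the sending host.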

(no subject)

Date: 2010-02-02 05:24 pm (UTC)
From: [identity profile] amaena.livejournal.com
That sucks :/

