robbat2 | Spamtrap addresses vs. list confirmation emails, or how to lose 2k list emails

In the early hours of this morning, a spammer managed to get the IP of the Gentoo list server on the NiX Spam RBL... simply by spamming the subscribe address :-(. This caused approximately 2000 deliveries of normal list mail to be rejected while the server was present on the RBL.

Notice the subscribe request, line 0004. (whitespace added)

0001 Feb  1 00:15:56 pigeon postfix/smtpd[29314]: 52278E0778: client=unknown[210.212.220.106]
0002 Feb  1 00:15:57 pigeon postfix/cleanup[31589]: 52278E0778:
  message-id=<01caa301$d307f7d0$b173a8c0@ambachglasfaser>
0003 Feb  1 00:15:58 pigeon postfix/qmgr[12260]: 52278E0778:
  from=<ambachglasfaser@test.mailnet.dyndns.biz>,
  size=59874, nrcpt=3 (queue active)
0004 Feb  1 00:15:58 pigeon postfix/local[31581]: 52278E0778:
  to=<gentoo-embedded+subscribe@lists.gentoo.org>,
  orig_to=<gentoo-embedded-subscribe@lists.gentoo.org>,
  relay=local, delay=2.4, delays=2.4/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
0005 Feb  1 00:15:58 pigeon postfix/local[31716]: 52278E0778:
  to=<gentoo-user-id@lists.gentoo.org>,
  relay=local, delay=2.4, delays=2.4/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
0006 Feb  1 00:15:58 pigeon postfix/local[31509]: 52278E0778:
  to=<gentoo-gwn@lists.gentoo.org>,
  relay=local, delay=2.4, delays=2.4/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to command: ....)
0007 Feb  1 00:15:58 pigeon postfix/qmgr[12260]: 52278E0778: removed

Assuming that the it's a real subscribe request, we send a confirmation request, and promptly get blacklisted for being a good citizen. Line 0013.

0010 Feb  1 00:15:58 pigeon postfix/smtpd[31587]: B6FA9E0778: client=localhost[127.0.0.1]
0011 Feb  1 00:15:58 pigeon postfix/cleanup[31589]: B6FA9E0778:
  message-id=<1264983358-31717-mlmmj-3905840d@lists.gentoo.org>
0012 Feb  1 00:15:58 pigeon postfix/qmgr[12260]: B6FA9E0778:
  from=<gentoo-embedded+bounces-confsub-32dfa15d1a18a7a9-ambachglasfaser=test.mailnet.dyndns.biz@lists.gentoo.org>,
  size=1345, nrcpt=1 (queue active)
0013 Feb  1 00:16:29 pigeon postfix/smtp[31603]: B6FA9E0778:
  to=<ambachglasfaser@test.mailnet.dyndns.biz>,
  relay=mx.dyndns.biz[217.11.54.110]:25, delay=31, delays=0.06/0/30/0.41, dsn=5.7.1,
  status=bounced (host mx.dyndns.biz[217.11.54.110] said:
    554 5.7.1 Service unavailable; Your spam message has been received.
    You will be blacklisted. Thank you (in reply to end of DATA command))
0014 Feb  1 00:16:29 pigeon postfix/bounce[31637]: B6FA9E0778: sender non-delivery notification: B8AE9E089A
0015 Feb  1 00:16:29 pigeon postfix/qmgr[12260]: B6FA9E0778: removed

Why did this happen? I do agree on the importance of spamtrap accounts, but they MUST check the content of their messages. A list confirmation message MUST NOT be considered as spam.

The original subscribe request came from what seems to be a compromised server in Secunderabad, India. So it wouldn't have been detected by RBL focused on modem/dialup addresses.

Short of raising the bar to subscribe (with a specific token that needs to be included, and then it's only a matter of time till spammers include it too), there isn't much we can do to block stuff like this at the list-server level. There is no way to detect than an address is a spamtrap. There cannot be by definition, as the spammers would avoid it themselves otherwise.

S	M	T	W	T	F	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

Most Popular Tags

airports - 2 uses
alsa - 2 uses
barcampvancouver - 4 uses
bicycle - 3 uses
bugzilla - 3 uses
cacert - 3 uses
computers - 5 uses
cycling - 2 uses
fc - 3 uses
fibre channel - 3 uses
fibrechannel - 3 uses
forsale - 2 uses
geek - 6 uses
gentoo - 54 uses
git - 3 uses
gitosis - 2 uses
google - 3 uses
gpg - 2 uses
gsoc - 2 uses
hard drives - 2 uses
ipv6 - 2 uses
kernel - 2 uses
lazyweb - 2 uses
linux - 7 uses
livejournal - 4 uses
meme - 3 uses
mirrors - 5 uses
mysql - 4 uses
networking - 3 uses
ols2008 - 6 uses
open source - 3 uses
photography - 2 uses
php - 2 uses
phpmyadmin - 2 uses
predictions - 2 uses
rsync - 3 uses
security - 6 uses
server - 2 uses
soc - 2 uses
south africa - 2 uses
spam - 7 uses
statistics - 3 uses
stocks - 2 uses
sun - 3 uses
techbc - 4 uses
tekbc - 2 uses
theft - 2 uses
translink - 2 uses
travel - 3 uses
wishlist - 2 uses

Flat | Top-Level Comments Only

From: (Anonymous)

Please see

> http://www.heise.de/ix/foren/S-Re-Mailinglisten-Bestaetigungs-Email-an-Spamtrap-legt-Gentoos-Mailinglisten-lahm/forum-48292/msg-18035095/read/showthread-1/

for a response (in german language) to the problem.

The commenter suggest gentoo list emails honor RFC3834.

Greetings

Marcel.

From:

robbat2.livejournal.com

Thanks, I have confirmed that we're not fully RFC3834 due to a bug in the mailing list software (it's not passing on some headers that it should be), and I'm taking that up with the upstream.

amaena.livejournal.com

That sucks :/

lacticlealea.livejournal.com

http://owacxjwn.far.ru
http://ygvzczex.far.ru
http://saoetxgm.far.ru
http://uoxemnfb.far.ru
http://rqhcmkmr.far.ru
http://dytgthoq.far.ru
http://zcmigdzi.far.ru
http://viwkhxxc.far.ru
http://azpjdymt.far.ru
http://rjuvuivv.far.ru
http://anpefahv.far.ru
http://obvsgffk.far.ru
http://snavkibu.far.ru
http://ukatbcal.far.ru
http://upculyxm.far.ru
http://tmudfimi.far.ru
http://mfvywput.far.ru
http://tpjytugt.far.ru
http://xpjhpitc.far.ru
http://nqtlkiwb.far.ru
http://tfatfieu.far.ru
http://tbymsxud.far.ru
http://dwvppcvw.far.ru
http://ibnsrovt.far.ru
http://qmizycdk.far.ru

Move along, nothing to read

A dis-illusioned software engineer

Spamtrap addresses vs. list confirmation emails, or how to lose 2k list emails

(no subject)

(no subject)

(no subject)

сайты порновидео

Profile

May 2017

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags