A friend of mine just wrote about what happened to an ezmlm mailing list he runs, and how it was recently used to relay spam (quoted below).
All mailing list managers return bounces of some sort: for subscriptions, unsubscriptions, moderation, etc. (*configuration dependent*). Some, for example, quote only the subject line rather than the whole incoming message.
Do we risk blocking by black lists for allowing mailing list bounces?
Do we, as blacklist operators, block spam that arrives inside bounces?
We all see spam bouncing off our lists; how do we distinguish what's what, especially when the messages are themselves bounces?
How would Mailman be vulnerable, if at all?
Thanks go to Ellen from spamcop for the help.
People tend to think of SPAMers as a bunch of monkeys, i.e. they know nothing, utilize off-the-shelf tools, and are completely unimaginative. I tend to differ, especially after what I saw happen…
It began about 3 months ago: our ezmlm mailing list was starting to get a lot of bounces, and when I say a lot, I mean a lot. The number quickly rose to more than 100 per hour, all of them bounces caused by malformed ezmlm requests. These bounces weren't ordinary; their body was composed of a SPAMed email.
You would ask yourself, why would someone use ezmlm to bounce emails? Well, you take our security-oriented mailing list, which has its credibility (both the IP address of the mail server's credibility and the email address's credibility), and you utilize it for your spamming needs.
In addition, ezmlm will bounce almost any email it receives without thinking, and not only bounce it, but also include the entire incoming email, in our case the SPAM content. This makes it a nice-to-use SPAM relay.
After several weeks, our mail server was starting to get blocked by SpamCop and others which regard bounced email SPAM as regular SPAM. Several days ago, we decided to put an end to these shenanigans: we patched ezmlm - yes, changed the source code, as ezmlm doesn't support the suppression of bouncing emails - to stop it from sending back emails whenever something bad has happened, and lo and behold, a few hours after the change was put into place, our ezmlm was no longer being used to relay SPAM.
The only conclusion I can draw from this is that the SPAMers use some kind of technique (maybe even "SPAM" themselves) to detect whether it is still useful to use your SPAM relay for their needs, in this case our ezmlm configuration, and when it is no longer useful, they "conserve" their bandwidth and move on to their next target.
http://blogs.securiteam.com/index.php/archives/353
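As an added example (not ezmlm's or Mailman's code, and not part of the quoted post), here is a Python sketch of the response policy the questions above point at: an error reply that quotes only the subject and a couple of headers instead of echoing the whole incoming message, that is never sent to a null envelope sender (so a bounce is never answered with another bounce), and that is rate-limited per sender so a flood of malformed requests cannot turn the list into a relay. The thresholds, the reply wording and the sample message are assumptions made for illustration.

```python
"""Added example (not ezmlm's code): a safer auto-response policy for a
mailing list manager.  Instead of echoing the full incoming message back to
the (often forged) sender, the reply quotes only a few headers and a short
subject excerpt; null envelope senders get no reply at all; and a per-sender
rate limiter suppresses replies once an address draws too many errors in an
hour.  Thresholds and reply text are assumptions for illustration."""
from collections import deque
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional
import time

MAX_SUBJECT_CHARS = 80          # assumption: enough to identify the request
MAX_RESPONSES_PER_HOUR = 5      # assumption: a real list would tune this
WINDOW_SECONDS = 3600


class BounceRateLimiter:
    """Sliding-window counter of replies sent per envelope sender."""

    def __init__(self, limit: int = MAX_RESPONSES_PER_HOUR,
                 window: int = WINDOW_SECONDS) -> None:
        self.limit = limit
        self.window = window
        self._events: dict[str, deque] = {}   # sender -> reply timestamps

    def allow(self, sender: str, now: float) -> bool:
        q = self._events.setdefault(sender, deque())
        while q and now - q[0] >= self.window:   # drop events outside window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def build_error_response(raw_message: bytes, list_address: str) -> EmailMessage:
    """Build an error reply that does NOT include the original body.

    Only a truncated Subject, the Message-ID and the Date are quoted, so a
    spam body that arrived as a malformed list request cannot be relayed
    through the reply."""
    original = message_from_bytes(raw_message, policy=policy.default)
    subject = str(original.get("Subject", ""))[:MAX_SUBJECT_CHARS]
    reply = EmailMessage()
    reply["From"] = list_address
    reply["To"] = str(original.get("From", ""))
    reply["Subject"] = "List manager response: unrecognised request"
    reply["Auto-Submitted"] = "auto-replied"   # RFC 3834: marks automatic mail
    if original.get("Message-ID"):
        reply["In-Reply-To"] = str(original["Message-ID"])
    reply.set_content(
        "Your message to the list manager was not understood.\n"
        "For reference, it had:\n"
        f"  Subject:    {subject}\n"
        f"  Message-ID: {original.get('Message-ID', '(none)')}\n"
        f"  Date:       {original.get('Date', '(none)')}\n"
        "The body of your message has deliberately not been quoted.\n"
    )
    return reply


def handle_request(raw_message: bytes, envelope_sender: str,
                   limiter: BounceRateLimiter, list_address: str = "list@example.org",
                   now: Optional[float] = None) -> Optional[EmailMessage]:
    """Decide whether to answer a malformed request, and with what.

    Returns None when no reply must be sent: a null envelope sender means the
    incoming message is itself a bounce, and a sender over the rate limit is
    most likely forged or abusive."""
    if now is None:
        now = time.time()
    if not envelope_sender:                 # MAIL FROM:<> -> never reply
        return None
    if not limiter.allow(envelope_sender, now):
        return None
    return build_error_response(raw_message, list_address)


# Constructed sample: a spam body sent to a list command address.
SAMPLE_REQUEST = b"""From: victim@example.net
To: list-subscribe@example.org
Subject: Re: cheap meds !!! (malformed subscribe request)
Message-ID: <constructed-1@example.net>
Date: Mon, 01 Jan 2007 00:00:00 +0000

BUY NOW cheap meds at http://spam.example/
(this body is constructed for the example and must never be echoed back)
"""

if __name__ == "__main__":
    reply = handle_request(SAMPLE_REQUEST, "victim@example.net", BounceRateLimiter(), now=0.0)
    print(reply.as_string() if reply else "no reply sent")
```

The policy of not replying to a null envelope sender is what keeps two list managers from bouncing bounces back and forth, and the per-sender limit is a blunt but effective stand-in for the source patch described above: once a sender has drawn its quota of error replies, further malformed requests are silently dropped and the list stops being worth anything as a relay.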
Gadi.