relaying spam using mailing lists
A friend of mine just wrote about what happened to an ezmlm mailing list he runs, and how it was recently used to relay spam (quoted below).
All mailing list managers return bounces of some sort, for subscriptions, unsubscriptions, moderation, etc. (*configuration dependent*), some just quote the subject line though, as an example.
Do we risk blocking by black lists for allowing mailing list bounces?
Do we in blacklists block spam in bounces?
We all see spam bouncing off our lists, how do we distinguish what's what? Especially if these are bounces themselves?
How would mailman be vulnerable, if at all?
Thanks go to Ellen from spamcop for the help.
People tend to think of SPAMers as a bunch of monkeys, i.e. they know nothing, utilize off-the-shelf tools, and are completely unimaginative. I tend to differ, especially after what I saw happen…
It began about 3 months ago: our ezmlm mailing list was starting to get a lot of bounces, and when I say a lot, I mean a lot. The number quickly rose to more than 100 per hour, all of them bounces caused by malformed ezmlm requests. These bounces weren't ordinary; their body was composed of a SPAMed email.
You would ask yourself, why would someone use ezmlm to bounce emails? Well, you take our security-oriented mailing list, which has its credibility (both the IP address of the mail server's credibility and the email address's credibility), and you utilize it for your spamming needs.
In addition, ezmlm will bounce almost any email it receives without thinking, and not only bounce it, but also include the entire incoming email, in our case the SPAM content, making it a nice-to-use SPAM relay.
After several weeks, our mail server was starting to get blocked by SpamCop and others which regard bounced email SPAM as regular SPAM. Several days ago, we decided to put an end to this shenanigan: we patched ezmlm - yes, changed the source code, as ezmlm doesn't support the suppression of bounce emails - to stop it from sending back emails whenever something bad has happened, and lo and behold, a few hours after the change was put into place, our ezmlm was no longer being used to relay SPAM.
The only conclusion I can draw from this is that the SPAMers use some kind of technique (maybe even "SPAM" themselves) to detect whether it is still useful to use your SPAM relay for their needs, in this case our ezmlm configuration, and when it is no longer useful, they "conserve" their bandwidth and move on to their next target.
http://blogs.securiteam.com/index.php/archives/353
Gadi.
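An added example, not from this thread, ezmlm or Mailman: a Python sketch of the two defensive measures the post points at, a rejection notice that quotes only headers (never the body, so it carries no spam payload) and a per-hour bounce counter that flags the kind of flood described above. The function names, the `list-owner@` address pattern and the sample message are assumptions.

```python
"""Added example (not from this thread, ezmlm, or Mailman): a bounce that quotes
only headers so it cannot carry a spam payload, and a per-hour bounce counter
that flags floods like the one described in the post. All names are assumptions."""
from collections import Counter
from datetime import datetime, timedelta
from email import message_from_string
from email.message import EmailMessage

# Headers echoed back so the real sender can identify the message; the body,
# which may be spam, is never included.
SAFE_HEADERS = ("From", "To", "Date", "Subject", "Message-ID")


def build_bounce(raw_message: str, list_address: str, reason: str) -> EmailMessage:
    """Build a header-only rejection notice for a malformed list request."""
    original = message_from_string(raw_message)
    bounce = EmailMessage()
    # Assumed owner-address convention (list-owner@domain); adjust to your setup.
    bounce["From"] = list_address.replace("@", "-owner@", 1)
    bounce["To"] = original.get("From", "")
    bounce["Subject"] = f"Request to {list_address} rejected: {reason}"
    bounce["Auto-Submitted"] = "auto-replied"  # RFC 3834: marks this as automatic mail
    quoted = "\n".join(f"{h}: {original[h]}" for h in SAFE_HEADERS if original.get(h))
    bounce.set_content(
        f"Your message to {list_address} was not processed: {reason}\n\n"
        f"Original headers (body omitted on purpose):\n{quoted}\n"
    )
    return bounce


def bounce_flood(sent_at: list[datetime], threshold: int = 100) -> dict[datetime, int]:
    """Return the hours in which more than `threshold` bounces were sent."""
    per_hour = Counter(t.replace(minute=0, second=0, microsecond=0) for t in sent_at)
    return {hour: n for hour, n in per_hour.items() if n > threshold}


# Constructed sample: a malformed subscribe request carrying a spam body.
SAMPLE_SPAM = (
    "From: forged-victim@example.org\n"
    "To: list-subscribe-nonsense@example.com\n"
    "Date: Wed, 15 Mar 2006 08:32:00 +0200\n"
    "Subject: Cheap meds\n"
    "Message-ID: <constructed-1@example.org>\n"
    "\n"
    "BUY NOW at http://spam.invalid/\n"
)


def sample_bounce_times() -> list[datetime]:
    """Constructed timestamps: 150 bounces in one hour, then 5 two hours later."""
    start = datetime(2006, 3, 15, 8, 0)
    flood = [start + timedelta(seconds=20 * i) for i in range(150)]
    quiet = [start + timedelta(hours=2, minutes=i) for i in range(5)]
    return flood + quiet


if __name__ == "__main__":
    notice = build_bounce(SAMPLE_SPAM, "list@example.com", "malformed request address")
    print(notice.get_content())  # headers only; the "BUY NOW" body is absent
    print(bounce_flood(sample_bounce_times()))  # only the 08:00 hour is flagged
```

Whether to send even a header-only notice to a possibly forged sender is a separate policy choice; the counter gives you the signal to turn such notices off when a list is being abused.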
At 8:32 PM +0200 3/15/06, Gadi Evron wrote:
> A friend of mine just wrote about what happened to an ezmlm mailing list he runs, and how it was recently used to relay spam (quoted below).
> All mailing list managers return bounces of some sort, for subscriptions, unsubscriptions, moderation, etc. (*configuration dependent*), some just quote the subject line though, as an example.
My installation of Mailman doesn't. I have spam filters that make sure that poorly-formed requests don't get to Mailman.
> Do we risk blocking by black lists for allowing mailing list bounces?
At this point in time, it's fairly net-unfriendly to run a mail reflector that isn't protected by spam filters. If anyone uses your mail reflector to propagate spam, you'll have a hard time getting your domain unblocked.
> We all see spam bouncing off our lists, how do we distinguish what's what? Especially if these are bounces themselves?
> How would mailman be vulnerable, if at all?
Don't relay mail to Mailman that you don't want Mailman to receive. Install good spam filters and tune your MDA so that it won't deliver scattershot messages to Mailman.
-- Thank you,
Heather Madrone <heather@madrone.com> http://www.madrone.com
At 11:35 AM -0800 2006-03-15, Heather Madrone wrote:
> Don't relay mail to Mailman that you don't want Mailman to receive. Install good spam filters and tune your MDA so that it won't deliver scattershot messages to Mailman.
We've gone through this discussion before. There are lots of decisions that are made inside of Mailman that the MTA cannot possibly know anything about.
If you configure your Mailman installation so that it never rejects a message or ever sends back any kind of notice that the message has been held for moderation (so that you don't ever generate any blowback), then you will seriously impact the level of services that you can provide your subscribers. At that point, you have to seriously question whether or not it's worth running a mailing list at all.
Moreover, I'm pretty sure that you will be running a pretty highly hacked version of Mailman, because there are some things you can turn off, but there are others that I don't believe you can. At that point, you're not likely to be able to get a lot of help on this mailing list.
-- Brad Knowles, <brad@stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.
Brad Knowles wrote:
> At 11:35 AM -0800 2006-03-15, Heather Madrone wrote:
>> Don't relay mail to Mailman that you don't want Mailman to receive. Install good spam filters and tune your MDA so that it won't deliver scattershot messages to Mailman.
> We've gone through this discussion before. There are lots of decisions that are made inside of Mailman that the MTA cannot possibly know anything about.
Further, I honestly believe that, despite the extra moderation work, using spam filters for mailing lists is a bad idea, at least in my experience and to my preference.
Gadi.