Someone is using one of the domain names hosted by us to spam all mail accounts in all local domains. Unfortunately, sendmail is (and was before me) the mail system.

It sounds pretty much the same as Saturday's topic about the "[suse-security] DOS on sendmail daemon" but the users got the spam in their mail boxes.

I've mailed abuse@domain.net and I got

Diagnostic-Code: 550 5.2.1 <abuse@hinet.net>... Mailbox disabled for this recipient.

Message Headers:

Return-Path: <123017@cedoff.org>
Received: from ns.e-workshop.ch (ns.e-securenet.ch [212.147.96.4])
        by ns.e-workshop.ch (8.12.2/8.12.3/SuSE Linux 0.6) with ESMTP id gA44i1Q1023068;
        Mon, 4 Nov 2002 05:44:02 +0100
Message-Id: <200211040444.gA44i1Q1023068@ns.e-workshop.ch>
Received: from cedoff.org (61-224-129-145.HINET-IP.hinet.net [61.224.129.145])
        by mail.cedoff.org (AvMailGate-2.0.1.7) id 23063-44BB0D0E;
        Mon, 04 Nov 2002 05:43:59 +0100
From: "download your free" <asiamailer@pchome.com.tw>
Subject: Want to boost your sales with Internet Marketing? Try HiMailer.
Content-Type: text/html
Date: Sun, 3 Nov 2002 23:59:33 +0800
X-Priority: 3
X-Library: Indy 9.0.3-B
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.7; AVE: 6.16.0.0; VDF: 6.16.0.12; host: ns)
To: undisclosed-recipients:;
Status: RO

Where is the hole? Thanks for your help

--
   .-.     e-SecureNet
   /v\     We Run SuSE  Project Manager
  // \\    *The LINUX Experts*  c/o Miguel Albuquerque
 /( )\     Av. Miremont 46
  ^^-^^    1202 - GE, SWITZERLAND
Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348
mailto:mfoacs@e-securenet.ch http://www.e-securenet.ch
"Was Sind und was Sollen die Zahlen?" Dedekind.
____________________________________________________________
On Mon, Nov 04, 2002 at 06:36:46PM +0100, Miguel Albuquerque wrote:
> Someone is using one of the domain names hosted by us to spam all mail accounts in all local domains.

You cannot spam "all accounts". You can only try to send spam to addresses you know or guess.

> Unfortunately, sendmail is (and was before me) the mail system.

I don't think that other programs will handle this much better than sendmail.

> Diagnostic-Code: 550 5.2.1 <abuse@hinet.net>... Mailbox disabled for this recipient.

That should be the correct address for complaints to hinet.net, but unfortunately HINET violates RFC 2142 rejecting mails sent to abuse@hinet.net or postmaster@hinet.net (as one can see on http://www.rfc-ignorant.org). You could write to network-adm@hinet.net or cykang@ms1.hinet.net (these addresses I found by "whois -h whois.apnic.net 61.224.129.145"). But sending complaints to China or Taiwan is almost the same as sending them directly to /dev/null.

As a solution you could block all HINET IPs by your access table. Or better: all IPs in Korea, Taiwan and China - if you don't expect any wanted mails from these countries. Or you use the FEATURE(`dnsbl') of sendmail to block all known spammer IPs. More information about that you can find on http://www.sendmail.org/~ca/email/chk-810.html.

Bye,
Hatto
On Monday 04 November 2002 21:11, Hatto von Hatzfeld wrote: [snip]
> As a solution you could block all HINET IPs by your access table. Or better: all IPs in Korea, Taiwan and China - if you don't expect any wanted mails from these countries. Or you use the FEATURE(`dnsbl') of sendmail to block all known spammer IPs. More information about that you can find on http://www.sendmail.org/~ca/email/chk-810.html.

That's not going to work in Miguel's case. He is using AvMailGate, which has the drawback that all mail appears to be coming from the machine the mailgate runs on. Therefore a lot of IP based spam prevention techniques employed in sendmail will be useless.

The better solution is to use AvMilter (from the same company), which uses the milter interface and does not have this disadvantage. It's similar in operation to the combination of AMaViS and AntiVir, but runs quite a bit faster (useful if you happen to receive *lots* of mail or on slower machines).

Arjen
--
51 N 25' 05.1" - 05 E 29' 13.3"
Key fingerprint - 66 4E 03 2C 9D B5 CB 9B 7A FE 7E C1 EE 88 BC 57
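An added example (not part of any message in this thread) that walks the Received chain from the headers quoted in the original post and shows why an access-table prefix or DNSBL lookup keyed on the connecting client never fires once a mail gateway sits in front of sendmail. The deny prefix "61.224" is a constructed value taken from the single address in those headers, not HINET's actual allocation, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Subset of the headers quoted in the thread, re-folded by hand (constructed sample).
SAMPLE = """\
Return-Path: <123017@cedoff.org>
Received: from ns.e-workshop.ch (ns.e-securenet.ch [212.147.96.4])
\tby ns.e-workshop.ch (8.12.2/8.12.3/SuSE Linux 0.6) with ESMTP id gA44i1Q1023068;
\tMon, 4 Nov 2002 05:44:02 +0100
Received: from cedoff.org (61-224-129-145.HINET-IP.hinet.net [61.224.129.145])
\tby mail.cedoff.org (AvMailGate-2.0.1.7) id 23063-44BB0D0E;
\tMon, 04 Nov 2002 05:43:59 +0100
Subject: Want to boost your sales with Internet Marketing? Try HiMailer.

"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_CLAUSE = re.compile(r"\bby\s+(\S+)\s*(?:\(([^)]*)\))?")

def hops(raw):
    """Return Received hops, newest first, as (client_ip, by_host, by_software)."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        ip = IP_IN_BRACKETS.search(flat)
        by = BY_CLAUSE.search(flat)
        out.append((ip.group(1) if ip else None,
                    by.group(1) if by else None,
                    (by.group(2) or "") if by else ""))
    return out

def denied(ip, prefixes):
    """Access-table style match on whole-octet prefixes such as '61.224'."""
    return any(ip == p or ip.startswith(p + ".") for p in prefixes)

def evaluate(raw, prefixes):
    """Compare the client the MTA saw with the address the gateway recorded."""
    chain = hops(raw)
    mta_client = chain[0][0]   # top hop: what sendmail saw as the connecting peer
    origin = chain[-1][0]      # oldest hop: written by the gateway, trusted only that far
    return {"mta_client": mta_client, "origin": origin,
            "blocked_at_mta": denied(mta_client, prefixes),
            "would_block_origin": denied(origin, prefixes)}

if __name__ == "__main__":
    print(evaluate(SAMPLE, ["61.224"]))
```

The top hop shows sendmail accepting the message from its own host, so only a check that runs where the remote connection terminates (the gateway itself, or a milter inside sendmail) can act on the remote address.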
Miguel,

Visit www.spamcop.net. They have loads of useful advice, and if you register with them you can forward spam to them and they have clever programs which work out exactly who to complain to. I have seen loads of these himailer spams, they come from a variety of sources.

Oh, by the way, I don't think your incident was at all like the earlier discussion. That concerned a site that was plagued by *responses* to spam rather than spam itself. This is a growing problem; spammers nearly always fake the return addresses, and if they happen to choose your domain you get swamped with error messages (and angry e-mails from misguided people who think you are to blame for the spam).

Bob

On Mon, 4 Nov 2002, Miguel Albuquerque wrote:
> Someone is using one of the domain names hosted by us to spam all mail accounts in all local domains. Unfortunately, sendmail is (and was before me) the mail system.
>
> It sounds pretty much the same as Saturday's topic about the "[suse-security] DOS on sendmail daemon" but the users got the spam in their mail boxes.
>
> I've mailed abuse@domain.net and I got
>
> Diagnostic-Code: 550 5.2.1 <abuse@hinet.net>... Mailbox disabled for this recipient.
>
> Message Headers:
>
> Return-Path: <123017@cedoff.org>
> Received: from ns.e-workshop.ch (ns.e-securenet.ch [212.147.96.4])
>         by ns.e-workshop.ch (8.12.2/8.12.3/SuSE Linux 0.6) with ESMTP id gA44i1Q1023068;
>         Mon, 4 Nov 2002 05:44:02 +0100
> Message-Id: <200211040444.gA44i1Q1023068@ns.e-workshop.ch>
> Received: from cedoff.org (61-224-129-145.HINET-IP.hinet.net [61.224.129.145])
>         by mail.cedoff.org (AvMailGate-2.0.1.7) id 23063-44BB0D0E;
>         Mon, 04 Nov 2002 05:43:59 +0100
> From: "download your free" <asiamailer@pchome.com.tw>
> Subject: Want to boost your sales with Internet Marketing? Try HiMailer.
> Content-Type: text/html
> Date: Sun, 3 Nov 2002 23:59:33 +0800
> X-Priority: 3
> X-Library: Indy 9.0.3-B
> X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.7; AVE: 6.16.0.0; VDF: 6.16.0.12; host: ns)
> To: undisclosed-recipients:;
> Status: RO
>
> Where is the hole? Thanks for your help
>
> --
>    .-.     e-SecureNet
>    /v\     We Run SuSE  Project Manager
>   // \\    *The LINUX Experts*  c/o Miguel Albuquerque
>  /( )\     Av. Miremont 46
>   ^^-^^    1202 - GE, SWITZERLAND
> Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348
> mailto:mfoacs@e-securenet.ch http://www.e-securenet.ch
> "Was Sind und was Sollen die Zahlen?" Dedekind.
> ____________________________________________________________
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@suse.com
> Security-related bug reports go to security@suse.de, not here
==============================================================
Bob Vickers                     R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv
Phone:  +44 1784 443691
Miguel
> I have seen loads of these similar spams, they come from a variety of sources.

I get them all the time as well. Usually sent to Mailman at www.sheflug.org.uk. For some reason Hinet couldn't care less about what happens as is true for some black listed domains. I would have thought that a local community project like ours would not have received spam of this sort but spammers are people who are ruthless and uncaring.

The argument about whether to use Spam Cop or not seems to revolve around the fact of whether or not you feel up to being able to understand the intellectual challenge of writing spam filters that provide the correct positives and not some false positives. You might think that Spam Cop is quicker and easier?

There are people out there who shout at you if you send anything to Spam Cop at all :)

--
Thanks

Richard
www.sheflug.co.uk
Richard,

Could you elaborate on this? Who shouts at you if you send things to Spamcop?

Fighting spam is something that can only be done effectively if we work as a community. If you report spam to Spamcop there is a chance that the spam will be blocked at source, which is (literally) millions of times more useful than just blocking your copy of it. And if the community does not fight back against spam then because it is so cheap to produce there will be such vast quantities of the stuff that e-mail will be destroyed as a communications medium.

If you go it alone then you are very likely to spend more effort fighting it off than you would if you just deleted the stuff.

Bob

On Tue, 5 Nov 2002, Richard Ibbotson wrote:
> The argument about whether to use Spam Cop or not seems to revolve around the fact of whether or not you feel up to being able to understand the intellectual challenge of writing spam filters that provide the correct positives and not some false positives. You might think that Spam Cop is quicker and easier?
>
> There are people out there who shout at you if you send anything to Spam Cop at all :)
>
> --
> Thanks
>
> Richard
> www.sheflug.co.uk
==============================================================
Bob Vickers                     R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv
Phone:  +44 1784 443691
Bob
> Could you elaborate on this? Who shouts at you if you send things to Spamcop?

Oh .. let's see .. there's most ISPs in the UK.. been through a few shouting matches with them.. then there's Oxford and Cambridge Universities.. and many UK businesses who all hate Spam Cop and what it represents. Then there's a whole load more who I can't mention on this list. I've been threatened in the street before now.

Incidentally, since I sent mail into this list the other day the level of spam to myself has increased by a factor of four. I'm getting great big piles of it now.

> If you go it alone then you are very likely to spend more effort fighting it off than you would if you just deleted the stuff.

Personally I don't see an argument in either direction :) But, I am amazed that a free community project which exists to help and educate interested people attracts so many thugs.

--
Thanks

Richard
www.sheflug.co.uk
participants (5)
- Arjen de Korte
- Bob Vickers
- Hatto von Hatzfeld
- Miguel Albuquerque
- Richard Ibbotson