Re: [SLE] need help-1 bounce-what is going to happen here-ezmlm message is included
Hi Anders,

It looks like SuSE may have been a victim of what I will call the "blackhole attack", or more properly the "open mail relay blackhole list attack", a new twist on a denial of service attack which subverts the Internet's own self-help organizations in order to disrupt email services.

If a mail server acts as an open mail relay, then a spammer-attacker can send spam or just a dummy mail message via this mail server to one of a number of sites which keeps a blackhole list. The blackhole list site then puts the mail server on the list, which disrupts mail sent from the mail server to all destinations which subscribe to that list.

http://www.orbz.org is one such blackhole list site. http://www.mail-abuse.org is another.

A short time ago, I had a similar problem. In my case, someone attacked my ISP, BigPond, causing my mail server to be listed at http://www.mail-abuse.org This stopped all my mail to the DRI-user mailing list, hosted on SourceForge, because SourceForge subscribes to the mail-abuse.org list.

The amazing thing about this particular attack is that most comments I have seen paint the admin of the mail server as the perpetrator and not the victim. Sure, the admin needs to lock down the mail server. But the admin and the ISP are being belted by both the spammers and the anti-spam groups. And the ISP's customers are denied service.

In Thomas' case, I just checked at http://www.orbz.org and found:

ORBZ Database Information
IP: 202.58.118.7
State: clean
Listed in inputs: no
Listed in outputs: no
(What's the difference between inputs and outputs?)
Last Test: 2001-08-20 19:45:10
Last Test Result: no probes received back
---------------------------------------------------------
=========================================================
Direct DNS Lookups
inputs.orbz.org: clean
outputs.orbz.org: clean
or.orbl.org: clean
relays.ordb.org: clean
orbs.dorkslayers.com: clean
dev.null.dk: clean
relays.osirusoft.com: clean

So, the mail server 202.58.118.7 is clean. Yet Thomas received:
<tgland@iserv.net>: Connected to 204.177.184.15 but sender was rejected. Remote host said: 550 5.7.1 Mail from 202.58.118.7 refused by blackhole site inputs.orbz.org
To me, this means that iserv.net has somehow incorrectly listed 202.58.118.7 as a blackholed server. The answer in this case could be to contact the admin of iserv.net with all of the information above and ask for 202.58.118.7 to be no longer treated as a blackholed mail server, since inputs.orbz.org actually lists it as clean.

For more discussion on this topic, see http://www.kuro5hin.org/story/2001/8/23/1978/40794

Best regards
From: Anders Johansson <andjoh@cicada.linux-site.net>
Date: Mon, 3 Sep 2001 01:00:55 +0200
On Monday 03 September 2001 00.55, Christian Klippel wrote:
hi thomas,
the message you got from the mailserver means that the ip 202.58.118.7 is blocked by some mta's because it is listed in a blackhole list as a spam site. Who did that? Redhat or Microsoft? That's suse's list server! :)
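The check Paul walks through above, querying the address directly against each list and comparing that with what the bounce claims, as an added Python example (not code from the thread or from ORBZ): it pulls the refused IP and the blackhole zone out of the 550 bounce text quoted in the thread, builds the reversed-octet DNSBL query name, and asks that zone whether the address is still listed. The zone names are the ones in Paul's ORBZ output; the DNS resolver is injectable, so the run at the bottom uses a constructed fake resolver (several of those 2001 zones no longer exist), and a live check would pass `system_resolver` instead.

```python
"""Confirm a blackhole-list bounce by querying the named DNSBL zone directly.

Added example for this thread, not code from the original posts or from ORBZ.
The zone names are those in Paul's ORBZ output; the resolver is injectable so
the demo runs offline against a constructed fake.
"""
import re
import socket
from typing import Callable, Dict, Optional, Tuple

# Zones exactly as listed under "Direct DNS Lookups" in the thread.
DNSBL_ZONES = [
    "inputs.orbz.org", "outputs.orbz.org", "or.orbl.org", "relays.ordb.org",
    "orbs.dorkslayers.com", "dev.null.dk", "relays.osirusoft.com",
]

# The bounce text quoted in the thread (copied here as the sample input).
BOUNCE = ("<tgland@iserv.net>: Connected to 204.177.184.15 but sender was rejected. "
          "Remote host said: 550 5.7.1 Mail from 202.58.118.7 refused by blackhole site inputs.orbz.org")

Resolver = Callable[[str], Optional[str]]   # name -> A record text, or None for NXDOMAIN


def is_ipv4(ip: str) -> bool:
    """Four dotted decimal octets, each 0..255."""
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets and append the zone, e.g. 7.118.58.202.inputs.orbz.org."""
    if not is_ipv4(ip):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(ip.split("."))) + "." + zone


def parse_bounce(text: str) -> Tuple[str, str]:
    """Extract the refused IP and the blackhole zone from a 550 bounce like the one above."""
    m = re.search(r"Mail from (\d{1,3}(?:\.\d{1,3}){3}) refused by blackhole site ([\w.-]+)", text)
    if not m:
        raise ValueError("no blackhole-site rejection found in bounce text")
    return m.group(1), m.group(2)


def system_resolver(name: str) -> Optional[str]:
    """Live lookup: a listed address gets an A record (conventionally 127.0.0.x); NXDOMAIN means clean."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def fake_resolver(listed: Dict[str, str]) -> Resolver:
    """Constructed offline resolver: answers only for the query names in `listed`."""
    return lambda name: listed.get(name)


def check_ip(ip: str, zones=DNSBL_ZONES, resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {zone: 'clean' | 'listed (<answer>)'} in the wording of the ORBZ output."""
    results = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        results[zone] = "clean" if answer is None else f"listed ({answer})"
    return results


def bounce_still_valid(bounce: str, resolve: Resolver = system_resolver) -> bool:
    """True if the zone named in the bounce currently lists the refused IP.

    False reproduces the thread's situation: the bounce cites a zone that answers
    'clean', so the rejecting MTA is acting on stale or locally cached list data."""
    ip, zone = parse_bounce(bounce)
    return resolve(dnsbl_query_name(ip, zone)) is not None


if __name__ == "__main__":
    # Constructed scenario: every zone answers NXDOMAIN, matching the thread's "clean" lookups.
    clean_world = fake_resolver({})
    for zone, status in check_ip("202.58.118.7", resolve=clean_world).items():
        print(f"{zone}: {status}")
    print("bounce consistent with the list:", bounce_still_valid(BOUNCE, resolve=clean_world))
```

When `bounce_still_valid` returns False the disagreement is between the remote MTA and the list it names, which is exactly the evidence Paul suggests sending to the iserv.net admin.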
Hi,

Regarding the discussion link at the bottom of your mail, I must say that, from my point of view, it is always in the hands of the providers/admins whether they get listed or not. Before I came into the company where I am now, they had a netcrap, aeh, netscape mail server running, allowing relaying. Thus we got listed on such lists, too. After switching over to qmail (with an antispam patch) and mailing them about that, we got removed in a couple of hours. So there is absolutely no problem with working together with abuse.org, orbz.org or the like. Just dropping a note that the relay is closed, together with the IP of that relay, helps almost immediately......

The reasons that some ISPs tell you for having an open relay are just lies. If you have a mail server running closed, you can give particular access (to the relaying) to specified domains. So, if anyone needs to send mail from wherever one is, the simplest way would be to add that ISP to the list of allowed relayers. Sure, this is weak ;-) but as an ISP it should be no problem to set up a domain which is allowed to relay, and give the customers that need to relay access over _that_ domain.

Maybe some admins are simply unable to set up their systems that way, because they don't know how (but then they should consider a job as a taxi driver instead). But I guess that some simply don't care about that and prefer to spend their working time surfing the net instead of fixing _their_ net ....... (No, no, no ... before flaming me, that wasn't meant in SuSE's direction just because it's SuSE's IP mentioned in the mail below ... no, no, it's just a general thought!)

As some postings to that article stated, don't do the work that your ISP has to do; force your ISP to clear that problem, don't contact the anti-spam orgs yourself. If your ISP gets blocked more often, consider a change ..... From my point of view it is politically perfect to leave an ISP that supports spammers.

And I'm sure some ISPs take extra $$'s from "special customers" to allow spamming. (Same with some ISP/mail providers that sell your address to spammers .... see Hotmail; I'm sure they sell the addresses, or how does it come that Hotmail accounts always get flooded with spam ???)

Just my 2 cents from the view of an admin ..... ;)

Greets,
chris

On Monday, 3 September 2001 03:51, Paul C.Leopardi wrote:
-- visit me at http://mamalala.de
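Christian's "closed relay that grants relaying to specified domains", as an added Python example that is not code from the thread, from qmail or from any other MTA: a RCPT TO policy that accepts mail for the domains this host serves from anyone, relays to foreign domains only for clients inside explicitly allowed networks, and refuses everything else with a 554. The open-relay policy that gets a host listed in the first place is shown beside it for contrast. The domains, networks and probe addresses are constructed; the hostnames and networks are the reserved example/documentation ranges.

```python
"""RCPT TO policy for a closed relay with per-network relay permission.

Added example illustrating Christian's point above; not code from qmail or
any other MTA.  Domains and networks below are constructed.
"""
import ipaddress
from typing import Iterable, Tuple

LOCAL_DOMAINS = {"example.com", "lists.example.com"}          # constructed: domains this host receives mail for
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),       # constructed: the ISP's own customer range
                  ipaddress.ip_network("127.0.0.0/8")]        # localhost, e.g. list software on this box

Reply = Tuple[int, str]   # SMTP reply code and enhanced-status text


def recipient_domain(rcpt: str) -> str:
    """Domain part of a RCPT TO argument such as '<user@Example.COM>' (brackets stripped, lower-cased)."""
    addr = rcpt.strip().strip("<>")
    if addr.count("@") != 1 or not addr.split("@")[1]:
        raise ValueError(f"bad recipient: {rcpt!r}")
    return addr.rsplit("@", 1)[1].lower()


def open_relay_policy(client_ip: str, rcpt: str) -> Reply:
    """The misconfiguration the thread is about: relay for anyone, to anywhere."""
    return (250, "2.1.5 Ok")


def closed_relay_policy(client_ip: str, rcpt: str,
                        local_domains: Iterable[str] = LOCAL_DOMAINS,
                        relay_networks: Iterable[ipaddress.IPv4Network] = RELAY_NETWORKS) -> Reply:
    """Accept mail FOR local domains from anyone; relay TO other domains only from allowed networks."""
    try:
        domain = recipient_domain(rcpt)
    except ValueError:
        return (501, "5.1.3 Bad recipient address syntax")
    if domain in local_domains:
        return (250, "2.1.5 Ok")                 # inbound delivery to a hosted domain, not relaying
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in relay_networks):
        return (250, "2.1.5 Ok")                 # relaying granted to this network only
    return (554, "5.7.1 Relay access denied")    # everyone else: no relay, so nothing to list


if __name__ == "__main__":
    # Constructed probes: what a relay tester sees from an outside address versus an ISP customer.
    probes = [("198.51.100.9", "<someone@example.com>"),     # outside client, local recipient  -> accept
              ("198.51.100.9", "<victim@elsewhere.test>"),  # outside client, foreign recipient -> denied
              ("192.0.2.77", "<victim@elsewhere.test>"),    # ISP customer, foreign recipient   -> relayed
              ("198.51.100.9", "no-at-sign")]               # malformed                         -> 501
    for ip, rcpt in probes:
        code, text = closed_relay_policy(ip, rcpt)
        print(f"{ip:>14} RCPT TO:{rcpt:<26} -> {code} {text}")
```

The relay decision is made per connection IP rather than per sender address because the MAIL FROM is attacker-controlled; a network-based allow list is the "domain which is allowed to relay" Christian describes, and a tester probing from outside those networks receives only the 554.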
participants (2): Christian Klippel, Paul C.Leopardi