[Mailman-Users] relaying spam using mailing lists

Gadi Evron ge at linuxbox.org
Wed Mar 15 19:32:54 CET 2006


A friend of mine just wrote about what happened to an ezmlm mailing list 
he runs, and how it was recently used to relay spam (quoted below).

All mailing list managers return bounces of some sort, for 
subscriptions, unsubscriptions, moderation, etc. (*configuration 
dependent*); some, for example, just quote the subject line.

Do we risk blocking by black lists for allowing mailing list bounces?

Do we, in blacklists, block spam in bounces?

We all see spam bouncing off our lists; how do we distinguish what's 
what, especially if these are bounces themselves?

How would mailman be vulnerable, if at all?

Thanks go to Ellen from spamcop for the help.

-----
People tend to think of SPAMers as a bunch of monkeys, i.e. they know 
nothing, utilize off-the-shelf tools, and are completely unimaginative. I 
tend to differ, especially after what I saw happen…

It began about 3 months ago: our ezmlm mailing list was starting to get 
a lot of bounces, and when I say a lot, I mean a lot. The number quickly 
rose to more than 100 per hour, all of them bounces caused by malformed 
ezmlm requests. These bounces weren’t ordinary: their body was composed 
of a SPAMed email.

You would ask yourself, why would someone use ezmlm to bounce emails? 
Well, you take our security-oriented mailing list, which has its 
credibility (both the IP address of the mail server’s credibility and 
the email address’s credibility), and you utilize it for your spamming needs.

In addition, ezmlm will bounce almost any email it receives without 
thinking, and not only bounce it, but also include the entire incoming 
email, in our case the SPAM content, making it a nice-to-use SPAM relay.

After several weeks, our mail server was starting to get blocked by 
SpamCop and others which regard bounced email SPAM as regular SPAM. 
Several days ago, we decided to put an end to this shenanigan: we 
patched ezmlm - yes, changed the source code, as ezmlm doesn’t support the 
suppression of bounce emails - to stop it from sending back 
emails whenever something bad has happened, and lo and behold, a few 
hours after the change was put into place, our ezmlm was no longer being 
used to relay SPAM.

The only conclusion I can draw from this is that the SPAMers use 
some kind of technique (maybe even “SPAM” themselves) to detect whether 
it is still useful to use your SPAM relay for their needs, in this case 
our ezmlm configuration, and when it is no longer useful, they 
“conserve” their bandwidth and move on to their next target.
-----
http://blogs.securiteam.com/index.php/archives/353

	Gadi.
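The relay the quoted post describes works because the list manager's automatic reply carries the whole incoming message back to a forged sender. As an added example that is not code from Mailman, ezmlm or the original post, the following Python sketch shows the two defensive habits the thread points at: do not answer mail that is itself automatic (null envelope sender, or an Auto-Submitted or Precedence header), and when a notice does go out, quote only a few identifying headers rather than the body. The function names, the header list, the length limit and the sample messages are all assumptions constructed for this illustration.

```python
"""Backscatter-safe request notices for a mailing list manager.

Added illustration, not Mailman or ezmlm code. Given an incoming message the
list manager cannot process (malformed command, unknown list address), decide
whether any notice should be sent at all and, if so, build one that echoes a
few headers instead of the whole message, so the notice cannot carry a
spammer's payload to a forged sender.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Headers echoed back so a legitimate sender can identify the message (assumed list).
QUOTED_HEADERS = ("Date", "Message-ID", "Subject")
MAX_HEADER_LEN = 80  # assumed cap; a long Subject can itself carry a payload


def should_notify(msg: EmailMessage, envelope_sender: str) -> bool:
    """Return False when a notice would be backscatter or a mail loop.

    envelope_sender is the SMTP MAIL FROM address ("" or "<>" for the null sender).
    """
    # Null reverse path: the message is itself a bounce; never bounce a bounce.
    if envelope_sender.strip() in ("", "<>"):
        return False
    # RFC 3834: anything other than "no" marks automatically generated mail.
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return False
    # Precedence: bulk/list/junk is the older convention for the same thing.
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return False
    # Without a parseable From address there is nobody to notify.
    _, addr = parseaddr(str(msg.get("From", "")))
    return "@" in addr


def build_notice(raw: bytes, envelope_sender: str, list_addr: str) -> Optional[EmailMessage]:
    """Build a header-only notice, or return None when no notice should be sent."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not should_notify(msg, envelope_sender):
        return None
    lines = [
        "The list manager could not process your message.",
        "",
        "Identifying headers of that message (body deliberately omitted):",
    ]
    for name in QUOTED_HEADERS:
        value = msg.get(name)
        if value:
            lines.append(f"  {name}: {str(value).replace(chr(10), ' ')[:MAX_HEADER_LEN]}")
    notice = EmailMessage()
    notice["From"] = list_addr
    notice["To"] = envelope_sender          # notices go to the reverse path, as bounces do
    notice["Subject"] = "Unprocessable list request"
    notice["Auto-Submitted"] = "auto-replied"  # lets the other side recognise automatic mail
    notice["Precedence"] = "bulk"
    notice.set_content("\n".join(lines) + "\n")
    return notice


# Constructed sample: a spam payload sent to a malformed command address with a
# forged sender, the pattern described in the quoted post.
SAMPLE_SPAM = b"""From: victim@example.org
To: list-subscribe-nosuchcommand@lists.example.net
Subject: Cheap watches!!!
Message-ID: <constructed-1@spammer.example>
Date: Wed, 15 Mar 2006 19:32:54 +0100

Buy now at http://spam.invalid/
"""

if __name__ == "__main__":
    notice = build_notice(SAMPLE_SPAM, "victim@example.org", "list-request@lists.example.net")
    print(notice.as_string() if notice else "no notice sent")
    # The same message arriving with a null envelope sender gets no reply at all.
    print(build_notice(SAMPLE_SPAM, "", "list-request@lists.example.net"))
```

The notice still reaches the forged address, but it carries only a capped Subject line and two identifiers, which is the "just quote the subject line" behaviour mentioned above rather than a copy of the spam; the null-sender and Auto-Submitted checks are what stop the list from replying to other systems' bounces and so from joining a loop.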


