[Mailman-Users] relaying spam using mailing lists
Gadi Evron
ge at linuxbox.org
Wed Mar 15 19:32:54 CET 2006
A friend of mine just wrote about what happened to an ezmlm mailing list
he runs, and how it was recently used to relay spam (quoted below).
All mailing list managers return bounces of some sort, for
subscriptions, unsubscriptions, moderation, etc. (*configuration
dependent*), some just quote the subject line though, as an example.
Do we risk blocking by black lists for allowing mailing list bounces?
Do we in blacklists block spam in bounces?
We all see spam bouncing off our lists, how do we distinguish what's
what? Especially if these are bounces themselves?
How would mailman be vulnerable, if at all?
Thanks go to Ellen from spamcop for the help.
-----
People tend to think of SPAMers as a bunch of monkeys, i.e. know
nothing, utilize off the shelf tools, and completely unimaginative. I
tend to differ, especially after what I saw happen…
It began about 3 months ago: our ezmlm mailing list was starting to get
a lot of bounces, and when I say a lot, I mean a lot. The number quickly
rose to more than 100 per hour, all of them bounces caused by malformed
ezmlm requests. These bounces weren’t ordinary: their body was composed
of a SPAMed email.
You would ask yourself, why would someone use ezmlm to bounce emails?
Well, you take our security oriented mailing-list, which has its
credibility (both the IP address of the mail server’s credibility and
the email address’s credibility) and you utilize it for your spamming needs.
In addition, ezmlm will bounce almost any email it receives without
thinking, and not only bounce it, but also include the entire incoming
email, in our case the SPAM content, making it a nice-to-use SPAM relay.
After several weeks, our mail server was starting to get blocked by
SpamCop, and others which regard bouncing email SPAM as regular SPAM.
Several days ago, we decided to put an end to this shenanigan: we
patched - yes, changed the source code, as ezmlm doesn’t support the
suppression of bouncing emails - ezmlm to stop it from sending back
emails whenever something bad has happened, and lo and behold, a few
hours after the change was put into place, our ezmlm was no longer being
used to relay SPAM.
The only option I can conclude from this is that the SPAMers use
some kind of technique (maybe even “SPAM” themselves) to detect whether
it is still useful to use your SPAM relay for their needs, in this case
our ezmlm configuration, and when it is no longer useful, they
“conserve” their bandwidth and move on to their next target.
-----
http://blogs.securiteam.com/index.php/archives/353
Gadi.
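The quoted post describes the two properties that turned the list into a backscatter relay: the list manager answered nearly every malformed request, and the answer carried the whole incoming message. The following is an added example, written for this thread and not code from the original post, from ezmlm or from Mailman. It sketches a reply policy a list manager could apply before sending any automatic response: never answer a null envelope sender or mail already marked automatic (the RFC 3834 `Auto-Submitted` and `Precedence` headers are real; the subscriber-only rule, the rate limit of 20 replies per hour, the 72-character header cut-off, the `BouncePolicy` class and the sample message are all assumptions), and when a reply is sent, quote a few headers only and never the body.

```python
import time
from collections import deque
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed sample (not a real message): spam aimed at a list command
# address, with a forged sender. A naive bounce would echo the body back
# to victim@example.net, which is exactly the relay the post describes.
SAMPLE_SPAM = """\
From: "Store" <victim@example.net>
To: list-subscribe@lists.example.org
Subject: Cheap watches!! Buy now
Date: Wed, 15 Mar 2006 18:00:00 +0100
Message-ID: <constructed-1@spam.example>

Visit http://spam.example/ for the best deals.
"""


class BouncePolicy:
    """Decide whether a list manager should answer a message at all and,
    if so, build a reply that quotes a few headers and never the body.
    The subscriber-only rule and the thresholds are assumptions."""

    QUOTED_HEADERS = ("Date", "Message-ID", "Subject")
    MAX_HEADER_LEN = 72

    def __init__(self, subscribers, max_per_window=20, window_seconds=3600):
        self.subscribers = {s.lower() for s in subscribers}
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._sent = deque()  # timestamps of replies already sent

    def _prune(self, now):
        while self._sent and now - self._sent[0] > self.window_seconds:
            self._sent.popleft()

    def decide(self, envelope_sender, raw_message, now=None):
        """Return (reply, reason). reply is False when the message should be
        dropped silently; in that case nothing leaves the server."""
        now = time.time() if now is None else now
        msg = message_from_string(raw_message, policy=default)
        if not envelope_sender:
            return False, "null envelope sender: never answer a bounce"
        # RFC 3834 markers: automatic mail must not be answered automatically.
        if (msg.get("Auto-Submitted") or "no").lower() != "no":
            return False, "auto-submitted mail: do not reply"
        if (msg.get("Precedence") or "").lower() in ("bulk", "junk", "list"):
            return False, "bulk/junk/list precedence: do not reply"
        # Forged senders are the norm in backscatter; only answer addresses
        # the list already knows (assumed policy).
        if envelope_sender.lower() not in self.subscribers:
            return False, "sender is not a subscriber: drop silently"
        self._prune(now)
        if len(self._sent) >= self.max_per_window:
            return False, "reply rate limit reached: drop silently"
        self._sent.append(now)
        return True, "your request could not be processed"

    def build_reply(self, envelope_sender, raw_message, list_owner, reason):
        """Build the reply. Only selected headers are quoted, truncated,
        so the reply can never carry the original message body."""
        msg = message_from_string(raw_message, policy=default)
        reply = EmailMessage()
        reply["From"] = list_owner
        reply["To"] = envelope_sender
        reply["Subject"] = "Request to the list could not be processed"
        reply["Auto-Submitted"] = "auto-replied"  # stop reply loops
        reply["Precedence"] = "bulk"
        lines = [reason.capitalize() + ".", "",
                 "Headers of the message we received (body omitted):"]
        for name in self.QUOTED_HEADERS:
            value = str(msg.get(name, ""))[: self.MAX_HEADER_LEN]
            lines.append(f"  {name}: {value}")
        reply.set_content("\n".join(lines) + "\n")
        return reply


if __name__ == "__main__":
    policy = BouncePolicy(subscribers=["alice@example.org"])
    for sender in ("victim@example.net", "alice@example.org", ""):
        ok, why = policy.decide(sender, SAMPLE_SPAM)
        print(f"{sender or '<>'!r}: {'reply' if ok else 'drop'} ({why})")
```

Run as a script, the sample spam from the forged sender is dropped, a subscriber gets a short reply, and a null sender gets nothing. The rate limit is the part that addresses the "100 per hour" figure in the post: even a sender that passes every other check cannot make the list emit an unbounded stream of replies.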