rsync - Mar 2005 - Spam to this list

Hi,

I'm not sure what the policy of this list is and I bet everyone has a spam 
filter, so nobody might have noticed, but we got spammed.

Can anyone send mail to the list or do you have to subscribe first ?

--   dag wieers,  dag@wieers.com,  http://dag.wieers.com/   --
[all I want is a warm bed and a kind word and unlimited power]

On Fri, 25 Mar 2005 20:42:19 +0100 (CET), Dag Wieers dag-at-wieers.com
|Rsync List| <...> wrote:
> I'm not sure what the policy of this list is and I bet everyone has a
spam
> filter, so nobody might have noticed, but we got spammed.
> 
> Can anyone send mail to the list or do you have to subscribe first ?
Anyone can send mail, including phishers. I think we all got this one
an hour ago or so:

-----
 We regret to inform you that your eBay account could be suspended if
you don't re-update your account information. To resolve this problems
please  click here and re-enter your account information. If your
problems could not be resolved your account will be suspended for a
period of 3-4 days, after this period your account will be terminated.
-----

This nicely done phish uses
http://lenix.brinkster.net/ebay/redirect.php to collect your Ebay
login information.

The rsync list is one of my higher sources of spam, but I also
understand the reasoning behind keeping the list open.  The list
managers have installed filters, but they can only do so much.

For a complete history of spam discussions here, try this Google search:

http://www.google.com/search?as_q=spam&num=10&as_sitesearch=lists.samba.org

  -- Steve

John Van Essen wrote:
> Off list to rsync list owner (feel free to reply on-list if you like):
>
>
> On Fri, 25 Mar 2005, Dag Wieers <dag@wieers.com> wrote:
>
>>Hi,
>>
>>I'm not sure what the policy of this list is and I bet everyone has
a spam
>>filter, so nobody might have noticed, but we got spammed.
The policy is to block as much spam as possible without blocking
legitimate posts.  A 100% solution is impossible, even if we had human
moderation (humans make mistakes).

It seems that these posts got through during a surge of spam when the
filter hit its maximum-process limit.  During the day of the 24th more
than 60 spam messages to the list were blocked.
> I got several.  Delivered to the mailing list from:
>
>   cpe-24-243-54-175.satx.res.rr.com [24.243.54.175]
>   unknown [219.252.105.93]
>   unknown [218.59.89.16]
>   unknown [200.159.206.55]
>
> The first one has been in the dul.dnsbl.sorbs.net blacklist since Oct.
> I use these 4 DNS-based blacklists in the mail server that I manage:
>
>   sbl-xbl.spamhaus.org
>   list.dsbl.org
>   dul.dnsbl.sorbs.net
>   web.dnsbl.sorbs.net
>
> And they have helped a LOT.
> The other 3 have no reverse DNS entries.  A machine with no reverse DNS
> that is sending email is not very likely to be a legitimate email server.
> It's much more likely a compromised machine on a clueless ISP's
network.
> Rejecting email from those unidentified machines also has helped a lot.
Using any of those measures alone tends to block legitimate posters,
particularly those running their own mail server, which to my mind is a
greater harm than letting ocassional spam go through.  Our purpose here
is to run a mailing list, not punish ISPs.  So we use all the things you
named as part of a weighted score.

--
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url :
http://lists.samba.org/archive/rsync/attachments/20050326/bab6ffd0/signature.bin

Unfortunately I must report that legitimate emails are also blocked by
sbl-xbl.spamhaus.org.

After exchanging a number of private emails with jdc@inr.net, my next answer
was blocked without reason at all.

krisnek@citykom.net
-------------- next part --------------
HTML attachment scrubbed and removed

Christian Nekvedavicius wrote:
> Unfortunately I must report that legitimate emails are also blocked by
> sbl-xbl.spamhaus.org.
If you e-mails are being blocked by a sbl-xbl.spamhaus.org listing then 
you should be complaining loudly to your network provider.

It my help if you find out what list(s) that the I.P. address that is 
being listed is really on.

The sbl-xbl.spamhaus.org is combination of three lists:

   sbl = sbl.spamhaus.org
   xbl = opm.blitzed.org and cbl.abuseat.org

To get on the sbl portion, an internet provider has either had to work 
at being a bad network citizen and have been ignoring legitimate abuse 
complaints or is actively and knowingly assisting a spammer.  The sbl is 
very conservative and will only list a production mail server as a last 
resort.

To get on the opm.blitzed.org means that I.P. address has recently been 
tested and confirmed to be an open proxy, which basically means that it 
is providing unlimited free e-mail and other network services to every 
criminal on the internet.  opm.blitzed.org will retest on request.

To get on cbl.abuseat.org, the I.P. in question must have sent e-mail to 
a spamtrap address, and the contents of that e-mail was determined not 
to be from an auto-responder that is generating a new mail in response 
to spam or a virus.

About the only way to get on the cbl.abuseat.org is for the I.P. listed 
to either be controlled by a virus or controlled by a spammer through an 
open proxy.

Removal from the cbl.abuseat.org is done through a webform, one removal 
is allowed per week.


So about only way that a mail server can get on the sbl-xbl.spamhaus.org 
is if it is under the control of a virus or a spammer.


Now looking at the mail server that your post went through:

It is not listed in the sbl-xbl.spamhaus.org.

opm.blitzed.org claims that they have never listed the I.P. address and 
have never been requested to do a test on that I.P. address.

The cbl.abuseat.org also shows that is is not listed currently.  No 
other information is available.

The I.P. address is listed in bl.spamcop.net as hitting spamtraps.

There appears to be 5 outgoing mail servers for that domain, and that 
means that currently you have a 20% chance of your mail being rejected 
if you mail someone whose postmaster is using the spamcop blocking list 
for rejection instead of scoring.

At least three of the mail servers have recently sent spam to spamtraps 
operated by the opm.blitzed.org.  This caused proxy tests to be 
performed on them which they passed.
> 195.202.32.15 listed in bl.spamcop.net (127.0.0.2)
> 
> If there are no reports of ongoing objectionable email from this
> system it will be delisted automatically in approximately 21 hours.
> Causes of listing
Maximum listing time after the last spam report is 48 hours.
Minimum listing time is 1/2.  The time between varies based on an 
algorithm that takes into account prior listings of that I.P. address, 
and the amount of spam reported from it.
> * System has sent mail to SpamCop spam traps in the past week (spam
> traps are secret, no reports or evidence are provided by SpamCop)
To get listed this way, it means that the amount of spam hitting 
spamcop.net spamtraps exceeded 1% of the volume of e-mail from that I.P. 
from various monitoring points on the Internet.

For an ISP mail server, 1% is usually a large number.

Senderbase is reporting measuring well over 10,000 e-mails per day from 
that I.P.
> Additional potential problems
> (these factors do not directly result in spamcop listing)
> 
>     * System administrator has already delisted this system once
> 
> Because of the above problems, express-delisting is not available
> Listing History
> In the past 17.7 days, it has been listed 3 times for a total of 38
 > hours

For a production mail server to get listed by spamcop.net this many 
times in that short of time, it indicates that there is a problem at 
that mail server, either it is relaying spam, or it is abusively 
bouncing spam and virus reports to what are known to be forged e-mail 
addresses instead of following the standard practice and using SMTP rejects.

Or they have a clueless user that is using the fake bounce function that 
some poorly written anti-spam software has.  Of course they would have 
had to bounce a lot of spam/viruses in a short time to cause a listing.

Sending bounces or virus notifications to forged addresses are 
effectively a denial of service attack against the user that the spam or 
virus impersonated.

It looks like someone delisted the I.P. address from the spamcop.net 
list with out fixing the problem that resulted in the listing.

Getting an ISP mail server listed on spamcop.net is also rare, but does 
happen, but generally there is a large period of time (Think 
months/years) between listings unless there is a chronic problem with 
the configuration or security of that server.

-John
wb8tyw@qsl.net
Personal Opinion Only