CastleCops, Internet Crime Fighters
Postmaster emails

Forum: All -> FavForums -> The SpamForce Project
Paul
CastleCops Founder
Joined: Feb 22, 2002
Posts: 27351

PostPosted: Wed Jul 21, 2004 3:43 pm    Post subject: Postmaster emails

Scenario:

Spamsink email is spoofed in the From field. Email is sent to someone@example.com. Postmaster@example.com replies back to spamsink address saying email was blocked for some SPAM or Virus reason.

This email gets forwarded to my portal address for Spamforce.

What happens?


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
Ikeb
Special Response Team, Forums Admin
Joined: Apr 20, 2003
Posts: 16542

PostPosted: Thu Jul 22, 2004 5:30 am    Post subject:

Well, the postmaster shouldn't respond to a msg where the From: and To: fields are the same! ... But yeah, it's going to happen .....

Paul
CastleCops Founder
Joined: Feb 22, 2002
Posts: 27351

PostPosted: Thu Jul 22, 2004 4:14 pm    Post subject:

Oops, I noticed the problem...

From: tom@example.net
To: dick@example.com

Postmaster@example.com replies back to tom@example.net (the spamtrap).


Brendan
Lieutenant, Premium Member
Joined: Mar 29, 2004
Posts: 187
Location: UK

PostPosted: Thu Jul 22, 2004 11:54 pm    Post subject:

Regarding bounces, there are legitimate ones and there are regularly faked bounces (suggesting that a message was sent by the confused recipient but couldn't be received) which attempt to deceive the recipient into opening the virus attachment. Clearly (and desirably) these would be logged as spam should they hit a spam-sink address.

Unsurprisingly, unwitting recipients are easily fooled by this easy spoof tactic, which is indeed why it is commonly employed. Furthermore, the deployment of spoofed bounces has largely outmoded this form of interactive server response due to security risks and their regularity, and it's my guess that an increasing proportion of spam sufferers would choose to ignore them anyway.

Bounced message notifications could just as equally come from a hacker/spammer (commonly one and the same nowadays) with a virus attachment, or from a legitimate source. Also, there are many existing First-Alert faithful who regrettably make little attempt to properly check their messages and just report everything anyway - including all bounce reports.

There are also URLs that simply "black-hole" all misdirected incomings, so bounce reports cannot actually be relied upon. Better perhaps to request a read receipt, though I fully accept that this is not perfect or reliable either.

Now should a bounce be reported due to a mistaken quoted "reply-to" address (which would also have to accurately match a spam-sink address or a URL supporting catchall spam reporting), then we do have rear-guard support by way of the First-Alert admins in cases where the message appears to be genuine. Furthermore, for users of Mailwasher choosing to see all bounced messages, it should be possible to filter against a whitelist (Friends list) with the salient characteristics of a bounce message.

Nevertheless, some legitimate bounces might be inadvertently missed by FA admins and logged, though the only result being to block any further bounce messages containing the exact same content until the "logged" duration times out.

Now in the case of Paul's two examples...

Quote:

From: tom@example.net
To: dick@example.com

Postmaster@example.com replies back to tom@example.net (the spamtrap).


In this example, Tom has incorrectly quoted his return address (which by pure coincidence matches a spam-sink address) or used his spam-sink address to send email, which is neither advised nor generally acceptable. Further emails sent from Tom's spam-sink address, resulting in significant legit messages being reported and identified by admins, result in Tom's portal being suspended or deactivated, barring all future erroneous reports.

Quote:

Scenario:

Spamsink email is spoofed in the From field. Email is sent to someone@example.com. Postmaster@example.com replies back to spamsink address saying email was blocked for some SPAM or Virus reason.

This email gets forwarded to my portal address for Spamforce.

What happens?


The spoof message correctly gets reported to FA and helps avoid the sufferings of others receiving the same spoofed messages (and any attached viruses) from spawning systems. Furthermore, the source information can potentially be used to report probable infectees of propagating systems to ISP abuse teams (for example) - thereby safeguarding the interests of ISPs who could find themselves blocklisted as a result of unabated viral distribution on their networks, and the ISP could in turn "assist" the user by informing them if/why their account was suspended.

It is a complex issue, though I believe that we're approaching this problem in a balanced and responsible way - given the circumstances.

Brendan.


_________________
_________________

NEVER say "Never"!
_________________
Back to top
View users profile Send private message Visit posters website
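Brendan's "salient characteristics of a bounce message" and Paul's scenario can be made concrete. The Python below is an added example, not code from SpamForce, First-Alert or Mailwasher: it parses a constructed DSN returned to a spam-sink address, recognises it as a bounce, marks it as backscatter because the sink never sends mail (so the bouncing postmaster is not the party at fault), and pulls the originating client IP from the quoted original message, the detail Brendan notes is useful for an ISP abuse report. All addresses, hosts and the IP are constructed values.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the DSN that mx.example.com sends to tom@example.net after
# blocking a spoofed message that merely claimed to come from that address.
SAMPLE_BOUNCE = b"""From: postmaster@example.com
To: tom@example.net
Subject: Undeliverable: hello
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message to dick@example.com was blocked: virus detected.
--b1
Content-Type: message/rfc822

Received: from unknown (HELO pc) (203.0.113.5)
  by mx.example.com with SMTP; Wed, 21 Jul 2004 15:40:00 +0000
From: tom@example.net
To: dick@example.com
Subject: hello

hello
--b1--
"""

SPAM_SINKS = {"tom@example.net"}  # constructed: addresses that never originate mail
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def looks_like_bounce(msg):
    """Salient characteristics of a bounce: DSN structure, auto-reply flag, daemon sender."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    return (msg.get_content_type() == "multipart/report"
            or str(msg.get("Auto-Submitted", "")).lower().startswith("auto-")
            or sender.split("@")[0] in ("mailer-daemon", "postmaster"))

def classify_bounce(raw):
    """Say whether a bounce at a sink is backscatter and which client really sent the original."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not looks_like_bounce(msg):
        return {"kind": "not-a-bounce"}
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    verdict = {"kind": "bounce", "backscatter": recipient in SPAM_SINKS,
               "bouncing_host": parseaddr(str(msg.get("From", "")))[1].lower(),
               "source_ip": None}
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the quoted original message
            # The topmost Received header was added by the bouncing MX, so it names the real client.
            m = IPV4.search(str(original.get("Received", "")))
            verdict["source_ip"] = m.group(1) if m else None
            break
    return verdict
```

A backscatter verdict means the report should be attributed to `source_ip`, not to the postmaster that sent the DSN.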
Ikeb
Special Response Team, Forums Admin
Joined: Apr 20, 2003
Posts: 16542

PostPosted: Fri Jul 23, 2004 6:03 am    Post subject:

Brendan wrote:
Now in the case of Paul's two examples...

Quote:

From: tom@example.net
To: dick@example.com

Postmaster@example.com replies back to tom@example.net (the spamtrap).


In this example, Tom has incorrectly quoted his return address (which by pure coincidence matches a spam-sink address) or used his spam-sink address to send email, which is neither advised nor generally acceptable. Further emails sent from Tom's spam-sink address, resulting in significant legit messages being reported and identified by admins, result in Tom's portal being suspended or deactivated, barring all future erroneous reports.

OK so if a SPAMer were to discover that a particular address is a Spamsink, the SPAMer could purposely knock it out of commission by placing it as the From: address. Or if the SPAMer just happens to choose that particular address as the return address, the same effect.

Brendan wrote:

Quote:

Scenario:

Spamsink email is spoofed in the From field. Email is sent to someone@example.com. Postmaster@example.com replies back to spamsink address saying email was blocked for some SPAM or Virus reason.

This email gets forwarded to my portal address for Spamforce.

What happens?


The spoof message correctly gets reported to FA and helps avoid the sufferings of others receiving the same spoofed messages (and any attached viruses) from spawning systems. Furthermore, the source information can potentially be used to report probable infectees of propagating systems to ISP abuse teams (for example) - thereby safeguarding the interests of ISPs who could find themselves blocklisted as a result of unabated viral distribution on their networks, and the ISP could in turn "assist" the user by informing them if/why their account was suspended.

Eh? So FA! would see this as a bounce and someone@example.com gets suspended because a proactive mail admin bounced the SPAM otherwise destined for them?

Brendan
Lieutenant, Premium Member
Joined: Mar 29, 2004
Posts: 187
Location: UK

PostPosted: Fri Jul 23, 2004 8:51 am    Post subject:

Quote:

OK so if a SPAMer were to discover that a particular address is a Spamsink, the SPAMer could purposely knock it out of commission by placing it as the From: address. Or if the SPAMer just happens to choose that particular address as the return address, the same effect.


Should Tom reveal his spam-sink address(es) and a spammer were to aggressively attempt this action, then naturally there would be a disproportionate rise of bounces from a variety of servers arriving through Tom's portal.

Now if Tom himself were sending messages with a spam-sink address mistakenly quoted as his return address, then this is unlikely to yield a significant number of bounces to his spam-sink address(es) unless for some reason he repeatedly chooses to mail a considerable number of non-existent addresses, his system is infected and spawning messages that only quote his spam-sink address, or Tom himself is a spammer and for any reason uses a spam-sink address that he has raised.

Spammers certainly do use cycled munged addresses in ordinary spam and occasional bounces would of course be allowed for. Increasingly, innocent users are finding bounce reports arriving in their mailbox from messages that they never sent.

However, it's not actually in a spammer's interests to specifically use real "From" addresses. Doing so might serve as consolidated evidence of systematic abuse and the channels they are using, and if investigated further could ultimately place their valuable spam portals in jeopardy - particularly where bounce reports quote the IP address of the sending server in addition to the (forged) sending address.


Quote:

So FA! would see this as a bounce and someone@example.com gets suspended because a proactive mail admin bounced the SPAM otherwise destined for them?


With apologies, I admit to thinking at cross purposes here and causing some confusion - trying to think and pontificate well into the small hours!

Brendan.


Paul
CastleCops Founder
Joined: Feb 22, 2002
Posts: 27351

PostPosted: Fri Jul 23, 2004 2:29 pm    Post subject:

If a portal address is deemed to be dirty, does that cause information previously provided by it to be purged?


Brendan
Lieutenant, Premium Member
Joined: Mar 29, 2004
Posts: 187
Location: UK

PostPosted: Wed Jul 28, 2004 8:50 am    Post subject:

Sorry for the late reply.

There are mechanisms to purge the database of false reports subsequently flagged as legit, as occurs with manual reports from Mailwasher users just reporting everything and causing legitimate messages to slip through the net.

For all reports via the portals, these are all being monitored by FA admins as a rear-guard action, and if there were a significant number of reports arriving via a "dirty" portal this should be quickly identified and the portal suspended or removed.

With more portals reporting spam, the ability to identify "Dirty" portals should improve - particularly where reports are not significantly reflected from other portals in a given time-frame.


Brendan.


geminipussycat
Trooper
Joined: Apr 18, 2004
Posts: 13
Location: http://zillahthehun.blogspot.com/

PostPosted: Tue Dec 21, 2004 11:52 am    Post subject:

Paul,
I have noticed a pattern in the spam I am receiving that attaches a mail worm. Each mail is 76k or 77k in size and carries the same IP address that has been logged in Symantec as an attack on my computer with backdoor trojans and similar nasties. I have a pretty good idea where they are coming from and have sent abuse reports to the ISP only to receive a less than welcome reply requesting proof of abuse and adding: "For information regarding a customer, please provide us with a subpoena or court order."
I have roughly 200 of these emails I saved, I sent approx. 50 to abuse@yahoo.com and still have had no reply. I am currently recording them in .jpg format to send to the ISP as proof of abuse originating from that ISP. I figure if I open any more it is just perpetuating more spam to my email address. I don't want to lose my yahoo mail address because I have had it a long time. I think this is how many of us in our group are losing our accounts through yahoo.
Am I going about this correctly or is there another way to handle this kind of harassment?
Almost every one of the mails is labeled mailer-daemon@lalala.com and they are spoofed addresses of my family and friends' email servers, like it is being spawned from my own address book. I have checked the email headers and they all originate from the same IP address no matter where it claims to come from. It is beginning to look as if my mailbox is being used as a spam spawning hole.
Do you have any suggestions or ideas I overlooked? I'm just not net-literate as to what I should do, and then I stumbled onto your question here that is exactly what I'm dealing with.
Thank you,
Geminipussycat


_________________
You can not shake hands with a clenched fist.
All times are GMT