Security Basics mailing list archives
RE: Spamcop issue
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 11 Sep 2008 09:46:02 -0700
Unless things have changed drastically lately, SpamCop doesn't do anything to block spam sources, it just makes it easy for recipients to complain to the folks responsible. And if you know you're being a spam source, and are choosing not to clean it up at this time, then receiving complaints submitted via SpamCop is "Doing the Right Thing"....

I recently caught a spambot on our network. One of the things I watch for is ICMP Unreachables, and I noticed that one of our stations was getting some every few minutes from a couple of servers in Hong Kong. Since the ICMP packet contains the headers of the packet that prompted it, I was able to see that these servers were rejecting SMTP connection attempts. That's kind of odd, since internal email clients should be sending to our enterprise SMTP server....

Time to crank up my sniffer and see what else this station is doing. Hmmm, HTTP connection over some high port number, downloading some several kilobyte binary thing, then SMTP connections to about fifty remote servers.... The two in Hong Kong are refusing the connection. Many of the others are accepting the TCP connect, but at the SMTP level are saying "We won't accept messages from you." Oh, there's one that's accepting a message: yadda yadda VIAGRA yadda....

Block outbound SMTP directly from that machine until Tech Services reports that it has been cleaned. Oh yeah, and block/log that "HTTP" connection, too, in case the same entity has compromised other machines on our network.

David Gillett
-----Original Message-----
From: marco [mailto:marco () spaz org]
Sent: Wednesday, September 10, 2008 4:29 PM
To: security-basics () securityfocus com
Subject: Spamcop issue

Anyone dealt with trying to get whitelisted with them? You are allowed a freebie, but if the spam problem continues, you don't get a second shot.

Or better yet, any good tools out there to get rid of spam bugs and/or trojans... or at least scan a workstation to see if there is one or similar? Or maybe good tips on how to see if someone is using a particular user's account or outgoing domain to send out spams? Etc...

I have some ideas, but can't think straight right now, too busy with other projects. Sure I can use multiple mail gateways for now until I locate the issue... but ya know..

thanks
-m
----------------------------------
"He who gives up liberty for security ends up with neither." - Benjamin Franklin
"....i can't stop you, but maybe the earth can....." - anonymous activist
"My other computer is your Windows box"
"......we ArE frequency generators...."
"If liberty means anything at all, it means the right to tell people what they do not want to hear." - George Orwell
"......in C we will see what we see......." - my very first Programming teacher, Claude Comair
".....Without some risks, there is no liberty, only subservience...."
"....the last time we mixed religion & politics, people were burned at the stake..."
-----
techNotics
techNotics.info
noizey mac technology
510.684.1550
-----
holdfastrecordings.com
missgawker.org
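The detection trick David describes above, watching ICMP Destination Unreachable messages and reading the quoted IP/TCP headers they carry to spot an internal station talking SMTP to servers other than the enterprise relay, can be automated. The following is an added example written for this archive page, not code from either poster. It assumes a placeholder internal range of 10.0.0.0/8, a placeholder enterprise SMTP relay at 10.0.0.25, raw IPv4 datagrams without link-layer framing, and a small constructed capture using documentation addresses (203.0.113.x, 198.51.100.x); the `build_*` helpers exist only to construct that sample traffic.

```python
"""Added example: flag internal hosts whose direct SMTP attempts are being
refused, using the original headers quoted inside ICMP Destination Unreachable.
Assumptions (constructed for this example, not from the mailing-list post):
  - internal network 10.0.0.0/8, enterprise SMTP relay 10.0.0.25
  - input is raw IPv4 datagrams (no Ethernet header)
"""
import ipaddress
import struct
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # assumed placeholder
ENTERPRISE_SMTP = ipaddress.ip_address("10.0.0.25")   # assumed placeholder
SMTP_PORT = 25
ICMP_DEST_UNREACH = 3


def ipv4_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) followed by payload; sample data only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_icmp_unreachable(reporter: str, victim: str, original: bytes, code: int = 3) -> bytes:
    """ICMP type 3 quoting the original IP header plus 8 bytes of its payload (RFC 792)."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    return build_ipv4(reporter, victim, 1, icmp)


def parse_icmp_unreachable(datagram: bytes):
    """Return (reporter, inner_src, inner_dst, inner_proto, sport, dport) for an
    ICMP Destination Unreachable that quotes a TCP or UDP packet, else None."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4 or datagram[9] != 1:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    reporter = str(ipaddress.ip_address(datagram[12:16]))
    icmp = datagram[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]                      # the quoted original datagram
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    if inner_proto not in (6, 17) or len(inner) < inner_ihl + 4:
        return None
    inner_src = str(ipaddress.ip_address(inner[12:16]))
    inner_dst = str(ipaddress.ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return reporter, inner_src, inner_dst, inner_proto, sport, dport


def find_direct_smtp_senders(datagrams, threshold: int = 2):
    """Map internal host -> sorted list of non-relay SMTP servers that refused it,
    keeping only hosts refused by at least `threshold` distinct servers."""
    refusals = defaultdict(set)
    for dg in datagrams:
        parsed = parse_icmp_unreachable(dg)
        if parsed is None:
            continue
        _, inner_src, inner_dst, proto, _, dport = parsed
        if proto != 6 or dport != SMTP_PORT:
            continue
        if ipaddress.ip_address(inner_src) not in INTERNAL_NET:
            continue
        if ipaddress.ip_address(inner_dst) == ENTERPRISE_SMTP:
            continue                      # talking to the relay is expected
        refusals[inner_src].add(inner_dst)
    return {h: sorted(d) for h, d in refusals.items() if len(d) >= threshold}


def sample_capture():
    """Constructed ICMP traffic, not a real capture."""
    pkts = []
    for dst in ("203.0.113.10", "203.0.113.11"):   # station refused by two external MTAs
        syn = build_ipv4("10.1.2.3", dst, 6, struct.pack("!HHI", 49152, SMTP_PORT, 0x1000))
        pkts.append(build_icmp_unreachable(dst, "10.1.2.3", syn))
    relay = build_ipv4("10.1.2.4", "10.0.0.25", 6, struct.pack("!HHI", 49153, SMTP_PORT, 0x2000))
    pkts.append(build_icmp_unreachable("10.0.0.25", "10.1.2.4", relay))  # relay briefly down
    dns = build_ipv4("10.1.2.5", "198.51.100.53", 17, struct.pack("!HHHH", 40000, 53, 12, 0))
    pkts.append(build_icmp_unreachable("198.51.100.53", "10.1.2.5", dns))  # unrelated UDP noise
    return pkts


if __name__ == "__main__":
    for host, servers in find_direct_smtp_senders(sample_capture()).items():
        print("direct SMTP from %s refused by %s" % (host, ", ".join(servers)))
```

The threshold matters: a single refusal can be a misconfigured client or a relay restart, but one station being turned away by several unrelated mail servers is exactly the pattern described above. The same parsing applies to unreachables captured from a span port or exported by a firewall, and the resulting host list is what you would feed to an outbound port 25 block and a ticket to the desktop team.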