RE: Spamcop issue

["David Gillett" <gillettdavid () fhda edu>]

  Unless things have changed drastically lately, SpamCop doesn't
do anything to block spam sources, it just makes it easy for 
recipients to complain to the folks responsible.
  And if you know you're being a spam source, and are choosing not
to clean it up at this time, then receiving complaints submitted
via SpamCop is "Doing the Right Thing"....

  I recently caught a spambot on our network.  One of the things
I watch for is ICMP Unreachables, and I noticed that one of our
stations was getting some every few minutes from a couple of 
servers in Hong Kong.
  Since the ICMP packet contains the headers of the packet that
prompted it, I was able to see that these servers were rejecting
SMTP connection attempts.  That's kind of odd, since internal
email clients should be sending to our enterprise SMTP server....
  Time to crank up my sniffer and see what else this station is
doing.  Hmmm, HTTP connection over some high port number, downloading
some several kilobyte binary thing, then SMTP connections to about
fifty remote servers....
  The two in Hong Kong are refusing the connection.  Many of the
others are accepting the TCP connect, but at the SMTP level are
saying "We won't accept messages from you."  Oh, there's one that's
accepting a message:  yadda yadda VIAGRA yadda....
  Block outbound SMTP directly from that machine until Tech Services
reports that it has been cleaned.  Oh yeah, and block/log that "HTTP" 
connection, too, in case the same entity has compromised other 
machines on our network.

David Gillett


> -----Original Message-----
> From: marco [mailto:marco () spaz org] 
> Sent: Wednesday, September 10, 2008 4:29 PM
> To: security-basics () securityfocus com
> Subject: Spamcop issue
>
> Anyone dealt with trying to get whitelisted with them.
> You are allowed a freebie, but If the spam problem continues, 
> you don't get a second shot.
>
> Or better yet, any good tools out there to get rid of spam 
> bugs and/or trojans...or at least scan a workstation to see 
> if there is one or similar Or maybe good tips on how to see 
> if someone is using a particular user's account or outgoing 
> domain to send out spams? Etc...
>
> I have some ideas, but can't think straight right now, too 
> busy with other projects.  Sure I can use multiple mail 
> gateways for now until I locate the issue...but ya know..
>
> thanks
>
> -m
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> > > >
> ----------------------------------((((((((((((((((((((0)))))))
> ))))))))))))))
> > > > ))))))))))
> > > >
> > > > " He who gives up liberty for security ends up with neither". - 
> > > > Benjamin
> > > > Franklin*
> > > >
> > > >
> > > >
> > > > "....i can't stop you, but maybe the earth can....."
> > > > -anonymous activist
> > > >
> > > >
> > > > "My other computer is your Windows box"
> > > >
> > > >
> > > > "......we ArE frequency generators...."
> > > >
> > > >
> > > > " If liberty means anything at all, it means the right to tell 
> > > > people what they do not want to hear. " - George Orwell
> > > >
> > > >   "......in C we will see what we see......."
> > > > -my very first Programming teacher, Claude Comair
> > > >
> > > > ³.....Without some risks, there is no liberty, only 
> > > > subservience....²
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > "....the last time we mixed religion & politics, people 
> were burned 
> > > > at the stake..."
> > > >
> > > >
> > > > > > -----
> > > > > > techNotics
> > > > > > techNotics.info
> > > > > > noizey mac technology
> > > > > > 510.684.1550
> > > > > > -----
> > > > > > holdfastrecordings.com
> > > > > > missgawker.org