You are here: Home > Participate > Join a Discussion > Mailman Archives
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: spam-tools?

  • From: "Valentin Hilbig" < >
  • Date: Fri, 15 Jun 2001 23:14:00 +0200

I don't have a tool handy.

But here are the fingerprints ORBS used (at least this is a grep of
Queue-Files which got cought by my ANTI-SPAM filter):

 | :S<!sender> | :RPFD:<!orbs-relaytest>
 | :S<sender>          | :RPFD:<!orbs-relaytest>
 | :Ssender@localhost |
 | :Ssender@localhost |
 | :Ssender@localhost | :RPFD:<!orbs-relaytest@[]>
 | :Ssender@localhost |
 | :Ssender@localhost | :RPFD:<[]>
 | :Ssender@localhost |
 | :Ssender@localhost | :RPFD:orbs-relaytest@localhost@[]>
 | :Ssender@localhost |
:RPFD:orbs-relaytest@[email protected]>

:S is the sender :RPFD is the receiver from the transport header.
The machine was or, so you see the tricks

If none of this works the relay seems to be quite closed.

There are several other holes, which are based on wrong access permissions
and the like.  However you cannot probe for that automatically, so above
tests should be enough for a start.

It's my thesis that "closing" a relay is not enough:

One "nice" idea for me how to SPAM even through fully closed relays of ISPs
without fear of beeing punished (I never did it, though):

On a unix box create a .forward to a host which rejects all eMail.  There
are many providers out there who allow you to do that.
Then from somewhere else in the World send SPAM to this account with a FROM
of the recipients you want to reach.
This will first queue the SPAM and then send it back to the given sender!
Be sure the MTA copies the body in full.
The SPAM recipients (senders in the original mail) get a Postmaster message
and WILL read it to investigate .. and will read your SPAM this way.

You (the one with the faulty .forward) will not be blamed, you are the
You (the victim) do NOT punish the SPAMmer either (you don't punish
Usually there is no RECEIVE QUOTA for eMail, only a SEND QUOTA, so there is
no problem at all.
And if the SPAM happens to hit a mailing list (like lately here) the ML
software sorts out the deamon, so you don't get too many upset people ;)

If they find out that this was you, you even can insist on that you wanted
to test something and it "glitched".

AFAICS there is only one protection against such type of SPAM.
And there should be Zillions of such "dead" accounts out there already.  So
you perhaps don't need your own account, you only have to find them (perhaps
analyse Backlog of SPAM?).

Only protection I can imagine:

Enforce the MTA not to copy the body.
And enforce a reasonable limit to the Subject line (else the spammers might
start to put it all in the Subject).

Put your favorite swear word here.



ORBS ( ) is R.I.P. and I think this is good as it
tested my relays regardless that I did not want ORBS to test my relays ever.
So ORBS did an illegal action in my point of view and I don't want illegal
things to happen in Internet.

Valentin `Tino4 Hilbig
URL: 1073 560D 7C71 7548 61F1 E5E1 D89E 4DF3 9557 4064 Ich hab' die Schnauze voll von Ferrero. ----- Original Message ----- From: "Jan Meijer" <jan.meijer@localhost Sent: Friday, June 15, 2001 6:56 PM Subject: spam-tools? > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi anti-spam wg, > > Please treat this as a serious question ;). I was just reading up on > the anti-spam wg minutes, came accross the open relay bit and was > musing about ways to both efficiently and adequately open-relay test a > network of approx. 250 connected heterogenous(university) networks, as > my last method (portscan for port 25 and subsequently do a simple open > relay test) did not find them all :(. > > My time is rather limited, so if there would be a install-configure-run > tool that allows me to scan all our customers for port 25 and > open-relay test them for even the more exotic relay methods that would > be very helpful (would save a couple of days of figuring out the > correct settings for the portscan to optimize time but not lose on > completeness of the portscan). One thought that popped up was to use > the tools spammers are using themselves. Perhaps someone has a > pointer/tool that does the trick? > > Jan Meijer > SURFnet Services & Support > > -----BEGIN PGP SIGNATURE----- > Version: PGP 7.0 > > iQA/AwUBOyo+N9JQWnx7bpKpEQIQhACgy4PSSYX+tzt7hBjg55zC/RU73SsAoNuN > BAbVGXg0FEi4mx7FMzIQBx8K > =cYEC > -----END PGP SIGNATURE----- >

  • Post To The List:
<<< Chronological >>> Author    Subject <<< Threads >>>