List:       majordomo-users
Subject:    Re: abuse of "help"-command for spamming
From:       "Joe R. Jah" <jjah () cloud ! ccsf ! cc ! ca ! us>
Date:       2003-11-07 5:03:31

On Thu, 6 Nov 2003, Chip Old wrote:

> Date: Thu, 6 Nov 2003 06:34:51 -0500 (EST)
> From: Chip Old <fold@bcpl.net>
> To: MAJORDOMO-USERS <majordomo-users@greatcircle.com>
> Subject: Re: abuse of "help"-command for spamming
> 
> On Thu, 6 Nov 2003 11:06 +0100, Joergen W. Lang wrote:
> 
> > during the past few weeks I was experiencing spam attacks which seem to
> > utilize MD's "help" command.
> >
> > It looks like the originator sends a "help" request to my MD with a
> > forged "From:" or "Reply-To:"-header. The request contains arbitrary
> > advertisements. In turn, MD tries to find a command in the message body
> > but only sees HTML-Code (in the case of non-text-only messages).
> >
> > MD then tries to send back a copy of the offending request alongside
> > with the help message. I only receive the bounces so I reckon, there's a
> > good few messages actually going through if the targeted account is
> > existing.
> 
> What you describe is very common.  If you've been running Majordomo lists
> for any length of time, I'm surprised you haven't seen it earlier.  It
> isn't an attack specifically on MD's "help" function.  It's simply the
> result of one or more spammers who have your majordomo address on their
> list of target addresses.  Any time Majordomo receives a message that
> doesn't contain a recognisable command, it sends the "help" file back to
> the apparent sender.
> 
> If the sender address is a real one it probably doesn't belong to the
> spammer, so some unsuspecting innocent receives Majordomo's "help" reply.
> If the sender address is not a real address, you receive the resulting
> mail delivery error message.
> 
> As for why spammers are sending to your majordomo address, keep in mind
> that most spammers don't do their own address harvesting.  Instead they
> buy CDs full of addresses, usually harvested by other spammers.  Spammers
> are firm believers in the old saying "There's a sucker born every minute",
> and being totally without scruples they apply that to their fellow
> spammers as well as to the targets of their spam.  There are CDs being
> sold that contain nothing but well-known addresses (root, postmaster,
> abuse, majordomo, etc) with thousands of domain names appended.
> 
> Or, it may be that some spammer used an "alphabet attack" on your MTA to
> learn valid e-mail addresses on your system, and harvested your majordomo
> address that way.
> 
> > Since I could not find anything on this particular subject in either
> > the archives, the FAQ or on Google, here's my question:
> >
> > Do you know of any way around this problem?
> 
> None that I know of, short of rewriting majordomo to ignore any message
> that contains no valid commands and more than x number of invalid ones.

   ftp://ftp.ccsf.org/majordomo-patches/1.94.5/noCommand_noBounce.0

Regards,

Joe
-- 
     _/   _/_/_/       _/              ____________    __o
     _/   _/   _/      _/         ______________     _-\<,_
 _/  _/   _/_/_/   _/  _/                     ......(_)/ (_)
  _/_/ oe _/   _/.  _/_/ ah        jjah@cloud.ccsf.cc.ca.us
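
The rule suggested in the quoted reply above (ignore a request that has no valid command and more than x invalid lines, rather than mailing the help file to a possibly forged sender), as an added Python sketch. It is not code from Majordomo or from the patch linked above; the command set, the threshold MAX_INVALID and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy

# Majordomo 1.94 command verbs (assumed set for this sketch).
COMMANDS = {"subscribe", "unsubscribe", "get", "index", "which", "who",
            "info", "intro", "lists", "help", "end", "approve", "passwd",
            "newinfo", "newintro", "config", "newconfig", "writeconfig",
            "mkdigest"}
MAX_INVALID = 3  # hypothetical value for the "x" in the quoted reply


def classify(raw, max_invalid=MAX_INVALID):
    """Return 'process', 'help' or 'drop' for one request message."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return "drop"  # no text part at all, so nothing to parse or echo
    valid = invalid = 0
    for line in part.get_content().splitlines():
        words = line.split()
        if not words:
            continue
        verb = words[0].lower()
        if verb == "end":
            break  # "end" stops parsing, so a signature is not counted
        if verb in COMMANDS:
            valid += 1
        else:
            invalid += 1
    if valid:
        return "process"
    # No valid command: answer small mistakes, stay silent for junk so a
    # forged From: or Reply-To: address is never mailed the help file.
    return "drop" if invalid > max_invalid else "help"


# Constructed sample requests (addresses and list name are placeholders).
HDR = "From: someone@example.org\nTo: majordomo@lists.example.net\n"
SPAM_HTML = (HDR + "Content-Type: text/html\n\n<html>\n<body>\n"
             "<p>Buy now</p>\n<p>Limited offer</p>\n</body>\n</html>\n")
TYPO = HDR + "\nsubscibe test-list\n"
VALID = HDR + "\nsubscribe test-list\nend\n-- \nJoe's signature\n"

if __name__ == "__main__":
    for name, raw in (("html spam", SPAM_HTML), ("typo", TYPO), ("valid", VALID)):
        print(name, "->", classify(raw))
```

A genuine user who mistypes one command still gets the help text; only requests with nothing but unrecognised lines above the threshold are discarded without a reply.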
