List: majordomo-users
Subject: Re: abuse of "help"-command for spamming
From: "Joe R. Jah" <jjah () cloud ! ccsf ! cc ! ca ! us>
Date: 2003-11-07 5:03:31
On Thu, 6 Nov 2003, Chip Old wrote:
> Date: Thu, 6 Nov 2003 06:34:51 -0500 (EST)
> From: Chip Old <fold@bcpl.net>
> To: MAJORDOMO-USERS <majordomo-users@greatcircle.com>
> Subject: Re: abuse of "help"-command for spamming
>
> On Thu, 6 Nov 2003 11:06 +0100, Joergen W. Lang wrote:
>
> > during the past few weeks I was experiencing spam attacks which seem to
> > utilize MD's "help" command.
> >
> > It looks like the originator sends a "help" request to my MD with a
> > forged "From:" or "Reply-To:"-header. The request contains arbitrary
> > advertisements. In turn, MD tries to find a command in the message body
> > but only sees HTML-Code (in the case of non-text-only messages).
> >
> > MD then tries to send back a copy of the offending request alongside
> > with the help message. I only receive the bounces so I reckon, there's a
> > good few messages actually going through if the targeted account is
> > existing.
>
> What you describe is very common. If you've been running Majordomo lists
> for any length of time, I'm surprised you haven't seen it earlier. It
> isn't an attack specifically on MD's "help" function. It's simply the
> result of one or more spammers who have your majordomo address on their
> list of target addresses. Any time Majordomo receives a message that
> doesn't contain a recognisable command, it sends the "help" file back to
> the apparent sender.
>
> If the sender address is a real one it probably doesn't belong to the
> spammer, so some unsuspecting innocent receives Majordomo's "help" reply.
> If the sender address is not a real address, you receive the resulting
> mail delivery error message.
>
> As for why spammers are sending to your majordomo address, keep in mind
> that most spammers don't do their own address harvesting. Instead they
> buy CDs full of addresses, usually harvested by other spammers. Spammers
> are firm believers in the old saying "There's a sucker born every minute",
> and being totally without scruples they apply that to their fellow
> spammers as well as to the targets of their spam. There are CDs being
> sold that contain nothing but well-known addresses (root, postmaster,
> abuse, majordomo, etc) with thousands of domain names appended.
>
> Or, it may be that some spammer used an "alphabet attack" on your MTA to
> learn valid e-mail addresses on your system, and harvested your majordomo
> address that way.
>
> > Since I could not find anything on this particular subject in either
> > the archives or the FAQ or on Google, here's my question:
> >
> > Do you know of any way around this problem?
>
> None that I know of, short of rewriting majordomo to ignore any message
> that contains no valid commands and more than x number of invalid ones.

ftp://ftp.ccsf.org/majordomo-patches/1.94.5/noCommand_noBounce.0

Regards,
Joe
--
_/ _/_/_/ _/ ____________ __o
_/ _/ _/ _/ ______________ _-\<,_
_/ _/ _/_/_/ _/ _/ ......(_)/ (_)
_/_/ oe _/ _/. _/_/ ah jjah@cloud.ccsf.cc.ca.us
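
The rule quoted above (ignore a message that has no valid commands and more than x invalid ones), sketched as a filter placed in front of Majordomo. This is an added example, not part of the thread and not the code of the linked patch. The command set is a subset of Majordomo 1.94 keywords; `MAX_INVALID`, the function names and the sample messages are assumptions made for illustration.

```python
import email
from email import policy

# Subset of the Majordomo 1.94 command keywords.
COMMANDS = {"subscribe", "unsubscribe", "get", "index", "which", "who",
            "info", "intro", "lists", "help", "end"}
MAX_INVALID = 3  # the "x" from the thread; this value is an assumption


def count_lines(raw: bytes) -> tuple[int, int]:
    """Return (valid, invalid) command-line counts for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Prefer text/plain; fall back to HTML so that markup is counted as
    # invalid lines, which is what a line-oriented command parser sees.
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    valid = invalid = 0
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if line.strip() == "--":      # signature delimiter: stop reading
            break
        word = words[0].lower()
        if word in COMMANDS:
            valid += 1
        else:
            invalid += 1
        if word == "end":             # explicit end of commands
            break
    return valid, invalid


def decide(raw: bytes) -> str:
    """'process' = hand to Majordomo, 'help' = send help, 'drop' = no reply."""
    valid, invalid = count_lines(raw)
    if valid:
        return "process"
    if invalid > MAX_INVALID:
        return "drop"                 # nothing goes back to a forged sender
    return "help"                     # short, confused request still gets help


# Constructed sample messages (not taken from the thread).
HDR = b"From: someone@example.org\nTo: majordomo@lists.example.com\n"
SPAM = (HDR + b"Content-Type: text/html\n\n<html>\n<body>\n<p>Buy now</p>\n"
        b"<a href=\"http://example.invalid/\">x</a>\n</body>\n</html>\n")
TYPO = HDR + b"\nsubscribbe test-list\n"
REAL = HDR + b"\nsubscribe test-list\nend\nsome trailing signature text\n"
```
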