Posted to users@spamassassin.apache.org by jdow <jd...@earthlink.net> on 2004/09/21 11:16:58 UTC

What the Hell? Fw: Mail delivery failed: returning message to sender

Apache is using a DoS tool as a blacklist?

Send email from your ISP to listme@listme.dsbl.org and watch the
results. They say one email to that address is sufficient to cause
the entire relay path to be marked as spammers.

{+_+}
----- Original Message ----- 
From: "Mail Delivery System" <Ma...@grouse.mail.pas.earthlink.net>
To: <jd...@earthlink.net>
Sent: Monday, 2004 September, 20 23:57
Subject: Mail delivery failed: returning message to sender


> This message was created automatically by mail delivery software (Exim).
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
>   users@spamassassin.apache.org
>     SMTP error from remote mailer after RCPT TO:<us...@spamassassin.apache.org>:
>     host mail.apache.org [209.237.227.199]: 550 http://dsbl.org/listing?ip=207.217.120.116
>
> ------ This is a copy of the message, including all the headers. ------
>
> Return-path: <jd...@earthlink.net>
> Received: from ar39.lsanca2-4.16.240.206.lsanca2.elnk.dsl.genuity.net ([4.16.240.206] helo=kittycat)
> by grouse.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
> id 1C9eak-0002FK-00
> for users@spamassassin.apache.org; Mon, 20 Sep 2004 23:57:34 -0700
> Message-ID: <04...@kittycat>
> From: "jdow" <jd...@earthlink.net>
> To: <us...@spamassassin.apache.org>
> References: <41...@amnafzar.com> <15...@supranet.net>
> Subject: Re: SpamAssissian
> Date: Mon, 20 Sep 2004 23:57:33 -0700
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1437
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>
> And Apache.org uses a filter that is a DoS attack waiting to happen.
>
> Apache.org is using the dsbl.org blacklist that is basically a DoS
> attack on ISPs waiting to happen. All anybody needs to do is forward
> one message from anyplace through the Earthlink mailers to one published
> destination address, listme@listme.dsbl.org. It then adds every server
> that was involved in the path to their list. All ANYBODY needs to do to
> deny service to Earthlink customers, for example, is relay one message
> through Earthlink's servers.
>
> The idiot, the fuggheaded idiot, at Apache who considered using this
> list for even one femto-second should have his brains beaten in with
> a cluestick.
>
> It appears somebody played this prank earlier today.
>
> {O.O}
> ----- Original Message ----- 
> From: "Jeff Chan" <je...@surbl.org>
> To: <us...@spamassassin.apache.org>
> Sent: Monday, 2004 September, 20 23:07
> Subject: Re: SpamAssissian
>
>
> > On Monday, September 20, 2004, 10:59:10 PM, Mehdi Mehdi wrote:
> > > Does SpamAssassin have a database to keep spam source servers?
> > > Thanks
> >
> > For keeping track of spam source servers, SpamAssassin uses
> > external RBLs like xbl.spamhaus.org, list.dsbl.org, etc.
> >
> > Jeff C.
> > -- 
> > Jeff Chan
> > mailto:jeffc@surbl.org
> > http://www.surbl.org/



Re: What the Hell? Fw: Mail delivery failed: returning message to sender

Posted by Wess Bechard <sp...@eliquid.com>.
To be fair to the blacklisters,

There are many ways to authenticate smtp before allowing remote
senders.  Perhaps Earthlink does use its own method, but maybe it is
just not doing enough.

On Tue, 2004-09-21 at 15:06, jdow wrote:

> From: "Bob Apthorpe" <ap...@cynistar.net>
> 
> 
> > A quick check of http://dsbl.org/listing?ip=207.217.120.116 shows
> > earthlink's server being listed for being a single-hop open relay and
> > insecure formmail scripts. Looks like earthlink relays for o1.com users;
> > you may want to ask DSBL how trusted their reporter 'salsbury' is.
> 
> My understanding is that Earthlink servers are "open" so that people
> who are mobile can still send mail through their Earthlink accounts.
> The way they handle the spam issue is a tarpit operation. The more
> mails you send in a given interval the slower the mail processes. So
> Earthlink mailers can be used for spam - in very small quantities.
> 
> This is the basic reason I believe black lists are the spawn of the
> devil himself. They seldom take into account the technology used at
> the so called open relays.
> 
> And it still seems like its automated operation could be spoofed into
> blacklisting the entirety of the Earthlink servers. (I'm lucky I could
> switch to another one. They have "quite a few".)
> 
> It's rather frustrating and my urge is to find a way to deal with the
> twits at dsbl.org rather than Earthlink.
> 
> {^_^}

Re: What the Hell? Fw: Mail delivery failed: returning message to sender

Posted by snowjack <sn...@fastmail.fm>.
morticia wrote:
> I wish they'd use it and make it the default. But I do not wish to pay
> even more for my account because of the increased stupid luser support
> calls that would generate. Getting plain old dialup or DSL working is
> beyond most people. And many of them do not want to use something special
> like "TotalAccess." So....

If someone is so clueless that they can't enter a password to connect to 
their SMTP server, they will probably have trouble setting up their 
portable computer to access Earthlink's allegedly open relay through a 
non-Earthlink Internet access point anyway.

People connecting directly to Earthlink's network (i.e. the _vast_ 
majority of Earthlink's customers) will not need separate SMTP 
authentication since, presumably, they had to identify themselves to 
make their PPP/DSL/etc. connection in the first place. Earthlink has 
toll-free/local dial-up numbers for mobile users, right?

> And for what it is worth the tarpit approach they have is technically
> superior when faced with the throwaway account or the legitimate account
> that is hijacked by a spamming virus. (And with the password protection
> on Microsoft stuff you can bet the virus writers are already quite
> capable of pirating MS users' ISP passwords.)

No reason they couldn't use both SMTP-AUTH and their tarpit "solution."

> As I say they've not thought the problem through properly at DSBL.

Sure they have. There's NO legit reason to have an open relay. End of 
story. Earthlink's "solution," as you have described it, still allows 
criminals to hide their identities by using Earthlink servers as an 
anonymizer. It just reduces the scope of the problem. But again I'm 
skeptical that they really allow unauthenticated SMTP relays from 
systems outside their network, potentially exposing themselves to 
significant legal liability.

> AND at Apache they are using it in an ill-considered way to simply
> block email rather than score email. *NEVER* use a BL to utterly
> dispose of mail

You and I are in complete agreement on this point. But DSBL is one of 
the best blacklists around. If it's possible that you're mistaken about 
Earthlink allowing ANYONE to relay a message through their servers, call 
Earthlink and ask them to follow DSBL's simple de-listing procedure. It 
is more likely that some clueless Earthlink customer screwed up, 
misconfigured some DSBL software setup, and accidentally got their own 
mail relay listed.

Re: What the Hell? Fw: Mail delivery failed: returning message to sender

Posted by morticia <jd...@earthlink.net>.
From: "snowjack" <sn...@fastmail.fm>

> jdow wrote:
> > My understanding is that Earthlink servers are "open" so that people
> > who are mobile can still send mail through their Earthlink accounts.
> > The way they handle the spam issue is a tarpit operation. The more
> > mails you send in a given interval the slower the mail processes. So
> > Earthlink mailers can be used for spam - in very small quantities.
> 
> And you're blaming DSBL?
> 
> If what you say is true, do you suppose Earthlink has ever heard of 
> SMTP-AUTH for their mobile users? I wonder how Earthlink would prevent a 
> spammer from spoofing his/her IP address to a different address for each 
> message.

I wish they'd use it and make it the default. But I do not wish to pay
even more for my account because of the increased stupid luser support
calls that would generate. Getting plain old dialup or DSL working is
beyond most people. And many of them do not want to use something special
like "TotalAccess." So....

And for what it is worth the tarpit approach they have is technically
superior when faced with the throwaway account or the legitimate account
that is hijacked by a spamming virus. (And with the password protection
on Microsoft stuff you can bet the virus writers are already quite
capable of pirating MS users' ISP passwords.)

As I say they've not thought the problem through properly at DSBL.

AND at Apache they are using it in an ill-considered way to simply
block email rather than score email. *NEVER* use a BL to utterly
dispose of mail unless you are using it against the SOURCE address
not against relay addresses. Critical mail can be lost. (This has
cost my customer some major contracts. He insists on using AOL. That
is simple enough and gaudy enough to appeal to his salesman's instincts.)

{^_^}
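The scoring policy morticia argues for, as an added example that is not code from this thread or from SpamAssassin: DNSBL hits against the originating IP are weighted and compared to thresholds instead of triggering an outright 550, and a hop through a known shared relay is skipped so that the relay's listing is not charged to the individual sender. The zone weights, thresholds, relay network and sample listings are constructed for illustration, and lookup() stands in for a real DNS query.

```python
import ipaddress

# Constructed example config. Zone names are the ones mentioned in this thread;
# the weights and thresholds are illustrative, not SpamAssassin's real scores.
DNSBL_WEIGHTS = {
    "list.dsbl.org": 2.5,          # confirmed single-hop open relays
    "unconfirmed.dsbl.org": 0.5,   # one unformatted listme mail: low confidence
    "xbl.spamhaus.org": 3.0,       # exploited/zombie hosts
}
TAG_THRESHOLD = 2.0      # hypothetical: tag or quarantine from here up
REJECT_THRESHOLD = 5.0   # hypothetical: reject outright only from here up

# Hypothetical list of shared relays whose listing says nothing about the
# individual sender (an ISP smarthost like the one in the bounce above).
KNOWN_SHARED_RELAYS = [ipaddress.ip_network("207.217.120.0/24")]

# Constructed stand-in for DNS: names that would resolve in each zone.
SAMPLE_LISTINGS = {
    "116.120.217.207.list.dsbl.org",
    "116.120.217.207.unconfirmed.dsbl.org",
    "77.2.0.192.list.dsbl.org",        # constructed zombie in the 192.0.2.0/24 test range
    "77.2.0.192.xbl.spamhaus.org",
}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: the standard DNSBL lookup."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def originating_ip(received_ips, known_relays):
    """received_ips is the Received chain, newest hop first. Skip hops that are
    known shared relays and return the first remaining IP (the real source)."""
    for ip in received_ips:
        if not any(ipaddress.ip_address(ip) in net for net in known_relays):
            return ip
    return received_ips[-1]   # whole chain is relays: fall back to the oldest hop


def verdict(received_ips, lookup=SAMPLE_LISTINGS.__contains__,
            known_relays=KNOWN_SHARED_RELAYS):
    """Score DNSBL hits for the originating IP instead of rejecting on any hit.
    lookup(name) -> bool replaces a real DNS A-record query so this runs offline."""
    ip = originating_ip(received_ips, known_relays)
    hits = [z for z in DNSBL_WEIGHTS if lookup(dnsbl_query_name(ip, z))]
    score = sum(DNSBL_WEIGHTS[z] for z in hits)
    if score >= REJECT_THRESHOLD:
        return "reject", ip, score
    if score >= TAG_THRESHOLD:
        return "tag", ip, score
    return "accept", ip, score
```

With the chain from the bounce above (relay 207.217.120.116, then client 4.16.240.206) the relay's listing alone yields "tag" when checked directly and "accept" once the shared relay is skipped; only the constructed zombie IP, listed in two zones, crosses the reject threshold.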


Re: What the Hell? Fw: Mail delivery failed: returning message to sender

Posted by snowjack <sn...@fastmail.fm>.
jdow wrote:
> My understanding is that Earthlink servers are "open" so that people
> who are mobile can still send mail through their Earthlink accounts.
> The way they handle the spam issue is a tarpit operation. The more
> mails you send in a given interval the slower the mail processes. So
> Earthlink mailers can be used for spam - in very small quantities.

And you're blaming DSBL?

If what you say is true, do you suppose Earthlink has ever heard of 
SMTP-AUTH for their mobile users? I wonder how Earthlink would prevent a 
spammer from spoofing his/her IP address to a different address for each 
message.

I have a hard time believing that Earthlink doesn't use SMTP-AUTH. It's 
more likely that some legitimate (if somewhat clueless) Earthlink 
customer accidentally used DSBL software to list their own SMTP relay.

Re: What the Hell? Fw: Mail delivery failed: returning message to sender

Posted by jdow <jd...@earthlink.net>.
From: "Bob Apthorpe" <ap...@cynistar.net>


> A quick check of http://dsbl.org/listing?ip=207.217.120.116 shows
> earthlink's server being listed for being a single-hop open relay and
> insecure formmail scripts. Looks like earthlink relays for o1.com users;
> you may want to ask DSBL how trusted their reporter 'salsbury' is.

My understanding is that Earthlink servers are "open" so that people
who are mobile can still send mail through their Earthlink accounts.
The way they handle the spam issue is a tarpit operation. The more
mails you send in a given interval the slower the mail processes. So
Earthlink mailers can be used for spam - in very small quantities.

This is the basic reason I believe black lists are the spawn of the
devil himself. They seldom take into account the technology used at
the so called open relays.

And it still seems like its automated operation could be spoofed into
blacklisting the entirety of the Earthlink servers. (I'm lucky I could
switch to another one. They have "quite a few".)

It's rather frustrating and my urge is to find a way to deal with the
twits at dsbl.org rather than Earthlink.

{^_^}


Re: What the Hell? Fw: Mail delivery failed: returning message to sender

Posted by Bob Apthorpe <ap...@cynistar.net>.
Hi,

On Tue, 21 Sep 2004 02:16:58 -0700 "jdow" <jd...@earthlink.net> wrote:

> Apache is using a DoS tool as a blacklist?
> 
> Send email from your ISP to listme@listme.dsbl.org and watch the
> results. They say one email to that address is sufficient to cause
> the entire relay path to be marked as spammers.

You missed a part (http://dsbl.org/faq-help#testmessage):

"How should a DSBL listme mail be formatted?

In order to avoid false positives DSBL email needs to be formatted in a
special way, indicating the reason the mail is listed (so the admin can
fix the problem) and the email address the sender uses:

DSBL LISTME: <transport> <input ip>
<cookie>
<details>
DSBL END

<transport> should be 'smtp', 'formmail', 'socks', etc. (without the
quotes).
<input ip> is the IP address that is being tested (for the purpose of
determining multihop).
<cookie> is the token the tester requested by contacting
cookie.dsbl.org.
<details> should be the details for the transport, i.e. the SMTP
envelope for smtp, or the URL for formmail.

In order to prevent malicious users from getting email list servers onto
DSBL these headers have to occur on the beginning of the line and need
to start within the first 6 lines of the message."

Mail sent to listme that isn't formatted properly only gets the server
listed on unconfirmed.dsbl.org. If you block mail based on that, then
yes, you're an idiot. But grouse.mail.pas.earthlink.net is listed in
singlehop (list.dsbl.org) which apparently has higher standards for
listing.

A quick check of http://dsbl.org/listing?ip=207.217.120.116 shows
earthlink's server being listed for being a single-hop open relay and
insecure formmail scripts. Looks like earthlink relays for o1.com users;
you may want to ask DSBL how trusted their reporter 'salsbury' is.

If Earthlink isn't supposed to relay mail for o1.com users, then
Earthlink is operating an open relay and should be listed, otherwise the
DSBL reporter 'salsbury' needs a severe whacking with a cluebat and loss
of reporting privileges. Have you considered talking to Earthlink or
DSBL directly rather than grousing about ASF mail admins? The problem is
bigger than just Apache's use of list.dsbl.org.

Since the first of the year I've seen 181 rejections of mostly broadband
client machines (zombies) due to list.dsbl.org with no obvious FPs. YMMV.

-- Bob