Posted to users@spamassassin.apache.org by Chris Santerre <cs...@MerchantsOverseas.com> on 2005/01/14 23:13:27 UTC

Verizon hosting spammers :)

Brief header I'm not too interested in. 

Received: from mail.printosh.hu (241.75-228-195.hosting.adatpark.hu
[195.228.75.241])
	by moglobal.com (8.12.5/8.12.5) with ESMTP id j0E5Lj1E012550
	for <so...@merchantoverseas.com>; Fri, 14 Jan 2005 00:21:47 -0500
Received: from [195.228.75.61] (HELO 195.228.75.41)
  by mail.printosh.hu (CommuniGate Pro SMTP 4.1.8)
  with SMTP id 152241; Fri, 14 Jan 2005 06:20:51 +0100
Message-ID: <00...@195.228.75.41>
To: <Ec...@moworldglobal.com>
From: "Low-Cost Term Life" <Se...@2minutequote.prserv.net>

HTML code showing verizon site. Should we block all mysite pages? /sniker/

<a onmouseover="window.status='See Your Savings!';return true;"
href="http://mysite.verizon.net/resoxfmz/1.htm"><img border="0"
src="http://pws.prserv.net/maxlife/EBA.jpg" width="620"
height="393"></a><!-- n bugtwtms sucxjdta uvjezwpb --></p><p><font
face="Microsoft Sans Serif" size="1">
<a href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Legal</a>
<a href="http://mysite.verizon.net/resoxfmz/1.htm">Privacy</a> </font><font
face="Microsoft Sans Serif" color="#4e4e4e" size="1">
<a
href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Preferences</a></
font><font face="Microsoft Sans Serif" size="1">&nbsp;</font></p><!-- k
hdfkzxgx tyhgmzrl hx--><p><font color="#FFFFFF"><span style="font-size:
1pt">&gt;&gt; &gt;&gt; Will they give the child a good religious upbringing?
That's our religion, isn't it? How ya doin'?</span></font></p>


Chris Santerre 
System Admin and SARE/SURBL Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 

Re: Verizon hosting spammers :)

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Saturday, January 15, 2005 6:25 AM -0800 Loren Wilton 
<lw...@earthlink.net> wrote:

> Personally I block anything that I can find a "window.status=" in.  They
> are all phish as near as I can tell.

No false positives? If not, you might enter a bugzilla to get it entered as 
an official rule. I'd love to see your entry from local.cf.

Re: Verizon hosting spammers :)

Posted by Loren Wilton <lw...@earthlink.net>.
> HTML code showing verizon site. Should we block all mysite pages? /sniker/
>
> <a onmouseover="window.status='See Your Savings!';return true;"

Personally I block anything that I can find a "window.status=" in.  They are
all phish as near as I can tell.

        Loren


Re: Verizon hosting spammers :)

Posted by Jeff Chan <je...@surbl.org>.
On Friday, January 14, 2005, 2:13:27 PM, Chris Santerre wrote:

> HTML code showing verizon site. Should we block all mysite pages? /sniker/

> <a DEFANGED_Onmouseover="window.status='See Your Savings!';return true;"
> href="http://mysite.verizon.net/resoxfmz/1.htm"><img border="0"
> src="http://pws.prserv.net/maxlife/EBA.jpg" width="620"
> height="393"></a><!-- n bugtwtms sucxjdta uvjezwpb --></p><p><font
> face="Microsoft Sans Serif" size="1">
> <a href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Legal</a>
> <a href="http://mysite.verizon.net/resoxfmz/1.htm">Privacy</a> </font><font
> face="Microsoft Sans Serif" color="#4e4e4e" size="1">
> <a
> href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Preferences</a></
> font><font face="Microsoft Sans Serif" size="1">&nbsp;</font></p><!-- k
> hdfkzxgx tyhgmzrl hx--><p><font color="#FFFFFF"><span DEFANGED_STYLE="font-size:
1pt">>&gt;&gt; &gt;&gt; Will they give the child a good religious upbringing?
> That's our religion, isn't it? How ya doin'?</span></font></p>

Let verizon know.  They probably have an AUP and probably enforce
it.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Verizon hosting spammers :)

Posted by Alex Broens <sa...@alexb.ch>.
Jeff Chan wrote:
> On Friday, January 14, 2005, 3:26:35 PM, Alex Broens wrote:
> 
>>Chris Santerre wrote:
>>
>>>Brief header I'm not too interested in. 
> 
> 
>>>HTML code showing verizon site. Should we block all mysite pages? /sniker/
> 
> 
> 
>>><a DEFANGED_Onmouseover="window.status='See Your Savings!';return true;"
>>>href="http://mysite.verizon.net/resoxfmz/1.htm"><img border="0"
>>>src="http://pws.prserv.net/maxlife/EBA.jpg" width="620"
>>>height="393"></a><!-- n bugtwtms sucxjdta uvjezwpb --></p><p><font
>>>face="Microsoft Sans Serif" size="1">
>>><a href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Legal</a>
>>><a href="http://mysite.verizon.net/resoxfmz/1.htm">Privacy</a> </font><font
>>>face="Microsoft Sans Serif" color="#4e4e4e" size="1">
>>><a
>>>href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Preferences</a></
>>>font><font face="Microsoft Sans Serif" size="1">&nbsp;</font></p><!-- k
>>>hdfkzxgx tyhgmzrl hx--><p><font color="#FFFFFF"><span DEFANGED_STYLE="font-size:
>>>1pt">&gt;&gt; &gt;&gt; Will they give the child a good religious upbringing?
>>>That's our religion, isn't it? How ya doin'?</span></font></p>
>>>
>>  Yep. And if you mail "abuse" from Europe they won't accept the message. :-)
> 
> 
>>blocked locally :-)
> 
> 
> urirhs* may not catch it since it's the third level of a gtld.

Jeff,

not using rbldnsd for this;
a URI rule does very nicely as well.

Alex



Re: Verizon hosting spammers :)

Posted by Jeff Chan <je...@surbl.org>.
On Friday, January 14, 2005, 3:26:35 PM, Alex Broens wrote:
> Chris Santerre wrote:
>> Brief header I'm not too interested in. 

>> HTML code showing verizon site. Should we block all mysite pages? /sniker/


>> <a DEFANGED_Onmouseover="window.status='See Your Savings!';return true;"
>> href="http://mysite.verizon.net/resoxfmz/1.htm"><img border="0"
>> src="http://pws.prserv.net/maxlife/EBA.jpg" width="620"
>> height="393"></a><!-- n bugtwtms sucxjdta uvjezwpb --></p><p><font
>> face="Microsoft Sans Serif" size="1">
>> <a href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Legal</a>
>> <a href="http://mysite.verizon.net/resoxfmz/1.htm">Privacy</a> </font><font
>> face="Microsoft Sans Serif" color="#4e4e4e" size="1">
>> <a
>> href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Preferences</a></
>> font><font face="Microsoft Sans Serif" size="1">&nbsp;</font></p><!-- k
>> hdfkzxgx tyhgmzrl hx--><p><font color="#FFFFFF"><span DEFANGED_STYLE="font-size:
>> 1pt">&gt;&gt; &gt;&gt; Will they give the child a good religious upbringing?
>> That's our religion, isn't it? How ya doin'?</span></font></p>
>> 
>   Yep. And if you mail "abuse" from Europe they won't accept the message. :-)

> blocked locally :-)

urirhs* may not catch it since it's the third level of a gtld.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
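
To make Jeff's point concrete: a SURBL-style URI lookup is keyed on the registrable domain, so a third-level gTLD host is collapsed to its parent before the DNS query ever goes out, while a local URI regex rule is applied to the URI text itself and can key on the third level. This is an added illustration written for this thread, not code from SpamAssassin or SURBL; the two-level suffix set is a constructed subset, the `uri`-rule behaviour is modelled rather than copied, and the sample body reuses the two hosts quoted above plus one constructed ccTLD host.

```python
import re

# Constructed, illustrative subset of two-level public suffixes. A real URIBL client
# uses a maintained list; this is enough to show the ccTLD case beside the gTLD case.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Matches an http(s) URI; group 1 is the host part, group 0 the whole URI.
URI_RE = re.compile(r"https?://([^/\s\"'>]+)[^\s\"'>]*", re.I)


def lookup_domain(host):
    """Reduce a URI host to the level a SURBL-style list is keyed on.

    gTLD hosts collapse to the second level (mysite.verizon.net -> verizon.net);
    hosts under a two-level ccTLD suffix keep the third level
    (www.example.co.uk -> example.co.uk).
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels)
    if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hosts_in(body):
    """Distinct hosts of all http(s) URIs found in a message body."""
    return sorted({m.group(1).lower() for m in URI_RE.finditer(body)})


def uribl_query_names(body, zone="multi.surbl.org"):
    """The DNS names a URIBL-style lookup would query for the URIs in body.

    Because of lookup_domain(), a listing that hit mysite.verizon.net would have
    to be a listing of verizon.net, i.e. every mysite.verizon.net page at once.
    """
    return sorted({lookup_domain(h) + "." + zone for h in hosts_in(body)})


def local_uri_rule(body, pattern):
    """A local URI regex rule (modelled on a SpamAssassin 'uri' rule) is run
    against each full URI, so it can key on the third-level host that the
    DNS lookup throws away. Returns the URIs the rule hits."""
    rx = re.compile(pattern, re.I)
    return [m.group(0) for m in URI_RE.finditer(body) if rx.search(m.group(0))]


# Constructed sample body: the two hosts quoted in the thread plus one ccTLD host.
SAMPLE_BODY = (
    '<a href="http://mysite.verizon.net/resoxfmz/1.htm">'
    '<img src="http://pws.prserv.net/maxlife/EBA.jpg"></a>\n'
    '<a href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Legal</a>\n'
    '<a href="http://www.example.co.uk/offer/">Offer</a>\n'
)

# Pattern for a local rule keyed on the third-level host (constructed).
MYSITE_RULE = r"^https?://mysite\.verizon\.net/"

if __name__ == "__main__":
    for h in hosts_in(SAMPLE_BODY):
        print(f"{h:28s} -> {lookup_domain(h)}")
    print("URIBL queries:", uribl_query_names(SAMPLE_BODY))
    print("local uri rule hits:", local_uri_rule(SAMPLE_BODY, MYSITE_RULE))
```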


Re: Verizon hosting spammers :)

Posted by Alex Broens <sa...@alexb.ch>.
Chris Santerre wrote:
> Brief header I'm not too interested in. 

> HTML code showing verizon site. Should we block all mysite pages? /sniker/


> <a onmouseover="window.status='See Your Savings!';return true;"
> href="http://mysite.verizon.net/resoxfmz/1.htm"><img border="0"
> src="http://pws.prserv.net/maxlife/EBA.jpg" width="620"
> height="393"></a><!-- n bugtwtms sucxjdta uvjezwpb --></p><p><font
> face="Microsoft Sans Serif" size="1">
> <a href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Legal</a>
> <a href="http://mysite.verizon.net/resoxfmz/1.htm">Privacy</a> </font><font
> face="Microsoft Sans Serif" color="#4e4e4e" size="1">
> <a
> href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Preferences</a></
> font><font face="Microsoft Sans Serif" size="1">&nbsp;</font></p><!-- k
> hdfkzxgx tyhgmzrl hx--><p><font color="#FFFFFF"><span style="font-size:
> 1pt">&gt;&gt; &gt;&gt; Will they give the child a good religious upbringing?
> That's our religion, isn't it? How ya doin'?</span></font></p>
> 
Yep. And if you mail "abuse" from Europe they won't accept the message. :-)

blocked locally :-) didn't want to risk Jeff's beating.

Alex



Re: Verizon hosting spammers :)

Posted by jdow <jd...@earthlink.net>.
And now Verizon is sending out spam to get people to join verizon.com.
They are going into my blacklist at the procmail level ASAP except for
a VERY few Verizon addresses.

{`,'}    A pissed off Joanne.
----- Original Message ----- 
From: "Martin Hepworth" <ma...@solid-state-logic.com>
To: <mv...@xs4all.nl>
Cc: <us...@spamassassin.apache.org>
Sent: 2005 January, 17, Monday 01:37
Subject: Re: Verizon hosting spammers :)


>
> It's true, Verizon have apparently blocked all email from RIPE, APNIC
> allocated addresses (Europe and Asia Pac) starting Dec 22 2004.
> Apparently MessageLabs took 2 whole days to get onto their whitelist.
>
> http://www.theregister.co.uk/2005/01/14/verizon_email_block/
>
> D'oh...
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> Menno van Bennekom wrote:
> > Yes, I think they host a lot of spammers.
> > I only get spam/virus mails from Verizon here (Netherlands) so I blocked
> > dsl-verizon.net in postfix and that means about 100 spams/viruses less
> > per day. If they want to send real mail they still can do so through the
> > smtp-servers of their provider.
> > There was a funny message on the net lately, about Verizon planning to
> > block all European mail-traffic because of spam. We had a good laugh about
> > that over here.
> >
> > Menno van Bennekom
> >
> >
> >>Brief header I'm not too interested in.
> >>
> >>Received: from mail.printosh.hu (241.75-228-195.hosting.adatpark.hu
> >>[195.228.75.241])
> >> by moglobal.com (8.12.5/8.12.5) with ESMTP id j0E5Lj1E012550
> >> for <so...@merchantoverseas.com>; Fri, 14 Jan 2005 00:21:47 -0500
> >>Received: from [195.228.75.61] (HELO 195.228.75.41)
> >>  by mail.printosh.hu (CommuniGate Pro SMTP 4.1.8)
> >>  with SMTP id 152241; Fri, 14 Jan 2005 06:20:51 +0100
> >>Message-ID: <00...@195.228.75.41>
> >>To: <Ec...@moworldglobal.com>
> >>From: "Low-Cost Term Life" <Se...@2minutequote.prserv.net>
> >>
> >>HTML code showing verizon site. Should we block all mysite pages? /sniker/
> >>
> >><a onmouseover="window.status='See Your Savings!';return true;"
> >>href="http://mysite.verizon.net/resoxfmz/1.htm"><img border="0"
> >>src="http://pws.prserv.net/maxlife/EBA.jpg" width="620"
> >>height="393"></a><!-- n bugtwtms sucxjdta uvjezwpb --></p><p><font
> >>face="Microsoft Sans Serif" size="1">
> >><a href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Legal</a>
> >><a href="http://mysite.verizon.net/resoxfmz/1.htm">Privacy</a>
> >></font><font
> >>face="Microsoft Sans Serif" color="#4e4e4e" size="1">
> >><a
> >>href="http://mysite.verizon.net/resoxfmz/ServiceBasic.htm">Preferences</a></
> >>font><font face="Microsoft Sans Serif" size="1">&nbsp;</font></p><!-- k
> >>hdfkzxgx tyhgmzrl hx--><p><font color="#FFFFFF"><span style="font-size:
> >>1pt">&gt;&gt; &gt;&gt; Will they give the child a good religious
> >>upbringing?
> >>That's our religion, isn't it? How ya doin'?</span></font></p>
> >>
> >>
> >>Chris Santerre
> >>System Admin and SARE/SURBL Ninja
> >>http://www.rulesemporium.com
> >>http://www.surbl.org
> >>'It is not the strongest of the species that survives,
> >>not the most intelligent, but the one most responsive to change.'
> >>Charles Darwin
> >>
> >
> >
> >
>



Re: Verizon hosting spammers :)

Posted by Morris Jones <mo...@whiteoaks.com>.
Menno van Bennekom wrote:
>>Mojo wrote:
>>Alas, I'm moving to a Verizon business DSL account for my server.  Is
>>there any distinction between residential DSL and business DSL in their
>>network addresses?
> 
> I don't know but my postfix check on dsl-verizon.net is based on DNS not
> on IP address. So if you change the dsl-verizon.net into something else it
> will be allowed (in our case). But if you don't send mail directly

Huh.  Reverse DNS on my business DSL line from Verizon comes out as
bdsl.66.15.96.103.gte.net

(One thing I've asked their tech is if they would delegate reverse DNS
to my name server, but the tech had no idea what I was talking about.
I'll try again later ...)

Mojo
-- 
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers: http://www.otastro.org


Re: Verizon hosting spammers :)

Posted by Menno van Bennekom <mv...@xs4all.nl>.
> Mojo wrote:
> Alas, I'm moving to a Verizon business DSL account for my server.  Is
> there any distinction between residential DSL and business DSL in their
> network addresses?
I don't know, but my postfix check on dsl-verizon.net is based on DNS, not
on IP address. So if you change the dsl-verizon.net into something else it
will be allowed (in our case). But if you don't send mail directly
(your-server --> ourserver) but via the Verizon smtp-server (your-server
--> verizon-smtp --> ourserver) it will always be allowed even if your own
server has a dsl-verizon.net address (only the last sending address gets
checked). We send mail like that ourselves. Also we have a firewall rule
that allows only smtp-traffic from our mailservers to our ISP's
smtp-servers, so in case we get a virus on the LAN workstations it can't be
spread by smtp. And we don't bounce mail but check for user existence
during the SMTP session. This way we won't have to bounce to fake
reply addresses. A lot of the spam/viruses we get is because unfortunately our
addresses are used as fake reply-to, and for some reason a high number of
mailservers are configured to bounce with the complete attachments,
thereby serving as a virus relay.
Sorry for getting a little off topic!
Menno


Re: Verizon hosting spammers :)

Posted by Morris Jones <mo...@whiteoaks.com>.
Menno van Bennekom wrote:
> You have sent this mail to the list through out014pub.verizon.net and not
> directly from your own dsl-verizon.net address so you wouldn't have been
> blocked by me ;)
> Menno

Alas, I'm moving to a Verizon business DSL account for my server.  Is 
there any distinction between residential DSL and business DSL in their 
network addresses?

I don't really have a choice of providers for my connection.

My server is currently at a colo in LA, which has its own problems with 
having had a spamhaus reputation.

Mojo
-- 
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers: http://www.otastro.org

Re: Verizon hosting spammers :)

Posted by Menno van Bennekom <mv...@xs4all.nl>.
> This was sent to me off-list.  It's an interesting look at the
> implications of doing callbacks:
This is, I think, the same as the address verification in Postfix.
At the Postfix site there are big warnings about this: don't use it with
high-traffic mailservers, and you can be blacklisted by using it.
See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html
I'm not using this option; it indeed seems a bit too rude to me.
Menno


Re: Verizon hosting spammers :)

Posted by Kelson <ke...@speed.net>.
jdow wrote:
> This probably explains the massive runs of emails with nothing in them
> that fetchmail is failing on when it attempts to drag them from NG_Popper.

Maybe.  Standard practice on these seems to be to drop the connection 
before the transaction is finished, so in *theory* the mail should never 
reach your mailbox and popper should never see them.

Unfortunately all the hits I see end with "User unknown," so I don't 
have any samples of what Verizon does when the recipient actually exists.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>


Re: Verizon hosting spammers :)

Posted by jdow <jd...@earthlink.net>.
This probably explains the massive runs of emails with nothing in them
that fetchmail is failing on when it attempts to drag them from NG_Popper.

I guess simply dropping Verizon on the floor is the simplest answer.
Explain to users what you are doing and why. Verizon facilitating
spam and DDoS attacks on smaller ISPs is worthy of blocking them at
the IP level in your firewall, IMAO. Those of us using fetchmail are
not so lucky in that regard.

Of course abuse bounced as did postmaster. So the technical contact
may have received the email including the gratuitous comment that
their phone service sucks dead puppies through garden hoses, too.
(They are about 10 to 20 years overdue replacing their main feeds
from the CO to this area.)

z2c.net is another one that has appeared on my internal block list,
too. They spammed me with a Forbes investment ad. I am getting mad
enough to block major ISPs if I have to. DIGEX, Verizon, Z2C, AOL,
HOTMAIL, and so forth. Scroom all. And I have decided that we're
reaching the depths of an attack by the large ISPs on the small ones
via spam. We need an anti-spam law with teeth enough to hang the
spammers from the yard arm by their genitals.

{^_^}
----- Original Message ----- 
From: "Kelson Vibber" <ke...@speed.net>
Cc: <us...@spamassassin.apache.org>
Sent: 2005 January, 19, Wednesday 09:14
Subject: Re: Verizon hosting spammers :)


> This was sent to me off-list.  It's an interesting look at the
> implications of doing callbacks:
>
> Rich Kulawiec wrote:
>  > If you wouldn't mind forwarding this back to the list (your message
>  > was forwarded to me off-list)...
>  >
>  > On Tue, Jan 18, 2005 at 09:25:18AM -0800, Kelson wrote:
>  >
>  >>Actually, I suspect those are (misguided?) attempts at sender
>  >>verification*.  We get hammered by those too, and they're always** from
>  >><> or antispam[0-9]+@west.verizon.net.  We know spammers are forging our
>  >>domain name in the return address, using randomly-generated addresses
>  >>which look just like the unknown users Verizon is trying to reach.
>  >
>  >
>  > You're exactly right -- and it's worse, as we've dissected on spam-l
>  > a couple of times.
>  >
>  >
>  > What Verizon is doing is known as a "callback".  This technique comes
>  > from people who have confused "spam" and "forgery" and are operating
>  > under the very mistaken notion that doing something about the latter
>  > will have any impact on the former.
>  >
>  > It works like this:
>  >
>  > When an incoming SMTP connection is made to one of Verizon's MX's,
>  > they allow it to proceed until the putative sender is specified,
>  > i.e., they wait for this part of the SMTP transaction:
>  >
>  > MAIL From:<bl...@example.com>
>  >
>  > Then they pause the incoming connection.  And then they start up an
>  > *outbound* SMTP connection from somewhere else on Verizon's network, back
>  > to one of the MX's for example.com.  They then attempt to verify that
>  > "blah" is a valid, deliverable address there.  But since most people have
>  > long since (sensibly) disabled SMTP VRFY, they actually construct a message
>  > and attempt delivery with RCPT.  If delivery looks like it's going to
>  > succeed, they hang up this connection (which is rude), and un-pause
>  > the incoming one, and allow it to proceed.  If delivery looks like
>  > it's going to fail, then they also hang up the connection (still rude),
>  > un-pause the incoming one, and reject the traffic.
>  >
>  > In words, Verizon is faking mail -- thus generating yet more junk SMTP
>  > traffic at a time when we're drowning in junk SMTP traffic -- to do this.
>  >
>  > This also means that if the MX they try to connect to is (a) busy
>  > (b) down (c) unaware of all the deliverable addresses (d) something
>  > else, that they'll refuse the incoming message.
>  >
>  > Whoops!
>  >
>  > Real-world example: "support@thuleracks.com" is where mail from the support
>  > staff at Thule Racks comes from.   However, it doesn't accept mail -- which
>  > is arguably a bad practice on Thule's part, but is not a good reason for
>  > Verizon to aggravate the problem by rejecting it.
>  >
>  > This (callbacks) is bad for a whole bunch of reasons: two of the more obvious
>  > ones are (a) it's a pathetic "anti-spam" measure because ANY forged address
>  > ANYWHERE will do, and (b) it doesn't scale.  Add to that (c) it abuses
>  > RCPT because apparently Verizon is unwilling to use VRFY and to accept
>  > the decision of many/most mail server operators to disable it.  Oh, and
>  > (d) the behavior of their probe systems is nearly indistinguishable from
>  > that of spam-spewing zombies, which don't obey the SMTP protocol either,
>  > and also rudely hang up connections in mid-transaction.
>  >
>  > But there's a not-so-obvious reason that this goes beyond mere silliness
>  > and into the realm of active support for spammers.
>  >
>  > A lot of people, including me, are blocking particularly problematic
>  > spammer-controlled networks at (a) our border routers (b) our firewalls
>  > or (c) our mail servers.  In other words, we not only won't accept mail
>  > from them, we won't even allow them to connect: we're blocking *all* IP
>  > traffic from them.  This prevents them from spamming; it also prevents
>  > them from building lists of deliverable addresses to sell to other spammers
>  > by poking at our mail servers.
>  >
>  > Now go back and look at what Verizon's doing.  Since Verizon is doing
>  > this testing *from their network*, spammers can easily get around all
>  > of our blocking by getting Verizon to do the probing for them.  For free.
>  > Anonymously.  They can thus use Verizon to build/check their lists...and
>  > there's no way for us to find out who's on the other side of these probes.
>  >
>  > Which means that Verizon is running a free, anonymizing, spam support
>  > service.
>  >
>  > And even this isn't the end of it.  I'll spare you the entire analysis
>  > (which may be found in the Spam-L archives) but another unpleasant side
>  > effect of this tactic is that it's possible to exploit it to conduct
>  > DoS attacks against third parties.
>  >
>  > If they don't cache the results: then they have no way of knowing
>  > that they've already queried for any given address (and what the
>  > result was) and thus no way of avoiding repeat queries for the
>  > same thing.  I trust it's obvious why that poses serious problems.
>  >
>  > If they do cache: then what happens when someone behind
>  > an ordinary 500-million message spam run decides to forge
>  > 500 million unique addresses in example.com, including
>  > little-suzie@example.com, and a few hours, later, someone who
>  > operates the _real_ example.com creates the perfectly valid
>  > address little-suzie?  (That is, if they've managed to survive
>  > the DDoS attack launched at them by all the sites doing callbacks.)
>  > And if they rate-limit the queries, what happens to the 1 piece
>  > of legitimate mail from example.com that happened to be sent at
>  > the same time as this spam run?
>  >
>  > It's unclear (to those of us outside Verizon) what can be done about this:
>  > refusing their probes will cause them to reject incoming mail.  We've debated
>  > whether we should just answer them all in the affirmative so that the technique
>  > is rendered useless, but that has its drawbacks too.
>  >
>  > So for now all we can do is explain that it's causing problems and try to
>  > deal with it.
>  >
>  > Check your logs for stuff like this (example from sendmail 8.13):
>  >
>  > Jul 15 07:24:51 <XX...@gsp.org>... User unknown
>  > Jul 15 07:24:51 lost input channel from sc014pub.verizon.net [206.46.170.58] to MTA after rcpt
>  > Jul 15 07:24:51 from=<an...@west.verizon.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=sc014pub.verizon.net [206.46.170.58]
>  >
>  > That's them.
>  >
>  >
>  > ---Rsk



Re: Verizon hosting spammers :)

Posted by Kelson Vibber <ke...@speed.net>.
This was sent to me off-list.  It's an interesting look at the 
implications of doing callbacks:

Rich Kulawiec wrote:
 > If you wouldn't mind forwarding this back to the list (your message
 > was forwarded to me off-list)...
 >
 > On Tue, Jan 18, 2005 at 09:25:18AM -0800, Kelson wrote:
 >
 >>Actually, I suspect those are (misguided?) attempts at sender
 >>verification*.  We get hammered by those too, and they're always** from
 >><> or antispam[0-9]+@west.verizon.net.  We know spammers are forging our
 >>domain name in the return address, using randomly-generated addresses
 >>which look just like the unknown users Verizon is trying to reach.
 >
 >
 > You're exactly right -- and it's worse, as we've dissected on spam-l
 > a couple of times.
 >
 >
 > What Verizon is doing is known as a "callback".  This technique comes
 > from people who have confused "spam" and "forgery" and are operating
 > under the very mistaken notion that doing something about the latter
 > will have any impact on the former.
 >
 > It works like this:
 >
 > When an incoming SMTP connection is made to one of Verizon's MX's,
 > they allow it to proceed until the putative sender is specified,
 > i.e., they wait for this part of the SMTP transaction:
 >
 > 	MAIL From:<bl...@example.com>
 >
 > Then they pause the incoming connection.  And then they start up an
 > *outbound* SMTP connection from somewhere else on Verizon's network, back
 > to one of the MX's for example.com.  They then attempt to verify that
 > "blah" is a valid, deliverable address there.  But since most people have
 > long since (sensibly) disabled SMTP VRFY, they actually construct a message
 > and attempt delivery with RCPT.  If delivery looks like it's going to
 > succeed, they hang up this connection (which is rude), and un-pause
 > the incoming one, and allow it to proceed.  If delivery looks like
 > it's going to fail, then they also hang up the connection (still rude),
 > un-pause the incoming one, and reject the traffic.
 >
 > In words, Verizon is faking mail -- thus generating yet more junk SMTP
 > traffic at a time when we're drowning in junk SMTP traffic -- to do this.
 >
 > This also means that if the MX they try to connect to is (a) busy
 > (b) down (c) unaware of all the deliverable addresses (d) something
 > else, that they'll refuse the incoming message.
 >
 > Whoops!
 >
 > Real-world example: "support@thuleracks.com" is where mail from the support
 > staff at Thule Racks comes from.   However, it doesn't accept mail -- which
 > is arguably a bad practice on Thule's part, but is not a good reason for
 > Verizon to aggravate the problem by rejecting it.
 >
 > This (callbacks) is bad for a whole bunch of reasons: two of the more obvious
 > ones are (a) it's a pathetic "anti-spam" measure because ANY forged address
 > ANYWHERE will do, and (b) it doesn't scale.  Add to that (c) it abuses
 > RCPT because apparently Verizon is unwilling to use VRFY and to accept
 > the decision of many/most mail server operators to disable it.  Oh, and
 > (d) the behavior of their probe systems is nearly indistinguishable from
 > that of spam-spewing zombies, which don't obey the SMTP protocol either,
 > and also rudely hang up connections in mid-transaction.
 >
 > But there's a not-so-obvious reason that this goes beyond mere silliness
 > and into the realm of active support for spammers.
 >
 > A lot of people, including me, are blocking particularly problematic
 > spammer-controlled networks at (a) our border routers (b) our firewalls
 > or (c) our mail servers.  In other words, we not only won't accept mail
 > from them, we won't even allow them to connect: we're blocking *all* IP
 > traffic from them.  This prevents them from spamming; it also prevents
 > them from building lists of deliverable addresses to sell to other spammers
 > by poking at our mail servers.
 >
 > Now go back and look at what Verizon's doing.  Since Verizon is doing
 > this testing *from their network*, spammers can easily get around all
 > of our blocking by getting Verizon to do the probing for them.  For free.
 > Anonymously.  They can thus use Verizon to build/check their lists...and
 > there's no way for us to find out who's on the other side of these probes.
 >
 > Which means that Verizon is running a free, anonymizing, spam support
 > service.
 >
 > And even this isn't the end of it.  I'll spare you the entire analysis
 > (which may be found in the Spam-L archives) but another unpleasant side
 > effect of this tactic is that it's possible to exploit it to conduct
 > DoS attacks against third parties.
 >
 > 	If they don't cache the results: then they have no way of knowing
 > 	that they've already queried for any given address (and what the
 > 	result was) and thus no way of avoiding repeat queries for the
 > 	same thing.  I trust it's obvious why that poses serious problems.
 >
 > 	If they do cache: then what happens when someone behind
 > 	an ordinary 500-million message spam run decides to forge
 > 	500 million unique addresses in example.com, including
 > 	little-suzie@example.com, and a few hours, later, someone who
 > 	operates the _real_ example.com creates the perfectly valid
 > 	address little-suzie?  (That is, if they've managed to survive
 > 	the DDoS attack launched at them by all the sites doing callbacks.)
 > 	And if they rate-limit the queries, what happens to the 1 piece
 > 	of legitimate mail from example.com that happened to be sent at
 > 	the same time as this spam run?
 >
 > It's unclear (to those of us outside Verizon) what can be done about this:
 > refusing their probes will cause them to reject incoming mail.  We've debated
 > whether we should just answer them all in the affirmative so that the technique
 > is rendered useless, but that has its drawbacks too.
 >
 > So for now all we can do is explain that it's causing problems and try to
 > deal with it.
 >
 > Check your logs for stuff like this (example from sendmail 8.13):
 >
 > Jul 15 07:24:51 <XX...@gsp.org>... User unknown
 > Jul 15 07:24:51 lost input channel from sc014pub.verizon.net [206.46.170.58] to MTA after rcpt
 > Jul 15 07:24:51 from=<an...@west.verizon.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=sc014pub.verizon.net [206.46.170.58]
 >
 > That's them.
 >
 >
 > ---Rsk
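
A check for the log signature Rich describes, written as an added example for this thread rather than taken from it or from any poster: it groups sendmail-style log lines by queue ID, labels sessions that drop the connection right after RCPT with a null or antispamNN@ envelope sender (Kelson's observation) as callback probes, and counts them per relay so a run of probes stands out from ordinary aborted zombie sessions. The log lines, host names, addresses and queue IDs are constructed, and the host/pid/queue-ID prefix on each line is the assumed sendmail layout, which Rich's quoted lines omit.

```python
import re
from collections import defaultdict

# Constructed sendmail-style log sample (hosts, addresses and queue IDs are made up),
# modelled on the lines quoted in the thread: a probe session leaves "User unknown"
# and/or "lost input channel ... after rcpt" plus a from= line with a null sender.
SAMPLE_LOG = """\
Jul 15 07:24:51 mx sendmail[2101]: j6FEOpA1002101: <nosuchuser-a1b2@example.com>... User unknown
Jul 15 07:24:51 mx sendmail[2101]: j6FEOpA1002101: lost input channel from probe3.isp.example [192.0.2.10] to MTA after rcpt
Jul 15 07:24:51 mx sendmail[2101]: j6FEOpA1002101: from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=probe3.isp.example [192.0.2.10]
Jul 15 07:25:03 mx sendmail[2108]: j6FEP3A1002108: lost input channel from probe3.isp.example [192.0.2.10] to MTA after rcpt
Jul 15 07:25:03 mx sendmail[2108]: j6FEP3A1002108: from=<antispam42@verifier.isp.example>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=probe3.isp.example [192.0.2.10]
Jul 15 07:26:10 mx sendmail[2120]: j6FEQAA1002120: from=<alice@partner.example>, size=1834, class=0, nrcpts=1, msgid=<c1@partner.example>, proto=ESMTP, daemon=MTA, relay=mail.partner.example [198.51.100.7]
Jul 15 07:26:10 mx sendmail[2121]: j6FEQAA1002120: to=<bob@example.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31834, dsn=2.0.0, stat=Sent
Jul 15 07:27:41 mx sendmail[2130]: j6FER5A1002130: lost input channel from zombie.dsl.example [203.0.113.55] to MTA after data
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
UNKNOWN_RE = re.compile(r"^<(?P<rcpt>[^>]*)>\.\.\. User unknown$")
LOST_RE = re.compile(r"^lost input channel from (?P<relay>\S+) \[(?P<ip>[^\]]+)\] to \S+ after (?P<stage>\w+)$")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>, .*nrcpts=(?P<nrcpts>\d+).*relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]$")
# Envelope senders the thread reports callback verifiers using: <> or antispamNN@...
VERIFIER_SENDER_RE = re.compile(r"^antispam\d+@", re.I)


def parse_sessions(log_text):
    """Group log lines by sendmail queue ID into one record per SMTP session."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("qid"), {
            "relay": None, "ip": None, "sender": None, "nrcpts": None,
            "lost_after": None, "unknown_rcpts": [], "delivered": False,
        })
        rest = m.group("rest")
        unk, lost, frm = UNKNOWN_RE.match(rest), LOST_RE.match(rest), FROM_RE.match(rest)
        if unk:
            s["unknown_rcpts"].append(unk.group("rcpt"))
        elif lost:
            s["relay"], s["ip"] = lost.group("relay"), lost.group("ip")
            s["lost_after"] = lost.group("stage")
        elif frm:
            s["sender"], s["nrcpts"] = frm.group("sender"), int(frm.group("nrcpts"))
            s["relay"], s["ip"] = frm.group("relay"), frm.group("ip")
        elif "stat=Sent" in rest:
            s["delivered"] = True
    return sessions


def classify(s):
    """Label one session. A callback probe hangs up right after RCPT and carries
    a null or verifier-style envelope sender; a zombie that gives up after DATA
    looks similar in the log but is not a callback."""
    if s["delivered"]:
        return "delivered"
    if s["lost_after"] == "rcpt":
        sender = s["sender"]
        if sender == "" or (sender and VERIFIER_SENDER_RE.match(sender)):
            return "callback-probe"
        return "aborted-after-rcpt"
    if s["lost_after"]:
        return "aborted-after-" + s["lost_after"]
    return "other"


def probing_relays(log_text, min_probes=2):
    """Relays with at least min_probes callback-probe sessions, with their counts."""
    counts = defaultdict(int)
    for s in parse_sessions(log_text).values():
        if classify(s) == "callback-probe":
            counts[s["relay"]] += 1
    return {relay: n for relay, n in counts.items() if n >= min_probes}


if __name__ == "__main__":
    for qid, s in parse_sessions(SAMPLE_LOG).items():
        print(qid, s["relay"], classify(s), "unknown:", s["unknown_rcpts"])
    print("probing relays:", probing_relays(SAMPLE_LOG))
```

Whether to act on the count is a policy decision; Rich's own note above explains why simply refusing the probes makes the probing site reject your mail.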


Re: Verizon hosting spammers :)

Posted by Kelson <ke...@speed.net>.
j o a r wrote:
> I was _hammered_ all throughout last year by messages to unknown 
> accounts from machines in the sc0<nn>pub.verizon.net segment (nn = 01 - 
> 99). Eventually I had to blacklist anything matching that pattern. Seems 
> to be a lot more quiet now though.

Actually, I suspect those are (misguided?) attempts at sender 
verification*.  We get hammered by those too, and they're always** from 
<> or antispam[0-9]+@west.verizon.net.  We know spammers are forging our 
domain name in the return address, using randomly-generated addresses 
which look just like the unknown users Verizon is trying to reach.

* Since so many admins disable VRFY to guard against dictionary attacks, 
the new tactic is to try to send mail to an address, but then drop the 
connection before sending an actual message.  It can be used to make 
dictionary attacks, or it can be used on the purported sender of a 
message to make sure the return address exists.

** I've only done spot checks, but every time I have, they've fit this 
pattern.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>


Re: Verizon hosting spammers :)

Posted by j o a r <jo...@joar.com>.
On 2005-01-18, at 08.49, Menno van Bennekom wrote:

> You have sent this mail to the list through out014pub.verizon.net and 
> not
> directly from your own dsl-verizon.net address so you wouldn't have 
> been
> blocked by me ;)

I was _hammered_ all throughout last year by messages to unknown 
accounts from machines in the sc0<nn>pub.verizon.net segment (nn = 01 - 
99). Eventually I had to blacklist anything matching that pattern. 
Seems to be a lot more quiet now though.

It is interesting to note that Verizon is the only ISP that I felt the 
need to single out specifically, all the others were successfully 
blocked by standard RBL, and also never stood out in the statistics 
like Verizon did. They seem to be a real virii / spam haven...

j o a r
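The log lines Rsk quoted earlier in the thread, the RCPT-then-drop behaviour Kelson describes, and the sc0<nn>pub.verizon.net naming j o a r blacklisted can be tied together on the receiving server. The following is an added example, not code from the list thread, from sendmail or from Verizon: it reads sendmail-style log lines in the shape Rsk posted and labels each relay as a Verizon sender-verification callout, a possible dictionary probe, or an unclassified drop-after-RCPT. The attribution of "User unknown" lines to the next dropped connection and the threshold of five distinct unknown recipients are assumptions of this example. The sample log is constructed; 206.46.170.58 is the relay address quoted in the thread, the other addresses are RFC 5737 documentation placeholders.

```python
"""Spot RCPT-then-drop probes (sender-verification callouts) in sendmail logs.

Added example, not from the list thread. Log shape follows the sendmail 8.13
lines Rsk quoted (syslog host/pid and queue id stripped). All sample lines
below are constructed.
"""
import re
from collections import defaultdict

# Relay naming j o a r blacklisted: sc0<nn>pub.verizon.net, nn = 01-99.
VERIZON_OUTBOUND = re.compile(r"^sc0\d{2}pub\.verizon\.net$")
# Envelope senders Kelson reports on these probes: <> or antispam<digits>@west.verizon.net.
CALLOUT_SENDER = re.compile(r"^(?:|antispam[0-9]+@west\.verizon\.net)$")
# Assumed threshold: this many distinct bad recipients from one relay looks like harvesting.
DICTIONARY_THRESHOLD = 5

UNKNOWN_RE = re.compile(r"<(?P<rcpt>[^>]+)>\.\.\. User unknown")
LOST_RE = re.compile(r"lost input channel from (?P<host>\S+) \[(?P<ip>[^\]]+)\] to \S+ after rcpt")
FROM_RE = re.compile(
    r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), .*?nrcpts=(?P<nrcpts>\d+), "
    r".*?relay=(?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)


def parse_probes(lines):
    """Return one event per connection that the client dropped right after RCPT.

    sendmail logs each rejected RCPT ('User unknown'), then 'lost input
    channel ... after rcpt', then a from= summary with size=0/nrcpts=0 because
    no DATA was ever sent. A connection that is closed politely with QUIT has
    no 'lost input channel' line and is therefore not counted.
    """
    events, pending_unknown, lost = [], [], None
    for line in lines:
        if m := UNKNOWN_RE.search(line):
            # Heuristic (assumption): unknown recipients belong to the next connection summary.
            pending_unknown.append(m.group("rcpt"))
            continue
        if m := LOST_RE.search(line):
            lost = m.groupdict()
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        if (lost and m.group("host") == lost["host"]
                and m.group("size") == "0" and m.group("nrcpts") == "0"):
            events.append({"host": lost["host"], "ip": lost["ip"],
                           "sender": m.group("sender"),
                           "unknown_rcpts": tuple(pending_unknown)})
        # Any from= summary ends the current connection's context.
        pending_unknown, lost = [], None
    return events


def classify(events):
    """Summarise events per relay with a defender-oriented verdict."""
    per_relay = defaultdict(lambda: {"probes": 0, "senders": set(), "unknown": set()})
    for ev in events:
        rec = per_relay[ev["host"]]
        rec["probes"] += 1
        rec["senders"].add(ev["sender"])
        rec["unknown"].update(ev["unknown_rcpts"])
    report = {}
    for host, rec in per_relay.items():
        callout_like = all(CALLOUT_SENDER.match(s) for s in rec["senders"])
        if VERIZON_OUTBOUND.match(host) and callout_like:
            verdict = "verizon sender-verification callout"
        elif len(rec["unknown"]) >= DICTIONARY_THRESHOLD:
            verdict = "possible dictionary probe"
        else:
            verdict = "rcpt-then-drop, unclassified"
        report[host] = {"probes": rec["probes"],
                        "distinct_unknown": len(rec["unknown"]),
                        "verdict": verdict}
    return report


# Constructed sample log. 206.46.170.58 is the address quoted in the thread;
# 198.51.100.x and 192.0.2.x are documentation-range placeholders.
SAMPLE_LOG = """\
Jul 15 07:24:51 <xxqzr@example.org>... User unknown
Jul 15 07:24:51 lost input channel from sc014pub.verizon.net [206.46.170.58] to MTA after rcpt
Jul 15 07:24:51 from=<antispam12@west.verizon.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=sc014pub.verizon.net [206.46.170.58]
Jul 15 07:25:03 <bk7tq@example.org>... User unknown
Jul 15 07:25:03 lost input channel from sc022pub.verizon.net [198.51.100.7] to MTA after rcpt
Jul 15 07:25:03 from=<>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=sc022pub.verizon.net [198.51.100.7]
Jul 15 07:26:10 <aaron@example.org>... User unknown
Jul 15 07:26:10 <abbey@example.org>... User unknown
Jul 15 07:26:10 <abbot@example.org>... User unknown
Jul 15 07:26:10 <abel@example.org>... User unknown
Jul 15 07:26:10 <abner@example.org>... User unknown
Jul 15 07:26:11 lost input channel from host.example.net [192.0.2.10] to MTA after rcpt
Jul 15 07:26:11 from=<nobody@example.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Jul 15 07:27:00 from=<alice@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.20]
"""

if __name__ == "__main__":
    for host, rec in classify(parse_probes(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {rec['probes']} probe(s), {rec['distinct_unknown']} unknown rcpt(s) -> {rec['verdict']}")
```

Real sendmail logs carry a queue id on every line, which joins the three lines of one connection far more reliably than the sequential heuristic used here; the verdict names are only a starting point for deciding whether a relay deserves a rate limit or a blacklist entry rather than a blanket block of the whole netblock.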


Re: Verizon hosting spammers :)

Posted by Menno van Bennekom <mv...@xs4all.nl>.
> Hey now, you all. I have a Verizon address, and to the best of my ability,
> unless I set up SSH tunneling through them, I cannot send mail from any other
> account than mine.
>
> And don't blacklist me!
>
> Rob
You have sent this mail to the list through out014pub.verizon.net and not
directly from your own dsl-verizon.net address so you wouldn't have been
blocked by me ;)
Menno


Re: Verizon hosting spammers :)

Posted by Rob Blomquist <ro...@verizon.net>.
On Monday 17 January 2005 7:34 am, Andy Jezierski wrote:
> Martin Hepworth <ma...@solid-state-logic.com> wrote on 01/17/2005
>
> 03:37:10 AM:
> > It's true, Verizon have apparently blocked all email from RIPE, APNIC
> > allocated addresses (Europe and Asia Pac) starting Dec 22 2004.
> > Apparently MessageLabs took 2 whole days to get onto their whitelist.
> >
> > http://www.theregister.co.uk/2005/01/14/verizon_email_block/
> >
> > D'oh...
>
> Considering that I get more Spam from Verizon addresses than I do from
> European addresses, maybe I'll follow Verizon's lead and blacklist them.

Hey now, you all. I have a Verizon address, and to the best of my ability, 
unless I set up SSH tunneling through them, I cannot send mail from any other 
account than mine.

And don't blacklist me!

Rob

-- 
Mountlake Terrace, WA
USA

Re: Verizon hosting spammers :)

Posted by Andy Jezierski <aj...@stepan.com>.
Martin Hepworth <ma...@solid-state-logic.com> wrote on 01/17/2005 
03:37:10 AM:

> 
> It's true, Verizon have apparently blocked all email from RIPE, APNIC 
> allocated addresses (Europe and Asia Pac) starting Dec 22 2004. 
> Apparently MessageLabs took 2 whole days to get onto their whitelist.
> 
> http://www.theregister.co.uk/2005/01/14/verizon_email_block/
> 
> D'oh...
> 

Considering that I get more Spam from Verizon addresses than I do from 
European addresses, maybe I'll follow Verizon's lead and blacklist them.

Andy 

Re: Verizon hosting spammers :)

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
It's true, Verizon have apparently blocked all email from RIPE, APNIC 
allocated addresses (Europe and Asia Pac) starting Dec 22 2004. 
Apparently MessageLabs took 2 whole days to get onto their whitelist.

http://www.theregister.co.uk/2005/01/14/verizon_email_block/

D'oh...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Menno van Bennekom wrote:
> Yes, I think they host a lot of spammers.
> I only get spam/virus mails from Verizon here (Netherlands) so I blocked
> dsl-verizon.net in postfix and that means about 100 spams/viruses less
> per day. If they want to send real mail they still can do so through the
> smtp-servers of their provider.
> There was a funny message on the net lately, about Verizon planning to
> block all European mail-traffic because of spam. We had a good laugh about
> that over here.
> 
> Menno van Bennekom



Re: Verizon hosting spammers :)

Posted by Menno van Bennekom <mv...@xs4all.nl>.
Yes, I think they host a lot of spammers.
I only get spam/virus mails from Verizon here (Netherlands) so I blocked
dsl-verizon.net in postfix and that means about 100 spams/viruses less
per day. If they want to send real mail they still can do so through the
smtp-servers of their provider.
There was a funny message on the net lately, about Verizon planning to
block all European mail-traffic because of spam. We had a good laugh about
that over here.

Menno van Bennekom
