Sometimes the internet makes my head hurt.

There is a service called spamcop.net to which you may subscribe if you run mail servers. What you get for your money is the ability to check incoming mail against their database of spam sources. Their database is maintained as follows (to oversimplify): one of their subscribers gets a spam, looks at it and decides to report it to spamcop; spamcop adds it to the database and then uses a number of mechanisms to keep track of the server that sent it.

This all seems fine and dandy until one of your mail servers shows up on the list.

Some background:

Spammers make a concerted effort to find other people's systems to exploit in order to protect their own identities. Typically they use what are called open relays: mail servers that blithely accept mail from anywhere and deliver it anywhere. In the early days of spam this was a HUGE problem. Now, most competent administrators take precautions to ensure they only accept mail that is, as far as can be easily determined, to or from their own users. We take these precautions.

There are all sorts of weird and irritating ways spammers can exploit your email system, and this was a new one for me. Our mail servers accept mail that is a) addressed to someone@utulsa.edu or b) received from a computer in the 129.244.*.* IP address range. That closes the open relay problem, as you can see. In this case, however, the spammer made use of a web form on one of the websites on campus: some sort of comments or feedback form that emails the results. It turns out that, if you know how HTTP forms work, you can submit your own values to such a script and make it send mail anywhere, and because a campus web server lives inside that trusted address range, our relay accepted whatever the script produced. Someone did exactly that, and we got flagged as spammers.
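To make the form abuse concrete, here is an added example (not code from the original post or from the campus web server) of a naive feedback-form mailer beside a hardened one. It goes slightly beyond the post, which does not say how the form was driven, by showing the two usual ways: overriding a hidden "recipient" field, and injecting extra To/Cc/Bcc headers with CR/LF inside a free-text field. The mailbox names, the example.edu/example.org addresses, the form fields and the SITE_OWNER constant are all assumptions; nothing is actually sent, the code only builds the message and lists the envelope recipients a "sendmail -t" style delivery would extract from it.

```python
import re
from email.message import EmailMessage

# Assumed: the form's only legitimate destination is one fixed mailbox.
SITE_OWNER = "webmaster@example.edu"


def build_vulnerable(form):
    """Naive feedback-form mailer: pastes request fields straight into the
    message headers and takes the destination from a (hidden) form field.
    This is the pattern that lets an outsider choose the recipients."""
    return (
        f"From: {form.get('email', '')}\r\n"
        f"To: {form.get('recipient', SITE_OWNER)}\r\n"
        f"Subject: {form.get('subject', 'Feedback')}\r\n"
        "\r\n"
        f"{form.get('comments', '')}\r\n"
    )


# Deliberately strict (not full RFC 5322): one plain mailbox and nothing else.
_MAILBOX = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def _one_line(value, limit=200):
    """Collapse CR/LF so a field can never start a new header line."""
    return re.sub(r"[\r\n]+", " ", value).strip()[:limit]


def build_hardened(form):
    """Same form, but the destination is fixed server-side, the visitor's
    address is validated, and every free-text header field is flattened."""
    sender = form.get("email", "")
    if not _MAILBOX.match(sender):
        raise ValueError("rejecting form: sender is not a plain mailbox")
    msg = EmailMessage()
    msg["From"] = "feedback-form@example.edu"   # our own fixed sender
    msg["To"] = SITE_OWNER                       # never taken from the request
    msg["Reply-To"] = sender
    msg["Subject"] = _one_line(form.get("subject", "Feedback"))
    msg.set_content(form.get("comments", ""))    # body text cannot reach headers
    return msg.as_string()


def envelope_recipients(raw_message):
    """Mimic 'sendmail -t': collect every address in To/Cc/Bcc headers,
    i.e. the set of mailboxes the relay would actually deliver to."""
    head = raw_message.replace("\r\n", "\n").partition("\n\n")[0]
    unfolded = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()   # RFC 5322 folded header
        else:
            unfolded.append(line)
    rcpts = set()
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("to", "cc", "bcc"):
            rcpts.update(a.strip() for a in value.split(",") if a.strip())
    return rcpts


# Constructed sample input: what a spammer would POST to the form.
ATTACK_FORM = {
    "email": "visitor@example.com",
    "subject": "hi\r\nBcc: target1@example.net, target2@example.net",
    "comments": "unsolicited advertisement",
    "recipient": "spamtarget@example.org",   # overrides the hidden field
}

if __name__ == "__main__":
    print("vulnerable:", sorted(envelope_recipients(build_vulnerable(ATTACK_FORM))))
    print("hardened:  ", sorted(envelope_recipients(build_hardened(ATTACK_FORM))))
```

The vulnerable builder delivers the attacker's message to three addresses of the attacker's choosing and never reaches the site owner; the hardened one delivers only to the fixed mailbox, and rejects outright a sender field carrying CR/LF. The design point is that a form handler must own every header it emits: the recipient list is a server-side constant, the visitor's address goes in Reply-To after validation, and anything free-text is either flattened to one line or confined to the body.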

The worst part for me is that I have no recourse. I pinpointed the problem, notified the admin of that webserver, and he fixed it... but we're still blacklisted... and we can't get off until spamcop is satisfied. Which may or may not happen for a long time due to the very asynchronous nature of the email system.

fleh

phil
choir, preaching to
I have multiple Exchange servers that I control, and I had one of them get ORB'd because it was an open mail relay. This confused the hell out of me as none of my other servers. It turns out that when I was trying to fix another service, I had reapplied the most recent service pack to the OS (but not to Exchange). Turns out that if you don't then reapply the Exchange SP, you break the open relay blocking that's in the Exchange SP.

Some days I wonder when I'll get fed up and switch all my users over to samba. =)
loophole

Ugh!

That's the worst! Thankfully the whole make/make install upgrade process is pretty good about preserving config files. I would hate to get screwed by a service pack. :/

I'm just amazed that the rewards of being a spammer somehow justify the obviously large quantities of effort they put in to finding holes to exploit.

sarah
So how do you keep people from exploiting your web forms? I've got a couple of guestbook scripts I'm using on my sites and recently the guestbooks have been filling up with totally empty entries, despite the fact that the script is supposed to require certain fields be filled out. I've got a sneaking suspicion people have been using the script for nefarious purposes. Do you know of any decent guestbook scripts that cannot be exploited?