[linux-elitists] Guilt

Karsten M. Self kmself@ix.netcom.com
Tue Apr 6 00:55:48 PDT 2004


on Mon, Apr 05, 2004 at 05:32:33PM -0400, Mister Bad (mr.bad@pigdog.org) wrote:
> So, I get about 10-20 worm bounce messages per day. It would be nice
> if folks who put anti-worm filters into their MTAs would also check
> to see if the worm falsifies "From:" and/or "Sender:"; but they don't,
> so I get a lot of bounces.

You're welcome to the following canned rant 'avspam', from the amazing
rant-o-matic:

================================================================================
Turn off your viral autoresponder.

Ensure that your mail server is generating 5XX *REJECT* messages, *NOT* 
sending a notification to the 'From:' or Envelope From sender, as these
are SPOOFED:


    http://www.theregister.co.uk/content/56/35174.html

    Just like SoBig-F, much of the huge volume of crap generated by
    MyDoom is the result of auto-responder messages. As well as replies
    that someone is out of the office users are getting a stream of
    accusatory messages from anti-virus gateway products accusing them
    of sending a virus. 



    http://www.theregister.co.uk/content/archive/32434.html

    Graham Cluley, senior technology consultant for Sophos Anti-Virus,
    said that the current generation of anti-virus gateway products are
    incapable of determining whether the email address in a
    virus-contaminated email is spoofed.

    "In the circumstances, it might be better for people to turn off
    their auto-responder," Cluley advised, adding the auto responder
    messages could be taken as an accusation that someone wholly
    innocent was sending out viruses.

Also:

    http://www.businessweek.com/magazine/content/04_12/b3875032.htm
    http://www.attrition.org/security/rant/av-spammers.html

My own systems are not susceptible to legacy MS Windows viruses (I run
GNU/Linux exclusively).  For sites unfortunate enough to rely on
Microsoft products, such false reports waste staff and administrative
time on wild-goose chases.


Your email system is generating "bounce" messages to spoofed "from"
addresses.  These are widely considered spam on the UBE basis:

  - Unsolicited?  Check
  - Bulk?         Check
  - Email?        Check

The sending address has been added to the local spamlist; any further
mail from that address will be treated and reported as spam.  Multiple
such reports *will* result in your site being listed on spam-origin
lists, including SPEWS, SpamCop, Spamhaus, and others.

Further similar messages from your domain will be reported as spam.

Any prior and subsequent mail can and will be forwarded to public
services not limited to NANAE (news:news.admin.net-abuse.email) at my
sole discretion.  All "confidentiality" email disclaimers are
specifically rejected.

Thank you.

================================================================================

> Almost all of them get caught by crm114, which, by the way, rocks the
> mike.
> 
> I scan my spam traps once every 2-3 days to check for false positives,
> but I have to admit that I've stopped opening anything from mail
> administrator or postmaster.
> 
> Does this make me a bad person? Or, rather, worse than I was before?

I use a set of procmail filters based on Lars Wirzenius's 'spamfilter'
recipes (packaged for Debian).  I've created a couple of helper scripts
to parse mail messages for sender and dump these into an appropriate
list:  white, black, grey, spam, daemon (for dumping to a daemon
mailbox), etc.

Postmaster/admin mail which is spammy (including avspam as defined
above) gets spamlisted.

Otherwise, it's dumped to a "remote-daemon" box which gets sorted every
few days.  I pick the bounces for p'master, abuse, and any domain or IP
WHOIS contacts and send these to the appropriate reporting address at
http://www.rfc-ignorant.org/.


So does this make you a bad person?

No, of course it doesn't.

You're already:

> ~Mr. Bad



Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    DON'T PANIC
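The two points in the mail above, rejecting at SMTP time with a 5xx instead of mailing a notification to the spoofed sender, and sorting the notifications that still arrive into spam/daemon lists, as an added example that is not part of Karsten's message or the 'spamfilter' recipes. The scanner is a stub that matches a constructed marker string, the domain names are made up, and the A/V-notice regex is a heuristic of my own, not anything from the original post:

```python
"""Backscatter demo: SMTP-time reject vs. accept-then-notify, plus a
procmail-style sorter for the notifications that still arrive.

Hypothetical, self-contained example.  scan() is a stub that matches a
constructed marker; no real anti-virus engine is involved.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed marker standing in for a real signature match.
WORM_MARKER = b"CONSTRUCTED-WORM-MARKER"


def scan(message_bytes: bytes) -> bool:
    """Stub scanner: True when the message 'carries a worm'."""
    return WORM_MARKER in message_bytes


def smtp_data_reply(message_bytes: bytes) -> str:
    """Reply the receiving MTA should give at the end of DATA.

    A 5xx here tells the directly connected sending host that the message
    was refused.  The receiver never accepts it, so it never has to
    generate a DSN, and nothing is ever mailed to the (spoofed) sender."""
    if scan(message_bytes):
        return "550 5.7.1 Message refused: malware detected"
    return "250 2.0.0 Ok: queued"


def accept_then_notify(message_bytes: bytes, envelope_from: str):
    """The behaviour the rant complains about: accept the message, scan it
    afterwards, then compose a brand-new message to the envelope sender.
    With a worm that address is forged, so the notice is backscatter.
    Returns the notification, or None if the message was clean."""
    if not scan(message_bytes):
        return None
    note = EmailMessage()
    note["From"] = "postmaster@av-gateway.example"   # hypothetical host
    note["To"] = envelope_from                        # spoofed by the worm
    note["Subject"] = "Virus detected in a message you sent"
    note.set_content("Your message was blocked because it contained a virus.")
    return note


# Local parts that mark mail as coming from a daemon/admin mailbox.
DAEMON_LOCALPARTS = {"postmaster", "mailer-daemon", "abuse", "noreply"}
# Heuristic for anti-virus autoresponder notices ('avspam').
AV_NOTICE = re.compile(r"virus|worm|infected|malware|blocked|quarantin",
                       re.IGNORECASE)


def sort_into_list(raw: bytes) -> str:
    """Procmail-style decision for an incoming message:
    'spam'    - daemon/postmaster mail that is an A/V notification,
                treated as UBE and spamlisted;
    'daemon'  - other mail from a daemon address, parked in a
                remote-daemon box for later review and reporting;
    'default' - everything else."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    localpart = sender.split("@", 1)[0].lower()
    if localpart not in DAEMON_LOCALPARTS:
        return "default"
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    return "spam" if AV_NOTICE.search(text) else "daemon"


if __name__ == "__main__":
    # Constructed worm message with a forged From: header.
    worm = (b"From: victim@example.org\r\nTo: bob@example.net\r\n"
            b"Subject: hi\r\n\r\n" + WORM_MARKER + b"\r\n")
    print("SMTP-time reply:", smtp_data_reply(worm))
    note = accept_then_notify(worm, "victim@example.org")
    print("Backscatter goes to:", note["To"])
    print("Recipient-side sorting of that notice:",
          sort_into_list(note.as_bytes()))
```

The 5xx reply costs nothing to generate and lands on the host that actually delivered the worm; the notification path needs the receiver to trust a header that worms forge by design, which is why the rant asks for the reject and not the notice.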