[THIN] Re: OT: Exchange Server Spamming

  • From: Henry Sieff <hsieff@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Mon, 1 Mar 2004 09:19:18 -0600

Well, the issue has nothing to do with Exchange 5.5 or otherwise, or any
malicious program generating the mail. The same technique can be used
against ANY mail server.

Here's what happens.

1. Spammer sends mail with a From:/Reply-To: set to the name of the target
user (the user he is actually trying to spam). The To: is any user name
(random or otherwise; remember, you don't need your To: to actually exist,
really) at the domain of the mail server you are abusing. E.g. you want to
spam joe@xxxxxxxx, so you send mail From: joe@xxxxxxxx To: anyuser@xxxxxxxx
(you can either do this directly by setting mailserver.tool.org as your SMTP
mail server, or just send the mail using your own mail server, or whatever).

2. mailserver.tool.org sees that anyuser@xxxxxxxx doesn't exist. It sends an
NDR to joe@xxxxxxxxx. The NDR has the original text as an attachment.

Disabling relaying is ineffective, because this is not considered relaying
according to the standards; the To: is not in a different domain from the mail
server. From the perspective of SMTP, the whole conversation is identical to
a legitimate mail server delivering email which somebody sent to a mistyped
address.

Like I said, false, tricksy spammers. . .

Henry
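As an added example (not code from the thread or from Exchange), a small Python model of the accept-then-bounce behaviour described above, and of the two defences that come up further down in the quoted replies: the empty-distribution-list "black hole", and not originating the NDR at all by refusing unknown recipients while the sending host is still connected (in-session rejection is my addition, not something the thread proposes). The domain, mailboxes and sample traffic are constructed.

```python
"""NDR backscatter ("reverse spam") and two defences: the black-hole list and
in-session recipient rejection. Added example; all data below is constructed."""
from dataclasses import dataclass

LOCAL_DOMAIN = "example.org"    # constructed: domain of the abused server
MAILBOXES = {"alice", "bob"}    # constructed: real local mailboxes
BLACK_HOLE = {"ex-employee"}    # constructed: addresses on the empty DL

@dataclass(frozen=True)
class Envelope:
    mail_from: str  # envelope sender; the spammer forges the real target here
    rcpt_to: str    # any local-part at the abused domain, need not exist

def local_part(addr):
    user, _, domain = addr.rpartition("@")
    return user.lower() if domain.lower() == LOCAL_DOMAIN else None  # None: not ours

def legacy_ndrs(envelopes, black_hole=frozenset()):
    """Accept-then-bounce: every local recipient is taken in, unknown ones get
    an NDR (spam attached) sent to the forged sender. Returns those senders."""
    return [e.mail_from for e in envelopes
            if (u := local_part(e.rcpt_to)) is not None
            and u not in MAILBOXES and u not in black_hole]

def rcpt_decision(rcpt_to):
    """RCPT TO policy while the sender is connected: 'reject' is a 5xx reply so
    we queue nothing; 'discard' accepts and silently drops (black-hole method)."""
    user = local_part(rcpt_to)
    if user is None:
        return "reject"      # foreign domain: relaying disabled
    if user in MAILBOXES:
        return "accept"
    if user in BLACK_HOLE:
        return "discard"
    return "reject"          # unknown local user: 550, no NDR is ever generated

def validated_session(envelopes):
    """Same traffic through rcpt_decision(). Returns (decisions, ndrs); an NDR
    needs an accepted-but-undeliverable message, so ndrs stays empty."""
    decisions = {e.rcpt_to: rcpt_decision(e.rcpt_to) for e in envelopes}
    accepted = [e for e in envelopes if decisions[e.rcpt_to] == "accept"]
    ndrs = [e.mail_from for e in accepted if local_part(e.rcpt_to) not in MAILBOXES]
    return decisions, ndrs

# constructed sample traffic: two forged-sender probes and one legitimate mail
SAMPLE = [Envelope("joe@victim.example", "anyuser@example.org"),
          Envelope("jane@victim.example", "ex-employee@example.org"),
          Envelope("partner@other.example", "alice@example.org")]
```

Running legacy_ndrs(SAMPLE) shows both forged senders receiving the bounce; with the black-hole list only the random-user probe still bounces, and validated_session(SAMPLE) bounces nothing.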

> -----Original Message-----
> From: Philip Walley [mailto:philip.walley@xxxxxxxxxxxxxx]
> Sent: Monday, March 01, 2004 9:01 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT: Exchange Server Spamming
> 
> 
> I've seen this same thing on 5.5. What I found when I looked into it is
> that a 5.5 server can have relaying disabled, but you are still able to
> submit the mail (they just will not go anywhere). You may want to run
> something like adaware on the server to see if you can find what is
> generating the emails.
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
> Behalf Of Henry Sieff
> Sent: Monday, March 01, 2004 8:50 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: OT: Exchange Server Spamming
> 
> 
> Well, the "reverse Spam" technique doesn't use just ex-employees' email
> addresses, it uses randomaddress@xxxxxxxxxx where domain.com is your
> domain. You could (I suppose) continually add addresses to this list as
> you see them, but this is impractical (to say the least).
> 
> Turning off NDR is a possibility, as someone else said, but it's a little
> draconian, imo (not that I haven't considered it). Bounces are a useful
> part of SMTP, and turning them off does break RFC.
> 
> The emergence of this technique will probably require some form of
> content-based filtering to combat (I hate spam filtering based on
> content, but there may be no choice).
> 
> Another possibility is to only accept mail from servers on a
> "white-list". There are several companies I have dealt with that forward
> the first email from either a domain or a mail server to the mail admin.
> The mail admin can approve either the address, the domain, or the server,
> and only after that will email be accepted for delivery.
> 
> Without something like this, there is no technological defense against
> this technique w/o breaking RFC.
> 
> False, tricksy spammers. . .
> 
> Henry
> 
> > -----Original Message-----
> > From: Dennis van Turnhout [mailto:turnhout@xxxxxxxxxx]
> > Sent: Monday, March 01, 2004 2:29 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: OT: Exchange Server Spamming
> > 
> > 
> > If it's spam to addresses that used to exist, try this option.
> > Works like a charm over here.
> > 
> > -----
> > 
> > Black Holes - not just a space thing!
> > 
> > As users leave your company, you will more than likely delete their
> > mailbox after a certain amount of time. It is then common for the SMTP
> > address of the departed employee to be added to another mailbox, or a
> > public folder, perhaps being monitored by the departed employee's
> > manager. The aim is to make sure that any important business email is
> > acknowledged for some amount of time after the user has left.
> > 
> > Clearly there is a long term issue with this method, since eventually,
> > the monitoring of the messages sent to that address will stop. Removing
> > the SMTP address from the organisation will obviously not stop messages
> > being sent to that address; there are always going to be those pesky
> > spam messages, and additionally, your Exchange server has to generate a
> > non-delivery report for each message.
> > 
> > One solution to put the issue out of your mind is to implement what is
> > sometimes referred to as the 'black hole' method. This allows your
> > Exchange server to simply delete the messages sent to specific SMTP
> > addresses, whilst at the same time never generating a non-delivery
> > report for these messages.
> > 
> > Here are the 3 simple steps to implement the black hole method:
> > 
> > 1. Create a distribution list (Exchange 5.5) or a mail-enabled
> > distribution group (Exchange 2000).
> > 
> > 2. Make sure that there are NO members in this distribution list/group.
> > This is the key part to this tip.
> > 
> > 3. Add the SMTP addresses of the ex-employees to the distribution
> > list/group. Add them as secondary SMTP addresses in exactly the same way
> > you would for a mailbox.
> > 
> > Now, when messages are sent to these problematic SMTP addresses,
> > Exchange silently deletes them. No non-delivery reports are generated,
> > and the administrator no longer has to be concerned about these
> > messages.
> > 
> > Try it. It works well!
> > 
> > Neil Hobson
> > 
> > -----Original Message-----
> > From: Nick Smith [mailto:nick@xxxxxxxxxxxxxxx]
> > Sent: Monday 1 March 2004 08:22
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: OT: Exchange Server Spamming
> > 
> > 
> > Jeff - It's being used for Reverse Spam. The idea is that you send out a
> > bunch of spam to a server from valid email addresses; your server then
> > sends an NDR to the addresses, thus delivering the spam. Switch off
> > NDRs to stop this. Nick
> > 
> > -----Original Message-----
> > From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
> > Sent: 01 March 2004 05:26
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] OT: Exchange Server Spamming
> > 
> > I have a customer with an NT4 Small Business Server with Exchange 5.5
> > SP4. The outbound SMTP queue is filling with undelivered mail,
> > indicating that the server is being used to spam. The server is
> > definitely not an open relay (tested myself and through ORDB.ORG), and
> > doesn't allow *any* SMTP relay. I've found that the outbound queue on
> > this server fills up even if it's disconnected from the network, which
> > tells me that the server itself is generating the mail. It's got Norton
> > Antivirus with the latest definitions, and I've scanned it with Trend's
> > online virus scanner. I don't find any viruses at all. I've looked at
> > the processes for processes that are using a bunch of CPU time, but
> > don't see anything obvious. Any ideas? TIA. JD
> > 
> > ********************************************************
> > This weeks sponsor triCerat Inc.
> > triCerat makes your job easier by offering essential applications to
> > eliminate your printing, policy and profile, and your application
> > management problems. http://www.triCerat.com
> > **********************************************************
> > Useful Thin Client Computing Links are available at:
> > http://thin.net/links.cfm
> > ***********************************************************
> > For Archives, to Unsubscribe, Subscribe or set Digest or 
> Vacation mode
> > use the below link: http://thin.net/citrixlist.cfm
> 