Spamtrap addresses vs. list confirmation emails, or how to lose 2k list emails
In the early hours of this morning, a spammer managed to get the IP of the Gentoo list server on the NiX Spam RBL... simply by spamming the subscribe address :-(. This caused approximately 2000 deliveries of normal list mail to be rejected while the server was present on the RBL.
Notice the subscribe request, line 0004. (whitespace added)
0001 Feb 1 00:15:56 pigeon postfix/smtpd: 52278E0778: client=unknown[188.8.131.52]
0002 Feb 1 00:15:57 pigeon postfix/cleanup: 52278E0778:
0003 Feb 1 00:15:58 pigeon postfix/qmgr: 52278E0778:
size=59874, nrcpt=3 (queue active)
0004 Feb 1 00:15:58 pigeon postfix/local: 52278E0778:
relay=local, delay=2.4, delays=2.4/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
0005 Feb 1 00:15:58 pigeon postfix/local: 52278E0778:
relay=local, delay=2.4, delays=2.4/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
0006 Feb 1 00:15:58 pigeon postfix/local: 52278E0778:
relay=local, delay=2.4, delays=2.4/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to command: ....)
0007 Feb 1 00:15:58 pigeon postfix/qmgr: 52278E0778: removed
Assuming that the it's a real subscribe request, we send a confirmation request, and promptly get blacklisted for being a good citizen. Line 0013.
0010 Feb 1 00:15:58 pigeon postfix/smtpd: B6FA9E0778: client=localhost[127.0.0.1]
0011 Feb 1 00:15:58 pigeon postfix/cleanup: B6FA9E0778:
0012 Feb 1 00:15:58 pigeon postfix/qmgr: B6FA9E0778:
size=1345, nrcpt=1 (queue active)
0013 Feb 1 00:16:29 pigeon postfix/smtp: B6FA9E0778:
relay=mx.dyndns.biz[184.108.40.206]:25, delay=31, delays=0.06/0/30/0.41, dsn=5.7.1,
status=bounced (host mx.dyndns.biz[220.127.116.11] said:
554 5.7.1 Service unavailable; Your spam message has been received.
You will be blacklisted. Thank you (in reply to end of DATA command))
0014 Feb 1 00:16:29 pigeon postfix/bounce: B6FA9E0778: sender non-delivery notification: B8AE9E089A
0015 Feb 1 00:16:29 pigeon postfix/qmgr: B6FA9E0778: removed
Why did this happen? I do agree on the importance of spamtrap accounts, but they MUST check the content of their messages. A list confirmation message MUST NOT be considered as spam.
The original subscribe request came from what seems to be a compromised server in Secunderabad, India. So it wouldn't have been detected by RBL focused on modem/dialup addresses.
Short of raising the bar to subscribe (with a specific token that needs to be included, and then it's only a matter of time till spammers include it too), there isn't much we can do to block stuff like this at the list-server level. There is no way to detect than an address is a spamtrap. There cannot be by definition, as the spammers would avoid it themselves otherwise.
Syndicated 2010-02-01 20:25:41 from Move along, nothing to read