Spamtrap addresses vs. list confirmation emails, or how to lose 2k list emails
In the early hours of this morning, a spammer managed to get the IP of the Gentoo list server on the NiX Spam RBL... simply by spamming the subscribe address :-(. This caused approximately 2000 deliveries of normal list mail to be rejected while the server was present on the RBL.
Notice the subscribe request, line 0004. (whitespace added)
0001 Feb 1 00:15:56 pigeon postfix/smtpd: 52278E0778: client=unknown[22.214.171.124]
0002 Feb 1 00:15:57 pigeon postfix/cleanup: 52278E0778: message-id=<01caa301$d307f7d0$b173a8c0@ambachglasfaser>
0003 Feb 1 00:15:58 pigeon postfix/qmgr: 52278E0778: from=<email@example.com>, size=59874, nrcpt=3 (queue active)
0004 Feb 1 00:15:58 pigeon postfix/local: 52278E0778: to=<firstname.lastname@example.org>, orig_to=<email@example.com>, relay=local, delay=2.4, delays=2.4/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
0005 Feb 1 00:15:58 pigeon postfix/local: 52278E0778: to=<firstname.lastname@example.org>, relay=local, delay=2.4, delays=2.4/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to command: ....)
0006 Feb 1 00:15:58 pigeon postfix/local: 52278E0778: to=<email@example.com>, relay=local, delay=2.4, delays=2.4/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to command: ....)
0007 Feb 1 00:15:58 pigeon postfix/qmgr: 52278E0778: removed
Assuming that it's a real subscribe request, we send a confirmation request, and promptly get blacklisted for being a good citizen. See line 0013.
0010 Feb 1 00:15:58 pigeon postfix/smtpd: B6FA9E0778: client=localhost[127.0.0.1]
0011 Feb 1 00:15:58 pigeon postfix/cleanup: B6FA9E0778: message-id=<firstname.lastname@example.org>
0012 Feb 1 00:15:58 pigeon postfix/qmgr: B6FA9E0778: from=<email@example.com>, size=1345, nrcpt=1 (queue active)
0013 Feb 1 00:16:29 pigeon postfix/smtp: B6FA9E0778: to=<firstname.lastname@example.org>, relay=mx.dyndns.biz[126.96.36.199]:25, delay=31, delays=0.06/0/30/0.41, dsn=5.7.1, status=bounced (host mx.dyndns.biz[188.8.131.52] said: 554 5.7.1 Service unavailable; Your spam message has been received. You will be blacklisted. Thank you (in reply to end of DATA command))
0014 Feb 1 00:16:29 pigeon postfix/bounce: B6FA9E0778: sender non-delivery notification: B8AE9E089A
0015 Feb 1 00:16:29 pigeon postfix/qmgr: B6FA9E0778: removed
Why did this happen? I do agree on the importance of spamtrap accounts, but they MUST check the content of their messages. A list confirmation message MUST NOT be considered as spam.
The original subscribe request came from what seems to be a compromised server in Secunderabad, India, so it wouldn't have been detected by an RBL focused on modem/dialup addresses.
Short of raising the bar to subscribe (with a specific token that needs to be included, and then it's only a matter of time till spammers include it too), there isn't much we can do to block stuff like this at the list-server level. There is no way to detect that an address is a spamtrap. There cannot be, by definition, as the spammers would avoid it themselves otherwise.
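One way to spot this pattern in the mail log after the fact, as an added example that is not part of the original post and not the Gentoo list server's own tooling: it groups Postfix log lines by queue id, finds inbound messages that hit a subscribe address, and pairs them with a later confirmation to the same envelope sender that the remote MX refused with a 5.7.x policy DSN, giving the client IP and the remote's reply as evidence for a delisting request or a temporary block of that client. The sample log, the list addresses and the `-subscribe@`/`+subscribe@` recipient markers are constructed placeholders.

```python
import re
from collections import defaultdict
# Constructed sample log (not the page's own): placeholder addresses, RFC 5737 test IPs.
SAMPLE_LOG = """\
Feb  1 00:15:56 pigeon postfix/smtpd[100]: 52278E0778: client=unknown[192.0.2.10]
Feb  1 00:15:58 pigeon postfix/qmgr[101]: 52278E0778: from=<trap@spamtrap.example>, size=59874, nrcpt=1 (queue active)
Feb  1 00:15:58 pigeon postfix/local[102]: 52278E0778: to=<listserv@lists.example>, orig_to=<somelist+subscribe@lists.example>, relay=local, delay=2.4, dsn=2.0.0, status=sent (delivered to command: listserv)
Feb  1 00:15:58 pigeon postfix/qmgr[101]: B6FA9E0778: from=<somelist+bounces@lists.example>, size=1345, nrcpt=1 (queue active)
Feb  1 00:16:29 pigeon postfix/smtp[103]: B6FA9E0778: to=<trap@spamtrap.example>, relay=mx.spamtrap.example[192.0.2.20]:25, delay=31, dsn=5.7.1, status=bounced (host mx.spamtrap.example[192.0.2.20] said: 554 5.7.1 Service unavailable; Your spam message has been received. You will be blacklisted. Thank you (in reply to end of DATA command))
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ postfix/(?P<prog>\w+)(?:\[\d+\])?: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|\S+?)(?:,|\s|$)")   # key=<addr> or key=value
REASON_RE = re.compile(r"status=bounced \((.*)\)$")         # remote MTA's rejection text

def parse_postfix_log(text):
    """Group log lines by queue id; each event keeps the daemon name and its key=value fields."""
    msgs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {k: v.strip("<>") for k, v in FIELD_RE.findall(m["rest"])}
        ev["prog"] = m["prog"]
        ev["reason"] = r.group(1) if (r := REASON_RE.search(m["rest"])) else ""
        msgs[m["qid"]].append(ev)
    return msgs

def find_trap_triggered_bounces(msgs, subscribe_markers=("-subscribe@", "+subscribe@")):
    """Pair a subscribe request with a later confirmation to its sender that was refused 5.7.x."""
    sender_origin = {}  # envelope sender of a subscribe request -> (its queue id, client)
    for qid, events in msgs.items():
        info = {}
        for ev in events:
            info.update((k, ev[k]) for k in ("client", "from") if k in ev)
            rcpt = ev.get("orig_to") or ev.get("to", "")
            if ev["prog"] == "local" and any(mk in rcpt for mk in subscribe_markers):
                info["subscribe"] = True
        if info.get("subscribe") and "from" in info and "client" in info:
            sender_origin[info["from"]] = (qid, info["client"])
    hits = []
    for qid, events in msgs.items():
        for ev in events:
            if (ev["prog"] == "smtp" and ev.get("status") == "bounced"
                    and ev.get("dsn", "").startswith("5.7.") and ev.get("to") in sender_origin):
                sub_qid, client = sender_origin[ev["to"]]
                hits.append({"trap": ev["to"], "client": client, "subscribe_qid": sub_qid,
                             "bounce_qid": qid, "reason": ev["reason"]})
    return hits
```

Only 5.7.x (policy) rejections are paired, so an ordinary 5.1.1 "user unknown" bounce to a mistyped subscriber address is not reported as a trap hit.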