mailing list archives
Re: denial of service on ISN list
From: security curmudgeon <jericho () attrition org>
Date: Thu, 8 Jul 2004 05:58:28 -0400 (EDT)
: ---------- Forwarded message ----------
: Date: Thu, 08 Jul 2004 10:17:46 +0100
: From: lsi <stuart () cyberdelix net>
: To: isn-owner () attrition org
: Cc: full-disclosure () lists netsys com
: Subject: [Full-disclosure] denial of service on ISN list
: I can't subscribe to ISN because their mail server thinks my mail server
: is a spammer. I can report that Pipex are one of the largest ISPs in
: the UK, and that this server might be used by hundreds of thousands of
For any large ISP, a single abusive customer has never caused an entire
ISP to be blacklisted or blocked from reaching attrition.org .. the ISP
not responding to complaints and not doing anything to resolve the abuse
The block had nothing to do with Joe Random sending a ton of spam. It has
to do with Pipex ignoring my complaints to abuse@ and/or postmaster@ and
opting not to track down the spammer for *weeks*, while spam kept flowing
from the same person, via the same mail relay (18.104.22.168).
They opted not to care, they had no issue with the activity of their
customer, they didn't want to lose a few bucks and kick the person from
their service. If you support a company like that, keep paying them, and
keep getting denied by this mail server. If you feel that they DO care
these days (considering the block was added 02-02-03) then a polite mail
to attrition.org would likely cause me to move them to the probation area
and get a fun little # in front of their entry.
: I put it to ISN that your system allows people to be kicked off the
: list. All I need to do is fake some spam from my enemy's SMTP to the
: list, and you block the entire server. When another of Pipex' 100,000
: subscribers attempts to join, they are blocked too. Not good.
You also need to fake the ISP not caring, fake them not responding to
complaints for weeks at a time, and faking hundreds of pieces of spam
through that same relay each day.. then the DoS would be effective. If you
can manage that attack, then yes, ISN is succeptible to a DoS attack as
you describe. Further, not to burst your bubble, mail has been getting
to/from some pipex customers just fine. They use another pipex relay
: > <isn-request () attrition org>: host forced.attrition.org[22.214.171.124] said: 553
: > 5.3.0 - 780 spammer or relay pengo.systems.pipex.net ESMTP Postfix (in
: > reply to MAIL FROM command)
The mail to "isn-owner" was a cute gesture, but you *knew* mail to
anything at attrition.org would bounce, so why bother?
In the future, at least contact someone at attrition.org (from an
alternate account of course, even a disposable hotmail.com address) since
we handle the mail list for ISN. Failing that, mail the ISN moderator
(wk () c4i org, who's mail doesn't route through attrition.org) and ask him
if something can be done, instead of whining to an arbitrary list.
Full-Disclosure - We believe in it.