Full Disclosure mailing list archives

Re: Regarding all the spam...
From: L Nehring <nehring () newparticles com>
Date: Thu, 04 Mar 2004 19:36:20 -0700

(openssl-users) This is way off-topic, so let me apologize in advance.

Here's some of my own email numbers to give a piece of my perspective of the talk about spam on the openssl list and why I just don't see a real problem.....

I run a pair of email servers on a very small domain that serves about 10 live users. I received a total of 21204 emails in the past month for the domain. In that time frame, I quarantined 1626 messages containing viruses, 3671 messages were rejected, 1267 messages bounced, and 1431 messages were marked as spam.

Maybe my threshold for pain is higher than normal, but if I were to get just 24 or even less than 50 rejected|spam|virus messages per day, I would be checking my email servers for misconfiguration or compromise. Doesn't matter where the bad messages actually come from anymore, since it's becoming a given that the 'mail from:' address is invalid or spoofed.

I can't imagine that a change that restricts who might post to the openssl list would have any noticeable effect on email in my little domain or anywhere else.

It might be better to petition the antivirus vendors to remove the arcane/useless bounce notification feature (that has become a serious source of spam). If a person didn't know they sent a virus, they probably aren't going to know what to do if they're notified about it. If they did know they sent a virus, then they aren't going to care... More likely however, is that the person didn't send any original virus message at all and was just unlucky enough to have their address spoofed so that they would end up with a mysterious bounce message.

.....this could be exploited in a similar manner to an ICMP smurf attack - if you want to mail-bomb somebody just mass mail a virus-laden email with the from address of your target. Doesn't matter what the virus is or what it does as long as it's detected and triggers an automatic response. Probably works better if the mass mailing includes mail lists to increase the amount of AV notices sent to the target.

Again, I apologize again for being off-topic. I'll copy this post over to the Full-disclosure list to let the thread continue there.


Scott Lamb wrote:


On Mar 2, 2004, at 8:37 PM, Joseph Bruni wrote:

I don't know about that. During the latest Windows exploit virus blast (when are they going to fix their stuff?) I kept getting bombed by AV bounces aimed at openssl-users-l. Not to mention that the list was DOWN during that time as well. A good number of my posts just got timed out by my legitimate SMTP relay.


On Mar 2, 2004, at 2:15 PM, L Nehring wrote:

Have we now crossed the threshold where there are more off-topic messages discussing spam than spam messages themselves?

There just doesn't seem to be a real need to take any action at all given the small number of UCE or antivirus bounce messages.


To put some concrete numbers on this, my mail logs note rejecting 24 messages MAIL FROM: <owner-mmx-openssl-users () mmx engelschall com> in the past month, and I have 14 more in my junk folder. So no, we most certainly have not crossed that threshold.

Scott

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users () openssl org
Automated List Manager                           majordomo () openssl org


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

