[Coco] Re: Boisy & Mark

John E. Malmberg wb8tyw at qsl.net
Sun Feb 27 23:43:34 EST 2005


Dave Poitras wrote:
> Mark,
> 
> 3rd try to cloud9tech address and the blocking.
> 
> Here is the "Details"
> 
>    <mark at cloud9tech.com>553 64.136.29.16 
> rejected due to spam, contact
>    480-505-8877 (dnsbl.sorbs.net)

http://www.moensted.dk/spam/?addr=64.136.29.16&Submit=Submit

+ SORBSSPAM List of hosts that have been noted as sending spam/UCE/UBE 
to the admins of SORBS. : spam.dnsbl.sorbs.net -> 127.0.0.6

The SORBS spamtrap zone is not suitable for use in an ISP blocking list 
unless you do not want e-mail from any major ISP.

It is almost impossible for a major ISP to keep their servers off of 
that list when a new virus breaks out, and many have given up on jumping 
through the hoops of donating to a charity of their choice to get off of it.

The SORBS DUHL zone appears to be the most up to date DHCP zone, and it 
even allows removals by individuals if their TTL of their static domain 
is long enough to indicate that it is not dynamic.

Specific details on this listing:

> Address:	64.136.29.16
> Record Created:	Fri Jan 28 13:41:11 2005 GMT
> Record Updated:	Wed Feb 23 13:35:29 2005 GMT
> Additional Information:

> Received: from pop.communityarchitect.com (blaze1.lax.untd.com
> [64.136.29.16]) by desperado.sorbs.net (Postfix) with ESMTP id
> 5931611451 for <[email]>; Wed, 23 Feb 2005 22:39:25 +1000 (EST)

It is also in the list below, which is far more serious, and further 
investigation shows that there was and still could be a serious security 
breach in progress on the mail server.

http://psbl.surriel.com/listing?ip=64.136.29.16

This has a link to google, and a quick check shows the spam coming out 
of it.

The mail server is claiming that the spam is coming in from a webmailer.

This indicates that there is either a security problem with the web 
mailer, or that the spammers have phished the password of a user of that 
mail server.

There has been an outbreak of Advance Fee Scams and Nigerian 419 scams 
from insecure web mailers for the past several months, and much of the 
discussion about it seems to be about a buggy PHP script enabling 
spammers to have full control of the web mailer.

As the first spam was seen from this on Jan 19th, and google shows that 
the problem was allowed to continue to at least Feb 26, it indicates 
that the ISP took quite some time to figure out what the security 
problem is, and since it has not been 48 hours yet from the easily 
available public sighting, it remains to be seen if it really is fixed.

Looking a little further at the spam that google found with the title:
" Subject: Congratulations!!!You Have Won."

> ------- start of forwarded message -------
> Return-Path: <goldenstklo... at goldeninfodesk.com>
> X-Original-To: X... at wsrcc.com
> Delivered-To: X... at wsrcc.com
> Received: from pop.communityarchitect.com (blaze1.lax.untd.com [64.136.29.16])
>         by sonic.wsrcc.com (Postfix) with ESMTP id 12522846BD2
>         for <X... at wsrcc.com>; Fri, 28 Jan 2005 01:38:05 -0800 (PST)
> Reply-To: goldenstklo... at netscape.net
> X-Mailer: Mail::Webmail (v1.221)
> X-Originating-Ip: 213.148.228.55
> X-Originating-Email: golden stklotto <goldenstklo... at goldeninfodesk.com>

The I.P. address that the web mailer picked up the spam from is listed 
in the sbl.spamhaus.org:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL23068

It has been listed there since January 22, 2005.  The sbl.spamhaus.org 
is known for being conservative, and if a web mailer is accepting e-mail 
from anything listed in the sbl-xbl.spamhaus.org, then they are 
effectively an open relay.


Dave,

I would recommend that you have a chat with your ISP's support staff; 1 
month to find a repetitive security problem in a web mail service is way 
too long.  And you can use the links above to show them the public evidence.

People who post to news.admin.net-abuse.sightings generally file abuse 
reports to the designated role accounts, so the only way that your ISP 
could not be aware of the problem is if they are not reading them.

And this type of spam means that either the web mail service was owned 
by the criminals, or they had phished the account of a valid user, or 
your ISP is effectively operating an open relay.

The ISP logs should have indicated which user had their account phished 
if that were the case, and if logs do not show it, it means that the 
server is owned.

If this problem is not fixed, I would expect that you will find more 
mail servers refusing e-mail from that IP address.

This is why any discussions about blocking lists need to have both the 
name of the list being used and the I.P. address being blocked.

The SORBS Spamtrap zone generally will cause a lot of collateral damage, 
but the PSBL is trivial to get off unless the problem is not fixed, so 
more mail servers will be using it.

-John
wb8tyw(at)qsl.net
Personal Opinion Only
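Added example, not part of the original post or of any of the tools it links: it unfolds the forwarded spam headers quoted above (constructed sample, addresses elided as in the post), pulls out the relay address from Received: and the submitter address from X-Originating-Ip:, and builds the reversed-octet names a DNSBL client would resolve, interpreting the one SORBS return code the post shows (127.0.0.6). Zone name and code table beyond that are assumptions, not taken from SORBS documentation.

```python
import ipaddress
import re

# Constructed sample based on the forwarded spam headers quoted in the post
# (addresses elided exactly as they are in the original).
SAMPLE_HEADERS = """\
Received: from pop.communityarchitect.com (blaze1.lax.untd.com [64.136.29.16])
        by sonic.wsrcc.com (Postfix) with ESMTP id 12522846BD2
        for <X... at wsrcc.com>; Fri, 28 Jan 2005 01:38:05 -0800 (PST)
X-Mailer: Mail::Webmail (v1.221)
X-Originating-Ip: 213.148.228.55
"""

# Only the return code seen in the post's own lookup is named; any other
# answer is reported as an opaque "listed" result rather than guessed at.
SORBS_CODES = {"127.0.0.6": "SORBS spam zone (spam.dnsbl.sorbs.net)"}


def unfold(headers: str) -> list[str]:
    """Join RFC 822 continuation lines so each header is one string."""
    out: list[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def hop_addresses(headers: str) -> dict[str, str]:
    """Map each header-derived IP to its role: the SMTP relay from the
    bracketed literal in Received:, and the webmail submitter from
    X-Originating-Ip:, the address a webmailer should be checking itself."""
    hops: dict[str, str] = {}
    for h in unfold(headers):
        name, _, value = h.partition(":")
        if name.lower() == "received":
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
            if m:
                hops[m.group(1)] = "smtp relay"
        elif name.lower() == "x-originating-ip":
            hops[value.strip()] = "webmail submitter"
    return hops


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name a DNSBL client resolves."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def describe(answer: str) -> str:
    """Translate a DNSBL A-record answer into a human-readable verdict."""
    return SORBS_CODES.get(answer, f"listed (code {answer})")
```

Resolving the name returned by dnsbl_name with an ordinary A lookup (an NXDOMAIN means not listed) is the only network step, and is left out so the block runs offline.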
