I just tried to do a telnet session with this server and it requires SMTP AUTH.  My feeling here is that there are enough Earthlink customers out there that someone could quite easily generate lists of hundreds of valid usernames and passwords from an AUTH attack on a server such as this, and that this is what they have done.  Your mail headers and the ones that I have seen show clearly that spam zombies are sending E-mail directly through this server, and since this server requires AUTH to do so, I am guessing that this is what they are doing.  I first noticed this about a month ago, although at this moment I can't guarantee it was the exact same machine at Earthlink that was leaking the spam.

Here's the bad news about this server...it is a legitimate relay.  Yesterday's log shows a message that is definitely legitimate that comes from this server (in addition to about 4 pieces of spam from the Cyrillic Spammer who encodes subjects in Windows 1251 character sets and sends in both English and Russian, if this is the guy that I am thinking it is).  Unfortunately I don't have a copy of that message so I can't tell if it was relayed from another Earthlink server, or if it was relayed directly from a client through that server and then to us.  Unless it is relayed from another server, you can't IPBYPASS it.

Note that there are other Earthlink servers that are also relaying authenticated spam such as 207.217.120.220, 207.217.120.131, 207.217.120.227, etc.  All of the spam is from this Cyrillic Spammer guy and it seems to be an issue with their entire mail server network.  If anyone thinks that there is an easy way to stop this from our end...think again.  If someone hacks the AUTH in enough accounts, you can set up networks of spam zombies to send in low enough volume that you can bypass their automatic detection of such abuse (if it exists at present).  In other words, it's totally up to Earthlink to stem this abuse.

In the meantime since it seems to be completely isolated to this one guy, here's a filter that can be used in JunkMail Pro v1.79i8 or higher:

# HACKEDEARTHLINK v1.0.0

REVDNS      END    NOTENDSWITH    .earthlink.net
MAILFROM    END    CONTAINS       earthlink

SUBJECT     10     CONTAINS       =?windows-1251?b?


This filter will work because he randomizes his Mail From address so it will frequently be from another domain.  I would consider it to be quite safe to score high.  The only time you should get a false positive is when an Earthlink customer relays E-mail that is Windows 1251 encoded through their servers and has configured their mail client to use a different domain name.  In other words, this is about as safe a filter as they come.  Let's hope that other spammers are slower in picking up on the AUTH hacking bandwagon and that ISPs put in place proper E-mail intrusion detection systems.

Matt
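The following is an added example, not code from Matt or from Declude: a small Python evaluator that re-implements the three-line HACKEDEARTHLINK filter above to show why the two END lines act as exclusions and only the Cyrillic subject line scores. It assumes Declude's END weight means "stop the filter with no points when this line matches", that comparisons are case-insensitive, that the envelope sender can be read from Return-Path, and that the relay's reverse DNS is supplied by the caller; the sample messages are constructed.

```python
from email import message_from_string

# Re-implementation of the HACKEDEARTHLINK filter (added example, not
# Declude's code). A weight of "END" means: if this line matches, stop
# evaluating the filter and award nothing (assumed Declude semantics).
FILTER = [
    ("REVDNS",   "END", "NOTENDSWITH", ".earthlink.net"),
    ("MAILFROM", "END", "CONTAINS",    "earthlink"),
    ("SUBJECT",  10,    "CONTAINS",    "=?windows-1251?b?"),
]

def _field(msg, name, revdns):
    """Pull the value a filter line tests from the parsed message."""
    if name == "REVDNS":
        return revdns                       # reverse DNS of the connecting relay
    if name == "MAILFROM":
        return msg.get("Return-Path", "")   # envelope sender, approximated by Return-Path
    if name == "SUBJECT":
        return msg.get("Subject", "")       # raw header, still RFC 2047 encoded
    raise ValueError(name)

def _matches(value, op, arg):
    value, arg = value.lower(), arg.lower()  # case-insensitive (assumed)
    if op == "CONTAINS":
        return arg in value
    if op == "NOTENDSWITH":
        return not value.endswith(arg)
    raise ValueError(op)

def score(raw_message, revdns):
    """Return the weight the filter adds for one message; revdns is the
    reverse-DNS name of the host that handed the message to us."""
    msg = message_from_string(raw_message)
    total = 0
    for name, weight, op, arg in FILTER:
        if _matches(_field(msg, name, revdns), op, arg):
            if weight == "END":
                return total                # exclusion hit: stop, no points
            total += weight
    return total

# Constructed sample messages (not real mail): a windows-1251 subject sent
# through an Earthlink relay, once with a foreign sender address and once
# with an Earthlink customer's own address.
SPAM = "Return-Path: <someone@example.net>\nSubject: =?windows-1251?b?7eXy?=\n\nbody\n"
LEGIT = "Return-Path: <user@earthlink.net>\nSubject: =?windows-1251?b?7eXy?=\n\nbody\n"
```

Running the same spam sample with a non-Earthlink reverse DNS also scores 0, which is the first END line doing its job of limiting the filter to mail relayed through Earthlink.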

Brad Morgan wrote:
Earthlink has for some reason been forwarding spam through this 
server for some time.  I'm not sure what the setup is, but it's
a legitimate Earthlink server and the E-mail originates from a 
spam zombie.
I have thought about IPBYPASS'ing this server in order to capture
the real source, but I have yet to confirm if this server is just
used for forwarding or what the case may be.  It could be that 
this is an open relay, a forwarding server, or a full fledged mail
server.  I am guessing the first.

Matt

Can't you use abuse.net's open relay test to determine if it's as
simple as an open relay?

I tried and it appears to not be an open relay, but I'm not an
expert at these things so I may not understand what I'm doing.

Regards,

Brad 
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
