[Full-Disclosure] Re: Regarding all the spam...
From: L Nehring (nehringnewparticles.com)
Date: Thu Mar 04 2004 - 20:36:20 CST
(openssl-users) This is way off-topic, so let me apologize in advance.
Here's some of my own email numbers to give a piece of my perspective of
the talk about spam on the openssl list and why I just don't see a real
I run a pair of email servers on a very small domain that serves about
10 live users.
I received a total of 21204 emails in the past month for the domain.
In that time frame, I quarantined 1626 messages containing viruses, 3671
messages were rejected, 1267 messages bounced, and 1431 messages were
marked as spam.
Maybe my threshold for pain is higher than normal, but if I were to get
just 24 or even less than 50 rejected|spam|virus messages per day, I
would be checking my email servers for misconfiguration or compromise.
Doesn't matter where the bad messages actually come from anymore, since
it's becoming a given that the 'mail from:' address is invalid or spoofed.
I can't imagine that a change that restricts who might post to the
openssl list would have any noticeable effect on email in my little
domain or anywhere else.
It might be better to petition the antivirus vendors to remove the
arcane/useless bounce notification feature (that has become a serious
source of spam). If a person didn't know they sent a virus, they
probably aren't going to know what to do if they're notified about it.
If they did know they sent a virus, then they aren't going to care...
More likely however, is that the person didn't send any original virus
message at all and was just unlucky enough to have their address spoofed
so that they would end up with a mysterious bounce message.
.....this could be exploited in a similar manner to an ICMP smurf attack
- if you want to mail-bomb somebody just mass mail a virus-laden email
with the from address of your target. Doesn't matter what the virus is
or what it does as long as it's detected and triggers an automatic
response. Probably works better if the mass mailing includes mail
lists to increase the amount of AV notices sent to the target.
Again, I apologize again for being off-topic. I'll copy this post over
to the Full-disclosure list to let the thread continue there.
Scott Lamb wrote:
> On Mar 2, 2004, at 8:37 PM, Joseph Bruni wrote:
>> I don't know about that. During the latest Windows exploit virus
>> blast (when are they going to fix their stuff?) I kept getting bombed
>> by AV bounces aimed at openssl-users-l. Not to mention that the list
>> was DOWN during that time as well. A good number of my posts just got
>> timed out by my legitimate SMTP relay.
>> On Mar 2, 2004, at 2:15 PM, L Nehring wrote:
>>> Have we now crossed the threshold where there are more off-topic
>>> messages discussing spam than spam messages themselves?
>>> There just doesn't seem to be a real need to take any action at all
>>> given the small number of UCE or antivirus bounce messages.
> To put some concrete numbers on this, my mail logs note rejecting 24
> messages MAIL FROM: <owner-mmx-openssl-usersmmx.engelschall.com> in
> the past month, and I have 14 more in my junk folder. So no, we most
> certainly have not crossed that threshold.
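An added example, not part of the original post: one way a receiving domain can separate genuine bounces from the antivirus-notice backscatter described above, by checking whether a notification refers to a Message-ID the domain actually sent. The outbound-ID set `SENT_IDS`, the reliance on a `Return-Path` header recorded at delivery, and all sample messages are assumptions constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

MSGID_LINE = re.compile(r"(?im)^message-id:\s*(<[^<>\s]+>)")
MSGID = re.compile(r"<[^<>\s]+>")

def is_notification(msg):
    """True for bounces and auto-generated notices."""
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
    local = parseaddr(msg.get("From", ""))[1].lower().split("@")[0]
    return null_sender or auto or local in {"mailer-daemon", "postmaster"}

def referenced_ids(raw, msg):
    """Message-IDs the notice claims to be about, excluding its own."""
    ids = set(MSGID_LINE.findall(raw))  # also catches headers quoted in the body
    for hdr in ("In-Reply-To", "References"):
        ids.update(MSGID.findall(msg.get(hdr, "")))
    ids.discard(msg.get("Message-ID", "").strip())
    return ids

def classify(raw, sent_ids):
    """Return 'normal', 'bounce-ours' or 'backscatter' for one raw message."""
    msg = email.message_from_string(raw)
    if not is_notification(msg):
        return "normal"
    # A notice that cannot be tied to mail we sent is a reply to a spoofed sender.
    return "bounce-ours" if referenced_ids(raw, msg) & sent_ids else "backscatter"

def build(headers, body):
    return "\n".join(headers) + "\n\n" + body + "\n"

# Constructed sample data (hypothetical domains and IDs).
SENT_IDS = {"<20040304.0001@example.org>"}  # assumed log of our outbound Message-IDs
GENUINE = build(["Return-Path: <>", "From: MAILER-DAEMON@mx.example.net",
                 "To: alice@example.org", "Message-ID: <b1@mx.example.net>",
                 "Subject: Undelivered Mail Returned to Sender"],
                "Original headers:\nMessage-ID: <20040304.0001@example.org>")
AV_NOTICE = build(["Return-Path: <>", "From: antivirus@gw.example.com",
                   "To: alice@example.org", "Message-ID: <n7@gw.example.com>",
                   "Auto-Submitted: auto-replied", "Subject: Virus found in your mail"],
                  "Original headers:\nMessage-ID: <forged123@unknown.invalid>")
NORMAL = build(["Return-Path: <bob@example.net>", "From: bob@example.net",
                "To: alice@example.org", "Message-ID: <m42@example.net>",
                "Subject: lunch"], "See you at noon.")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("av", AV_NOTICE), ("normal", NORMAL)):
        print(name, classify(raw, SENT_IDS))
```

Messages classified as `backscatter` can be counted separately from spam and viruses, which makes a spoofed-sender flood visible in the kind of monthly totals quoted in the post.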