Great Circle Associates Majordomo-Users
(November 2003)

Subject: Re: abuse of "help"-command for spamming
From: Chip Old <fold @ bcpl . net>
Date: Thu, 6 Nov 2003 06:34:51 -0500 (EST)
To: MAJORDOMO-USERS <majordomo-users @ greatcircle . com>
In-reply-to: <1g3zzjg.1orntq21bdwrkM%joergen_lang@gmx.de>
References: <1g3zzjg.1orntq21bdwrkM%joergen_lang@gmx.de>

On Thu, 6 Nov 2003 11:06 +0100, Joergen W. Lang wrote:

> during the past few weeks I was experiencing spam attacks which seem to
> utilize MD's "help" command.
>
> It looks like the originator sends a "help" request to my MD with a
> forged "From:" or "Reply-To:"-header. The request contains arbitrary
> advertisements. In turn, MD tries to find a command in the message body
> but only sees HTML-Code (in the case of non-text-only messages).
>
> MD then tries to send back a copy of the offending request along with
> the help message. I only receive the bounces so I reckon there's a
> good few messages actually going through if the targeted account
> exists.

What you describe is very common.  If you've been running Majordomo lists
for any length of time, I'm surprised you haven't seen it earlier.  It
isn't an attack specifically on MD's "help" function.  It's simply the
result of one or more spammers who have your majordomo address on their
list of target addresses.  Any time Majordomo receives a message that
doesn't contain a recognisable command, it sends the "help" file back to
the apparent sender.

If the sender address is a real one it probably doesn't belong to the
spammer, so some unsuspecting innocent receives Majordomo's "help" reply.
If the sender address is not a real address, you receive the resulting
mail delivery error message.

As for why spammers are sending to your majordomo address, keep in mind
that most spammers don't do their own address harvesting.  Instead they
buy CDs full of addresses, usually harvested by other spammers.  Spammers
are firm believers in the old saying "There's a sucker born every minute",
and being totally without scruples they apply that to their fellow
spammers as well as to the targets of their spam.  There are CDs being
sold that contain nothing but well-known addresses (root, postmaster,
abuse, majordomo, etc) with thousands of domain names appended.

Or, it may be that some spammer used an "alphabet attack" on your MTA to
learn valid e-mail addresses on your system, and harvested your majordomo
address that way.

> Since I could not find anything on this particular subject in either
> the archives or the FAQ, or on Google, here's my question:
>
> Do you know of any way around this problem?

None that I know of, short of rewriting majordomo to ignore any message
that contains no valid commands and more than x number of invalid ones.

-- 
Chip Old (Francis E. Old)             E-Mail:  fold@bcpl.net
Manager, BCPL Network Services        Phone:   410-887-6180
Manager, BCPL.NET Internet Services   FAX:     410-887-2091
320 York Road
Towson, MD 21204  USA
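One way to implement the mitigation Chip sketches above (reply with "help" only when a message carries a few unrecognised lines, and silently ignore one with no valid commands and more than x invalid ones), written here as an added example; it is not code from the thread or from Majordomo itself. The command keyword set, the stop-at-signature rule and the three sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.message import Message

# Majordomo 1.x command keywords; an illustrative set (assumption), not the
# exact list of any particular installation.
VALID_COMMANDS = {"help", "subscribe", "unsubscribe", "lists", "info", "intro",
                  "which", "who", "index", "get", "end", "passwd", "newinfo"}

def extract_body(msg: Message) -> str:
    """Prefer a text/plain part; fall back to text/html so that an HTML-only
    message yields its markup as (invalid) command lines, as the thread describes."""
    html = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
        if ctype == "text/html" and not html:
            html = part.get_payload(decode=True).decode("utf-8", "replace")
    return html

def classify_body(body: str) -> tuple:
    """Count (valid, invalid) command lines. Stops at 'end' or at a line
    beginning with '-' (signature separator); the latter rule is an assumption."""
    valid = invalid = 0
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("--"):
            break
        word = line.split()[0].lower()
        if word in VALID_COMMANDS:
            valid += 1
            if word == "end":
                break
        else:
            invalid += 1
    return valid, invalid

def reply_policy(raw_message: str, max_invalid: int = 3) -> str:
    """'process' if any valid command is present; 'help' for a message with
    only a few unrecognised lines; 'drop' (send nothing, so no backscatter)
    when there are no valid commands and more than max_invalid junk lines."""
    valid, invalid = classify_body(extract_body(message_from_string(raw_message)))
    if valid:
        return "process"
    return "help" if invalid <= max_invalid else "drop"

# Constructed sample messages (not taken from the thread).
SUBSCRIBE_MSG = ("From: user@example.org\nTo: majordomo@example.net\n\n"
                 "subscribe test-list\nend\n")
TYPO_MSG = "From: user@example.org\nTo: majordomo@example.net\n\nsubcribe test-list\n"
SPAM_MSG = ("From: forged@example.org\nTo: majordomo@example.net\n"
            "Content-Type: text/html\n\n<html><body>\n<p>Buy now!</p>\n"
            "<p>Click here</p>\n<p>Great deals</p>\n</body></html>\n")
```

With the default threshold the HTML-only sample is dropped without a reply, a mistyped command still earns the help file, and a real subscribe request is processed normally.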

