I manage an email server that uses an Atlantic Broadband SMTP server as a smart host. I maintain a mailing list on the server that currently has about 1,300 email addresses. Each month someone sends a monthly newsletter to the email addresses in that list; the people associated with those addresses are all members of a retirees organization and have all indicated they wish to receive that organization's newsletter. Usually, the newsletter is transmitted without problems, but occasionally I will find that email transmitted from the server is silently discarded with no bounced emai indicating why that is occurring. Though that doesn't occur often, when it occurs, it usually occurs when the newsletter is sent. When the problem occurs, as it did yesterday, I have to request that the IP address of my server be unblocked. Initially, I would call the ISP's phone support number, i.e, an Atlantic Broadband support number, but they would in turn have to contact their email service provider, since the email service they provide is outsourced to Echo Labs as I found from examining email headers - see Email sent via an Atlantic Broadband SMTP server not being delivered. But I found that I could get the block removed more quickly if I submitted a request through Cloudmark, an anti-spam company co-founded by Vipul Ved Prakash and Napster's co-founder Jordan Ritter, which provides an anti-spam service used by Echo Labs.

[ More Info ]

[/network/email/spam/blocklists] permanent link

I manage a Linux server that functions as an email server using the free and open source software (FOSS) package sendmail. I provide a mechanism through the server for someone who has Verizon as his Internet Service Provider (ISP) to send monthly newsletters by email to an organization that has about thirteen hundred members on its email distribution list, since he can't send to that number of people through his ISP-provided email service. I do so by providing an email alias on my server, e.g., thelist@example.com that he puts in the BCC line of his email. The alias is stored in /etc/aliases and points to a text file containing the list of all members' email addresses. So his ISP-provided SMTP server sees only the one address, thelist@example.com, which results in an email message to the server I manage that then translates that address into the approximately 1,300 email addresses of members and sends the newsletter to all members.

But this month the user reported he had sent the message, but it had not been delivered to recipients. I first checked the server's mail log, /var/log/maillog, for any occurrences of his email address for the day he reported the problem. I use several free DNS-based Blackhole List (DNSBL) services to reduce the amount of spam that reaches user's inboxes, so I suspected that one of those services had blocked email from the SMTP server through which he was sending his message, even though I had whitelisted his email address quite some time ago by adding a line like the following one to /etc/mail/access and then running the command makemap hash /etc/mail/access </etc/mail/access.

slartibartfast123987@verizon.net	OK

I didn't find any references to his email address in the /var/log/mail file, so I asked him to resend the message. I still didn't see any references to his email address in the /var/log/maillog file, but I did see that SORBS had blocked email from an America Online (AOL) server at the time he sent the message.

[ More Info ]

[/network/email/spam/sorbs] permanent link

I was notified by someone today that yesterday he had sent an email to a mailing list on an email server I maintain, but the email had not been delivered to recipients. When I checked yesterday's email log, I didn't see any email from his email address, so I asked him to resend the message. He did so, but that email message was also not delivered and I didn't see any log entry for his email address in today's email log, /var/log/maillog. He has a verzion.net email address and Verizon recently transitioned its email service to AOL. I remembered helping him make that transition last month, so I looked for any aol.com entries in the log file and found the entry below for an attempt by an AOL email server to deliver a message that was rejected at the time he told me he had sent the email today.

# grep aol /var/log/maillog
Jun  2 10:50:16 moonpoint sendmail[23955]: ruleset=check_relay, arg1=omr-a006e.m
x.aol.com, arg2=127.0.0.6, relay=omr-a006e.mx.aol.com [204.29.186.55], reject=55
0 5.7.1 Spam Block:mail from 204.29.186.55 refused - see http://dnsbl.sorbs.net/

[ More Info ]

[/network/email/spam/sorbs] permanent link

A family member reported that she hadn't received an email message sent to her today by a Gmail user who had sent her message in reply to the family member's email to her. Since I administer the Sendmail email server she uses, I checked the Sendmail log file at /var/log/maillog. I saw the outgoing email sent to the Gmail address, but no incoming email from that address. So I sent email messages from a Gmail account I have as well as email messages from other external addresses to the root account on the server. The other email messages arrived, but none I sent from the Gmail account arrived. So I ran tcpdump on the server to capture data to/from port 25 on the system, which is the well-known port for Simple Mail Transfer Protocol (SMTP) traffic. I then sent another email message to the root account on the Sendmail server from my Gmail account. After allowing several minutes for an attempted delivery from the Gmail server to occur, I stopped the packet capture with Ctrl-C.

# tcpdump -i enp1s4 port 25 -w smtp_2017-04-30.pcap
tcpdump: listening on enp1s4, link-type EN10MB (Ethernet), capture size 65535 bytes
^C225 packets captured
225 packets received by filter
0 packets dropped by kernel
# ls -lh smtp_2017-04-30.pcap 
-rw-r--r--. 1 tcpdump tcpdump 33K Apr 30 12:33 smtp_2017-04-30.pcap
#

[ More Info ]

[/network/email/spam/sorbs] permanent link

Examining the message headers from an email sent from a tech support person at Atlantic Broadband, whom I contacted on June 1 regarding the problem, to my Gmail account (see Viewing message headers in Gmail), I learned that Atlantic Broadband uses Echo Labs to handle their email. I saw the following in the message headers:

Received: from cluster1.echolabs.net (mail.atlanticbb.net. [38.111.141.32])
        by mx.google.com with ESMTP id l144si10145927ybf.89.2016.06.01.19.40.53

[ More Info ]

[/network/email/spam/blocklists] permanent link

[More Info]

[/network/email/spam] permanent link

Michael Jackson died on June 25. Spammers are already trying to capitalize on his death by referencing it in their spam messages. Mcafee's TrustedSource site reports the following at Michael Jackson News Affects Web Traffic

The announcement of Michael Jackson.s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett.s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson-blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

How do people find these URLs? We.ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we.ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story-with much the same results.

My wife got email this morning with a subject of "Michael Jackson dead? NO!!!". Withing the message was the following text:

Michael Jackson dead? NO!!!

Open attached file and read!!!

There was an attachment with the message, Michael Jackson Live!.html . I saved the attachment to the hard drive and opened it with a text editor. There was only one line in it, which is shown below:

<meta http-equiv='Refresh' content='0; url=http://addfamous.com/' />

If you opened the file in a web browser, that line would cause your browser to "refresh" the webpage you opened, but using the URL addfamous.com .

The spam message my wife received was listed at Michael Jackson dead? NO!!! on Spam me! Send me your spam messages!, a site which states "In a normal situation you should definitelly not want such thing in your e-mail inbox, however, this website is meant to do exactly the opposite: get as many spam messages as possible, clean them of any harmful stuff (adult images, links to dubious websites and others) and present them to you to research or whatever you want them for."

I didn't visit the addfamous.com site, but out of curiosity, checked its reputation at various web reputation sites.

TrustedSource

I issued a query for addfamous.com at TrustedSource. Unfortunately, that site was experiencing difficulties when I checked and simply returned "Service currently not available (3), please try again later!"

McAfee SiteAdvisor^®

I issued a query for addfamous.com at the McAfee SiteAdvisor^® site. It returned "Our analysis found that this site may be promoted through spammy e-mail." It also reported "This site has been queued for testing. Please come back soon for automated results."

Norton Safe Web

I issued a query for addfamous.com at Symantec's Norton Safe Web site. It reported "This site has not been tested yet."

Barracuda Central

I also checked the reputation of the site using Barracuda Central's IP / Domain Lookups tools. Barracuda Networks sells antspam appliances. I clicked on the Domain Reputation tab and put in addfamous.com . Barracuda Central reported "This domain name addfamous.com is listed on Barracuda's Intent Block List."

Trend Micro Web Reputation Query

I issued a query on http://addfamous.com. The Trend Micro Web Reputation Query site reported "This URL is not currently listed as malicious."

BorderWare ReputationAuthority

I issued a query on addfamous.com. The site reported the domain had a "good" reputation.

[/network/email/spam] permanent link

FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl', `bl.csma.biz', `550 Spam Block: mail from $&{client_addr} refused - See http://bl.csma.biz/')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `550 Spam Block: mail from $&{client_addr} refused - See http://www.spamhaus.org/sbl/')dnl
FEATURE(`dnsbl', `psbl.surriel.com', `550 Spam Block: mail from $&{client_addr} refused - see http://psbl.surriel.com/')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`550 Spam Block: mail from $&{client_addr} refused - see http://dnsbl.sorbs.net/')dnl
FEATURE(`dnsbl',`dnsrbl.swinog.ch',`550 Spam Block: mail from $&{client_addr} refused - see http://antispam.imp.ch/spamikaze/remove.php')dnl

After adding the entry for the Swinog RBL, I generated a sendmail.cf file from sendmail.mc and restarted sendmail.

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart

I checked /var/log/maillog just moments after adding that blacklist and found it had blocked spam:

# grep 'antispam.imp.ch' /var/log/maillog
Apr  8 21:16:57 frostdragon sendmail[15676]: n391GuGi015676: ruleset=check_rcpt,
 arg1=<broderbundxxxxxx@moonpoint.com>, relay=65-75-229-245.dsl.ctcn.net [65.75.
229.245] (may be forged), reject=550 5.7.1 <broderbundxxxxxx@moonpoint.com>... S
pam Block:mail from 65.75.229.245 refused - see http://antispam.imp.ch/spamikaze
/remove.php

The Swinog DNSBL blocked email to an email address that I used on December 8, 2004 when I registered software with Brøderbund Software. I never used the email for any other purpose. Usually, when I'm providing an email address to any company, I don't use my primary email address, but instead create an alias for that address that points to my primary email address. So, if I start getting a lot of spam addressed to the alias, I can just invalidate the alias. And, since the aliases I create are not ones a spammer would use if the spammer was employing a name dictionary attack, i.e. guessing likekly names, I know that the company has provided the email address I gave them to a spammer. So I know the spammer got the address above, which I've changed for any spam spiders that may crawl across this page, from Brøderbund Software or one of the companies that subsequently owned Brøderbund Software.

The Wikipedia article on the company at Brøderbund lists the following history of corporate ownership for Brøderbund.

Brøderbund was purchased by The Learning Company in 1998 for about USD$420 million in stock. Ironically, Brøderbund had initially attempted to purchase the original The Learning Company in 1995, but was outbid by Softkey, who purchased The Learning Company for $606 million in cash and then adopted its name. In a move to rationalize costs, The Learning Company promptly terminated 500 employees at Brøderbund the same year, representing 42% of the company's workforce. Then in 1999 the combined company was bought by Mattel for $3.6 billion. Mattel reeled from the financial impact of this transaction, and Jill Barad, the CEO, ended up being forced out in a climate of investor outrage. Mattel then gave away The Learning Company in September 2000 to Gores Technology Group, a private acquisitions firm, for a share of whatever Gores could obtain by selling the company. In 2001, Gores sold The Learning Company's entertainment holdings to Ubisoft, and most of the other holdings, including the Brøderbund name, to Irish company Riverdeep. Currently, all of Brøderbund's games, such as the Myst series, are published by Ubisoft.

I suspect that it wasn't just my email address that was sold to spammers. Probably Brøderbund's entire mailing list was sold by either Brøderbund or one of the companies that acquired it, though, of course there is a possibility it could just have been an employee of one of the companies trying to make some easy cash or one who was losing a job as his or her company was acquired by another company, who could have been looking to compensate for lost wages.

The address is still being used by spammers over four years later, even though the address has probably not been valid for over a year. Unfortunately, I don't remember when I first started getting spam addressed to that email address.

After having a hernia operation recently, I noticed I've been getting spam on a fairly regular basis suggesting I might want to use the legal services mentioned in the spam if I wanted to sue for any problems related to the patch used in the surgery. I don't remember seeing any of this type of message previously, though it's possible that I might have received such messages, but they never registered in my consciousness then as I deleted spam. But I'm wondering now if someone at the office of the doctor who performed the surgery sold my email address. I believe I did put my primary email address on a form I filled out at the doctor's office. If I had used an alias, I would know for certain, if that was the case.

[/network/email/spam/blocklists] permanent link

Mark Sunner, MessageLabs MessageLabs' chief security analyst, reported that spammers are now also using Google Docs and Microsoft's SkyDrive free online storage to host the contents of their spam messages. The spammers put a link into the messages they send pointing to online documents hosted on those services, which have the advantage of providing large amounts of bandwidth.

References:

1. Report: Cyberspace Becoming More Malicious
   By William Jackson
   June 4, 2008
   Redmond Developer News

[/network/email/spam] permanent link

Smart Network Data Services (SNDS) is a revolutionary Windows Live Mail initiative designed to allow everyone who owns IP space to contribute to the fight against spam, malware, viruses, and other internet evils, and to protect e-mail and the internet as a valued communications, productivity and commerce tool. Windows Live Mail and MSN Hotmail, with over 250 million active user accounts world-wide, is in a unique position to collect and analyze e-mail activity data. By providing that data to service providers, most of whom wouldn.t otherwise have access to any such data, they are empowered to use their relationship with their customers to react and take repair actions, such as preventing spam from originating within their IP space. The overarching goal of SNDS is to make the Internet a better, safer place. Working together, Windows Live Mail and service providers can make their respective customers happier and more satisfied with the various services we all provide.

When you click on Submit you will see the message "We've determined that the following email addresses are associated with the specified network in an appropriately authoritative way. Please choose one that you can receive mail at and we will send instructions for completing the signup process to that address." You may then see 4 addresses similar to those below:

abuse@yourdomain.com 
noc@isp1.net 
noc@isp2.net 
postmaster@yourdomain.com

Two of the addresses will be of the form abuse@yourdomain.com and postmaser@yourdomain.com, assuming that a reverse DNS lookup on a provided IP address yields "yourdomain.com".

A "whois" lookup will also be done on a provided IP address using the relevant registrar, which, if you are in the U.S. will likely be the American Registry for Internet Numbers (ARIN). The "OrgTechEmail" address listed for the IP address may be used as one of the possible addresses, e.g. noc@isp1.net, if that was the "OrgTechEmail" listed for the ISP.

You can see further information on how the email addresses are derived at SNDS - FAQ.

If you have PTR record in DNS that points back to yourdomain.com, and wish to use one of those email addresses, make sure that you have valid abuse@yourdomain.com and postmaster@yourdomain.com email addresses.

What data does SNDS provide?

The data provided by SNDS is meant to provide as broad a picture of an IP's mail sending behavior as necessary for the system's consumers to be able to stop spam.  It reports on a variety of characteristics of mail traffic.  The data points provided are designed to be difficult or impossible for spammers to avoid differentiating themselves from well-behaved mailers.  Similarly however, data isn't provided on IPs that send very little mail because they (currently) account for a negligible amount of spam.  For each IP within the ranges that the user has been authorized, the following data is provided:

• IP Address
• Mail data
  • Activity period
  • Traffic data
    • SMTP verb and message recipient counts
    • Sample commands
  • Junk mail data
    • Filter result
    • Complaint reports
    • Trap hits
    • Sample messages
• Virus-infected emails
• Malware hosting
• Open proxy status

An email message is sent to the address you specified. You will need to go to a link provided in that email message to grant access to the data to a Windows Live ID account, such as a hotmail.com email address, you specified when you requested an account.

Once you have confirmed access, you can view data at SNDS - View Data There you will see a calendar where you can select dates for which to view data. You have the option to change your settings to allow access your data as a .CSV file without the need for browser-based authentication technologies such as Windows Live™ ID. This facilitates access to your data via your own automated scripts or programs.

I didn't see any data listed for an IP address I specified. I know email is sent from that address to hotmail.com users, but the volume of traffic is fairly low. The SNDS - FAQ states that "data isn't provided on IPs that send very little mail because they (currently) account for a negligible amount of spam."

[/network/email/spam] permanent link