Showing posts with label spam. Show all posts

Spam false positives from British Airways

I note that British Airways e-receipt e-mails are probably going astray for a lot of people.

I've had to book a few flights with BA recently. Up until a couple of weeks ago their acknowledgment e-mails came through fine. And then I stopped receiving them. Taking the time to delve in to the mail logs yesterday I noticed this:

Aug 20 07:47:45 jc sm-mta[15347]: l7KElEmk015347: ruleset=check_mail,
arg1=website+LHS=RHS@bounce.baplc.com,
relay=ceba-mgw04.baplc.com [163.166.43.64],
reject=553 5.1.8 website+LHS=RHS@bounce.baplc.com...
Domain of sender address website+LHS=RHS@bounce.baplc.com does not exist

(I've redacted the left and right hand side of the actual e-mail address it was being sent to)

If that's just so much gibberish to you, it says that BA are sending e-mails with a return path of ...@bounce.baplc.com. Working through the logs shows that they've been doing this for some time.

But at some point in the last few weeks, someone at BA has removed the bounce.baplc.com entry from their DNS. So my system, and countless others around the world, will begin rejecting these messages.

This rejection is quite correct. Since bounce.baplc.com doesn't exist, my system (and any other system with the same configuration) will have nowhere to send any bounces that might occur. And sending messages from domains that do not exist is also an exceedingly common spammer tactic.
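The check behind that log line, written out as an added example (this is not the blog's code and not sendmail's own check_mail ruleset). The DNS data is a constructed in-memory table so the example runs offline; `_DNS`, `resolve` and `check_mail` are names chosen here, not sendmail identifiers. The sender domain from the post is deliberately absent from the table, which reproduces the 553 5.1.8 rejection shown above.

```python
"""Envelope-sender (MAIL FROM) domain check, as an added illustration of the
rejection in the sendmail log above.  Constructed data; not the blog's or
sendmail's code."""
from typing import Dict, Set, Tuple

# Constructed DNS view: domain -> record types that exist for it.
# bounce.baplc.com is deliberately missing, mirroring the situation in the post.
_DNS: Dict[str, Set[str]] = {
    "baplc.com": {"A", "MX"},
    "example.org": {"MX"},
}


def resolve(name: str, rtype: str) -> bool:
    """Return True if the constructed zone data has a record of this type."""
    return rtype in _DNS.get(name.lower().rstrip("."), set())


def check_mail(envelope_from: str) -> Tuple[bool, str]:
    """Accept or reject an envelope sender by whether its domain exists.

    The reasoning is the one the post gives: if the sender's domain has
    neither MX nor A records, a bounce could never be delivered back to it,
    so the message is refused with 553 5.1.8.  A null reverse path (<>) is
    always accepted, because bounces themselves are sent with it.
    Returns (accepted, SMTP reply text).
    """
    addr = envelope_from.strip().strip("<>")
    if addr == "":
        return True, "250 2.1.0 Sender ok (null reverse-path)"
    if "@" not in addr:
        return False, "553 5.1.8 %s... Sender address must contain a domain" % addr
    domain = addr.rsplit("@", 1)[1]
    if resolve(domain, "MX") or resolve(domain, "A"):
        return True, "250 2.1.0 %s... Sender ok" % addr
    return False, ("553 5.1.8 %s... Domain of sender address %s does not exist"
                   % (addr, addr))


if __name__ == "__main__":
    for sender in ("website+LHS=RHS@bounce.baplc.com", "user@baplc.com", "<>"):
        print(sender, "->", check_mail(sender)[1])
```

One caveat a real implementation has to handle and this table cannot: a lookup can fail temporarily rather than return "no such domain". Sendmail answers that case with a 451 4.1.8 temporary failure so the sending server retries later; only a definitive NXDOMAIN earns the permanent 553.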

I've used the "Report problems with our site" feature to report this to BA, but I don't have high hopes of anyone listening.

Issues with SPF and Korean ISPs

If you publish SPF records, send mail to Korean ISPs, and use SPF mechanisms other than ip4:, you may face a problem.

Sendmail 8.14.0: Logging the GreetPause firing time

Following on from yesterday's discussion of new features in Sendmail 8.14.0, today I'm writing about Sendmail's GreetPause feature, and some additional logging for it that's been added in Sendmail 8.14.0.

Sendmail 8.14.0: HeloName

Sendmail 8.14.0 was recently released, and it includes a small handful of patches that I sent in. The documentation explains what these options do, but doesn't explain why you might want to use them. So I thought I'd do that in a series of entries here.

First, the new HeloName option.

Alerting users that their PCs are compromised

A great deal of spam is sent by "botnets". These are (typically) Windows PCs that have been compromised in some manner, and are now illicitly controlled by a third party. This third party uses the network of thousands of PCs that they have compromised to:

  1. Send spam
  2. Host phishing sites
  3. Carry out denial of service attacks


There are many DNS based Black Lists (DNSBLs) operated by numerous groups that aim to list the IP addresses of systems that have been compromised in this way. This allows mail server operators to configure their systems to query these DNSBLs and reject messages that are being sent from a compromised system.

The problem with this approach is that it's not visible to the owner of the compromised system. They might notice that it's behaving a little slower, or that their network connection doesn't seem as fast as it was, but they're not going to know why, because there's no easy mechanism to alert them.

In a perfect world, Internet Service Providers would monitor these DNSBLs, notice when IP addresses of their customers appear on them, and terminate (or provide limited) service to that customer, along with appropriate assistance to help them clean their system.

In practice this rarely happens.

It occurred to me that one way to make the fact that their PC has been compromised more visible to end users would be by enlisting the help of companies that host or provide online game environments.

For example, consider Second Life, Eve, or World of Warcraft. All huge, multi-player games/environments, to which millions of people connect every day.

If the companies that host these environments were to check the IP addresses of connecting systems against these DNSBLs, they could provide a warning to the player that it's highly likely that their PC has been compromised, and that they should make sure their anti-virus is up to date, and so on.

Further, suppose you've got a PC and an XBox or Nintendo Wii at home[1]. Both of those game systems support online play. And through a networking quirk that I don't need to go in to here (NAT), it's highly likely that the PC and the games console(s) are going to appear online with the same IP address.

So if the PC appears on a DNSBL the Wii or XBox is going to appear on that DNSBL too. This provides an opportunity for Microsoft and Nintendo to check the IP address, and again, place a warning in the "dashboard" (XBox dashboard, Nintendo Wi-Fi Connection) that their systems display to the user as they go online.
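The lookup that both the mail server operators above and the game or console front-ends suggested here would perform, as an added example (not the blog's code and not any real DNSBL's). A DNSBL is queried by reversing the four octets of the client's IPv4 address and appending the list's zone; an A record in 127.0.0.0/8 means "listed", and NXDOMAIN means "not listed". The zones `dnsbl.example` and `dead.example`, the `_LISTINGS` table and the IP addresses from TEST-NET ranges are all constructed so the example runs offline; `resolve_a` is a stand-in for a real DNS A lookup.

```python
"""DNSBL lookup, as an added illustration of the checks discussed in the post.
Constructed zones and answers; not the blog's code or any real list's data."""
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed "DNSBL" answers: query name -> A record.  Anything not present
# is treated as NXDOMAIN, i.e. not listed.
_LISTINGS: Dict[str, str] = {
    "7.2.0.192.dnsbl.example": "127.0.0.2",    # constructed: listed
    "9.2.0.192.dnsbl.example": "127.0.0.4",    # constructed: listed
    "7.2.0.192.dead.example": "203.0.113.9",   # constructed: a shut-down list
                                               # answering with a public address
}


def query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets + zone, e.g.
    192.0.2.7 in dnsbl.example -> 7.2.0.192.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)        # raises ValueError on bad input
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def resolve_a(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup against the constructed data above.
    Returns None where real DNS would return NXDOMAIN."""
    return _LISTINGS.get(name)


def is_listed(ip: str, zone: str,
              lookup: Callable[[str], Optional[str]] = resolve_a) -> bool:
    """True if ip is listed in zone.

    Only an answer inside 127.0.0.0/8 counts.  A DNSBL that has been shut
    down is sometimes pointed at a public address so that every query
    "succeeds"; treating any answer as a listing would then reject every
    client, so such answers are ignored.
    """
    answer = lookup(query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_client(ip: str, zones: List[str],
                 lookup: Callable[[str], Optional[str]] = resolve_a) -> List[str]:
    """Return the zones that list ip.  An empty list means "not listed";
    a non-empty one is what a mail server would reject on, or what a game
    front-end could turn into a warning to the player."""
    return [zone for zone in zones if is_listed(ip, zone, lookup)]


if __name__ == "__main__":
    for client in ("192.0.2.7", "192.0.2.8"):
        print(client, "listed in:", check_client(client, ["dnsbl.example", "dead.example"]))
```

Because `check_client` takes the lookup function as a parameter, the same logic can be pointed at a real resolver in production; the decision of what to do with a non-empty result (reject the SMTP session, show a dashboard warning) stays with the caller, which is exactly where the post argues it should be.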

This could significantly raise the awareness of owners/operators of compromised PCs.

[1] Guess what I got for Christmas :-)

Identity theft

I've just discovered that I've been an unwitting participant in an identity theft.

But not, perhaps, in the way that you might imagine.

Trigger happy hosting / spam @ The Guardian

Two spam related pieces of information today.

The first concerns what happens if you're hosted at an ISP with an anti-spam policy, an itchy-trigger finger, and a support desk that is devoid of clue.

It appears as though the fine folk over at The Weekly had their infrastructure on a shared server at their ISP, HostingPlex. That same server was then used by a spammer to send spam, which was caught by SpamCop. Rather than track down the actual culprits, HostingPlex have locked The Weekly's account, and are demanding US$150 to reinstate access to the server, while ignoring repeated e-mails from The Weekly that contain what appears to be pretty straightforward evidence of their innocence.

I paraphrase somewhat; you can read The Weekly's side of the story for yourself.

In other news, "Thoughts on stopping spam" appeared, somewhat edited, as an article in The Guardian yesterday.

CAPTCHA farming

Charles Arthur's wondering why spam came through his CAPTCHA system, and concludes that people are probably being paid to sit there and fill out CAPTCHAs.

There are a couple of other possibilities. The first is that the CAPTCHA system he's using might be compromised. Some OCR systems can be surprisingly effective on them.

The second is his CAPTCHAs are being reproduced on another site for humans to solve. The canonical example would be where a visitor to a porn site is shown a CAPTCHA and asked to solve it before they can, er, continue. Unbeknownst to them, however, the CAPTCHA is actually coming from Charles' system, and the solution is then used to send him spam. This is "CAPTCHA farming".

Searching for "CAPTCHA porn" turns up a number of stories about this over the past few years.

Thoughts on stopping spam

I was pinged on IRC earlier today by someone who was having an e-mail discussion with Charles Arthur of the Guardian, in response to this article on Six steps to stopping spam. Since I spend a lot of my day job doing anti-spam engineering for a large organisation, Robbie thought that I might have some useful comment.

I've fired an e-mail off, which I reproduce below, in the hope that it might be useful to a wider audience.