Hi,
Sorry for this. I am the GFI MailEssentials/MailSecurity/MailArchiver
product manager and I am a list subscriber because I like the SURBL
concept. The reason for these emails seems to be that yesterday our
network administrator installed a new email relay server (named
passthrough) and I believe that he has misconfigured it. I sent him
all this info so that he will look into it.
I will make sure that this is fixed immediately.
regards,
David Vella - GFI Software Ltd. - www.gfi.com
Messaging, Content Security & Network security software
GFI: FAXmaker - LANguard - MailSecurity - DownloadSecurity
-----Original Message-----
From: discuss-bounces(a)lists.surbl.org
[mailto:discuss-bounces@lists.surbl.org] On Behalf Of List Mail User
Sent: Friday, April 08, 2005 8:41 AM
To: discuss(a)lists.surbl.org; jeffc(a)surbl.org
Cc: track(a)plectere.com
Subject: Re: [SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago.
Called and left a polite message on voice mail - not open until
tomorrow. Also, the US op. is a sales and tech support location only.
It seems almost certain that they didn't forge your email - but they are
operating an open relay and using an illegal hostname for the HELO
argument; good reasons to believe the product is likely fundamentally
flawed.
Hell, the relay uses the name "passthrough" - certainly looks to
be done on purpose.
Maybe someone should LART zdnet using the gfi.com relay and
point out the equivalence to them that way :)
Paul Shupak
track(a)plectere.com
_______________________________________________
Discuss mailing list
Discuss(a)lists.surbl.org
http://lists.surbl.org/mailman/listinfo/discuss
This mail was checked for viruses by GFI MailSecurity.
GFI also develops anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker), and network security and management software (GFI LANguard) - www.gfi.com
Called and left a polite message on voice mail - not open until
tomorrow. Also, the US op. is a sales and tech support location only.
It seems almost certain that they didn't forge your email - but they are
operating an open relay and using an illegal hostname for the HELO argument;
good reasons to believe the product is likely fundamentally flawed.
Hell, the relay uses the name "passthrough" - certainly looks to
be done on purpose.
Maybe someone should LART zdnet using the gfi.com relay and point out
the equivalence to them that way :)
Paul Shupak
track(a)plectere.com
What's even funnier is that GFI just announced yesterday they are
building SURBL checking into their anti-spam software (which, by the
way, is very widely used on Exchange servers in the USA).
http://www.gfi.com/news/en/mes11launch.htm
Matthew Wilson, MCSE (2003), MCSA-Messaging
Network Administrator
matthew(a)boomer.com
Boomer Consulting, Inc.
610 Humboldt
Manhattan, KS 66502
http://www.boomer.com
1-888-266-6375 x 17
> -----Original Message-----
> From: discuss-bounces(a)lists.surbl.org
> [mailto:discuss-bounces@lists.surbl.org] On Behalf Of List Mail User
> Sent: Friday, April 08, 2005 12:46 AM
> To: discuss(a)lists.surbl.org; spamassassin(a)dostech.ca
> Cc: track(a)plectere.com; postmaster(a)gfi.com; abuse(a)gfi.com
> Subject: Re: [SURBL-Discuss] Forge SURBL mail from gfi.com,
> just minutes ago.
>
> >...
> >
> >List Mail User wrote:
> > > P.S. I refused it, so I don't know what it was. I do know the
> >> domain registration is false; There is no city named "San Gwann"
> >> in the country of Malta.
> >
> >http://www.holidays-malta.com/locality_info/san_gwann.htm
> >
> >
> Apparently not a "city" but a recognized "village"; I
> guess it's like living in unincorporated parts of LA. Note
> the company claims to be "GFI Software Ltd" and sell
> anti-spam, anti-virus and email products.
> Did anyone actually receive the email? Was it just directed at me?
> Another batch of attempts just occurred:
>
> Apr 7 22:22:26 mailhub postfix/qmgr[14119]: D6A9C6A44: removed
> Apr 7 22:22:31 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:32 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces(a)lists.surbl.org> to=<track(a)plectere.com> proto=ESMTP helo=<passthrough>
> Apr 7 22:22:33 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:33 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:33 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:34 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces(a)lists.surbl.org> to=<track(a)plectere.com> proto=ESMTP helo=<passthrough>
> Apr 7 22:22:34 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:34 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:34 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:35 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces(a)lists.surbl.org> to=<track(a)plectere.com> proto=ESMTP helo=<passthrough>
> Apr 7 22:22:36 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:36 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:36 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:37 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces(a)lists.surbl.org> to=<track(a)plectere.com> proto=ESMTP helo=<passthrough>
> Apr 7 22:22:37 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]
> Apr 7 22:22:37 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]
>
>
> If they are legitimate, I certainly wouldn't want to
> buy any anti-virus or anti-spam software from these people!
>
> They are running an open relay:
>
> % telnet mailgate.gfi.com 25
> Trying 80.85.99.13...
> Connected to mailgate.gfi.com.
> Escape character is '^]'.
> 220 mailgate.gfi.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Fri, 8 Apr 2005 07:43:44 +0200
> helo plectere.com
> 250 mailgate.gfi.com Hello [64.32.188.109]
> mail from: <>
> 250 2.1.0 <>....Sender OK
> rcpt to: <test(a)plectere.com>
> 250 2.1.5 test(a)plectere.com
> quit
> 221 2.0.0 mailgate.gfi.com Service closing transmission channel
> Connection closed by foreign host.
>
> Paul Shupak
> track(a)plectere.com
>
>
>
>...
>
>See www.oct17.com and www.october17.com for his contact information.
>
>> -----Original Message-----
>>[snipped]
Registration data for both domains lists stephen(a)Oct17.com as
the "Administrative Contact" email.
Paul Shupak
track(a)plectere.com
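The postfix log quoted above is the pattern a mail admin sees when a HELO check such as Postfix's `reject_unknown_helo_hostname` fires against a relay announcing a bare, unresolvable hostname: a 450 temporary rejection, the client dropping the session after RSET, then reconnecting a second later and repeating the same transaction. As an added example (not code from the thread, from GFI or from Postfix), here is a small Python parser that pulls the NOQUEUE reject lines out of such a log, groups them per client IP and flags sources that repeatedly present a HELO that is not a fully qualified hostname. The sample log is constructed from the quoted lines, re-joined onto one line each with the archive's "(a)" written back as "@", plus one extra constructed line for a second client so the grouping has something to distinguish.

```python
import re

# Constructed sample, rebuilt from the postfix log quoted in the thread
# (one entry per line, "(a)" restored to "@"); the last line is an added,
# constructed entry for a different client with a proper FQDN HELO.
SAMPLE_LOG = "\n".join([
    "Apr  7 22:22:31 mailhub postfix/smtpd[24110]: connect from mailgate.gfi.com[80.85.99.13]",
    "Apr  7 22:22:32 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces@lists.surbl.org> to=<track@plectere.com> proto=ESMTP helo=<passthrough>",
    "Apr  7 22:22:33 mailhub postfix/smtpd[24110]: lost connection after RSET from mailgate.gfi.com[80.85.99.13]",
    "Apr  7 22:22:33 mailhub postfix/smtpd[24110]: disconnect from mailgate.gfi.com[80.85.99.13]",
    "Apr  7 22:22:34 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces@lists.surbl.org> to=<track@plectere.com> proto=ESMTP helo=<passthrough>",
    "Apr  7 22:22:35 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces@lists.surbl.org> to=<track@plectere.com> proto=ESMTP helo=<passthrough>",
    "Apr  7 22:22:37 mailhub postfix/smtpd[24110]: NOQUEUE: reject: RCPT from mailgate.gfi.com[80.85.99.13]: 450 <passthrough>: Helo command rejected: Host not found; from=<discuss-bounces@lists.surbl.org> to=<track@plectere.com> proto=ESMTP helo=<passthrough>",
    "Apr  7 22:30:01 mailhub postfix/smtpd[24111]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <unknown[192.0.2.10]>: Client host rejected: Access denied; from=<x@example.net> to=<track@plectere.com> proto=SMTP helo=<mail.example.net>",
])

# One postfix smtpd "NOQUEUE: reject: RCPT" line; the reason text sits between
# the SMTP code and the "; from=<...>" envelope summary.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+postfix/smtpd\[(?P<pid>\d+)\]: "
    r"NOQUEUE: reject: RCPT from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)

# A DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def helo_is_acceptable(helo):
    """True if the HELO argument is syntactically an FQDN (two or more labels)
    or an address literal like [192.0.2.1]. A bare label such as "passthrough"
    fails; whether the name actually resolves is a separate (DNS) check."""
    if helo.startswith("[") and helo.endswith("]"):
        return True
    labels = helo.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def summarize_rejects(log_text):
    """Group reject events per client IP: count, HELO names, envelope senders,
    SMTP codes and the first/last timestamp seen."""
    per_ip = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # connect/disconnect/qmgr lines are not reject events
        e = per_ip.setdefault(m["ip"], {
            "client": m["client"], "rejects": 0, "helos": set(),
            "senders": set(), "codes": set(), "first": m["ts"], "last": m["ts"],
        })
        e["rejects"] += 1
        e["helos"].add(m["helo"])
        e["senders"].add(m["from"])
        e["codes"].add(m["code"])
        e["last"] = m["ts"]
    return per_ip


def flag_bad_helo_sources(per_ip, min_rejects=3):
    """IPs that were rejected at least min_rejects times while presenting a
    non-FQDN HELO: the thread's relay retrying the same refused transaction
    every second is exactly this shape."""
    return sorted(
        ip for ip, e in per_ip.items()
        if e["rejects"] >= min_rejects and any(not helo_is_acceptable(h) for h in e["helos"])
    )


if __name__ == "__main__":
    summary = summarize_rejects(SAMPLE_LOG)
    for ip, e in summary.items():
        print(ip, e["client"], e["rejects"], sorted(e["helos"]), sorted(e["codes"]))
    print("repeat offenders with bad HELO:", flag_bad_helo_sources(summary))
```

The 450 in the quoted log is a temporary failure, which is why the sending relay keeps reconnecting rather than bouncing; a summary keyed on client IP makes that retry loop visible as one source with many identical rejects instead of a wall of interleaved connect/disconnect lines.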
P.S. Despite feeling strongly about this, I'm not sure his personal accounts
and domains are the proper forum - if shs(a)cnet.com works, it would seem to
be "more" appropriate (i.e. this is a work issue, not a personal or family
issue). Another reference "Stephen Howard-Sarin Vice President, CNET Networks
/ shs(a)cnet.com / 415.344.2000". (Note: telephone number works today!)
A *really* good anti-spam/email company - an open relay and they
bounce mail to both abuse@ and postmaster@. They are also listed in L2
of SPEWS.
--------------------------------------------------------------------------------
From MAILER-DAEMON Thu Apr 7 22:46:12 2005
From: postmaster(a)gfimalta.com
To: track(a)Plectere.com
Date: Fri, 8 Apr 2005 07:44:13 +0200
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C53B8BE76FEABE00007F02MAILFAXSRV.gfima"
X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
Subject: Delivery Status Notification (Failure)
X-OriginalArrivalTime: 08 Apr 2005 05:48:27.0402 (UTC) FILETIME=[95FC9EA0:01C53BFE]
This is a MIME-formatted message.
Portions of this message may be unreadable without a MIME-capable mail program.
--9B095B5ADSN=_01C53B8BE76FEABE00007F02MAILFAXSRV.gfima
Content-Type: text/plain; charset=unicode-1-1-utf-7
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
postmaster(a)gfi.com
abuse(a)gfi.com
--9B095B5ADSN=_01C53B8BE76FEABE00007F02MAILFAXSRV.gfima
Content-Type: message/delivery-status
Reporting-MTA: dns;MAILFAXSRV.gfimalta.com
Received-From-MTA: dns;mailgate_old.gfi.com
Arrival-Date: Fri, 8 Apr 2005 07:44:13 +0200
Final-Recipient: rfc822;postmaster(a)gfi.com
Action: failed
Status: 5.1.1
Final-Recipient: rfc822;abuse(a)gfi.com
Action: failed
Status: 5.1.1
--9B095B5ADSN=_01C53B8BE76FEABE00007F02MAILFAXSRV.gfima
Content-Type: message/rfc822
--------------------------------------------------------------------------------
[snipped]
Paul Shupak
track(a)plectere.com
Their SPF/TXT record lists a bunch of addresses including several from
Rackspace (the same people who run the domain spamhaus.net), a few really
from Malta, and a few from Germany. The emails came from Vodafone in Malta.
Paul Shupak
track(a)plectere.com
Did anyone else just see forged mail with a "From:" line
of "discuss-bounces(a)lists.surbl.org" coming from the IP 80.85.99.13,
machine host name mailgate.gfi.com and using a HELO of "passthrough"?
Paul Shupak
track(a)plectere.com
P.S. I refused it, so I don't know what it was. I do know the
domain registration is false; There is no city named "San Gwann"
in the country of Malta.
I posted to the CNET financial message boards on Yahoo and got this response:
http://finance.yahoo.com/q/mb?s=CNET
====
Re: CNet supporting spammers NOT*
*Folks,
We're aware of the abuse, and are shutting down the URLs as we learn of them. We are NOT supporting spammers or phishers.
Stephen Howard-Sarin
VP, ZDNet.com
===
>...
>
>On Thursday, April 7, 2005, 1:11:26 PM, J. Fowler wrote:
>> I posted to the CNET financial message boards on Yahoo and got this response:
>
>> http://finance.yahoo.com/q/mb?s=CNET
>
>> ====
>> Re: CNet supporting spammers NOT*
>> *Folks,
>
>> We're aware of the abuse, and are shutting down the URLs as we learn of them. We are NOT supporting spammers or phishers.
>
>> Stephen Howard-Sarin
>> VP, ZDNet.com
>> ===
>
>Can you LART him with:
>
> http://www3.surbl.org/redirect.html
>
>Jeff C.
>--
>"If it appears in hams, then don't list it."
>
>
Old email: Stephen Howard-Sarin <shs(a)cnet.com>
Paul Shupak
track(a)plectere.com
>...
>
>I posted to the CNET financial message boards on Yahoo and got this response:
>
>http://finance.yahoo.com/q/mb?s=CNET
>
>====
>Re: CNet supporting spammers NOT*
>*Folks,
>
>We're aware of the abuse, and are shutting down the URLs as we learn of them. We are NOT supporting spammers or phishers.
>
>Stephen Howard-Sarin
>VP, ZDNet.com
>===
>
>
That sounds a lot like "after the first million or so emails are sent
we block the redirector for that URL". It seems to be exactly the same as
running an open relay and cutting off access *after* someone complains. Now,
of course the same spammer can use the site again tomorrow, with a new domain
and a $10 investment.
The only safe way to operate a redirector is exactly like running a
mail server - Only those clients/domains listed *in advance* can be allowed:
Anything else is "supporting spammers"! How many of you would run an open
SMTP relay and only blacklist a machine or domain *after* you learn about it
sending "abusive" emails? (That's probably why he's a VP, not an engineer.)
Paul Shupak
track(a)plectere.com
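The rule in the post above, that only clients and domains listed in advance may be served, is the difference between a relay and an open relay, and the same allowlist logic transfers to a web redirector. As an added example (not code from the thread, from Postfix or from any product named here), the Python below sketches that decision loosely on the shape of a Postfix recipient check, combining trusted client networks, the domains the server accepts mail for and explicitly listed relay domains, and runs it against the telnet transaction quoted earlier in the thread (client 64.32.188.109 sending to test@plectere.com). The network ranges and domain lists are constructed placeholders, and `redirect_allowed` is a hypothetical helper showing the same rule applied to redirect targets.

```python
import ipaddress
from urllib.parse import urlsplit


class RelayPolicy:
    """Allow-by-list relaying: every RCPT is refused unless the client or the
    recipient domain was registered ahead of time. Nothing is admitted first
    and blocked later."""

    def __init__(self, my_networks, my_destinations, relay_domains=()):
        self.my_networks = [ipaddress.ip_network(n) for n in my_networks]
        self.my_destinations = {d.lower() for d in my_destinations}
        self.relay_domains = {d.lower() for d in relay_domains}

    def _is_trusted_client(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.my_networks)

    @staticmethod
    def _domain_of(addr):
        _local, sep, domain = addr.rpartition("@")
        return domain.lower() if sep else ""

    def decide_rcpt(self, client_ip, rcpt):
        """Return (verdict, reason) for one RCPT TO from one client address.
        Order matters: trusted clients may send anywhere, everyone else only
        to domains this server is responsible for."""
        domain = self._domain_of(rcpt)
        if not domain:
            return ("reject", "501 5.1.3 bad recipient address syntax")
        if self._is_trusted_client(client_ip):
            return ("accept", "client in trusted networks")
        if domain in self.my_destinations:
            return ("accept", "local destination domain")
        if domain in self.relay_domains:
            return ("accept", "listed relay domain")
        return ("reject", "554 5.7.1 Relay access denied")


def redirect_allowed(url, allowed_hosts):
    """Same rule for a redirector: follow only targets whose host (or parent
    domain) was registered in advance; anything else is refused outright."""
    host = (urlsplit(url).hostname or "").lower()
    allowed = {h.lower() for h in allowed_hosts}
    return bool(host) and any(host == h or host.endswith("." + h) for h in allowed)


if __name__ == "__main__":
    # Constructed policy: a server responsible for gfi.com, trusting one LAN range.
    policy = RelayPolicy(my_networks=["192.0.2.0/24"], my_destinations=["gfi.com"])
    # The transaction from the thread: outside client, recipient in a foreign domain.
    print(policy.decide_rcpt("64.32.188.109", "test@plectere.com"))
    print(policy.decide_rcpt("64.32.188.109", "postmaster@gfi.com"))
    print(redirect_allowed("http://www.example.com/x", ["example.com"]))
```

An open relay is the server that answers "accept" to the first call regardless of policy; with the allowlist the outside client gets "Relay access denied", while mail to the server's own domain and mail from the trusted network still flow. The redirector check deliberately matches whole labels, so a target like example.com.evil.net is not mistaken for a subdomain of example.com.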