[PLUG-TALK] Why ISPs Reject Spam Reports?

Keith Lofstrom keithl at kl-ic.com
Tue Mar 8 23:25:00 UTC 2016


On Tue, Mar 08, 2016 at 11:16:11AM -0800, Rich Shepard wrote:
> Because I'm curious why ISPs with abuse@ addresses
> reject spam reports because they contain spam (really?)
> or malware I tried a web search.
> Could not find a single hit addressing that subject.
> 
> Has anyone here insight into this behavior? 
> If so, please share it with us.

Welcome to a recent nightmare of mine.  My server
hosts a few open source projects with mailing lists
using the Mailman mailing list software.  Recently,
my IP address got flagged as a spam source by the
Realtime Blackhole List at abuse.net.  The culprit
was the default configuration of Mailman.

If a mail for the list comes from a non-subscribed
email address, Mailman can send an email back to 
that email address saying "your email address is
not subscribed".  However, if the email comes from
a different IP address than the email address in
the header, Mailman will send this helpful message
to the header address, because it does not know
what the actual source IP address is.

This behaves like an "open relay" - a spammer can send
mail to a default-configured Mailman site, where it
will bounce to the address they put in the header.

So, abuse.net blacklisted my IP address in August
2015.  They did not let me know.  I discovered the
problem two weeks ago, while debugging outbound mail
blockage to an abuse.net protected address.  It took
almost a week to get useful debug information from them.
When they eventually told me the actual time of the
"crime", I was able to dig through my August 11, 2015 
mail logs and find the transaction that caused it,
then work my way back to the Mailman vulnerability.

--- A problem with Mailman:

The recommended default for the General notification
options question: "Send mail to poster when their
posting is held for approval?" is yes.  This option
should be "no" to prevent relaying.

It is theoretically possible for the postfix mail
server (which feeds Mailman) to match the email domain
address to the IP address.  However, small organizations
like mine may have many domain names attached to one
IP address, while large organizations may have many
IP addresses connected to one domain name.  I don't
know how postfix could figure that out, accurately,
without using a lot of network bandwidth and adding
a lot of delay.

But then, my setup is 10 years old, and there are
probably better ways to set up Postfix and Mailman.

Keith

-- 
Keith Lofstrom          keithl at keithl.com
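The two halves of the problem Keith describes, as an added example that is not part of his post and not Mailman or Postfix code: first a small model of the "send mail to poster when their posting is held" decision, showing that the notice goes to whatever address the mail claims as its sender, with no reference to the delivering IP; second a detector that correlates Postfix-style log lines the way he had to do by hand on the August 11 logs, pairing an inbound message's claimed sender with a later message from the list's bounce address to that same sender. The option name `respond_to_post_requests` is assumed to be the Mailman 2 variable behind that General option; the log lines, queue IDs and addresses are constructed for the example.

```python
"""Added example (not part of the post, Mailman or Postfix): a model of the
held-post notification that produces backscatter, and a detector over
constructed Postfix-style log lines. respond_to_post_requests is assumed
to be the Mailman 2 variable behind "Send mail to poster when their
posting is held for approval?"; all addresses and queue IDs are made up."""
import re
from dataclasses import dataclass


@dataclass
class ListConfig:
    name: str
    subscribers: set
    # Assumed Mailman 2 name for the General option; the recommended
    # default is "yes", which is what turns the list into a relay.
    respond_to_post_requests: bool = True


@dataclass
class Message:
    envelope_from: str  # address claimed in the mail, never verified
    client_ip: str      # SMTP client that actually delivered it
    to: str


def handle_post(cfg, msg):
    """Return the notifications Mailman would send for one incoming post.

    The claimed sender is trusted as-is: client_ip is never consulted, so
    a forged address receives the "not subscribed / held" notice.
    """
    if msg.envelope_from.lower() in cfg.subscribers:
        return []  # subscriber post is distributed; no held-notice
    if cfg.respond_to_post_requests:
        return [("held-notice", msg.envelope_from)]
    return []  # held silently; nothing goes back to the claimed sender


# Constructed Postfix log excerpt: a forged post from 203.0.113.5 claiming
# to be victim@example.org, followed by the list's notice to the victim,
# then a legitimate post from a subscriber that is redistributed to them.
SAMPLE_LOG = """\
Aug 11 03:14:07 mail postfix/smtpd[2011]: 7A1B2C3D4E: client=unknown[203.0.113.5]
Aug 11 03:14:07 mail postfix/qmgr[1500]: 7A1B2C3D4E: from=<victim@example.org>, size=2048, nrcpt=1 (queue active)
Aug 11 03:14:07 mail postfix/local[2012]: 7A1B2C3D4E: to=<project-list@lists.example.com>, relay=local, status=sent (delivered to command: mailman post project-list)
Aug 11 03:14:09 mail postfix/pickup[1499]: 8B2C3D4E5F: uid=38 from=<project-list-bounces@lists.example.com>
Aug 11 03:14:09 mail postfix/qmgr[1500]: 8B2C3D4E5F: from=<project-list-bounces@lists.example.com>, size=1200, nrcpt=1 (queue active)
Aug 11 03:14:10 mail postfix/smtp[2013]: 8B2C3D4E5F: to=<victim@example.org>, relay=mx.example.org[198.51.100.7]:25, status=sent (250 OK)
Aug 11 03:20:01 mail postfix/qmgr[1500]: 9C3D4E5F6A: from=<member@example.com>, size=900, nrcpt=1 (queue active)
Aug 11 03:20:01 mail postfix/local[2014]: 9C3D4E5F6A: to=<project-list@lists.example.com>, relay=local, status=sent (delivered to command: mailman post project-list)
Aug 11 03:20:03 mail postfix/qmgr[1500]: AD4E5F6A7B: from=<project-list-bounces@lists.example.com>, size=950, nrcpt=1 (queue active)
Aug 11 03:20:03 mail postfix/smtp[2015]: AD4E5F6A7B: to=<member@example.com>, relay=mx.example.com[198.51.100.9]:25, status=sent (250 OK)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>")


def find_backscatter(lines, list_bounce_address, subscribers):
    """Return sorted (inbound_qid, outbound_qid, recipient) triples.

    A hit is a message sent by the list's bounce address to an address
    that earlier appeared as the claimed sender of an inbound message and
    is not a subscriber. Excluding subscribers avoids flagging a normal
    post that the list redistributes back to its own author.
    """
    inbound_from = {}      # inbound qid -> claimed sender
    outbound_list = set()  # qids whose sender is the list itself
    outbound_to = []       # (qid, recipient) for every delivery line
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        f = FROM_RE.search(rest)
        if f:
            sender = f.group(1).lower()
            if sender == list_bounce_address.lower():
                outbound_list.add(qid)
            else:
                inbound_from[qid] = sender
        t = TO_RE.search(rest)
        if t:
            outbound_to.append((qid, t.group(1).lower()))
    claimed = {s: q for q, s in inbound_from.items()}
    subs = {s.lower() for s in subscribers}
    hits = [(claimed[r], q, r) for q, r in outbound_to
            if q in outbound_list and r in claimed and r not in subs]
    return sorted(hits)


if __name__ == "__main__":
    cfg = ListConfig("project-list", {"member@example.com"})
    forged = Message("victim@example.org", "203.0.113.5",
                     "project-list@lists.example.com")
    print("default config:", handle_post(cfg, forged))
    cfg.respond_to_post_requests = False
    print("option set to no:", handle_post(cfg, forged))
    for hit in find_backscatter(SAMPLE_LOG.splitlines(),
                                "project-list-bounces@lists.example.com",
                                cfg.subscribers):
        print("backscatter:", hit)
```

The detector only correlates what the logs already record; it cannot tell a forged sender from a real non-subscriber, which is exactly why the log alone could not reveal the problem until abuse.net supplied the timestamp. Run against a real `mail.log`, a burst of hits to many distinct non-subscriber addresses is the pattern to look for.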


