[73372] in North American Network Operators' Group
Re: Has postini been taken over?
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Fri Aug 20 02:13:02 2004
Date: Fri, 20 Aug 2004 11:43:01 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: Hank Nussbacher <hank@mail.iucc.ac.il>
Cc: Ray Wong <rayw@rayw.net>, nanog@merit.edu
In-Reply-To: <5.1.0.14.2.20040820082538.05cfa820@mail.iucc.ac.il>
Errors-To: owner-nanog-outgoing@merit.edu
Hank Nussbacher wrote:
>
>> Postini does not originate or forward spam, they filter mail destined for
>> their customer domains. Some spam gets through their filters, because
>> spammers are smart and adaptively evil. It's really quite simple.
>>
Hank's issue is that he's got ports 25 and 80 blocked for some part of
his network. Those IPs are generating spam reports though they
shouldn't be. In the example he forwarded, the spam reached a user of
gci.net, for which postini provides MX services - who then reported the
email to Hank as spam from Hank's network.
What I can see happening is that Hank's port 25 filtering ACLs are being
bypassed somehow: maybe zombied machines on his network running IP
masquerading and spam-sending proxies on unfiltered ports, or tunneling
SMTP requests out in some other way.
Or maybe he doesn't source-filter addresses, and a spammer-controlled
machine on his network has two interfaces - one on Hank's network [say a
throwaway dialup / broadband account], and another on a much fatter pipe.
Packets (or rather, in this case, junk mail) go out through the fat
pipe with Hank's IPs spoofed into the source address.
I would recommend that Hank set up port blocks both inbound and
outbound, and also examine MRTG or other data that he may have about
that host. If possible, sniffing the traffic inbound and outbound to it
would also reveal a whole lot.
srs
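A worked illustration of the two filters recommended in the message above (source-address filtering at the border, and tcp/25 blocks in both directions), written as an added example that is not part of the original message or any NANOG poster's code. It runs the checks over constructed flow records; the prefixes 192.0.2.0/24 and 198.51.100.0/24 and the sample flows are assumptions, not Hank's network. The "egress-spoof" check is the one that, applied at the fat-pipe provider's border, would stop the two-interface scenario; the "ingress-spoof" and "acl-bypass" checks are the ones Hank can run against his own MRTG/flow data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Hypothetical address space for the network being audited (documentation prefixes).
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# TCP ports the border ACL is supposed to drop in both directions (tcp/25 in the thread).
BLOCKED_TCP_PORTS = {25}


@dataclass(frozen=True)
class Flow:
    direction: str   # "out" = leaving our border, "in" = arriving at our border
    src: str
    dst: str
    proto: str
    dport: int


def is_ours(addr: str, prefixes=OUR_PREFIXES) -> bool:
    """True if addr falls inside one of the prefixes we announce."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def check_flow(flow: Flow, prefixes=OUR_PREFIXES, blocked=BLOCKED_TCP_PORTS) -> list:
    """Return the list of findings for one flow (empty list means it looks clean)."""
    findings = []
    src_ours = is_ours(flow.src, prefixes)
    if flow.direction == "out" and not src_ours:
        # Egress source filter: nothing may leave with a source address we do not own.
        findings.append("egress-spoof")
    if flow.direction == "in" and src_ours:
        # Ingress source filter: our own space must never arrive from the outside.
        findings.append("ingress-spoof")
    if flow.proto == "tcp" and flow.dport in blocked:
        # Traffic on a port the ACL should have dropped means the filter is being bypassed.
        findings.append(f"acl-bypass-tcp/{flow.dport}")
    return findings


def audit(flows: Iterable[Flow]) -> dict:
    """Map each flow that raised at least one finding to its findings."""
    report = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            report[flow] = findings
    return report


# Constructed sample records (not real traffic from anyone's network).
SAMPLE_FLOWS = [
    Flow("out", "192.0.2.20", "203.0.113.9", "tcp", 443),   # normal outbound HTTPS
    Flow("in", "203.0.113.9", "192.0.2.20", "tcp", 443),    # normal return traffic
    Flow("out", "192.0.2.10", "203.0.113.5", "tcp", 25),    # SMTP leaving despite the port 25 ACL
    Flow("out", "10.9.9.9", "203.0.113.5", "tcp", 80),      # source we do not own leaving our border
    Flow("in", "192.0.2.77", "192.0.2.5", "tcp", 25),       # our own address arriving from outside
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(f"{flow.direction:>3} {flow.src:>15} -> {flow.dst:<15} "
              f"{flow.proto}/{flow.dport}: {', '.join(findings)}")
```

The same three checks translate directly into border ACL lines (deny outbound from sources outside your prefixes, deny inbound from sources inside them, deny tcp/25 both ways); running them over exported flow records first shows which hosts would trip the rules before the ACLs are installed.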