[pvrusb2] FW: [admin] MTA change at isely.net mail server

Freeh Sophia freehsophia at gmail.com
Fri Aug 26 10:16:51 CDT 2011


Everyone:

Since about June 21st, another spammer out there has been relentlessly
attacking the pvrusb2 mailing list using a type of attack I had not
previously seen.  As far as I can tell he has not succeeded and the list has
stayed uncorrupted.  But I am seeing a constant stream of bounce
notifications every time he tries.  The really annoying thing is that
he's attacking the system by fraudulently using my domain (isely.net) in
the from field and the MTA has been accepting these as legit - and then
I get the backscatter when the post attempt fails due to the sender not
actually being subscribed.

This sort of attack is obvious because *nobody* has any business posting
messages from the "outside" to isely.net with a "from" field of
isely.net.  But up until now I've not tried to fend off this sort of
thing.  And unfortunately now that I'm looking into this, it appears
that the Courier MTA doesn't have a means to block specifically named
domains from the outside while still allowing those same domains from
the "inside".  Thus if I tell Courier to block isely.net, then I can't
send e-mail either.

This is in fact the sort of attack that SPF can stop.  The isely.net
domain has been publishing an SPF record for years but the domain's MTA
has never been set to enforce it.  Well that just changed.  I've tried
to make the settings as forgiving as possible, but if the spammer keeps
getting his crap accepted by my MTA I'm going to crank up the
aggressiveness on this filter.

If you don't know what SPF is, I encourage you to look here for more
info:

http://www.openspf.org/

The reason I mention all this here is that if you post to this list, if
your ISP is publishing SPF, and it is misconfigured, then there's a very
real chance now that the MTA at isely.net will reject the message.  I
hope that doesn't happen, but if it does I apologize in advance.  You
can thank all those spamming jackasses out there for forcing this upon
us all.

If you find that you can't send e-mail to the isely.net domain any
longer, you should still be able to reach me at my pobox.com address
(isely (at) pobox (dot) com) - while that still ultimately goes to the
same inbox, the message takes a different route, via pobox.com, and that
path I've verified as working correctly.  If I'm told about a specific
issue like this, I will try to solve it here - but my options will be
limited if the root cause is really at the other end :-(

Back to normal pvrusb2 traffic...

  -Mike


-- 

Mike Isely
isely @ isely (dot) net
PGP: 03 54 43 4D 75 E5 CC 92 71 16 01 E2 B5 F5 C1 E8


Freeh Sophia
Marketing GmbH
Emanuelstr. 3,
10317 Berlin
Deutschland
Telefon: +49 (33) 5310967
Email: freehsophia at gmail.com
Site: http://flug.airego.de/

