[pvrusb2] [admin] MTA change at isely.net mail server

Mike Isely isely at isely.net
Fri Jul 8 12:24:34 CDT 2011


Everyone:

Since about June 21st, another spammer out there has been relentlessly 
attacking the pvrusb2 mailing list using a type of attack I had not 
previously seen.  As far as I can tell he has not succeeded and the list has 
stayed uncorrupted.  But I am seeing a constant stream of bounce 
notifications every time he tries.  The really annoying thing is that 
he's attacking the system by fraudulently using my domain (isely.net) in 
the from field and the MTA has been accepting these as legit - and then 
I get the backscatter when the post attempt fails due to the sender not 
actually being subscribed.

This sort of attack is obvious because *nobody* has any business posting 
messages from the "outside" to isely.net with a "from" field of 
isely.net.  But up until now I've not tried to fend off this sort of 
thing.  And unfortunately now that I'm looking into this, it appears 
that the Courier MTA doesn't have a means to block specifically named 
domains from the outside while still allowing those same domains from 
the "inside".  Thus if I tell Courier to block isely.net, then I can't 
send e-mail either.

This is in fact the sort of attack that SPF can stop.  The isely.net 
domain has been publishing an SPF record for years but the domain's MTA 
has never been set to enforce it.  Well that just changed.  I've tried 
to make the settings as forgiving as possible, but if the spammer keeps 
getting his crap accepted by my MTA I'm going to crank up the 
aggressiveness on this filter.

If you don't know what SPF is, I encourage you to look here for more 
info:

http://www.openspf.org/

The reason I mention all this here is that if you post to this list, if 
your ISP is publishing SPF, and it is misconfigured, then there's a very 
real chance now that the MTA at isely.net will reject the message.  I 
hope that doesn't happen, but if it does I apologize in advance.  You 
can thank all those spamming jackasses out there for forcing this upon 
us all.

If you find that you can't send e-mail to the isely.net domain any 
longer, you should still be able to reach me at my pobox.com address 
(isely (at) pobox (dot) com) - while that still ultimately goes to the 
same inbox, the message takes a different route, via pobox.com, and that 
path I've verified as working correctly.  If I'm told about a specific 
issue like this, I will try to solve it here - but my options will be 
limited if the root cause is really at the other end :-(

Back to normal pvrusb2 traffic...

  -Mike


-- 

Mike Isely
isely @ isely (dot) net
PGP: 03 54 43 4D 75 E5 CC 92 71 16 01 E2 B5 F5 C1 E8

