IP Spoofing question..

dugan at passwall.com dugan at passwall.com
Tue Oct 1 00:08:12 PDT 2002


On Mon, Sep 30, 2002 at 06:23:42PM -0700, Ron Wickersham wrote:
> On Mon, 30 Sep 2002, Christopher Wagner wrote:
> 
> ---snip---
> 
> > Problem:
> > I've received a complaint from spamcop.net saying I've been operating an
> > open relay, however the abuse.net clearing house spam relay test shows I'm
> > not an open relay.  So, I'm obviously puzzled.
> 
> i got a similar notice from spamcop (and so did lots of others).  someone
> is mad at them and is sending notices that are bogus.   if you're not an
> open relay (and it certainly sounds so) then ignore the message.


Though this is still possible, I will add my experience to this...

About 3-4 weeks ago (perhaps longer) I found out that I was accidentally
reporting my ISP (sonic.net) and my associate's machine (acting as my
backup MX relay) as being spamming hosts.

For about 3+ months, I used the spamcop services. Over the first month,
I checked messages carefully when processing and found spamcop was smart
in their processing. They were able to decipher my ISP and MX relay as
not hosts that should be reported upon.

Since I had 1 month of "good hits" I just made the assumption that my
ISP and backup MX relay would not be included. MISTAKE!

After blindly reporting on my ISP (sonic.net) and my friend's box
(backup MX relay) my friend's box was placed on the black hole list.

ACK!

I contacted spamcop and worked through with them to "undo" the improper
assignment as to being a spammer, and also tried to work through to undo
the false reports I placed against my ISP. 

All is as well as it can be. However, I made a guess:
"Something has changed at spamcop"

Processing of requests seems to be more aggressive than it was before.
Now I see (just to test) about 1 in 3 messages would falsely report
my ISP or my associate. I don't use spamcop so much anymore. I am sure I
could be more interactive and actually review each and every host for
reporting like I am supposed to, but that is a lot of work. I'll
probably go with SpamAssassin and/or procmail for filtering and
autodeletion.

The moral of the story? Perhaps you have a user on your network who has
started reporting on your mail system due to the guess I had for changes
at spamcop. (This was just a guess - the thought that there have been
changes at all.)

-ME

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant


