From the wiki:
"Joe job victims may lose website hosting or network connectivity due to 
complaints to their Internet service providers, and even face increased 
bandwidth costs (or server overload) due to increased website traffic. The 
victim may also find his or her email blacklisted by spam filters."
  Original Message  
From: Michael Segel
Sent: Tuesday, May 2, 2017 1:36 PM
To: li...@lazygranch.com
Cc: Kevin A. McGrail; Matteo Cazzador; postfix users
Subject: Re: Trace spam activity on mail server

I got what you were saying. 

What you’re talking about is known as a Joe Job.
And it’s harder to do because it’s easier to spot fake headers these days.
So while it’s possible, it’s highly improbable and if it were done, it wouldn’t
be on a single RBL.

As to RBL services… yes, over time, some get dropped because they become stale 
and aren’t being maintained. Some have nut jobs running them. 

Trend Micro doesn’t fit into those categories.

I agree to using TLS as a way to harden the security, but depending on the web 
mail server … YMMV. 

There’s a reason why the RBLs don’t provide the ‘evidence’. Spammers are 
cockroaches, but they also learn from their mistakes. 
Right now I’m working on my new server and it’s set up as my secondary MX.
Already I have spammers hitting this machine and it looks like they are 
bypassing my primary server altogether. 

You are correct, the owner of the Netblock is ultimately responsible. So you 
should be able to get a new net block and let Digital Ocean worry. 


> On May 2, 2017, at 3:07 PM, li...@lazygranch.com wrote:
> 
> My point was some prankster and/or whitelist service could spam the honeypot
> with your credentials forged. That is a great way for a white list service to 
> get customers. 
> 
> Without knowing the setup of the honeypot, it could be spoofed. These RBLs 
> shoot first and ask questions later. 
> 
> Anyway, destroying the spamrl.com customer base one customer at a time works 
> for me. A Google search will find plenty of false positive complaints.
> 
> Requesting a new IP just leaves the problem for the next owner. I managed to 
> free up a block of Digital Ocean IP space by convincing one RBL that they 
> were wrong regarding the IP space. Granted Digital Ocean should have done 
> that. 
> 
> I never used any customer list nor scraped email addresses. 
> 
> The reality is these RBLs aren't bug free, and they never provide evidence of 
> spamming. They prefer you go on a wild goose chase. Mind you any time I 
> report a hack, I provide log data. That is how it should be done.
> 
> Two easy things to harden your server:
> 1) no web mail
> 2) all accounts use TLS
> 
> 
> 
> Original Message 
> From: Michael Segel
> Sent: Tuesday, May 2, 2017 9:02 AM
> To: Kevin A. McGrail
> Cc: li...@lazygranch.com; Matteo Cazzador; postfix users
> Subject: Re: Trace spam activity on mail server
> 
> First, honey pots aren’t an issue and spoofing an IP address is fairly easy 
> to pick up.
> 
> As to spam is in the eye of the beholder, if you go back to my questions… 
> 
> You’ll see that I asked about the OP’s mail list. 
> 
> Free clue… if you purchased a list of potential customers… you’re a spammer. 
> If you scraped email addresses, you’re a spammer.
> 
> 
> If you just moved the IP block, request a new block. Or a new ISP.
> 
> But I’d also make sure you’re running a clean shop too. 
> 
>> On May 2, 2017, at 10:00 AM, Kevin A. McGrail <kmcgr...@pccc.com> wrote:
>> 
>> On 5/2/2017 10:56 AM, li...@lazygranch.com wrote:
>>> Would a spammy email server only trigger one RBL?
>> 
>> Sure.
>> 
>> Spam is often in the eye of the beholder, people use different feeds, 
>> different policies, purposes, etc.
>> 
>> I wouldn't discount it that it's an issue just because it's only on one RBL. 
>> I'm a public mirror for quite a few and the overlap is not as high as one 
>> might think.
>> 
>> Regards,
>> KAM
>> 
> 
