[ngw] spammer infiltration

Morris Blackham mblackham at gw.novell.com
Wed Feb 5 00:59:09 UTC 2014


One other thing that may help deter an AUTH spam attack.  With GW 2014, GWIA will not advertise on an EHLO that it supports AUTH LOGIN unless the connection has been encrypted with STARTTLS.
 
Heads up to all the NGW admins.  This may cause a few calls from your POP/IMAP users if they aren't using SSL for SMTP in their client account settings.  So they must use SSL/STARTTLS for SMTP in order to Auth when sending.
 
--Morris
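A check for the behaviour Morris describes, as an added example that is not part of the original post and is not Novell or GWIA code: it reads a server's EHLO capabilities before and after STARTTLS and reports whether AUTH is offered on the cleartext channel. The host name is taken from the command line; nothing here is specific to GWIA.

```python
"""Report whether an SMTP server offers AUTH before STARTTLS.

Added example, not Novell/GWIA code; standard library only.
"""
import smtplib
import ssl
import sys


def auth_mechanisms(esmtp_features: dict) -> list:
    """AUTH mechanisms from an smtplib EHLO feature map, e.g.
    {"auth": " LOGIN PLAIN", "starttls": ""} (keywords are lower-cased and
    the AUTH value may carry a leading space)."""
    return esmtp_features.get("auth", "").split()


def classify(before_tls: dict, after_tls: dict) -> str:
    """Compare EHLO features seen before and after STARTTLS.

    cleartext-auth : AUTH offered on the unencrypted channel (a client
                     may send its password in the clear)
    tls-only-auth  : AUTH offered only after STARTTLS (GW 2014 behaviour)
    no-auth        : AUTH never offered
    """
    if auth_mechanisms(before_tls):
        return "cleartext-auth"
    if auth_mechanisms(after_tls):
        return "tls-only-auth"
    return "no-auth"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """EHLO, STARTTLS, EHLO again, then classify what the server offered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        if not smtp.has_extn("starttls"):
            return "cleartext-auth" if auth_mechanisms(before) else "no-starttls"
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # RFC 3207: capabilities must be re-read after STARTTLS
        after = dict(smtp.esmtp_features)
    return classify(before, after)


if __name__ == "__main__":
    print(probe(sys.argv[1]))  # e.g. python smtp_auth_check.py your.gwia.host
```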
 

>>> Jeff Lay <jlaynovl at gmail.com> 2/4/2014 3:48 PM >>>
Alex (et al)
 
We get a fair number of tech support calls on this, so those of us in NTS
feel your pain that it can sometimes take a while to track down the
culprit(s) on these kinds of problems.  Because of that, I wrote up a
request asking for some fixes/enhancements to GWIA and the Engineering guys
gave us most of the stuff on our wish list.  So, the changes that are
planned for 2014 GWIA to help with spam detection are:
 
1. The GWIA log will now show both the IP address and GroupWise userID for
every successful SMTP AUTH, where in the past it would only log the userID,
so hopefully that will make it easier to find and block problem IP
addresses.
 
2. For every outbound message, the GWIA log will now include the actual
GroupWise userID of the authenticated sender, where in the past we only
logged the "From" information, which was easily spoofed in the message file
and didn't give you any indication as to which GW account the spammer was
using to send.  So now if you think your GWIA is sending spam, you can just
do a quick search of log files and if you see 2000 messages sent by user
"jsmith" you know where the problem is and can disable that account.
 
3. Lastly, we have officially canonized the /disallowauthrelay switch, so
that you can either A) prevent relay completely or B) in the event that
your GWIA is being used to send spam from a compromised account, you can
add that switch and restart GWIA and nobody (including the spammer) will be
able to relay off of GWIA while you find the problem user account.
 
I hope that helps,
 
-Jeff
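The kind of log search Jeff describes in point 2, as an added example that is not part of the original post and is not GWIA code: the line format is constructed to carry the fields he lists (IP and userID per successful AUTH, userID per outbound message) and is not the real GW 2014 format, so the patterns would need adapting to actual GWIA logs. The thresholds are illustrative.

```python
"""Find the account behind a burst of outbound mail in GWIA-style logs.

Added example, not Novell/GWIA code. The line format is CONSTRUCTED; the
real GW 2014 GWIA log looks different, so adapt AUTH_RE/SEND_RE first.
"""
import re
from collections import Counter, defaultdict

AUTH_RE = re.compile(r"SMTP AUTH OK user=(?P<user>\S+) ip=(?P<ip>\S+)")
SEND_RE = re.compile(r"SEND user=(?P<user>\S+) from=(?P<sender>\S+)")

# Constructed sample: one normal user, one account abused from several IPs.
SAMPLE_LOG = """\
02-04-14 15:40:01 SMTP AUTH OK user=bjones ip=192.0.2.10
02-04-14 15:40:03 SEND user=bjones from=bjones@example.edu
02-04-14 15:41:10 SMTP AUTH OK user=jsmith ip=203.0.113.7
02-04-14 15:41:11 SEND user=jsmith from=sales@bogus.example
02-04-14 15:41:11 SEND user=jsmith from=sales@bogus.example
02-04-14 15:42:30 SMTP AUTH OK user=jsmith ip=198.51.100.21
02-04-14 15:42:31 SEND user=jsmith from=promo@bogus.example
02-04-14 15:42:31 SEND user=jsmith from=promo@bogus.example
02-04-14 15:43:05 SMTP AUTH OK user=jsmith ip=203.0.113.99
02-04-14 15:43:06 SEND user=jsmith from=jsmith@example.edu
"""

def summarize(log_text: str) -> dict:
    """Per user: outbound count, distinct AUTH source IPs, distinct From addresses."""
    sent, ips, froms = Counter(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            ips[m["user"]].add(m["ip"])
        elif m := SEND_RE.search(line):
            sent[m["user"]] += 1
            froms[m["user"]].add(m["sender"])
    return {u: {"sent": sent[u], "ips": sorted(ips[u]), "froms": sorted(froms[u])}
            for u in set(sent) | set(ips)}

def suspects(log_text: str, max_sent: int = 4, max_ips: int = 2) -> list:
    """Users over the send-count or distinct-IP threshold, most prolific first."""
    report = summarize(log_text)
    flagged = [u for u, r in report.items()
               if r["sent"] > max_sent or len(r["ips"]) > max_ips]
    return sorted(flagged, key=lambda u: -report[u]["sent"])

if __name__ == "__main__":
    for user in suspects(SAMPLE_LOG):
        print(user, summarize(SAMPLE_LOG)[user])  # the account to disable
```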
 
 
 
On Wed, Jan 8, 2014 at 9:15 AM, Alex Hargrove <ahargrove at cgresd.net> wrote:
 
> Hi Jeff-
>
> Are you able to expound on this at all?
>
> Thanks!
> Alex
>
> >>> On 1/6/2014 at 1:39 PM, Jeff Lay <jlaynovl at gmail.com> wrote:
> > All,
> >
> > Just FYI - We're expecting some enhancements to the Windermere (GW 2014)
> > GWIA that will help prevent this kind of thing and also make it easier to
> > track down the compromised account if somehow a spammer gets through
> > with a valid password.
> >
> >
> > On Fri, Dec 13, 2013 at 5:19 PM, Jeffrey Sessler
> > <jeff at scrippscollege.edu>wrote:
> >
> >> AOL can be very hard to get off of, and they do some very wacky things
> >> with email.
> >>
> >> Check your reputation in Cisco's/Ironport Senderbase
> >> http://www.senderbase.org/
> >> It's probably the largest feed of data by customers. If you send email,
> >> it's likely that senderbase is tracking you. Senderbase will also tell
> >> you what other SBLs the IP (or range of IPs) are on.
> >>
> >> I think reputation score is one of the best ways at preventing unwanted
> >> email. Something like 95% of the 2 million messages we get a week are
> >> dropped based on reputation score. The 500 response from our Ironport is
> >> classic - something like - "Sorry, your reputation score is so low we
> >> don't want to talk to you."
> >>
> >> Jeff
> >>
> >> >>> Kathy Tyler  12/13/13 1:17 PM >>>
> >> We weren't on blacklists either - it was our IP reputation score.  As a
> >> matter of fact, Comcast was blocking us but when I submitted a ticket to
> >> them, they said they weren't blacklisting us.  But it was this IP
> >> reputation score that they were using.  I used -
> >> https://www.senderscore.org/.  I saw our lowered score.  Once we removed
> >> the compromised workstation, our reputation repaired itself with no
> >> intervention from.  It took about 3-4 days.
> >>
> >> Can't you get the headers off of an undeliverable message to give AOL?
> >>
> >> Kathy
> >>
> >>
> >> -----Original Message-----
> >> From: ngw-bounces+kathy.tyler=northmemorial.com at ngwlist.com [mailto:
> >> ngw-bounces+kathy.tyler=northmemorial.com at ngwlist.com] On Behalf Of Kim
> >> Geiger
> >> Sent: Friday, December 13, 2013 12:53 PM
> >> To: 'NGWList'
> >> Subject: Re: [ngw] spammer infiltration
> >>
> >> Users are still having delivery problems after I found and killed the SMTP
> >> bot on my network.  Seems we're blacklisted at some locations, even though
> >> we're not listed on any of the big blacklists.
> >>
> >> So I have to submit the headers of an outgoing message that bounced to
> >> make my case that I'm not a spammer.  I guess I've never needed to do such
> >> a thing with GroupWise before; it seems there is no way.  A message doesn't
> >> *get headers until it's routed out.
> >>
> >> Any idea how I can give AOL, et al., what they demand?
> >>
> >> --
> >> Kim Geiger
> >> WKAR Radio & Television, WKAR.org
> >> East Lansing, Michigan
> >> 517-884-4766
> >>
> >>
> >> _______________________________________________
> >> ngw mailing list
> >> ngw at ngwlist.com
> >> http://ngwlist.com/mailman/listinfo/ngw
> >>
> >>
> >>
> >>
>