Archive for category Stupid

A low tech way to get a mail server blacklisted using victim’s own forums

As they say in the military, “If it’s stupid and it works, it isn’t stupid”.

This is a low-tech, labor-intensive way to get a victim’s email server blacklisted at a major public email service, using the victim’s own public forums. The email provider was very helpful in getting this sorted out, and it’s not clear that this “attack” is specific to them.

(This situation can also happen “accidentally” if a number of users subscribe to your forums, change their minds and then report the notices as SPAM instead of unsubscribing from the forums. That doesn’t seem to be the case in this instance.)

  1. Sign up for a few free email accounts with a public email provider. Get as many as you can, perhaps at least 20. Get some friends to help you. More is better.
  2. Go to the victim’s public forum servers and use each email account to sign up for one (or in some cases more than one) forum account per public email account. This gives you 20-100 forum accounts. Let’s use 20 as the lower bound and 100 as the practical upper limit.
  3. As an alternative, if the forum doesn’t use opt-in confirmation, just subscribe a few hundred random people to get the forum notifications. Let them do the work for you.
  4. Set each forum account to send an email notification for every forum update, or as many as possible. Some forum systems allow you to “watch” individual threads, some allow you to “watch” the entire forum system, getting one email for every other users’ post.
  5. In a moderately large-ish forum system, there could be perhaps 1 update per minute, so 60 per hour – that’s now 60*20 accounts (1200) or even worst case 60*100 accounts (6000) emails per hour going out from the forums system, perhaps through the victim’s outbound SMTP server. Either way, the target public email system is seeing a lot of email coming from one domain or IP range very quickly.
  6. If the rate alone isn’t enough to get the forum or SMTP server blacklisted, then go into each of the public email accounts and mark ALL the forum notifications as SPAM. Or if you subscribed a few hundred random people to the notifications, they’ll do the work for you!
  7. The combination of high email rate combined with the 1200-6000 SPAM use complaints should be enough to get either the forum server or the victim’s outbound SMTP server blacklisted.

Note that each and every part of this situation is working as intended. It’s only when they are combined that you get problems. (Unless the forum doesn’t do email address opt-in verification, in which case it’s all on you.)

This “attack” depends on these things:

  1. lots of manual labor, either by yourself or with some friends, or even some random victims
  2. a forum system that allows one user to cause the system to send lots of email based on the behavior of many people
  3. a moderately busy forum system
  4. a public email system that is biased more towards rate-based and user complaints than message content
  5. a public email system that the victim’s user base depends on, as in “must communicate with users in that public email system”

Fortunately, this is relatively labor-intensive, and not amenable to automation.

Countermeasures are left as an exercise for the reader 🙂
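One countermeasure for items 2 and 4 in the list above, as an added example that is not from the original post: the forum mailer caps immediate notifications per recipient per hour (overflow is coalesced into one digest mail) and raises an alert when a single destination domain would receive more than a threshold of notifications in an hour. The thresholds, the `public-mail.example` domain and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PER_RECIPIENT_HOURLY_CAP = 10   # immediate mails per recipient per hour; overflow goes to a digest
PER_DOMAIN_HOURLY_ALERT = 500   # alert when one destination domain would get more than this per hour

def domain_of(addr):
    """Destination domain of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()

def throttle(events, per_recipient_cap=PER_RECIPIENT_HOURLY_CAP, per_domain_alert=PER_DOMAIN_HOURLY_ALERT):
    """events: list of (timestamp, recipient) in time order, one per notification the forum wants to send.
    Returns (sent, digested, alerts):
      sent     - list of (timestamp, recipient) that may go out immediately
      digested - dict recipient -> number of updates held back for a single digest mail
      alerts   - list of (hour, domain, attempted) for hours where one domain exceeded per_domain_alert
    """
    sent, digested = [], defaultdict(int)
    per_recipient = defaultdict(int)   # (hour, recipient) -> immediate sends so far
    per_domain = defaultdict(int)      # (hour, domain) -> notifications attempted, sent or not
    for ts, rcpt in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        per_domain[(hour, domain_of(rcpt))] += 1
        if per_recipient[(hour, rcpt)] < per_recipient_cap:
            per_recipient[(hour, rcpt)] += 1
            sent.append((ts, rcpt))
        else:
            digested[rcpt] += 1      # coalesced: one digest later instead of N separate mails
    alerts = [(h, d, n) for (h, d), n in sorted(per_domain.items()) if n > per_domain_alert]
    return sent, dict(digested), alerts

def build_sample_events(n_accounts=20, posts_per_hour=60, start=datetime(2012, 1, 1, 9)):
    """Constructed input mirroring the post: n_accounts watchers, all registered at one
    public provider, each watching the whole forum, one new post per minute."""
    watchers = [f"watcher{i}@public-mail.example" for i in range(n_accounts)]
    events = []
    for minute in range(posts_per_hour):
        ts = start + timedelta(minutes=minute)
        events.extend((ts, w) for w in watchers)
    return events

if __name__ == "__main__":
    sent, digested, alerts = throttle(build_sample_events())
    print(f"attempted 1200, sent immediately {len(sent)}, held for digest {sum(digested.values())}")
    for hour, domain, n in alerts:
        print(f"ALERT {hour:%Y-%m-%d %H:00}: {n} notifications to {domain} in one hour")
```

With the post's numbers (20 watchers, one update a minute) the 1200 attempted notifications shrink to 200 immediate mails plus 20 digests, and the 1200-to-one-domain hour trips the alert before the provider's rate heuristics ever see it.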


Stupid email disclaimers – they just won’t die

Every day I get email messages with really stupid disclaimers at the bottom. Some of the worst are from vendors that are sending me information or invites to events.

Stupid email disclaimers seem to have come into vogue in or about 2001 or so. Many people, myself included, thought that this would be just a passing fad, and folks would realize how stupid these make you and your organization appear to rational people.

Hah. Nope. Obviously too much faith in humanity going on here.

The folks at goldmark.org did a collection of these, and why they are stupid, back in 2001. The Register, Slashdot and Slate also took pokes at the topic. Sadly, it appears that rational thought has given up and just decided to accept the status quo.

Disclaimers should have died a decade ago.

Starting this week, I’m going to post some of these disclaimers. The stupid, it burns. I’m torn on whether or not to release the company names with the disclaimers. Vote in the comments, if you dare.

Confidentiality Note: This e-mail, and any attachment to it, contains privileged and confidential information intended only for the use of the individual(s) or entity named on the e-mail. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that reading it is strictly prohibited (emphasis added). If you have received this e-mail in error, please immediately return it to the sender and delete it from your system. Thank you.

So, I’m prohibited from reading the email, to get to the bottom disclaimer to find out that I’m prohibited from reading the email?

Yup, you’re a vendor I’m adding to the blacklist, for excessive stupid. If every email your company sends looks like this, I wonder what your service contracts look like? Do you even have competent lawyers?
