[plug] [link] Please start using this

Shayne O'Neill shayne at guild.murdoch.edu.au
Mon Feb 3 15:17:37 WST 2003
On Sun, 2 Feb 2003, Peter J. Nicol wrote:

> Is there any evidence at all that this works?  i.e., that spammers will respond in
> the way that the email suggests?  Are there any success stories?
>
> Sounds like a huge waste of time and resources to me.  Like a spammer cares if an
> email address is wrong.  They don't run mail servers, they steal them, or use
> throwaway accounts on free servers.

Ain't that the truth. Recently I had the displeasure of having to eat my
words about "the guild's linux server will never be hacked" after an
outlandishly clever hack on our server for the purposes of turning
relay=* on in the exim configuration.

About 5 in the arvo we had some sort of automatic scan sweep thru. It was
testing for the presence of "squirrelmail". The damn thing then pumped some
sort of weird URL into the machine that caused it to spit out the exim
config; about 2 seconds later another weird URL managed to somehow drop a
modified exim config into the system. Approx. 5 or 6 seconds later about
100 thousand (at the minimum, I was only alerted when the outgoing spool
became so big it ate the remaining space up on the 4gig root drive and sent
the machine into a tizzy) Nigerian spams started relaying off the machine.

There seemed to be about 15-16 machines involved in the attack, all
originating from Brazil. This was a targeted professional attack for the
purposes of fraud.

I've reported it to the cops and the Brazilian police. I've rebuilt my
server, updated to the latest squirrelmail that doesn't seem to have the
problem, did a nessus scan and am confident the problem won't come back.

But I gotta tell you this attack is gonna cost the guild bux. It also
caused me to have to spend a good 20hr+ coffee fueled waste of time in
fixing this.

I still haven't got the guild off all the open-relay blacklists yet,
although I emailed the MAPS dudes and they said that apparently this sort of
hack-then-bounce caper has been on the rise (apparently hundreds of sites
were hit with the squirrel vulnerability. And yet I can't find any
reference to it, or even the vuln, on the net...).

I'd just like 5 minutes alone with the evil bastards. I got plenty of
tolerance for skript kiddies who just deface a web page and go away. But I
got no time for fraudsters.

Shayne.