Message-ID: <Pine.LNX.4.58.0407080543540.1767@forced.attrition.org>
From: jericho at attrition.org (security curmudgeon)
Subject: denial of service on ISN list 

: ---------- Forwarded message ----------
: Date: Thu, 08 Jul 2004 10:17:46 +0100
: From: lsi <stuart@...erdelix.net>
: To: isn-owner@...rition.org
: Cc: full-disclosure@...ts.netsys.com
: Subject: [Full-Disclosure] denial of service on ISN list
:
: I can't subscribe to ISN because their mail server thinks my mail server
: is a spammer.  I can report that Pipex are one of the largest ISPs in
: the UK, and that this server might be used by hundreds of thousands of
: people.

For any large ISP, a single abusive customer has never caused an entire
ISP to be blacklisted or blocked from reaching attrition.org .. the ISP
not responding to complaints and not doing anything to resolve the abuse
has.

The block had nothing to do with Joe Random sending a ton of spam. It has
to do with Pipex ignoring my complaints to abuse@ and/or postmaster@ and
opting not to track down the spammer for *weeks*, while spam kept flowing
from the same person, via the same mail relay (62.241.160.193).

They opted not to care, they had no issue with the activity of their
customer, they didn't want to lose a few bucks and kick the person from
their service. If you support a company like that, keep paying them, and
keep getting denied by this mail server. If you feel that they DO care
these days (considering the block was added 02-02-03) then a polite mail
to attrition.org would likely cause me to move them to the probation area
and get a fun little # in front of their entry.

: I put it to ISN that your system allows people to be kicked off the
: list.  All I need to do is fake some spam from my enemy's SMTP to the
: list, and you block the entire server.  When another of Pipex' 100,000
: subscribers attempts to join, they are blocked too.  Not good.

You also need to fake the ISP not caring, fake them not responding to
complaints for weeks at a time, and fake hundreds of pieces of spam
through that same relay each day.. then the DoS would be effective. If you
can manage that attack, then yes, ISN is susceptible to a DoS attack as
you describe. Further, not to burst your bubble, mail has been getting
to/from some pipex customers just fine. They use another pipex relay
apparently (whirlwind.systems.pipex.net).

: > <isn-request@...rition.org>: host forced.attrition.org[66.80.146.7] said: 553
: >     5.3.0 - 780 spammer or relay pengo.systems.pipex.net ESMTP Postfix (in
: >     reply to MAIL FROM command)

The mail to "isn-owner" was a cute gesture, but you *knew* mail to
anything at attrition.org would bounce, so why bother?

In the future, at least contact someone at attrition.org (from an
alternate account of course, even a disposable hotmail.com address) since
we handle the mail list for ISN. Failing that, mail the ISN moderator
(wk@....org, whose mail doesn't route through attrition.org) and ask him
if something can be done, instead of whining to an arbitrary list.

