ESP unwittingly used to send spam

Late last week I heard from someone at AOL that they were seeing strange traffic from a major ESP, traffic that looked like the ESP was an open relay. This morning I received an email from AOL detailing what happened, as relayed by the ESP.

IronPort Open Relay Vulnerability

Systems Affected

IronPort A60 running software version 2.5.4-005. According to IronPort, later devices and software versions using the same filtering mechanisms are vulnerable.

Overview

In recent weeks, one or more rogue spammers have been using misconfigured IronPort A60s as open relays to send unsolicited emails for AOL users via open relay. It is important for IronPort device administrators to review their configuration to shore up any vulnerability to this web server exploit.

Diagnosis

A seemingly minor configuration mistake made years ago internally has been exploited over the last several weeks to send out massive amounts of unsolicited email to AOL users. The spam mail originated from an outside zombie server, apparently infected with remote mailing viruses (such as BackDoor.Servu.76) according to the IT contact at IP 66.139.77.16. <ESP> has a filter specifically designed to deliver email over IP ranges set for AOL only. However, it was listed before a filter designed to log and discard bounced emails coming in through the Internet-facing side of the IronPort appliance.

Impact

We have received 6,500 customer complaints so far through the AOL feedback loop. As the IronPort devices are black boxes, we are unable to determine how many unsolicited emails were delivered across them. It is difficult to ascertain whether or not the rogue spammer(s) knew only AOL addresses were delivered using this exploit. It is important to note that only AOL addresses were delivered in our specific case due to the order of the filters.

Solution

The solution was simple: move the filter designed to log and drop bounce messages coming in from the Internet to the top of the filter list so it will run first, as other filters may direct the IronPort device to deliver the emails through this vulnerability.

Authors: Jake Lanza, Baigh Auvigne, Daniel Fox
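To make the ordering problem concrete, here is an added example, not IronPort's filter syntax and not code from the ESP's report: a toy model of a filter list evaluated top to bottom, where the first matching filter decides what happens to a message, plus a configuration check that every drop filter guarding the Internet-facing listener sits above the first deliver filter. The filter names, the message fields and the first-match semantics are assumptions made for the illustration.

```python
"""Ordered-filter model of the misconfiguration described in the report.

Added illustration, not IronPort's filter language or configuration: the
appliance is modelled as a list of filters evaluated top to bottom, with the
first matching filter deciding the message's fate (an assumption)."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Message:
    listener: str     # "internet": arrived on the Internet-facing listener;
                      # "internal": submitted by the ESP's own sending systems
    rcpt_domain: str  # domain of the recipient address


@dataclass
class Filter:
    name: str
    matches: Callable[[Message], bool]
    action: str       # "deliver" or "drop" (the log side of log-and-drop is omitted)


def evaluate(filters: List[Filter], msg: Message) -> str:
    """Return the action of the first matching filter, or "no-match"."""
    for f in filters:
        if f.matches(msg):
            return f.action
    return "no-match"


# Filter that routes mail for AOL recipients out over the AOL-specific IP ranges.
route_aol = Filter("route-to-aol", lambda m: m.rcpt_domain == "aol.com", "deliver")

# Filter that logs and discards anything arriving on the Internet-facing
# listener: the ESP only expects bounces there, never mail it should relay.
drop_inbound = Filter("log-and-drop-inbound", lambda m: m.listener == "internet", "drop")

BROKEN_ORDER = [route_aol, drop_inbound]  # the order described in the report
FIXED_ORDER = [drop_inbound, route_aol]   # the applied fix: guard runs first


def guards_precede_delivery(filters: List[Filter]) -> bool:
    """Configuration check: every 'drop' filter must sit above the first
    'deliver' filter, otherwise a deliver filter can relay inbound mail
    before the guard is ever reached."""
    first_deliver = next(
        (i for i, f in enumerate(filters) if f.action == "deliver"), len(filters)
    )
    return all(i < first_deliver for i, f in enumerate(filters) if f.action == "drop")


if __name__ == "__main__":
    # Constructed sample messages
    inbound_spam = Message("internet", "aol.com")      # spammer hitting the open relay
    inbound_other = Message("internet", "example.com")  # same, non-AOL recipient
    outbound_ok = Message("internal", "aol.com")        # the ESP's own legitimate mail
    for label, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "check:", guards_precede_delivery(order))
        for m in (inbound_spam, inbound_other, outbound_ok):
            print("  ", m.listener, m.rcpt_domain, "->", evaluate(order, m))
```

With the broken order the inbound message for an aol.com recipient is delivered while an inbound message for any other domain falls through to the drop filter, which is exactly the "only AOL addresses were delivered" symptom in the report; with the fixed order both inbound messages are dropped and the ESP's own outbound mail still goes out.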

Congrats to the ESP for noticing this so quickly and being on the ball to stop the leak.
The compromise was first noticed when email coming back through the AOL FBL did not match any mail sent by the ESP. Initially, the ESP contacted AOL to report a problem with the FBL, but in working with AOL employees they determined the email was coming from the ESP’s IP addresses.
This highlights the need to not just process FBL emails, but also to monitor them and react when there are emails in an FBL that you do not recognize.
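One way to do that monitoring, as an added example rather than anything from the post or the ESP: parse each incoming ARF feedback report, pull the Message-ID of the reported original, and flag any report that matches nothing in your own sending log. The report built here is a minimal constructed ARF (RFC 5965) message, and the sending-log set, addresses and IPs are made-up sample data; a production feed would read the real reports from the FBL mailbox and the real IDs from the MTA logs.

```python
"""Reconcile FBL complaints against the ESP's own sending log.

Added example: a complaint about a Message-ID the ESP never sent means mail
left through the ESP's IPs that it did not originate, which is how the relay
in the post was first noticed."""
import email
from email.message import Message
from typing import Dict, List, Optional, Set


def make_report(source_ip: str, message_id: str, rcpt: str) -> str:
    """Build a minimal ARF feedback report. Constructed sample data; real FBL
    reports carry more fields and the full original message."""
    return "\n".join([
        "From: fbl-sender@mailbox-provider.example",
        "To: fbl@esp.example",
        "Subject: abuse report",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=feedback-report; boundary="B"',
        "",
        "--B",
        "Content-Type: text/plain",
        "",
        "A user of this provider reported the attached message as spam.",
        "--B",
        "Content-Type: message/feedback-report",
        "",
        "Feedback-Type: abuse",
        "Version: 1",
        f"Source-IP: {source_ip}",
        "",
        "--B",
        "Content-Type: message/rfc822",
        "",
        "From: sender@somewhere.example",
        f"To: {rcpt}",
        f"Message-ID: {message_id}",
        "Subject: (original message)",
        "",
        "original body",
        "--B--",
        "",
    ])


def _nested(part: Message) -> Message:
    """Return the message embedded in a message/* part, whether the parser
    already nested it (payload is a list) or left it as a raw string."""
    payload = part.get_payload()
    if isinstance(payload, list):
        return payload[0]
    return email.message_from_string(payload)


def parse_arf(raw: str) -> Dict[str, Optional[str]]:
    """Extract Source-IP from the feedback-report part and Message-ID from
    the returned original (message/rfc822) part of an ARF report."""
    msg = email.message_from_string(raw)
    info: Dict[str, Optional[str]] = {"source_ip": None, "message_id": None}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            info["source_ip"] = _nested(part)["Source-IP"]
        elif ctype == "message/rfc822":
            info["message_id"] = _nested(part)["Message-ID"]
    return info


def unrecognized_complaints(reports: List[str], sent_ids: Set[str]) -> List[Dict[str, Optional[str]]]:
    """Return the parsed reports whose Message-ID is absent from the sending
    log. Any hit is mail that went out through your IPs but not through your
    sending pipeline and deserves a look, not just a list-unsubscribe."""
    return [info for info in map(parse_arf, reports) if info["message_id"] not in sent_ids]


def complaints_by_source_ip(parsed: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Group unrecognized complaints by the IP the provider saw, so the
    misbehaving relay host stands out."""
    counts: Dict[str, int] = {}
    for info in parsed:
        ip = info["source_ip"] or "unknown"
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    sent_ids = {"<a1@esp.example>", "<a2@esp.example>"}     # constructed sending log
    reports = [
        make_report("198.51.100.10", "<a1@esp.example>", "user1@aol.com"),
        make_report("198.51.100.10", "<zz9@randomspam.invalid>", "user2@aol.com"),
    ]
    bad = unrecognized_complaints(reports, sent_ids)
    print(bad, complaints_by_source_ip(bad))
```

Matching on Message-ID is the simplest link back to your own logs; if your MTA rewrites or strips it, key on whatever identifier you do control (a tracking header, a VERP return path) and extract that from the rfc822 part instead.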
Ironport has responded here.

Related Posts

Blogroll

I added a few blogs to my blogroll today.
Terry Zink works at Microsoft handling spam blocking issues for one of their platforms. His posts offer insight into how recipient administrators view spam filtering. He has a long, information-dense series of posts on email authentication.
E-mail, tech policy, and more is written by John Levine, a general expert on almost everything internet, especially spam and abuse issues. He posts somewhat irregularly about interesting things he sees and hears about spam, abuse, internet law and other topics.
Justin Mason’s blog contains information from the primary SpamAssassin developer. Like Terry’s blog, it gives readers some insight into the thought process of the people creating filters.
Al Iverson’s blogs have been on my blogroll for a while now. His DNSBL resource contains information about various DNSBLs and how they perform against a single, well-defined mail stream. His spam resource blog provides information about delivery and email marketing from someone who has been in the industry as long as I have.
Email Karma is Matt Vernhout’s blog and contains a lot of useful delivery information.
No man is an iland provides practical information on marketing by email. Some of the information is delivery related; a lot more of it is solid marketing information. Mark often points to useful studies and information posted around the net.
MonkeyBrains always has entertaining and informative articles about delivery, email marketing and practical ways to make your email marketing more effective.


Update on Yahoo and the PBL

Last week I requested details about Yahoo rejections for IPs pointing to the PBL when the IP was not on the PBL. A blog reader did provide me with extremely useful logs documenting the problem. Thank you!
Based on my examination of the logs, this appears to be a problem only on some of the Yahoo! MXs. In fact, in the logs I was sent, the email was rejected from 2 machines and then eventually accepted by a third.
I have forwarded those logs on to Yahoo, who are looking into the issue. I have also talked with one of the Spamhaus volunteers, and Spamhaus is aware of the issue as well.
The right people are looking at the issue and Spamhaus and Yahoo are both working on fixing this.
Thanks for the reports and for the logs.


AOL and AIM mail

Earlier this week a question came up on a mailing list. The questioner recently started seeing an increase in rejections to @aol.com addresses. These rejections said
