
December 19, 2004

Spam blacklists as denial-of-service attacks?

I'm a big believer in spam blocklists - I use several myself - as well as in other proactive efforts to limit spam. Spam is a really big problem, and some collateral damage from fighting it is inevitable, but a new kind of collateral damage is emerging: the blacklisting of email forwarders.

AOL members can mark any email as spam, and this black mark gets attached to - among other things - the source IP address, meaning the host that handed the message to AOL. If too much "spam" comes from one IP address, it can get blacklisted for a time. For direct injection or open-relay spam this is fine, but what about email that is merely forwarded through a mail server at the user's request?

I host a small number of email accounts on my servers, with a few being forwarded elsewhere. If any of those are forwarded to AOL accounts and get reported as spam, the report is credited to my server, because mine is the last hop before AOL. Eventually my server could get blacklisted, even though I've done nothing even remotely wrong.

This hasn't happened to me, but it does happen to others: one email forwarder I know of positively forbids its users from reporting any forwarded email to Spamcop (which apparently treats the last IP address in the headers as the "source", much as AOL does). That forwarder has been blacklisted several times, and it will now cancel the account of anybody who does report forwarded mail.

I guess the moral of the story is to be careful how you report spam: if you receive email forwarded through somebody else's server, reporting it carelessly can very well get the whole server labelled "a spam source" (it's not hard to construct a denial-of-service attack on this basis: enough reported spam routed through a forwarder puts the forwarder itself on the blacklist).
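As an added illustration (this is not code from the original post, and nothing here is AOL's or Spamcop's actual implementation), the script below shows the attribution problem described above on a constructed message: a reporting service that takes the connecting IP from the outermost Received header names the forwarder, while a service that has been told which hosts are the recipient's own forwarders can walk one hop further in and name the real injector. The hostnames, addresses, headers and the "declared forwarders" trust model are assumptions made for the example.

```python
# Added example, not code from the original post: hostnames, IP addresses
# and Received headers below are constructed for illustration.
import re
from email import message_from_string
from email.policy import default
from ipaddress import ip_address

# Constructed sample. A spammer at 198.51.100.23 injects mail to alias@example.net,
# whose owner has it forwarded by fwd.example.net (203.0.113.10) to a mailbox at
# mx.mail-provider.example. Received headers are newest-first, as in a real message.
SAMPLE_MESSAGE = """\
Received: from fwd.example.net (fwd.example.net [203.0.113.10])
\tby mx.mail-provider.example (Postfix) with ESMTP id 4F1C2
\tfor <user@mail-provider.example>; Sun, 19 Dec 2004 17:00:02 -0800
Received: from dsl-pool-23.spammer.example (unknown [198.51.100.23])
\tby fwd.example.net (Postfix) with SMTP id 9A3B1
\tfor <alias@example.net>; Sun, 19 Dec 2004 17:00:01 -0800
From: "Special Offer" <noreply@spammer.example>
To: alias@example.net
Subject: Make money fast

Buy now.
"""

# The connecting host's address, as the receiving MTA writes it in brackets.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_message):
    """Return the connecting IP recorded by each Received header, newest first.

    Entry 0 is the host that handed the message to the final provider; each
    later entry was written by the host named in the entry before it.
    """
    msg = message_from_string(raw_message, policy=default)
    chain = []
    for header in msg.get_all("Received", []):
        match = BRACKETED_IP.search(re.sub(r"\s+", " ", str(header)))
        if not match:
            continue
        try:
            chain.append(str(ip_address(match.group(1))))
        except ValueError:  # bracketed text that is not a valid address
            continue
    return chain


def naive_source(raw_message):
    """Attribution the post describes AOL and Spamcop using: the IP in the
    outermost Received header. For forwarded mail this is the forwarder."""
    chain = received_chain(raw_message)
    return chain[0] if chain else None


def source_skipping_forwarders(raw_message, trusted_forwarders):
    """Walk inward past hosts the recipient has declared to be its own
    forwarders and blame the first hop that is not one of them.

    Only headers written by hosts already trusted are consulted: the
    outermost header comes from the provider, the next from a declared
    forwarder, and so on. The walk stops at the first untrusted host, so a
    header that host might have forged is never read.
    """
    for ip in received_chain(raw_message):
        if ip not in trusted_forwarders:
            return ip
    return None


if __name__ == "__main__":
    print("chain:", received_chain(SAMPLE_MESSAGE))
    print("naive attribution blames:", naive_source(SAMPLE_MESSAGE))
    print("skipping the declared forwarder blames:",
          source_skipping_forwarders(SAMPLE_MESSAGE, {"203.0.113.10"}))
```

Running it shows the naive rule blaming 203.0.113.10 (the forwarder) and the forwarder-aware rule blaming 198.51.100.23 (the injecting host). The second rule only works if the recipient has told the reporting service which hosts forward for them, which is precisely what the services described in the post do not ask; with an empty forwarder list it degrades to the naive behaviour.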

Posted by steve at December 19, 2004 05:38 PM
