Hackers Blamed For MessageLabs Spam Blunder
littlekorea writes "MessageLabs claims to have discovered that the systems of one of its customers were hacked by spammers after an entire block of MessageLabs IP addresses was blocked by antispam service SORBS. Customers of the managed email service had problems with outbound mail last week after MessageLabs' IP addresses were included in SORBS' block list. The Symantec-owned service provider has assured customers it has systems in place to prevent such incidents from happening again."
Re:Please don't use ANY blacklist (Score:3, Insightful)
and arrives at a recommendation ("do not use DNS-RBLs").
This entire analysis is spot on, but the reason blacklists are so popular is that they tend to work - you use one, the spam goes down, your users are happy. (Right up to the point where they discover a false positive that the RBL is blocking them from getting, anyway.)
In light of that, "do not use DNS-RBLs" is kind of throwing the baby out with the bathwater. The obvious middle ground, of course, is "don't use DNS-RBLs to make a binary accept/reject decision." Instead, use them as a weighted input to an overall spam score, such as is done by SpamAssassin or policyd-weight.
But then, that's generally more work. :-)
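The "weighted input" approach the comment describes, as an added example that is not from the thread or from SpamAssassin/policyd-weight: a single listing on one DNSBL contributes to a score instead of rejecting outright, so an overbroad block of a legitimate relay's range does not by itself stop mail. The zone names, weights, threshold and the offline stand-in for DNS answers are all assumptions made for illustration.

```python
"""Weighted DNSBL scoring vs. binary reject (added example, not from the thread).

A DNSBL lookup reverses the octets of the sending IP and queries
<reversed-ip>.<zone> for an A record; any answer means "listed".
"""
import ipaddress

# Per-list weights: a list known for overbroad or slow-to-clear blocks gets
# less say. Zones and weights are illustrative assumptions, not vendor guidance.
DNSBL_WEIGHTS = {
    "zen.spamhaus.org": 3.0,
    "dnsbl.sorbs.net": 1.5,
    "bl.spamcop.net": 1.0,
}
REJECT_THRESHOLD = 5.0

# Constructed offline stand-in for DNS answers (query name -> listed?).
# A real deployment would issue the A-record lookups with a resolver library.
FAKE_DNS = {
    "10.2.0.192.dnsbl.sorbs.net": True,     # constructed: a relay listed only on SORBS
    "7.100.51.198.zen.spamhaus.org": True,  # constructed: a host listed everywhere
    "7.100.51.198.dnsbl.sorbs.net": True,
    "7.100.51.198.bl.spamcop.net": True,
}

def dnsbl_query_name(ip, zone):
    """Build the reversed-octet query name, e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup(ip, zone, resolver=FAKE_DNS.get):
    """True if the list answers for this IP; resolver is injectable for testing."""
    return bool(resolver(dnsbl_query_name(ip, zone)))

def binary_reject(ip, resolver=FAKE_DNS.get):
    """The approach the comment warns against: one hit on any list rejects the mail."""
    return any(lookup(ip, zone, resolver) for zone in DNSBL_WEIGHTS)

def weighted_score(ip, resolver=FAKE_DNS.get):
    """Sum the weights of the lists that answer; return (score, hits) for logging."""
    hits = [zone for zone in DNSBL_WEIGHTS if lookup(ip, zone, resolver)]
    return sum(DNSBL_WEIGHTS[z] for z in hits), hits

def weighted_reject(ip, resolver=FAKE_DNS.get, threshold=REJECT_THRESHOLD):
    """Reject only when the combined score crosses the threshold."""
    return weighted_score(ip, resolver)[0] >= threshold

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "binary:", binary_reject(ip), "weighted:", weighted_score(ip),
              "reject:", weighted_reject(ip))
```

In a real mail filter the score from this check would be one term alongside content and header rules, with the hit list logged so a false positive on one list can be traced and its weight tuned.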
Re:This all sounds backwards (Score:5, Insightful)
Knowing how Messagelabs works myself, just to refine it, it probably went something like this.
1. Emailserver1 is set up to relay all of its outbound email through Messagelabs.
2. Emailserver1 is compromised and used as a mail relay itself.
3. Messagelabs receives spam generated by Emailserver1 and, because all outbound email is filtered, recognizes it after a few hundred pieces of mail and begins to throttle/stop connections from the server.
4. A few pieces of the hundred are delivered to destination recipients.
5. SORBS places the entire Messagelabs /24 on their lame block list in response and, because they suck as a service, take forever to remediate bad blocks.
The answer to all this is that Messagelabs' IP ranges should never end up on SORBS' list because of what they are: an output pool for tens of thousands of people which is maintained by a company with a reputation. The fact that SORBS feels it within their power to blacklist Messagelabs' IP ranges shows how much power they feel that they have, power derived merely from the fact that some people use them.
This should prove to people who use SORBS why not to use them. It's SORBS' fault, not Messagelabs'. The whole idea of a list like SORBS is to be a well-maintained list of "bad IPs". If they add Messagelabs' /24s to their list, this proves it is not well maintained. The act of sending a small number of spam emails is inherently unpreventable almost by definition, and ML has the infrastructure in place to protect against 99.9999% of it.