[SC-Help] Re: confused
Glenn Daniels
aukword666 at attglobal.net
Mon Jul 5 03:04:07 EDT 2004
Mike Easter wrote:
> Glenn Daniels wrote:
> > SI itself sports
> > a link to http://www.spamcop.net and appears to offer
> > to forward reports to user's SpamCop.net account.
>
> Where is that? I can't find that mentioned at the Giant website. Is
> that only seen from 'inside' SI? Presumably it/SI might want the SC
> submit addy as a notify. That /could/ work if SI didn't 'mess up' the
> item - ie if the headers from SI client to SC were followed immediately
> by the spamheaders and body, just as if it had been forwarded as an
> attachment.
Exactly. It appears on the "Report" window as a link at first.
After entering the registered SC email addy a checkbox for
submitting reports to SC is added under the box for SpamAbuse.org.
In trying to submit spam as attachments to the listed addy for
SpamAbuse.org, all are rejected as spam because the account
is Brightmail protected. No spams reported to SC through
SI are acknowledged, so they are not even generating
an "error encountered" or "spam received" autoresponder.
So it is unclear what if anything is sent.
> > To make matters worse, SI opens port 110 to
> > hackers who seem to know exactly how to attack
> > the vulnerability.
>
> What do you mean? 110 is your pop port. What kind of 'open' does SI
> do? Do you have something in some ZA Zone Alarm logs or something?
I mean, I may have finished sending/receiving email and during
a period when nothing should be coming/going I see a steady
flow of data I/O through the SI mailserver. SI "listens" on
port 110 and filters the incoming email as "localhost"
at 127.0.0.1 and passes the filtered mail to the email client.
Even after the mail client is closed, the SI mailserver still
responds to probes on port 110. I use Sygate by way
of extensive positive experience with it, and the traffic log
records the unwanted activity I refer to.
Before installing SI, the system tested as completely
"stealthed" on all ports. After installing SI, the system
tested either as stealthed on all ports except 80 and 110,
which reported as "closed" but responding to probes,
or, all ports from 80 or 110 and up reported as closed
but responding to probes. The non-stealthed status
of the firewall was not anticipated, but was revealed
on testing the firewall after what I perceived was an
attack through the SI mailserver client.
I have restored the stealthed status of the ports
by use of additional firewall rules blocking traffic
at ports 80 and 110. Observing the unsolicited
traffic through the SI mailserver client, I thought
it might be some sort of autoupdate, but that did
not bear out. Although there was no serious harm
to the system, and there was no evidence of a
viral intrusion, a third port used by trojans was
rendered "closed" rather than stealthed.
Neither McAfee, nor Ontrack, nor Norton, nor
Avast! found any evidence of a viral intrusion or
trojan, but an additional scan using AdAware picked
up registry modifications in the shell menu entries
for .reg and .scr filetypes. Rather than the default
values of "Merge" and "Test", the defaults had been
changed to simply "Open". These mods could
make the system a bit more vulnerable to a virus
received as an email attachment with those
extensions. That AdAware defs picked up the
mods tells me that my experience is not unique:
It would appear that there is a network aware virus
in the environment capable of probing ports that
are not stealthed, and making changes in security of
the target machine to make it more vulnerable to
further intrusion.
Anyway, Mike, these are just petty gripes, nothing
I meant to make a big issue of. The real "slap
in the face" wakeup call was finding out I had
probably bounced spams not to the originating
IPs but to forged "From:" addresses taken
from the spam forge's mailing list to be used as
the "sender" for that particular run. I seriously
expected SI to ignore that shammed "From:"
as SC does: "bounce" to me does not mean
deflect to a target of opportunity but send it
back from whence it came. SI did not make
it clear that that would never happen, and
that it does not is not acceptable.
Besides, it goes way off the mark: You were taking
exception to the OP's wanting the SC code for
use with SI, suggesting he might be confused. And
I am taking exception to that: the OP is not confused,
SI makes it appear that reports will be sent to SC,
where experience suggests things may not be as
they appear to be...
Glenn,
confused, but learning