A technical correction: The netra, which resolves to graphnet.com, was the victim even though we have an MX record pointing elsewhere. I have locked the doors; it won't happen again on that machine -- it's a firewall and I put in a rule to prevent off-campus SMTP connections. The spammer kept hitting us while my attention was drawn to an unrelated outage with a major customer. Eventually he stopped hitting us and moved on. Meanwhile our real public mail server is vulnerable because it runs Netscape mail (netra runs Solaris 2.4 until SunSoft gets our copy of 2.5.1 application server off back order; ditto an old sendmail). We consulted Netscape server support; they said their version of sendmail is vulnerable even in the very latest version of Messaging Server (which replaces Mail Server). Netscape has a nice web interface for mail, but we will have to put a real sendmail machine in front or get rid of Netscape mail. Any opinions on whether this warrants a CERT advisory? Someone should post to bugtraq or something so the world knows -- and puts pressure on Netscape.

Dana Hudes
Graphnet

p.s. Thanks to all who offered to help and/or e-mailed various statute citations. This seems a bit beyond the Teaneck police; does it go to FBI? Secret Service? Postal Inspectors? FCC? State Police? Interpol? Who has jurisdiction?
On May 5, 1997 at 13:01 dhudes@graphnet.com (Dana Hudes) wrote:
Folks,

Over the weekend someone decided to use our (Graphnet/globalis.net) mail server for sending spam. We are in the process of dealing with this and some internal network outages all at once. FYI, our mail server is running the very latest Solaris 2.5.1 + patches, but the software is Netscape Mail Server, which replaces Sendmail with its very own. I thought they claimed it could not be used for transit mail, but apparently either the claim was false or I misunderstood.
Our small staff is strained to capacity working on these issues this Monday morning. Please stop sending mail to postmaster@graphnet.com and attacking us. You are making the problem worse by flooding us with mail. Please do not blackhole us; we have never been a problem before with this and thought we had taken preventative measures. Obviously these measures failed, but we are working with Netscape to understand why their sendmail version allowed this to happen.
Don't shoot me, I'm one of the good guys.... We want to take action with law enforcement to find and prosecute the spammer for denial of service attacks and theft of services. Pointers to appropriate law enforcement agencies appreciated, also tips on tracking the source down. Ditto applicable NJ and US statutes. I assume not every spam comes from cyberpromo using one's server for transit mail.
Dana Hudes
Senior Network Engineer
Graphnet
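The relay policy behind the fix described above (accept inbound mail for our own domains from anyone, but let only on-campus hosts send outbound mail through the server), written out as an added Python example; this is not code from the posts or from Netscape's product, and the 192.0.2.0/24 "campus" range and the sample envelopes are constructed values.

```python
"""Open-relay policy check, modelled on the mitigation in the thread.

A RCPT TO is accepted only if the recipient domain is one we host, or the
connecting client is on a local (on-campus) network. Anything else is a
third-party relay attempt and is rejected. Note that which host the MX record
names plays no part: any host that listens on port 25 must enforce this.
"""
import ipaddress

LOCAL_DOMAINS = {"graphnet.com", "globalis.net"}      # domains we host (from the thread)
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # assumed on-campus range (TEST-NET-1)


def is_local_client(client_ip: str) -> bool:
    """True if the SMTP client address falls inside an on-campus network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)


def accept_rcpt(client_ip: str, rcpt: str) -> bool:
    """Return True if this RCPT TO should be accepted under the relay policy."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True                    # inbound mail for a domain we host
    return is_local_client(client_ip)  # outbound relaying only from on-campus clients


# Constructed sample of SMTP envelopes: (client IP, MAIL FROM, RCPT TO)
SAMPLE_ENVELOPES = [
    ("198.51.100.7", "friend@example.org", "postmaster@graphnet.com"),  # legit inbound
    ("192.0.2.10", "dhudes@graphnet.com", "someone@example.net"),       # legit outbound
    ("203.0.113.99", "bulk@example.com", "victim1@example.net"),        # relay attempt
    ("203.0.113.99", "bulk@example.com", "victim2@example.org"),        # relay attempt
]


def relay_attempts(envelopes):
    """Return the envelopes the policy rejects, i.e. third-party relay attempts."""
    return [e for e in envelopes if not accept_rcpt(e[0], e[2])]


if __name__ == "__main__":
    for client, sender, rcpt in relay_attempts(SAMPLE_ENVELOPES):
        print(f"REJECT relay: client={client} from={sender} to={rcpt}")
```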