MailChimp 'working' to stop hackers flinging malware-laced spam from accounts Email newsletter distribution service MailChimp has promised to act on the abuse of accounts to send (frequently) malware-tainted spam. Security experts have been complaining with increasing frustration that the problem has been going on for months. MailChimp is widely used for sending newsletters, bulletins and in some cases …
I've been getting them: 10 in the past month, two only yesterday. I'd just blacklist their IPs but Let's Encrypt use them (mandrill.com / mandrillapp.com / mcsv.net / ROCKET SCIENCE GROUP are all MailChimp aliases).
List of delivery IPs here: https://mailchimp.com/about/ips/
I've been getting them: 10 in the past month
Likewise. In my case it's pretty easy to detect them - they all appear to be going to a webmaster@ address on one of my domains. And the only email that ever gets is spam so it's pretty much all being sinkholed.
What little gets past the various RBL/anti-virus scans on my firewall anyway.
The reason people have to resort to commercial mail services is because of the cartel that has a stranglehold on mail delivery. This might make domain operators start to treat all mail equally again and stop outright blocking mail based on out of date blacklists of other spurious methods.
My spam filtering is done by looking at the contents of the body and assigning a score to particular words. You can assign postive or negative scores for particular words and anything passing particular thresholds gets quarantined or deleted in the software i'm using.
The word "unsubscribe" has a very hefty positive figure on it which is only surmountable if it contains a lot of industry specific words.
Any executable files (exe, bat, vbs, etc) gets arbatarily deleted at the firewall as does any zip files containing any of the previously mentioned file types. Anything containing Macros is quarantined and marked as suspicious.*
Unsurprisingly, while all of our normal transactional mail arrives at it's destination unhindered very little spam or virus laden shit makes it to the end users.
* We're an office that should only receive word, excel and PDF files normally and so can afford to be picky. We're also a really, really big target for scammers due to holding lots of money in the bank so need to be rather more careful than average.
Unfortunately, "unsubscribe" and the referring "x-unsubscribe-address" header are not only easy to forge but even easier to misuse as address verificators. So you can bet on them showing up in anything you've never subscribed to. (You probably have after trying to unscrubscribe, of course... :( )
referring "x-unsubscribe-address" header are not only easy to forge
Pretty much *any* SMTP header is pretty trivial to forge - even if only by copying it from a legitimate email. The only reliable ones are ones added by *your* system.
And even those can be forged.
The problem with tagging 'usubscribe' as a word in possible spam message is that Usubscribe is required legally by all firms operating in Canada. (Might be the case in USA, too.)
Depends what you want to block. "Unsubscribe" means it's sent from a mailing list, and is therefore not a business email targeted to some specific user at my company. Then again, real spammers don't have "Unsubscribe" links.
Then again, real spammers don't have "Unsubscribe" links
Au contraire - some real spammers (what we used to call UCE) do as a way of checking that the SMTP address is real. If someone follows an unsubscribe link from your email you know (pretty much) that it's a real email address. And, as such, it's worth more to other spamming scum.
"Tainted messages sent through the MailChimp network are a particular problem because they will pass authentication checks."
Like hell they do. We block everything Mailchimp. We fired the last sales exec that tried to use them to circulate promotional email, and we consider any of our customer data shared with Mailchimp to be a breach under GDPR.
Mailchimp needs to die with as much noise as possible so the spam slinging retards in sales and marketing finally get the message.
Authentication Checks may mean checks of links in mail.
Mailchimp changes many links to point to list-manage.com, so real link is not visible. Enter zero-day links.
http://mainsleaze.spambouncer.org/october-2017-in-spamtraps-esps/
Be careful - Rocky Science Group do have some transactional customers, not just rump of Mandrill.
Exactly my experience. Mailchimp, mcsv and their countless aliases seem to have been sending out their customers' (unsolicitated) "newsletters" without any checks on legitimation for years. Honestly, I've hardly ever seen any legit mail from them going through or MXs - but tons of spam and a significant number of scamming attempts.
I've recently resorted to giving mailchimp originated messages a bit of an extra score in the spam filtering system. They get a higher score if it's from mailchimp and has the reply-to set to gmail, outlook.com, etc
There have been a couple of FPs but nothing compared to the number of messages flagged.
“It is unclear how spammers managed to gain access to MailChimp's systems"
Really? I thought it was perfectly clear. I regard MailChimp and those like them as spammers.
Come May I'll be making it clear to anyone I do business and who shows signs of thinking otherwise with that they do not have my permission to send any of my personal information, namely by email address, to MailChimp or any of the rest of the spamming industry.
Do as I did, years ago. Tell MailChimp to blacklist my email addresses from their system. This stops 3rd parties who've brought my email address from spamming me. And it works.
I also occasionally try to put my email address on mailing lists and they get rejected from MailChimp.
Depends what you want to block. "Unsubscribe" means it's sent from a mailing list, and is therefore not a business email targeted to some specific user at my company. Then again, real spammers don't have "Unsubscribe" links.
actually in Canada, all companies are supposed to have unsubscribe links in all email originiating from a business regardless of its content like (hey, want to go for lunch).
"Unsubscribe" means it's sent from a mailing list, and is therefore not a business email targeted to some specific user at my company
This is utterly wrong. One of my old email aliases was used to sign up for an IT conference. Since then I've had tons and tons of UCE ("unsolicited Commercial Email) sent to that address. Almost all of those UCE emails have an unsubscribe link (for all the good that does). And I very, very definately didn't consent to that alias being used for anything other than emails related to that specific conference but it got sold anyway.
Eventually I got that alias dropped and my spam level fell by 90%.
It worked really well for a small charity group to run a self managing mailing list.
I am open to an alternative with similar functionality. The real issue seems to be a lack of security combined with a lack of virus scanning. So they need to clean their act up before another system takes their market. There is an obvious need.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
