Posts by AustinTX

Mailgun has even bigger problems

Recapping what I wrote here on El Reg a week or so ago is the problem I had with Mailgun SMTP, a freemium email relay service:

Your account is associated with one of Mailgun's SMTP relay servers when you sign up. Many other Mailgun customers share that server with you. Your local SMTP server relays all outgoing email to Mailgun's server, and typically, all of your incoming email comes from the relay too. If your email traffic starts getting blackholed, you can ask Mailgun's staff to switch you to another at random, which may have a better reputation than the one you had.

If you are a spammer looking to avoid being identified and trick others into paying for your deliveries, you just need to find domains which are served by Mailgun SMTP relay servers. Probably, you'll harvest this from header information in other email traffic you're collecting. Another possibility is spamming many domains with "Delivery Status Notification" turned on and looking to see if Mailgun servers convey the response. I'm not really sure. If you sign up for a bunch of Mailgun accounts, request switches, ect., you'll likely manage to acquire accounts with one of each SMTP servers which they offer. Then, all you need to do is send a payload of spam FROM one of your accounts that shares the SMTP relay server with this victim TO their local SMTP server, addressed to various addresses from your spamming list.

Since email servers like Postfix, treat an SMTP relay/gateway as a trusted peer on the local network, it does not consider email which is injected this way to be relay mail. It treats it with the same trust as your workstation or whichever local machine you send your email from. The victim's SMTP server re-sends the spam email back OUT through Mailgun under it's own reputation and quota. It skips local spam filters because since when do you scan "outgoing" email submitted by a trusted peer for spam? And so the spammer uses up your 10K free quota, and then your paid quota if you have one. It doesn't require your victim's login credentials, as Mailgun has given you your own. And, if there's any way to stop this exploit in configuration, I don't know what that is. If you take the SMTP relay server off your Postfix "local networks" list, then while it won't accept mail from there, nor will it send there any more either.

I provided Mailgun staff with every detail I had, log entries, copies of the spammer's incoming emails (which the spammer had stuffed with as many to: cc: and bcc: addresses as possible), but they pigheadedly refused to understand. I was scolded for running an open relay and they said there was no indication one of their other customers was doing anything. Oh, please! The emails I'd captured had all the headers and session data. I get the feeling one of their staff is dirty and exploiting customers who rarely use up their monthly quotas.

My workaround is to block incoming email from Mailgun, at our firewall. Our MX configuration now advertises our cable modem IP address for directly incoming email traffic. Also, Delivery Status Notification has been disabled, though that means legitimate folks won't get address bounce messages.

So Tone Deaf

Chrome User: "You're grabbing our credentials and logging us into your previously-optional services without our consent or control! The only indication is an easily-overlooked color change to the "user" icon in the corner!"

Google: "What? Yes! You're welcome! We care deeply about our users and their safety, so we made a visible indicator that you were still logged in, in case you were sharing your device with someone else. Now they can log you out and then log themselves in separately! Keeping their browsing history separate from yours, and thus more accurate."

Joys of Using 3rd Party SMTP Server

I use Mailgun for some community/volunteer organizations. We can send enough emails free for our purposes (newsletter, forum activity) or pay very little for a few additional thousands now and then.

When you sign up for Mailgun's services, you are assigned one of their half-dozen or so SMTP servers. We use Mailgun only to send out email, and not to receive it, but we are still tied to a fixed SMTP server at a particular IP address, as it is the one we must send out through. Since it is our "relay" or "gateway" address, Postfix considers that IP to be a "trusted" peer "within our network", but worse, it is treated as "trusted" mail which does not get filtered. Email is still received from that address, which is normal because most customers use it for mail both ways.

The problem is that we share that SMTP server with many other Mailgun users, and some of those other users are spammers.

Imagine my joy upon finding one day that the server was spooling a enormous amount of email, OUTGOING email, and none at all was being delivered... We had used up our free 10k ration at Mailgun somehow, which was refusing to deliver for the rest of the month!

I tracked the problem down to a small number of incoming emails, each with hundreds of "To:" recipients coming FROM mailgun, through our system, and then going back out through Mailgun, but thereby using our allotment and reputation.

I don't know how the spammers matched our domain with that particular SMTP server, but it probably isn't too hard for spammers to apply for multiple accounts on Mailgun until they have one with each of the available servers. Then, they just work through a long list of domain names until they find one which accepts relay. I could do the very same, and masquerade as any other Mailgun users if I shared their SMTP gateway. Using the email deliveries they were paying for after i'd burned through their free quota. I just need to know which SMTP gateway they were assigned, and exploit it. Anyone could grep their own server logs for email coming from Mailgun and collect a valid domain and SMTP gateway. It's practically a password to use someone else's account!

Sadly, Mailgun Support was no help, and blamed ME for the loophole. They wouldn't even investigate whom among their other users was sending spam through me, which should be a trivial task. They essentially defended the spammer and scolded me for running an open relay. But it's not an open relay. My local SMTP server rejects relay and blacklist email all day long. But it just CAN'T reject email from that particular Mailgun SMTP server, by design of Postfix!

I never found any proper solution to configuring Postfix, and had to resort to a firewall rule blocking all incoming traffic from our own SMTP relay server. We continue to accept email directly from the senders (except for China, Russia and all the other squirrely sources that hit our local blocklists).

Never!

IPv6 is all who-knows-how it works all-behind-the-scenes and I have no way of knowing if a hostile entity is punching straight through my firewalls or even re-routing my traffic because he knows the IPv6 secrets and my stupid SOHO router merely "supports" it.

A few important details left out

And at what power level is the most concentrated radio waves? Minute fractions of a microvolt? Oh My! They could power their whole civilization with that!

Let's call him Jacob, for no particular reason...

I was part of a team replacing Dell motherboards for that lovely swollen capacitor issue which they denied for another decade. One member was in such a hurry to be free for lunch that he crammed the CPU into the socket and slapped down the restraint without bothering to match the pins properly. It wouldn't close properly so he opened it up again (we were all standing there, waiting for him), observed all of the squashed pins, said in his nonchalant professor expert voice "Hmmmm, how did that happen?!". He didn't come back after that day.

Life Aboard A Colony

I don't think there's anything improbable about a colony ship heading out for a multi-generation trip to another star. In the event that we can build such self-contained colonies in the future, it will come after we've fully matured the technology of inhabiting ones orbiting here within the solar system. Thousands, or millions of them. People living inside will already be accustomed to spending their whole lives inside one colony, just as people still grow up, age and die without ever leaving their county or shire. Sustainability will be the way of life for everyone. It won't change their lives much if the colony is orbiting Earth, Mars, among the asteroids or coasting through interstellar space.

However, no-one is going to be traveling inside a big lump of raw rock. Imagine the energy required to move such inert mass, and consider that it's probably just a big pile of loose rubble. A mountain of unprocessed asteroid rock is just a waste. Instead, spacecraft colonies will protect themselves inside a shell of already-processed and refined resources, and lots and lots of water ice. Every bit of that will be useful to maintaining life and propulsion.

He didn't make 28K pirate copies. He merely infringed trademark.

Another lesson in how the law is not the same as right, fair or moral...

Since the program is provided free of charge, M$'s $25 fee is for duplication and shipping of that free software on a CD. It only works by burning it onto a boot CD. You can pay them to make you a disc, make your own disc, or you can have the kid next door to do it for you. Or anyone else.

Making the discs seem official was a dumb move though. And it seems more like they should have calculated his time based on how much he profited from the discs ($0). Or how much M$ provably "lost" in sales rather than assuming the maximum physically possible. [That's kind of funny, actually, assuming that all of the discs would surely be used. Not a good endorsement of M$... :D ]

I'm sure it comes down to the construction of the law, BUT I take a dim view of letting "victims" declare damages without providing any proof.

On the other hand, I wonder if the judge did him a favor charging him with $700k of pirate software instead of 28k instances of trademark infringement?

Illuminati Online

I worked for this semi-famous ISP, io.com, launched with money won from a lawsuit against the U.S. government. Their parent company's equipment had been seized and wrecked, based on a false claim that they were training hackers. It was just a role playing game, ya know. You rolled your dice to see if you'd "hacked" the "mainframe", etc.

Their mail cluster wasn't up to snuff and stopped delivering throughout the business day. Nothing but angry customer calls and our lies to them about "nothing we see on our end". Similar problem with newsgroups, which they gave up hosting in-house and outsourced. Their servers and fileshares weren't really set up with reasonable permissions, and you could literally telnet in, without a password, and browse customer's files. This even continued for some years after they had supposedly "hardened" so they could offer network security. Those servers were just a bunch of middling Pentium machines in cheap beige plastic cases sitting on shelves. The original modem pool was literally a bunch of 14.4 modems on a rack.

The above is an abbreviated account, you can visit this archival copy of their old website at io.fondoo.net if you like. Lots of pics!

Just give everyone free opt-out anonymity service.

This has been suggested before and I think it's the best solution. Flip everyone's contact details to anonymized, with the option to switch it off.

Ransomware which sets up LAMP servers?

I can't fathom how spreadsheets from someone's workstation drive ended up in a public-accessible web folder on a server. Unless the company used a central server and web interfaces for it's document storage? Or perhaps the visible documents were placed there by extortionists to prove that they'd hacked their network and were rummaging around... ?

Whoopsy Daisy

OK then, FINE. I *may* have brought down a big U-shaped robotic tape storage vault by feeding it a cassette which I'd just dropped on the floor. In all fairness, no-one actually told me why the vault had to be shut off the next day so someone could go inside and cut out a wad of tape which was jamming one of the readers.

Internet Of Spying Devices

See, I understand the part where Ring and other IoT device hawkers spy on their customers to produce statistics to sell to other, more shadowy players.

What I don't abide in is how they lobotomized their devices so thoroughly that they don't merely send stats from the devices - the devices have to send out a signal and receive instructions from the server on how to ring the bell. That's pathetic!

Using generic Chinese Foscam clones

I have their internet access cut off at the router so they can't call out or be reached from outside. Likewise, all of my embedded/IOT-like things are restricted to communicating with specific IP addresses on the LAN. Namely, my workstation and my web server where I run ZoneMinder to record activity.

The assumption that it's matter

Note that all they know is that these are regions which exhibit naked gravity without detectable source. Since matter is associated with gravity, they call it "dark matter". It's just as likely that it's something that gravity does on it's own. My own pet theory is that it's a displaced gravity field caused by the matter pulled into black holes.

Google no longer lists my business either

Despite having a google+ site and getting JUNK MAIL from google addressed to my business, they took my business location off of the map and it's a struggle to "trick" google into getting it to come up in search. There was one month that I kept getting phone calls from various people pretending to be customers who would chat a bit about my services and then ask if it was a home business or not... and then abruptly hang up on me. Google has also told me to "just create a new google+ page and re-list my business". Yeah, but I can't use my current business name then, idiots. Who's going to do business with "Linden Consulting2"?

Unique packet patterns

Live iplayer streams could be made identifiable by manipulating packet lengths. They would initially be set at a particular, unusual length. After a set interval, they would change to another. And another. It would be a unique pattern like a serial number. One even could sniff encrypted packets and simply measure them by size and note the pattern. This would tell the spy exactly what program was being watched.

I'd go with the Ethernet option, but the Faraday cage works, too. One might be able to confuse the spy by playing two separate iplayer streams at the same time.