Network Abuse Information

SMTP Server abuse

Software: GeoList Pro
Author: www.earthonline.com

SPECIAL UPDATE:
03/08/99 GeoList Pro is being pulled from distribution. Details can be
found at EarthOnline's Site. (Use the URL above).
  ------------------------------------------------------------------------
Jump to Updates Usefull Links

Original Posting: 03/03/98

A few words from the authors of the program... (with a few of my comments):

"GeoList Professional, the first of it’s kind in targeted email
verification. The program, created with a internal name list, queries
Internet mail servers to validate for a matching email address. Internet
Service Providers (ISP's), may not have seen this type of email
verification, and may presume it to be bulk email." (maybe because it's an
abusive and a non RFC way of doing it? What happened to using VRFY ?)

"It is important that you realize: Using multi-threaded products like
GeoList to query mail servers across the Internet is not a standard
practice." (looks like they are admitting it is abusive!)

"Most ISP's mistake this activity as sending multiple messages through
their servers." (Maybe this is due to the poor programming?)

"The result of complaints to your ISP usually leads to the loss of your
account. In no way is GeoList Professional relaying any messages through
any servers, it is only validating email addresses which is a standard
feature built into most email servers, but rarely used." (Umm you might
want to re-check the RFC to see the "proper" way to VRFY an email address!)

Then they go on to say that you need to accept the use policy of a few
sites that house email addresses but do not mention that they should abide
by the use policy of the domains they scan.

  ------------------------------------------------------------------------

Here is a break-down of what the program does and some info on how to help
prevent your server from being abused

Effects: Connects to SMTP server and "pretends" to be sending a message. It
uses a dictionary of names to add to a domain to see if it generates an
error. If it does not it "assumes" it is a valid email address.

Signature: The email address it uses when it connects to the SMTP server
was first seen as "savior@savings.com" and has now been seen as
info@savings.com. In a newer version it has been changed to
tandy@whynot.com.

New Problem: In the newer version the makers of the software have "Hard
Coded" over 4200 domains into the program to be used for scanning. This
invites it's users to abuse those 4200+ domains with their poorly written
software.

Example from SMTP log:

02:24 16:22 SMTPD(00360110) [209.86.182.86] MAIL FROM:<info@savings.com>
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<arne@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<arnie@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <arnie@954access.net
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<arnold@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <arnold@954access.net
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<aron@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <aron@954access.net
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<art@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<arthur@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <arthur@954access.net
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<artin@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <artin@954access.net
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<artur@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <artur@954access.net
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<ash@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <ash@954access.net
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<attila@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<aubert@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <aubert@954access.net
02:24 16:22 SMTPD(00360110) [209.86.182.86] RCPT TO:<audrey@954access.net>
02:24 16:22 SMTPD(00360110) [209.86.182.86] ERR 954access.net invalid user <audrey@954access.net

To block these attempts you will need to add the email address listed above
to a kill list to deny email coming from those addresses.

Unknowns: It is unknown if the users have the ability to change those email
addresses used as the MAIL FROM as I have not run the program on any of my
machines (which requires registration). I have a good feeling it is not
changeable. If they do have that ability none of them have been smart
enough to change it yet, and if they don't it would have been alot wiser
for the makers to use their own domain instead of abusing someone else's
domain.(but then again they probably don't want to put up with the
complaints?!)

GeoList Features as quoted from the program help file:

"Geolist has incorporated special anti-blocking measure that will reconnect
your Internet provider when it detects that your current IP address is
being blocked from one of the search engines." (or domains maybe ? I would
consider this abuse features built in. If the IP was being blocked it was
probably for good reason)

"This software is to be used only in a lawful manner in compliance with any
laws, regulations or rules applicable to the user or use of the software.
Applicable laws vary according to country, state, province, territory, city
etc. It is entirely the responsibility of the user to know the applicable
laws pertaining to them. Laws can change. If you are uncertain, please
check with a competent attorney." (what about usage policy's that providers
have set on the use of their equipment? Didn't they design the software to
comply with the laws? If so why hard code over 4200 domains into the
program?)

  ------------------------------------------------------------------------

03/07/99 Preperations are being made to post some usefull links and
information on how to possibly combat this type of attack on SMTP server. I
feel there has been some good discussion in the list-serv regarding this.
There have been other discussions as well and may result in splitting the
list serv into two different subscriptions to make it easier for those
trying to communicate etc.

03/07/99 Many have asked what my motivation was for this site and for
notifying people.

       Basically to inform people of the problem and why it is
       happening. Many people had seen it happening and where
       clueless as to what was causing it. The owner of savings.com
       was taking the brunt of it as many thought it had something
       to do with him.

       In one case (prior to sending the message out) one ISP called
       us to report a user on our system that was trying to relay
       mail through his system with the program. He was unaware that
       in fact it was not trying to relay but instead scanning for
       valid email address (this was learned after contacting the
       user on our system to find out what he was doing). The reason
       that he called us was that the scanning was locking up his
       system and he was continously having to reboot the system so
       that his ISP could continue function.

       I felt this is a very abusive program and that those most
       likely to be affected by it (the domains hard coded into the
       program) should know about it.

       -paul

03/07/99 Many have asked for copies of the program etc. If you do a search
on HotBot or other search engines(I used HotBot) searching for the words
EarthOnline and Geolist will result in many lsitings of "many" sites that
are vendors or distributors of the product. Many of those sites have
downloads available and some of them contain older versions of the program.
I would reccomend this as your best solution for finding a copy of the
program if needed.

03/04/99 It appears they now have a version glp34.exe and the glp33.exe is
no longer available. This new version requires you to enter a email address
instead of using it's default (from what I can tell so far) They have also
encrypted the domain names that are hard coded into the program. (It would
appear they know they have a problem and are now trying to hide it, if not
why encrypt it?)

03/04/99 On 03-03-99 One of the machines I admin was hit with either the
same program or a different program and 75% of the log (which amounted to
20meg) was due to abuse by this program or similar program. The email
address used was random chars @MSN.COM. So either it's a different program
or they are using the new version.

03/04/99 A List_Serv has been setup for those that wish to discuss this
with others that have been abused by this program and others and discuss
ways to prent these attacks or trying to control them etc. To subscribe
send a email message to imailsrv@l8r.com with the following line:

subscribe smtpabuse your_name

Substituting your_name with your name of course.
  ------------------------------------------------------------------------
  Potentially useful links

   * Anti-Spam Recommendations for SMTP MTAs
   * The MAPS Dial-up User List (Formerly the ORCA DUL)
   * The Mail Abuse Prevention System (MAPS)
   * The Open Relay Behavior-modification System (ORBS)
   * The Forum for Responsible & Ethical Email (FREE)
   * The Coalition Against Unsolicited Commercial Email (CAUCE)
   * The Coalition Against Unsolicited Bulk Email (Australia)
   * The EUROCauce

Other Possible Usefull sites

   * http://www.spamfree.org/
   * http://www.abuse.net
   * http://spam.abuse.net

If anyone has links to other sites that would be usefull for others in
finding solutions to this problem and solutions for specific types of Email
Software please let me know.

If you wish to have a link removed please let me know.
  ------------------------------------------------------------------------

If you have any comments or would like additional information posted on
this site or know of similar programs feel free to email them to
prs@l8r.com. Depending on the response and feedback I may expand this site
to include other problem software or other network abuse notices.