Summary: Sendsys Spam

From: MacDonell, Dennis <DennisMacDonell_at_auslig.gov.au>
Date: Mon, 07 Sep 1998 12:55:26 +1000

Hi all,

There has been some interest in this problem, and I am afraid I haven't had
enough time to look into nn to find out what exactly I can do or can't do.
But I'm sure you will find something in this lot of messages that will set
you on the right track. I would like to thank all those who replied with
solutions, and all those who enquired as to the results of the query.

The original question:
We experienced some sort of "news sendsys" spam on Friday night. I was
wondering how and/or what the rest of the community did about these
things.

And here are the replies:

(1) That's the result of a bunch of news.admin.net-abuse.* terrorists who,
after realizing that their cancelwar was going nowhere, took to issuing
supersedes of all posts in those groups; in a rather hapless attempt
to mailbomb the victims, those supersedes contained a Control: sendsys
header. (Sendsys was originally used to make Usenet maps, but it's now
mostly useless. Sites responding to sendsys requests are considered to
be poorly configured.)

If the problem is that your users (or yourself) are *receiving* a bunch
of sendsys messages (as a result of posting or crossposting to a targeted
newsgroup), your best defense is to procmail them out. I've been hit here,
and it hasn't amounted to more than a trickle.

If the problem is that your news server is *sending* them, then you'll
want to tell it to drop all sendsys requests.

Hope this helps,

  Rich
rich_at_alcor.concordia.ca

(2) We ran into that and set our control.ctl file to just drop
them. Later I read some posts about it in the news.software.nntp
newsgroup and saw that that was indeed the consensus on how to handle
it. The sendsys messages are a holdover from when uucp was much more
prevalent on networks than it is today. I believe (knowledge getting
foggy here) that there were some uucp applications that used sendsys to
discover a local news setup when it was needed.

Ann Cantelow
cantelow_at_athena.csdco.com

(3) Your best bet is to disable processing sendsys messages in the
appropriate config file.

Lance A Brown
brown9_at_niehs.nih.gov

(4) We have been receiving 1000s of sendsys spam for the past few weeks. I
commented the mail ACTION in our INN site/sendsys script, we already
don't automatically process sendsys...

NOTES:
. modify samples/sendsys (disable mail ACTION)
. cp -p samples/sendsys site
. cd site
. make install
. /usr/local/news/bin/ctlinnd reload all "new sendsys"

CODE:
----------------------------
BLAH BLAH
SUBJECT="Sendsys reply from `innconfval pathhost`"
case ${ACTION} in
mail)
    ### Comment out email due to 1000s of bogus sendsys requests. rjackson 8/24/98
    ### export FROM MAILCMD SUBJECT ARTICLE
    ### (
    ###     echo "${FROM} posted a sendsys requesting your newsfeeds file."
    ###     echo ''
    ###     echo 'To reply, do the following:'
    ###     echo "    ${MAILCMD} -s \"${SUBJECT}\" ${FROM} <${NEWSFEEDS}"
    ###     echo ''
    ###     echo 'The full article was:'
    ###     cat ${ARTICLE}
    ### ) | sed -e 's/^~/~~/' | ${MAILCMD} -s "sendsys by ${FROM}" ${NEWSMASTER}
    ;;
logit)
    ${WRITELOG} ${LOGFILE} "sendsys by ${FROM}; reply skipped" <${ARTICLE}
    ;;
BLAH BLAH
----------------------------

-- 
Regards,
Richard Jackson
rjackson_at_portal.gmu.edu

(5) It's happening in the US as well. :-(  I got back from vacation last
week to discover that someone had been using my system (among others)
to send the things.  I've removed sendsys from my news software, so
it's not going anywhere, but I'm still seeing error messages that
indicate that they're still trying.  My log files aren't showing
anything abnormal, so I can only assume that some outside party is
either posting it via one of the systems I normally get news feeds
from, or is spoofing them to put it into my NNTP queue.  Unfortunately
I haven't found anything to suggest where it's coming from.  If I had,
I'd start by contacting the sys admin people at the system where it
originates.

Kathryn Smith
KSMITH_at_LL.MIT.EDU

(6) I long ago disabled processing of such messages.

Anthony Talltree
aad_at_nw.verio.net

(7) We were both victim and conduit of the sendsys SPAM.  On Friday, August 14
I saw numerous syslog messages on our news server caused by being out of
process slots.  Investigating, I found my machine clogged with invocations
of sendmail caused by receiving sendsys control messages from parts unknown,
and the sendsys output was being sent to numerous e-mail addresses.  I
opened a ticket with our network service provider, but he wasn't able
to help with determining the source of the sendsys (he wanted to do
traces at the IP level in the router, which is not helpful).

So, I disabled sendsys processing on my machine by renaming the file
NEWSPATH/bin/control/sendsys to something else.  This eliminated the ability
of the perpetrator to use my machine to send the SPAM to his victims.  I also
disabled some code in parsecontrol to prevent my news admin account
from receiving e-mail telling me that the sendsys command was invalid.

The following Tuesday, August 18, I received several reports that someone
on my machine was initiating sendsys commands.  I found that the IP address
38.11.197.220 was the originator of the attack and opened a ticket with
psi.net to have the perpetrator shot down.  We let him stay on long enough
to determine that he was using the normal NNTP POST procedure to inject the
control messages into the net.  I put temporary nnrp.access restrictions on
the IP address blocks in Dallas and Ft. Worth, TX where he was originating,
and modified the source for INN inews.c and nnrpd post.c to prevent the
processing of messages containing the Control: header, the Supersedes:
header, and any Subject line beginning with the string "cmsg".  (The
same guy was attacking net-abuse newsgroups by using the Supersedes: header
to replace the content of postings he didn't like.)  This appears to be
effective for blocking the initiation of the attack.

Peter Olson
PETER_at_delphi.com
------------------------------------------------
Dennis Macdonell           |
Systems Administrator      |
AUSLIG                     | "Any idiot can face 
em: mcdonell_at_auslig.gov.au | a crisis - its this 
ph:  02 6201 4326          | day-to-day living
fax: 02 6201 4377          | that wears you out"
------------------------------------------------
Received on Mon Sep 07 1998 - 02:56:43 NZST
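A worked version of the two defences the replies above converge on, added here as an example; it is not code from the thread, from INN, or from any of the respondents. The posting-side check is the one Peter Olson describes in (7) for inews.c and nnrpd post.c (refuse articles carrying a Control: header, a Supersedes: header, or a Subject beginning with "cmsg"); the peer-side decision is the control.ctl-style choice replies (2), (3) and (4) describe (drop sendsys instead of answering it). The sample articles are constructed, the function names are this example's own, and the default policy table (drop sendsys, senduuname and version, log every other verb) is an assumption about sensible settings, not a value the thread specifies.

```python
"""Header checks for Usenet articles, modelled on the thread's defences:
refuse Control:/Supersedes:/"cmsg" articles at posting time (reply 7) and
drop sendsys control messages arriving from peers (replies 2, 3, 4)."""

# Constructed sample articles, not taken from the thread.
SAMPLE_POST = (
    "From: user@example.invalid\n"
    "Newsgroups: comp.misc\n"
    "Subject: Question about\n"
    " nn configuration\n"          # folded continuation line
    "Message-ID: <post-1@example.invalid>\n"
    "\n"
    "Body text.\n"
)

# Shape of the attack in reply (1): Supersedes: plus Control: sendsys.
SAMPLE_ATTACK = (
    "From: attacker@example.invalid\n"
    "Newsgroups: news.admin.net-abuse.usenet\n"
    "Subject: cmsg sendsys\n"
    "Supersedes: <victim-post@example.invalid>\n"
    "Control: sendsys\n"
    "Message-ID: <attack-1@example.invalid>\n"
    "\n"
    "ignored\n"
)

# Legacy form (RFC 1036): "Subject: cmsg <verb>" with no Control: header.
SAMPLE_LEGACY_CMSG = (
    "From: attacker@example.invalid\n"
    "Newsgroups: misc.test\n"
    "Subject: cmsg sendsys\n"
    "Message-ID: <attack-2@example.invalid>\n"
    "\n"
)


def parse_headers(article):
    """Return {lowercased name: value} for the header block.

    Folded headers (continuation lines start with whitespace) are joined;
    parsing stops at the first blank line so body text can never be taken
    for a header.  A header line without a colon raises ValueError.
    """
    headers, last = {}, None
    for line in article.split("\n"):
        if line == "":
            break
        if line[0] in " \t":
            if last is None:
                raise ValueError("continuation line before any header")
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def posting_policy(article):
    """(accepted, reason) for a locally submitted article: the three checks
    reply (7) describes adding to inews.c and nnrpd post.c."""
    try:
        h = parse_headers(article)
    except ValueError as exc:
        return False, str(exc)
    if "control" in h:
        return False, "Control: header not accepted from posters"
    if "supersedes" in h:
        return False, "Supersedes: header not accepted from posters"
    if h.get("subject", "").lower().startswith("cmsg"):
        return False, 'Subject begins with "cmsg"'
    return True, "ok"


# Illustrative control.ctl-style table (this example's own policy): the
# verbs that would mail site details to an address chosen by the poster
# are dropped; anything else is only logged.
DEFAULT_CONTROL_POLICY = {"sendsys": "drop", "senduuname": "drop", "version": "drop"}


def control_action(article, policy=DEFAULT_CONTROL_POLICY):
    """None if the article is not a control message, otherwise the policy's
    action for its verb ("log" for verbs the policy does not list).
    The Control: header wins; the legacy "cmsg" Subject is the fallback."""
    h = parse_headers(article)
    text = h.get("control")
    if text is None:
        subject = h.get("subject", "")
        if not subject.lower().startswith("cmsg "):
            return None
        text = subject[5:]
    words = text.split()
    if not words:
        return "log"          # empty verb: treat as an unknown control message
    return policy.get(words[0].lower(), "log")


if __name__ == "__main__":
    for name, art in (("post", SAMPLE_POST), ("attack", SAMPLE_ATTACK),
                      ("legacy", SAMPLE_LEGACY_CMSG)):
        print("%-7s post=%s peer=%s" % (name, posting_policy(art), control_action(art)))
```

The two functions are deliberately separate: posting_policy() belongs at the point where local users inject articles (it stops a site from being the conduit, which is what (7) describes), while control_action() belongs where articles arrive from peers (it stops the site from replying to a sendsys, which is what the control.ctl change in (2) and the disabled mail ACTION in (4) achieve). Disabling only one of them leaves the other half of the problem open.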
