[lug] semi-related: advice on making The Call?

D. Stimits stimits at idcomm.com
Thu Jun 13 16:01:08 MDT 2002


I find it an interesting topic, and it will probably become a more
common topic in the future. It would be interesting to follow this as it
unfolds.

D. Stimits, stimits at idcomm.com

Bear Giles wrote:
> 
> Semi-related to tonight's topic, I've been having to make a large
> number of The Calls today - "Hey ******, why are you sending out
> spam with my domain name?!"  The response has been predictable:
> 
> First stage of denial:
> 
>   we don't send out mail for insurance quotes,
>   credit card processing, etc.
> 
> Second stage of denial:
> 
>   we aren't an open relay (whispered to someone else: "what's
>   an 'open relay'?"), usually combined with "why do you want
>   a non-work email account to forward the 'bounce message'?"
> 
> Third stage of denial:
> 
>   We'll have our Exchange guy look at it,
> 
> then finally a sheepish "it's been fixed now."  Yeah, right.  I'm
> sure the people who left the open relay in place and don't understand
> why I refuse to send the incriminating evidence to one of their
> possibly compromised accounts (if they've been cracked, not just
> relaying) can fix all of their security holes in a matter of an hour
> or so.  They just needed someone to point out that they should look
> in their own **** logs.
> 
> Yeah, right.  But they're MCSEs so they're the experts.
> 
> I don't want to hijack tonight's meeting, but I'm also at my
> wit's end here.  We all know that we need to have incident response
> plans in place before The Call, but how do you deal with the clueless?
> (E.g., one company just hung up on me after skeptically taking down
> some of the keywords in the headers.  They didn't seem to realize
> that I'm already working with state and federal investigators and
> I need to have a definite response one way or the other - they deny
> the problem exists, they think they closed an open relay or cracked
> system, or they're working with their own investigators and I'll
> share my contact information with those investigators.)
> 
> (Okay, the "working with" is a slight exaggeration, since it's
> mostly forwarding additional information referencing an open
> complaint.  But I don't like seeing my domain name being dragged
> through the mud because some people are too dumb to know they
> have an open relay.)
> 
> Bear
