Date: Fri, 6 Feb 1998 11:09:16 -0800 (PST)
From: David Babler <dbabler@Rigel.orionsys.com>
To: "Darrin R. Woods" <dwoods@netgazer.com>
Cc: isp@FreeBSD.ORG
Subject: Re: spammer problem - help!
Message-ID: <Pine.BSF.3.96.980206100358.11157D-100000@Rigel.orionsys.com>
In-Reply-To: <3.0.32.19980206093450.006933b0@netgazer.net>
On Fri, 6 Feb 1998, Darrin R. Woods wrote:

> I have had a problem over the last month or so of someone using our
> mailer-daemon to send spam email to myself as well as users on our net.
>
> My sendmail is running on freebsd and I've applied all of the spammer
> patches that I can find. I've even added the hostname in the spammer db
> file but our system still accepts mail from him.

Easiest block is on the domain 't-1net.com' - they are 100% spam and sell spam software and lists. The general place this check is made is in Claus Assmann's 'check_mail' rule. However, since they are widely known (and blocked, and their domain name is currently 'on hold' from the InterNIC), they simply hijack mail servers around the web - as they did here with the Stafford, Texas UU.net account. Complain to abuse@UU.net (might work, but don't hold your breath). Blocking the envelope's claimed domain, not the relay's IP or resolved name, might work until they change it (since it is forged anyway). The claimed envelope address is what is sent to the check_mail rule. How are you using your 'spammer db'?

> How can I keep this guy and others from forging mail and making it look as
> though it is coming from my mailer-daemon?

If you've applied the normal anti-relaying rules they can only send to *your* domain (and that's confirmed by my tests - see http://maps.vix.com/ar-test.html for a quick check on relay hijacking vulnerability), so they're just spamming you; at least they aren't spamming the whole planet *through* you. If you've picked up the specific IP blocking rules (highly recommended), then you could also just block the specific dialup, though unless it's dedicated I'd expect to see a different IP each time.

-Dave
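The two decision points Dave's reply leans on, check_mail (which sees only the claimed envelope sender) and the anti-relaying check_rcpt (which decides per recipient based on who is connecting), are easier to reason about on concrete input. The following is an added example, not code from this thread and not sendmail's own rulesets: a small Python model of both checks. The local domain, the trusted network and the client addresses are assumed or constructed (TEST-NET ranges); the only value taken from the message is the blocked domain t-1net.com.

```python
"""Model of the two sendmail checks discussed in the thread (added example).

  check_mail  - sees only the CLAIMED envelope sender (MAIL FROM), which the
                client chooses; a domain block works until the forger picks
                a new one.
  check_rcpt  - anti-relaying: mail for the local domain is accepted from
                anyone (which is why the spam still arrives), mail for other
                domains only from trusted clients.
"""
import ipaddress

BLOCKED_SENDER_DOMAINS = {"t-1net.com"}             # from the message
LOCAL_DOMAINS = {"netgazer.com"}                     # assumed: the site's own domain
RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: clients allowed to relay


def domain_of(addr):
    """Return the lowercase domain of an envelope address such as
    '<user@host.example>'; '' for the null sender '<>' or a bare local part."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_mail(mail_from):
    """Reject when the claimed sender domain is, or is under, a blocked
    domain. Returns an (SMTP code, text) pair."""
    d = domain_of(mail_from)
    for blocked in BLOCKED_SENDER_DOMAINS:
        if d == blocked or d.endswith("." + blocked):
            return 550, "sender domain %s rejected" % d
    return 250, "sender ok"


def check_rcpt(rcpt_to, client_ip):
    """Local recipients are always accepted; remote recipients only when the
    connecting client is inside one of RELAY_NETS."""
    d = domain_of(rcpt_to)
    if d in LOCAL_DOMAINS:
        return 250, "recipient ok (local delivery)"
    if any(ipaddress.ip_address(client_ip) in net for net in RELAY_NETS):
        return 250, "recipient ok (relaying for trusted client)"
    return 550, "relaying denied to %s" % d


def evaluate_envelope(client_ip, mail_from, rcpts):
    """Run the checks in SMTP order: a rejected MAIL FROM ends the
    transaction before any RCPT TO is evaluated."""
    code, text = check_mail(mail_from)
    result = {"mail_from": (code, text), "rcpts": {}}
    if code == 250:
        result["rcpts"] = {r: check_rcpt(r, client_ip) for r in rcpts}
    return result


# Constructed sessions on TEST-NET addresses, not captured traffic.
SESSIONS = [
    # untrusted dialup claiming the blocked domain: stopped at MAIL FROM
    ("203.0.113.9", "<bulk@t-1net.com>", ["<dwoods@netgazer.com>"]),
    # same client forging the site's own MAILER-DAEMON: passes check_mail,
    # reaches local users, but cannot relay to third parties
    ("203.0.113.9", "<MAILER-DAEMON@netgazer.com>",
     ["<dwoods@netgazer.com>", "<victim@example.org>"]),
    # trusted LAN client sending out to the world: relaying allowed
    ("192.0.2.5", "<dwoods@netgazer.com>", ["<friend@example.org>"]),
]

if __name__ == "__main__":
    for ip, sender, rcpts in SESSIONS:
        print(ip, sender, evaluate_envelope(ip, sender, rcpts))
```

The second session is the situation in the thread: a forged MAILER-DAEMON sender sails through check_mail because nothing about the claimed address is verifiable, while the anti-relaying rule still confines the damage to the local domain. Matching the blocked domain by suffix rather than equality also catches subdomains (`mail.t-1net.com`), which a plain hostname entry in a block file would miss.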