Date: Fri, 31 Mar 2000 18:18:35 -0800 (PST)
From: David Babler <dbabler@Rigel.orionsys.com>
To: Robert Hough <rch@qserve.net>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Spam
Message-ID: <Pine.BSF.4.21.0003311801430.3164-100000@Rigel.orionsys.com>
In-Reply-To: <4.2.0.58.20000331144400.00c669a0@qserve.net>
On Fri, 31 Mar 2000, Robert Hough wrote:

> I'm trying to figure out how to stop some spam from hitting my site, and
> have yet to figure it out. From the looks of things, it's like the spam
> generator being used is basically hitting a mass bulk of my users in an
> alphabetic approach.

It's usually called a dictionary attack if they're just guessing names and is pretty inefficient (but hey, the contact is probably a raped Open Relay anyway, so what does the spammer care?). If the spammed addresses *are* real, then the list of recipients came either from one of those "5,000,000 Fresh Email Address" CD-ROMs or possibly a previous scan (connect to your sendmail and issue thousands of guessed VRFY usernames if you have that enabled).

As to how to stop them, there's a couple of ways. One is to keep on top of your logs and when you see this start, ban the connecting IP either with an entry in sendmail's access database or in your firewall rules. The various realtime blackhole lists, vix.com, mail-abuse.org, orbs.org and so on can be used if the attacker is a known spam source or open relay, but that often takes a day or so to get new ones listed.

> Any help would be appreciated in this matter, as this is getting really
> annoying, and I'm not sure what the deal is. We are running sendmail 8.9.3
> currently, and yes, an upgrade is on my todo list.

Sendmail 8.9.3 is perfectly capable of blocking this sort of thing using the access database feature or custom rules. You're also running sendmail 8.9.1 and 8.9.2 on your other mail hosts - sure they didn't relay the spam through one of your secondary hosts?

-Dave
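The log-watching approach described in the message above, as an added example that is not part of the original e-mail: it counts "User unknown" rejections per connecting relay and emits `REJECT` lines for sendmail's access database. The log lines are constructed, and the assumed layout (rejections and the `relay=` line sharing a queue id) and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original message). Assumed layout:
# each rejected recipient and the connecting relay are logged under one queue id.
SAMPLE_LOG = """\
Mar 31 14:02:10 mail sendmail[411]: OAA00411: <aaron@example.net>... User unknown
Mar 31 14:02:10 mail sendmail[411]: OAA00411: <abby@example.net>... User unknown
Mar 31 14:02:11 mail sendmail[411]: OAA00411: <abe@example.net>... User unknown
Mar 31 14:02:11 mail sendmail[411]: OAA00411: <adam@example.net>... User unknown
Mar 31 14:02:12 mail sendmail[411]: OAA00411: from=<x@example.org>, size=0, nrcpts=0, relay=relay.example.org [192.0.2.10]
Mar 31 14:05:40 mail sendmail[415]: OAA00415: <bobb@example.net>... User unknown
Mar 31 14:05:41 mail sendmail[415]: OAA00415: from=<friend@example.com>, size=812, nrcpts=1, relay=mx.example.com [198.51.100.7]
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
UNKNOWN = re.compile(r"<(?P<rcpt>[^>]+)>\.\.\. User unknown")
RELAY = re.compile(r"relay=.*\[(?P<ip>[0-9.]+)\]")

def find_dictionary_sources(log_text, threshold=3):
    """Map relay IP -> sorted unknown recipients, for IPs with >= threshold of them."""
    rejected = defaultdict(set)   # queue id -> recipients rejected as unknown
    relay_of = {}                 # queue id -> connecting IP
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        u = UNKNOWN.match(rest)
        r = RELAY.search(rest)
        if u:
            rejected[qid].add(u.group("rcpt"))
        elif r:
            relay_of[qid] = r.group("ip")
    per_ip = defaultdict(set)     # merge sessions from the same relay
    for qid, rcpts in rejected.items():
        if qid in relay_of:       # skip sessions whose relay line was not seen
            per_ip[relay_of[qid]] |= rcpts
    return {ip: sorted(r) for ip, r in per_ip.items() if len(r) >= threshold}

def access_entries(sources):
    """Format flagged IPs as access database lines (key, tab, REJECT)."""
    return [f"{ip}\tREJECT" for ip in sorted(sources)]

if __name__ == "__main__":
    print("\n".join(access_entries(find_dictionary_sources(SAMPLE_LOG))))
```

The emitted lines only take effect once they are added to the access map source and the map is rebuilt with `makemap`.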
