From owner-freebsd-isp Fri Mar 31 18:18:45 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from Rigel.orionsys.com (rigel.orionsys.com [205.148.224.9]) by hub.freebsd.org (Postfix) with ESMTP id 59CC837B798 for ; Fri, 31 Mar 2000 18:18:41 -0800 (PST) (envelope-from dbabler@Rigel.orionsys.com)
Received: from localhost (dbabler@localhost) by Rigel.orionsys.com (8.9.3/8.9.3) with ESMTP id SAA51124; Fri, 31 Mar 2000 18:18:36 -0800 (PST) (envelope-from dbabler@Rigel.orionsys.com)
X-Envelope-From: dbabler@Rigel.orionsys.com
X-Envelope-To: freebsd-isp@FreeBSD.ORG
X-Envelope-Host: freebsd.org.
Date: Fri, 31 Mar 2000 18:18:35 -0800 (PST)
From: David Babler
To: Robert Hough
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Spam
In-Reply-To: <4.2.0.58.20000331144400.00c669a0@qserve.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 31 Mar 2000, Robert Hough wrote:

> I'm trying to figure out how to stop some spam from hitting my site, and
> have yet to figure it out. From the looks of things, it's like the spam
> generator being used is basically hitting a mass bulk of my users in an
> alphabetic approach.

It's usually called a dictionary attack if they're just guessing names and is pretty inefficient (but hey, the contact is probably a raped Open Relay anyway, so what does the spammer care?). If the spammed addresses *are* real, then the list of recipients came either from one of those "5,000,000 Fresh Email Address" CD-ROMs or possibly a previous scan (connect to your sendmail and issue thousands of guessed VRFY usernames if you have that enabled).

As to how to stop them, there are a couple of ways. One is to keep on top of your logs and when you see this start, ban the connecting IP either with an entry in sendmail's access database or in your firewall rules.

The various realtime blackhole lists, vix.com, mail-abuse.org, orbs.org and so on can be used if the attacker is a known spam source or open relay, but that often takes a day or so to get new ones listed.

> Any help would be appreciated in this matter, as this is getting really
> annoying, and I'm not sure what the deal is. We are running sendmail 8.9.3
> currently, and yes, an upgrade is on my todo list.

Sendmail 8.9.3 is perfectly capable of blocking this sort of thing using the access database feature or custom rules. You're also running sendmail 8.9.1 and 8.9.2 on your other mail hosts - sure they didn't relay the spam through one of your secondary hosts?

-Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
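The "keep on top of your logs, then ban the connecting IP in the access database or the firewall" advice above, turned into a small script. This is an added example, not code from the original post or from sendmail or FreeBSD: it counts "User unknown" recipient rejections per connecting relay in sendmail syslog output, flags a relay that produces a burst of them (the alphabetical dictionary-attack pattern the poster describes), and emits the matching sendmail access-db lines and FreeBSD ipfw rules. The sample log lines are constructed and only approximate sendmail 8.9 logging; the regular expression, the threshold, the time window, the IP addresses and the ipfw rule numbers are all assumptions to adjust to the local LogLevel and ruleset.

```python
"""Spot dictionary-attack style recipient guessing in sendmail logs and
emit sendmail access-db and ipfw block entries for the offending relays.

Added example, not from the original mailing-list post.  The sample log
lines are constructed and only approximate sendmail 8.9 syslog output
(the exact wording depends on LogLevel and the local rulesets), so the
regular expression below is an assumption that may need tuning."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one relay walks the alphabet (192.0.2.10), one
# legitimate host (198.51.100.5) makes a couple of ordinary typos.
SAMPLE_LOG = """\
Mar 31 18:10:01 mx1 sendmail[51101]: SAA51101: ruleset=check_rcpt, arg1=<aaron@example.net>, relay=[192.0.2.10], reject=550 <aaron@example.net>... User unknown
Mar 31 18:10:02 mx1 sendmail[51101]: SAA51101: ruleset=check_rcpt, arg1=<abbey@example.net>, relay=[192.0.2.10], reject=550 <abbey@example.net>... User unknown
Mar 31 18:10:02 mx1 sendmail[51101]: SAA51101: ruleset=check_rcpt, arg1=<abe@example.net>, relay=[192.0.2.10], reject=550 <abe@example.net>... User unknown
Mar 31 18:10:03 mx1 sendmail[51101]: SAA51101: ruleset=check_rcpt, arg1=<adam@example.net>, relay=[192.0.2.10], reject=550 <adam@example.net>... User unknown
Mar 31 18:10:03 mx1 sendmail[51101]: SAA51101: ruleset=check_rcpt, arg1=<adrian@example.net>, relay=[192.0.2.10], reject=550 <adrian@example.net>... User unknown
Mar 31 18:10:04 mx1 sendmail[51101]: SAA51101: ruleset=check_rcpt, arg1=<alan@example.net>, relay=[192.0.2.10], reject=550 <alan@example.net>... User unknown
Mar 31 18:12:40 mx1 sendmail[51130]: SAA51130: from=<bob@example.org>, size=1532, class=0, pri=31532, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, relay=mail.example.org [198.51.100.5]
Mar 31 18:12:41 mx1 sendmail[51130]: SAA51130: ruleset=check_rcpt, arg1=<carrol@example.net>, relay=mail.example.org [198.51.100.5], reject=550 <carrol@example.net>... User unknown
Mar 31 18:40:10 mx1 sendmail[51201]: SAA51201: ruleset=check_rcpt, arg1=<carole@example.net>, relay=mail.example.org [198.51.100.5], reject=550 <carole@example.net>... User unknown
"""

# syslog timestamp, host, sendmail[pid], queue id, ..., relay=[ip] or
# relay=hostname [ip], ..., "User unknown" somewhere after it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r".*relay=(?:\S+ )?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\].*User unknown"
)


def unknown_user_rejections(log_text, year=2000):
    """Yield (timestamp, relay_ip) for every 'User unknown' rejection.
    syslog lines carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_guessers(log_text, threshold=5, window=timedelta(minutes=10), year=2000):
    """Return {relay_ip: total_rejections} for relays that produced at
    least `threshold` unknown-user rejections inside any `window`.
    A sliding window keeps a legitimate host's occasional typos from
    being confused with an alphabetical sweep."""
    by_ip = defaultdict(list)
    for ts, ip in unknown_user_rejections(log_text, year):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # compare each event with the one (threshold - 1) events earlier
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def access_db_entries(ips):
    """Lines for sendmail's access database (FEATURE(access_db) in 8.9.x):
    key TAB value; rebuild the map afterwards with
    'makemap hash /etc/mail/access < /etc/mail/access'."""
    return [f"{ip}\tREJECT" for ip in sorted(ips)]


def ipfw_rules(ips, first_rule=1000):
    """FreeBSD ipfw commands dropping SMTP from the flagged relays.
    The rule numbers are an assumption; pick ones that fit the local set."""
    return [f"ipfw add {first_rule + i} deny tcp from {ip} to any 25"
            for i, ip in enumerate(sorted(ips))]


if __name__ == "__main__":
    bad = find_guessers(SAMPLE_LOG)
    for line in access_db_entries(bad) + ipfw_rules(bad):
        print(line)
```

Run against the sample, the alphabet-walking relay is flagged and the host with two typos half an hour apart is not; lowering the threshold or widening the window changes that, which is the knob to turn before trusting the output enough to feed it to makemap or ipfw unattended.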