From owner-freebsd-questions Sun Oct 20 09:12:20 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA28280 for questions-outgoing; Sun, 20 Oct 1996 09:12:20 -0700 (PDT)
Received: from mail.webspan.net (mail.webspan.net [206.154.70.7]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA28274 for ; Sun, 20 Oct 1996 09:12:14 -0700 (PDT)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (8.7.5/8.7.3) with ESMTP id MAA25505; Sun, 20 Oct 1996 12:11:58 -0400 (EDT)
Received: from orion.webspan.net (localhost [127.0.0.1]) by orion.webspan.net (8.7.5/8.7.3) with ESMTP id MAA23068; Sun, 20 Oct 1996 12:10:54 -0400 (EDT)
To: Nadav Eiron
cc: "Timothy P. Layton, Sr." , questions@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: HELP !!! I have a mail hacker.
In-reply-to: Your message of "Sun, 20 Oct 1996 17:33:29 +0200."
Date: Sun, 20 Oct 1996 12:10:54 -0400
Message-ID: <23066.845827854@orion.webspan.net>
Sender: owner-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Nadav Eiron wrote in message ID :
> On Sat, 19 Oct 1996, Timothy P. Layton, Sr. wrote:
> > Help !!!
> >
> > my mail host is receiving a couple thousand messages per night
> > from a fictitious user at a fake domain.
> >
> > I looked in the maillog and found what domain the messages were
> > coming from.
> >
> > Can I reject all mail from a single domain, and can I take it even
> > further by refusing any type of connection from a domain ??

Sorry, missed the orig. message.

My first step would be to contact the postmaster(s) responsible for
the source of the trouble, and if it continues after that message,
look at setting up a firewall at some downstream router (possibly your
gateway, if you have access to it).

As an aside, does anyone know anything about a mail faker (seemingly a
bulk mail faker) which leaves its signature as `Homicide' in the
message ID field? Hosts under my control have been attacked at least
twice with this, the mail going somewhere else (perhaps fortunately),
but using one of the local servers as a first (supposedly untraceable)
hop. It's getting quite annoying.

Gary
--
Gary Palmer                                FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info