Annoying Spam Problem

Mike Bilow mikebw at colossus.bilow.com
Sat Mar 18 06:29:05 EST 2000


We have had this happen with two different domains of ours.  It is a
difficult problem, since what is coming in to you are the bounces
resulting from the undeliverable spam.  It is very, very hard to filter
these since they are really legitimate messages (since the spam did
bounce) and they are being sent to you by the victims, not the spammer.

There is no technical way to stop the spammer sending out mail claiming to
be you.  They just pick some real domain to defeat anti-spam measures that
would disallow mail from fake domains, and it happened to be yours.  When
they send their mail, they are just putting your address into the sender
envelope during the SMTP exchange.  Other than the fact that it is your
domain they are misappropriating, these messages do not go through your
machine in any way.  If the messages are successfully delivered, you never
seen the messages at all.

Only when the spammer has attempted to send to an invalid mailbox or to
someone who has good anti-spam filtering at the SMTP level are you going
to get a bounce.  Most likely, the real spammer is exploiting open relay
machines all over the world, and it is there machines which are flooding
you with bounces.  Depending upon the scale of the operation, you might
get thousands of messages from hundreds of different relays.

The most effective defense at this point is to identify some common
characteristic in the mail and define a filter based upon that.  For
example, as of Sendmail v8.9, you can define a ruleset that will process
message headers during the DATA phase.  We commonly do this to block any
message which has some clearly spam-like header associated with it, such
as "To: friend at public.com" or "Subject: Accept All Major Credit Cards." 
Another possibility would be a common characteristic in the "Message-ID"
line.  There is no magic bullet here, but rather you will have to craft
something which is closely related to your particular offending messages.

-- Mike


On Thu, 16 Mar 2000, Jon wrote:

> Hi All,
> 
> I have a really big problem, somehow a spamer in Turkey has been sending out
> email broadcasts (mainly to turkey) looking for female employee's for some
> sort of female prostituting / movie business.  The mail headers state that
> the spam is coming from: ihlas.net, ihlas.net.tr, mailhub.ihlas.com.tr,
> cougar.ihlas.net.tr
> 
> The Problem:
> The reply address, and the undeliverable mail is being sent to snp at snp.com
> -- my company!!!! (Don't flame me, but we do Microsoft, Novell, Cisco, and
> Linux work)  I have the feeling that this was an arbitrary decision, made by
> whoever the spamer is.  
> 
> That mailbox (snp at snp.com) was our general mailbox, for the whole company.
> You can  imagine our surprise when we came tuesday morning to find 450
> undelivered pieces of porn spam in everyone's mailbox.  Luckily my boss has
> a pretty good sense of humor.  
> 
> Is there anything we can do??! (Relaying isn't turned on.)
> 
> Jon
> 
> ps We now have over 5000 mails in the snp at snp.com box
> --------------------------------------------------------------
> jon at snp.com
> ghia at ccs.neu.edu


-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).



More information about the Discuss mailing list