We have had this happen with two different domains of ours. It is a difficult problem, since what is coming in to you are the bounces resulting from the undeliverable spam. It is very, very hard to filter these since they are really legitimate messages (since the spam did bounce) and they are being sent to you by the victims, not the spammer. There is no technical way to stop the spammer sending out mail claiming to be you. They just pick some real domain to defeat anti-spam measures that would disallow mail from fake domains, and it happened to be yours. When they send their mail, they are just putting your address into the sender envelope during the SMTP exchange. Other than the fact that it is your domain they are misappropriating, these messages do not go through your machine in any way. If the messages are successfully delivered, you never see the messages at all. Only when the spammer has attempted to send to an invalid mailbox or to someone who has good anti-spam filtering at the SMTP level are you going to get a bounce. Most likely, the real spammer is exploiting open relay machines all over the world, and it is their machines which are flooding you with bounces. Depending upon the scale of the operation, you might get thousands of messages from hundreds of different relays. The most effective defense at this point is to identify some common characteristic in the mail and define a filter based upon that. For example, as of Sendmail v8.9, you can define a ruleset that will process message headers during the DATA phase. We commonly do this to block any message which has some clearly spam-like header associated with it, such as "To: friend at public.com" or "Subject: Accept All Major Credit Cards." Another possibility would be a common characteristic in the "Message-ID" line. There is no magic bullet here, but rather you will have to craft something which is closely related to your particular offending messages.
-- Mike

On Thu, 16 Mar 2000, Jon wrote:

> Hi All,
>
> I have a really big problem, somehow a spammer in Turkey has been sending out
> email broadcasts (mainly to Turkey) looking for female employees for some
> sort of female prostituting / movie business. The mail headers state that
> the spam is coming from: ihlas.net, ihlas.net.tr, mailhub.ihlas.com.tr,
> cougar.ihlas.net.tr
>
> The Problem:
> The reply address, and the undeliverable mail is being sent to snp at snp.com
> -- my company!!!! (Don't flame me, but we do Microsoft, Novell, Cisco, and
> Linux work) I have the feeling that this was an arbitrary decision, made by
> whoever the spammer is.
>
> That mailbox (snp at snp.com) was our general mailbox, for the whole company.
> You can imagine our surprise when we came Tuesday morning to find 450
> undelivered pieces of porn spam in everyone's mailbox. Luckily my boss has
> a pretty good sense of humor.
>
> Is there anything we can do??! (Relaying isn't turned on.)
>
> Jon
>
> ps We now have over 5000 mails in the snp at snp.com box
> --------------------------------------------------------------
> jon at snp.com
> ghia at ccs.neu.edu
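Mike's Sendmail header-check suggestion, written out as an added example that is not code from the thread: a sendmail.mc fragment (the ruleset names Check_Subject and Check_MessageId and the reply text are assumed) that rejects a message during the DATA phase when its Subject carries the phrase he quotes, or when its Message-Id is not of the usual <local-part@domain> shape.

```m4
dnl Added example, not from the thread. Syntax as accepted by Sendmail 8.9;
dnl on 8.10 and later write "$>+Check_Subject" so the Subject value is passed
dnl to the ruleset without address canonicalisation.
dnl Each rule's left- and right-hand sides MUST be separated by a TAB.
LOCAL_CONFIG
dnl Hand the named headers of every incoming message to a check ruleset.
HSubject: $>Check_Subject
HMessage-Id: $>Check_MessageId

LOCAL_RULESETS
dnl Reject when the Subject starts with the spam phrase, with or without "Re:".
dnl The phrase is the one quoted in the post; adapt it to your own bounces.
SCheck_Subject
RAccept All Major Credit Cards $*	$#error $: 553 Subject matches known spam pattern
RRe: Accept All Major Credit Cards $*	$#error $: 553 Subject matches known spam pattern

dnl Accept a Message-Id of the form <something@something>; reject any other
dnl shape. Only enable this after confirming that the offending bounces share
dnl a malformed Message-Id, since this rule fires on every message carrying
dnl the header.
SCheck_MessageId
R< $+ @ $+ >		$@ OK
R$*			$#error $: 553 Header Error
```

Because `$#error` answers the sending MTA with a 553 before the message is accepted, the rejected message is never queued locally and no further bounce is generated from your side; verify the rules with `sendmail -bt` before reloading.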