flooded by spam

Radu IONESCU iradu at UNITBV.RO
Tue Mar 4 17:53:55 GMT 2003


Hello,

We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers.
As MailScanner deals with spam, I wish it could handle a problem like ours :)
It's a kind of mail flood, highly disturbing and making me re-evaluate the
usefulness of the mail gateway topology I'm using:

Our University domain name is being used abusively by some villains in the wild.
They are mass-mailing spam with From/Return fields forged as <randomly
generated user name>@unitbv.ro.
Daily, thousands of bounced messages are hitting our gateway. It accepts them,
scans them, then sends them internally (mailertables) to our domain server,
which in turn refuses them. The gateway root mailbox is flooded with
postmaster notifications, and returned messages are also sent back to the
Internet, etc.

Either the IP address of the originating server is forged (less probable),
or they are using a lot of relays, as they are always different. Something
like:

Return-Path: <sashadvrf at unitbv.ro>
Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000
Received: from unknown (HELO unitbv.ro) (200.149.179.35)
  by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000
Message-ID: <001510c8cc55$ace12883$17115632 at jfrcoog.fhp>
From: <sashadvrf at unitbv.ro>
To: <bigmaner at theofficenet.com>
Subject: Improve Sense Of well Being
310-3
Date: Tue, 04 Mar 2003 23:38:17 -1100
MIME-Version: 1.0
Content-Type: text/html;
        charset="iso-8859-1"
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Importance: Normal

(of course IP 200.149.179.35 is far from our address space)

Therefore I am not hoping that the real spammer could be dropped, but it
would be better to have the gateway refuse such messages immediately,
after RCPT TO, instead of starting a whole chain reaction.

It seems that sendmail, as set up on the gateway host, is not able to do this
even for its own users:

mail from:<dani at genie.unitbv.ro>
250 2.1.0 <dani at genie.unitbv.ro>... Sender ok
rcpt to:<nouser at gwm.unitbv.ro>
250 2.1.5 <nouser at gwm.unitbv.ro>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test
.
250 2.0.0 h24DukA07795 Message accepted for delivery

(which could have to do with the sendmail.cf modified by atMail, a webmail
server installed on the gateway for another domain)

The problem is to have the gateway check the user name even before
accepting the message into the queue - perhaps off topic. Or to check the
content (unitbv.ro not being associated with our address space), again before
accepting it into the queue(?).

Well, any suggestions/help would be highly welcome, thank you!

Radu IONESCU
Systems Manager, TRANSILVANIA University Brasov
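The gateway-side check the post is asking for, as an added example that is not part of the original message, of MailScanner or of sendmail: a Python model of the decision a gateway should make at RCPT TO, so that both the forged-sender spam and the bounces addressed to non-existent @unitbv.ro users are refused with a 5xx before they enter the queue. The address range 192.0.2.0/24, the KNOWN_USERS list and the sample sessions are constructed stand-ins; the post does not give the university's address space or its user list, and the only real data reused here is the Received: line and the addresses quoted above.

```python
"""
SMTP-time rejection policy for a mail gateway (added example, not code
from the original post, MailScanner or sendmail).

Two checks, both answered at RCPT TO so that nothing is queued, scanned,
relayed inward or bounced:
  1. MAIL FROM (or HELO) claims one of our domains, but the connecting
     IP is outside our address space -> 550.
  2. The recipient is not a known mailbox in our domains -> 550.
"""
import ipaddress
import re

# Domains this gateway accepts mail for (from the post: unitbv.ro).
OUR_DOMAINS = ("unitbv.ro",)

# HYPOTHETICAL: 192.0.2.0/24 (TEST-NET-1) stands in for the university's
# real address space, which the post does not give.
OUR_NETWORKS = (ipaddress.ip_network("192.0.2.0/24"),)

# CONSTRUCTED directory extract of valid mailboxes; a real gateway would
# ask the domain server (or LDAP) before answering RCPT TO.
KNOWN_USERS = frozenset({
    "dani@genie.unitbv.ro",
    "postmaster@unitbv.ro",
    "iradu@unitbv.ro",
})

_ADDR_RE = re.compile(r"([^<>@\s]+)@([^<>@\s]+)")
_IPV4_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_address(arg):
    """Split a MAIL FROM / RCPT TO argument into (localpart, domain).

    Returns None for the null sender "<>" that bounce messages use."""
    m = _ADDR_RE.search(arg)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2).lower().rstrip(".")


def is_our_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in OUR_DOMAINS)


def is_our_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETWORKS)


def client_ip_from_received(received):
    """Pull the connecting IP out of a Received: line such as the one in
    the post: 'from unknown (HELO unitbv.ro) (200.149.179.35) by ...'."""
    m = _IPV4_RE.search(received)
    return m.group(1) if m else None


def rcpt_decision(client_ip, mail_from, rcpt_to, helo=None):
    """SMTP reply the gateway should give at RCPT TO.

    A 5xx here makes the remote MTA drop the message (for a bounce with
    the null sender it is simply discarded) instead of the gateway
    queueing it, scanning it, relaying it inward and bouncing it again."""
    rcpt = parse_address(rcpt_to)
    if rcpt is None:
        return "501 5.1.3 Bad recipient address syntax"
    rcpt_local, rcpt_domain = rcpt

    # 1. Our domain claimed in MAIL FROM or HELO from outside our networks.
    sender = parse_address(mail_from)
    claimed = None
    if sender is not None and is_our_domain(sender[1]):
        claimed = sender[1]
    elif helo is not None and is_our_domain(helo.lower()):
        claimed = helo.lower()
    if claimed is not None and not is_our_ip(client_ip):
        return f"550 5.7.1 {client_ip} is not allowed to send mail as {claimed}"

    # 2a. No open relay: accept only mail addressed to our own domains.
    if not is_our_domain(rcpt_domain):
        return "550 5.7.1 Relaying denied"

    # 2b. Refuse unknown mailboxes before DATA, so no bounce is generated.
    if f"{rcpt_local}@{rcpt_domain}" not in KNOWN_USERS:
        return f"550 5.1.1 <{rcpt_local}@{rcpt_domain}>... User unknown"

    return "250 2.1.5 Recipient ok"


if __name__ == "__main__":
    # CONSTRUCTED sessions: the bounce flood from the post, the forged spam
    # itself, the sendmail test session from the post, a legitimate message.
    hdr = "Received: from unknown (HELO unitbv.ro) (200.149.179.35) by mail.theofficenet.com"
    spam_ip = client_ip_from_received(hdr)
    for args in [
        (spam_ip, "<>", "<sashadvrf@unitbv.ro>"),
        (spam_ip, "<sashadvrf@unitbv.ro>", "<dani@genie.unitbv.ro>", "unitbv.ro"),
        ("192.0.2.10", "<dani@genie.unitbv.ro>", "<nouser@gwm.unitbv.ro>"),
        ("198.51.100.7", "<someone@example.net>", "<iradu@unitbv.ro>"),
    ]:
        print(args, "->", rcpt_decision(*args))
```

Answering at RCPT TO matters most for the bounce flood: those bounces arrive with the null sender `<>`, so a `550 User unknown` at that stage is discarded by the remote MTA, whereas accepting the message and refusing it on the internal relay later is exactly what produces the postmaster notifications and returned messages described above. For the gateway to give that answer it has to know the domain server's valid recipient list (sendmail can carry it in a virtusertable or look it up via LDAP routing), and the sender/connection check corresponds to entries in sendmail's access map; the exact syntax is not shown here.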


