flooded by spam

Julian Field mailscanner at ecs.soton.ac.uk
Tue Mar 4 18:10:16 GMT 2003


There have been previous discussions of this issue. Exim is now apparently
capable of checking recipient addresses against a file/database. Look in
the Exim docs for things to do with SMTP address/user authentication and
verification.

Can anyone remember the Subject: line from the last time this was discussed?
For that matter, can someone put a FAQ together for this problem please?

At 17:53 04/03/2003, you wrote:
>Hello,
>
>We are using MailScanner in a gateway (RH AS 2.1) for 7 other mail servers.
>As MailScanner deals with spam I wish it could handle a problem like ours:)
>It's a kind of mail flood, highly disturbing and making me re-evaluate
>the usefulness of the mail gateway topology as I'm using it:
>
>Our University domain name is used abusively by some villains in the wild.
>They are mass mailing spam with From/Return fields forged with <random
>generated user name>@unitbv.ro.
>Daily, thousands of bounced messages are hitting our gateway. It accepts them,
>scans them, then sends them internally (mailertables) to our domain server
>which in turn refuses them. The gateway root mailbox is flooded with
>postmaster notifications and returned messages, which are also sent back to
>the Internet, etc.
>
>Either the IP address of the originating server is forged (less probable),
>or they are using a lot of relays, as they are always different. Something
>like:
>
>Return-Path: <sashadvrf at unitbv.ro>
>Received: (qmail 17532 invoked from network); 4 Mar 2003 13:56:42 -0000
>Received: from unknown (HELO unitbv.ro) (200.149.179.35)
>   by mail.theofficenet.com with SMTP; 4 Mar 2003 13:56:42 -0000
>Message-ID: <001510c8cc55$ace12883$17115632 at jfrcoog.fhp>
>From: <sashadvrf at unitbv.ro>
>To: <bigmaner at theofficenet.com>
>Subject: Improve Sense Of well Being
>310-3
>Date: Tue, 04 Mar 2003 23:38:17 -1100
>MIME-Version: 1.0
>Content-Type: text/html;
>         charset="iso-8859-1"
>X-Priority: 3
>X-Mailer: Microsoft Outlook Express 5.50.4522.1200
>Importance: Normal
>
>(of course IP 200.149.179.35 is far from our address space)
>
>Therefore it is not my hope that the real spammer could be dropped, but it
>would be better to have the gateway refuse such messages immediately,
>after RCPT TO, not starting a whole chain reaction.
>
>It seems that sendmail, as set up on the gateway host, is not able to do it even
>for its own users:
>
>mail from:<dani at genie.unitbv.ro>
>250 2.1.0 <dani at genie.unitbv.ro>... Sender ok
>rcpt to:<nouser at gwm.unitbv.ro>
>250 2.1.5 <nouser at gwm.unitbv.ro>... Recipient ok
>data
>354 Enter mail, end with "." on a line by itself
>test
>.
>250 2.0.0 h24DukA07795 Message accepted for delivery
>
>(which could have to do with sendmail.cf modified by atMail, a webmail
>server installed on the gateway for another domain)
>
>The problem is to have the gateway check the user name even before
>accepting the message into the queue (perhaps off topic), or check the
>content (unitbv.ro is not associated with our address space), again before
>accepting it into the queue(?).
>
>Well, any suggestions/help would be highly welcome, thank you!
>
>Radu IONESCU
>Systems Manager, TRANSILVANIA University Brasov

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
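The reply above points at Exim's ability to reject unknown recipients at RCPT TO time, before the message is accepted into the queue, so that the bounce storm never starts. The following is an added example of an Exim 4 ACL that does that; it is not configuration from the original message, from MailScanner, or from the poster's site. The domain list, the internal host range, the file path /etc/exim/valid_recipients and its contents are assumptions for illustration. It also shows the second check the poster asked about: refusing MAIL FROM addresses in the gateway's own domain when they arrive from an outside, unauthenticated host.

```exim
# Added example, not the page's or MailScanner's own config.
# Assumed: the gateway relays for these domains and for hosts in 10.0.0.0/8.
domainlist local_domains    = unitbv.ro : gwm.unitbv.ro : genie.unitbv.ro
hostlist   relay_from_hosts = 127.0.0.1 : 10.0.0.0/8

acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_mail:
  # Our own users (internal hosts or SMTP AUTH) may use our domain as sender.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Anyone else claiming an envelope sender in our domain is forging it.
  # Rejecting here stops the forged-sender spam that produces the bounces.
  deny    message        = Sender domain $sender_address_domain is not accepted from $sender_host_address
          sender_domains = +local_domains

  accept

acl_check_rcpt:
  accept  hosts = +relay_from_hosts

  # Assumed file, one valid local part per line, e.g.:
  #   dani
  #   postmaster
  # lsearch matches the key at the start of the line (up to ':' or end of line).
  accept  domains     = +local_domains
          local_parts = lsearch;/etc/exim/valid_recipients

  # Recipient is in our domain but not in the list: refuse at RCPT TO with a
  # permanent 550, so the sending relay bounces it instead of us.
  deny    message = Unknown recipient
          domains = +local_domains

  # Not our domain at all: refuse relaying.
  deny    message = relay not permitted
```

With this in place, the dialogue the poster showed would end at `rcpt to:<nouser at gwm.unitbv.ro>` with a 550 instead of `250 Recipient ok`, and the downstream server never sees the message. Two caveats a practitioner should keep in mind: the valid-recipient file has to be kept in sync with the internal servers' user lists (a stale list silently rejects real mail), and the MAIL FROM check breaks anything that legitimately submits mail with a local sender from an outside IP without authenticating, such as roaming users or third-party forwarders. Exim can also do the recipient check against a database (for example MySQL or LDAP) by swapping the `lsearch` lookup for the matching lookup type; the ACL logic is the same. A sender-address check on `$sender_address_domain` was a reasonable local policy in 2003; today SPF or DMARC records for the domain give other receivers the same information.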
