More SPAM?

Julian Field mailscanner at ecs.soton.ac.uk
Fri Nov 7 15:28:49 GMT 2003


There is a facility provided in CustomConfig.pm that will achieve much the 
same.
It uses a config file defining IP addresses and the maximum number of 
messages per hour to accept from them, along with a default value for all 
other IP addresses.
If an IP sends you more than x messages per hour, it is blocked at the 
sendmail MTA level for the rest of that hour.
The block is removed after an hour by a cron job.

This should stop you getting swamped with tens of thousands from a rogue IP.

At 15:06 07/11/2003, you wrote:
>Hi,
>
>We've had those compromised Windows also and it really put a high load
>(and big backlog) on our MS servers.
>
>I wrote a Perl script that watches my maillog every 5 minutes (root's
>crontab) and if there are more than 80% of incoming mail from one IP
>address it blocks it in ipchains/iptables, stops MS and sendmail,
>removes all undelivered mail containing that IP address from the spool
>directories, restarts MS (and sendmail) and sends an email to our
>security group about it.
>
>It works fine on our RH 7.3 and 9 systems.
>
>If anyone is interested, I can post it.
>
>Denis
>On Fri 07/11/2003 at 09:43, Jeff A. Earickson wrote:
> > Hi,
> > I too have noticed that a lot more spam is getting through in the
> > past month or two (my setup: RBL+, spamcop, spamhaus, local lists
> > for sendmail RBL; SA 2.60 and razor within MS 4.24-5; more procmail
> > rules downstream via junkfilter).
> >
> > One trend that I find alarming is spam trojans that get installed on
> > Windoze desktop clients when people click on these "free" downloads
> > from porn sites.  We have had a half-dozen machines on campus this
> > semester that have had trojans that spew spam to the world.  The remote
> > spammers connect to their trojans via irc or http, and then dump the
> > stuff either directly back out or via our mail server.  They can move a
> > lot of email this way real quick, from lots of machines, and it is hard
> > to stop.  When we get a report from spamcop or other victims, we have to kill
> > the port connection and block the MAC address in DHCP when we can
> > find the machine.  Laptops drive us nuts with this problem.
> >
> > Our Windoze guru carefully examined one student machine that we
> > kept having problems with (XP, fully patched, NO password set, doh!).
> > Two randomly named dlls kept appearing in the process list after bootup.
> > These guys could not be shut down, unloaded, permissions changed, nothing;
> > not even when booted in safe mode.  We couldn't even ftp them off
> > the box to examine them elsewhere (always "text busy").  If their
> > registry keys were removed, they came right back.
> >
> > If we put this box on a network with a sniffer running, we would see
> > a short (encrypted) http connection coming from someplace in Eastern
> > Europe a few minutes later, followed shortly thereafter by connections
> > from all over the planet, and then the thing would start spewing spam
> > bigtime.
> >
> > This hack was a real professional piece of work.  We wanted to poke
> > more, but the student wanted his machine back.  He had to reformat the
> > hard drive and reinstall the OS before we let him back on the network.
> >
> > I think this is the direction spam is going -- lots of hijacked
> > PCs, very distributed spam output.  True criminal activity by pros. Ugh.
> >
> > --- Jeff Earickson
> >     Colby College
> >
> > On Fri, 7 Nov 2003, Devon Harding - GTHLA wrote:
> >
> > > Date: Fri, 7 Nov 2003 09:09:59 -0500
> > > From: Devon Harding - GTHLA <DHarding at GILATLA.COM>
> > > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: More SPAM?
> > >
> > > I thought I was the only one.  The SPAM has increased drastically in
> > > these last two months.
> > >
> > > Currently running MS 4.23-5 and SA 2.60
> > >
> > > What can be done to reduce incoming spam?
> > >
> > > -Devon
> > >
> > > -----Original Message-----
> > > From: Errol Neal [mailto:sysadmins at ENHTECH.COM]
> > > Sent: Thursday, November 06, 2003 10:13 AM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: More SPAM?
> > >
> > > Is it just me, or has anyone else been having more spam make it through the
> > > MailScanners recently?
> > >
> > >
> > > Errol Neal
> > >
>--
>Denis Beauchemin, analyst
>Université de Sherbrooke, S.T.I.
>T: 819.821.8000x2252 F: 819.821.8045

-- 
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
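The two per-IP rules discussed in this thread (Julian's "more than x messages per hour from one IP, block at the MTA until the hour is up, cron lifts the block" and Denis's "one IP is more than 80% of incoming mail in the last interval") can be sketched over sendmail maillog lines. The following is an added example, not the CustomConfig.pm facility and not Denis's script, which is not reproduced in the thread; it is in Python for illustration rather than the Perl both of them use. The log lines, the addresses, the limit table, the 80% share threshold, and the block mechanism (a sendmail access-map Connect: entry plus an iptables rule, returned as strings and never executed) are all assumptions of this example.

```python
"""Per-IP inbound rate check over sendmail maillog lines (constructed example).

Not MailScanner's CustomConfig.pm code and not Denis's script, which the thread
does not reproduce. It models the two rules described above: a per-IP limit
table with a default (block for the rest of the hour, cron removes the block),
and the "one IP is >80% of incoming mail" rule. Block actions are returned as
strings (sendmail access-map entry, iptables rule); nothing is executed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Sendmail envelope line: "... qid: from=<...>, ..., relay=host [ip]" or
# "relay=[ip]" when there is no reverse DNS. Only from= lines are counted.
FROM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \w+: from=.*?"
    r"relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

def parse_maillog(lines, year=2003):
    """Return (timestamp, relay_ip) for each inbound from= line; others are skipped."""
    records = []
    for line in lines:
        m = FROM_LINE.search(line)
        if m:  # syslog timestamps carry no year; assume the given one
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            records.append((ts, m.group("ip")))
    return records

def count_in_window(records, now, window=timedelta(hours=1)):
    """Messages per relay IP with timestamp in (now - window, now]."""
    start = now - window
    return Counter(ip for ts, ip in records if start < ts <= now)

def over_limit(counts, limits, default_limit):
    """IPs whose hourly count exceeds their entry in `limits`, else `default_limit`."""
    return sorted(ip for ip, n in counts.items() if n > limits.get(ip, default_limit))

def dominant_sender(counts, share=0.8, minimum=10):
    """The one IP sending more than `share` of all messages, if total >= minimum."""
    total = sum(counts.values())
    if total < minimum:
        return None
    ip, n = counts.most_common(1)[0]
    return ip if n > share * total else None

def block_actions(ip):
    """Block strings: a sendmail access-map 'Connect:' entry and an iptables rule."""
    return [f"Connect:{ip}\tREJECT",
            f"iptables -I INPUT -p tcp --dport 25 -s {ip} -j DROP"]

def apply_blocks(offenders, blocks, now, hold=timedelta(hours=1)):
    """Record new blocks with an expiry; return the actions to run for new ones."""
    actions = []
    for ip in offenders:
        if ip not in blocks:
            blocks[ip] = now + hold
            actions += block_actions(ip)
    return actions

def expire_blocks(blocks, now):
    """The cron sweep: drop blocks whose hour has passed; return the IPs unblocked."""
    expired = sorted(ip for ip, until in blocks.items() if until <= now)
    for ip in expired:
        del blocks[ip]
    return expired

# Constructed log lines (RFC 5737 addresses): one stale line, nine in nine minutes
# from 192.0.2.10, one each from two other hosts, and one to= line to be ignored.
SAMPLE_LOG = [
    "Nov  7 13:50:00 mx sendmail[4100]: hA7Do0xx004100: from=<old@example.net>, "
    "size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]",
] + [
    f"Nov  7 15:{m:02d}:02 mx sendmail[42{m:02d}]: hA7F{m:02d}xx0042{m:02d}: "
    f"from=<u{m}@example.net>, size=1200, class=0, nrcpts=1, proto=ESMTP, "
    "daemon=MTA, relay=[192.0.2.10]"
    for m in range(1, 10)
] + [
    "Nov  7 15:05:00 mx sendmail[4300]: hA7F50xx004300: from=<b@example.org>, "
    "size=700, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]",
    "Nov  7 15:06:00 mx sendmail[4301]: hA7F60xx004301: from=<c@partner.example>, "
    "size=5000, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=relay.partner.example [203.0.113.5]",
    "Nov  7 15:06:01 mx sendmail[4302]: hA7F60xx004301: to=<user@campus.example>, "
    "delay=00:00:01, mailer=local, pri=35000, dsn=2.0.0, stat=Sent",
]
NOW = datetime(2003, 11, 7, 15, 28, 49)
LIMITS = {"203.0.113.5": 1000}   # assumed trusted relay; everyone else gets the default
DEFAULT_LIMIT = 5

if __name__ == "__main__":
    counts = count_in_window(parse_maillog(SAMPLE_LOG), NOW)
    offenders = set(over_limit(counts, LIMITS, DEFAULT_LIMIT))
    dom = dominant_sender(counts)
    if dom:
        offenders.add(dom)
    blocks = {}
    for action in apply_blocks(sorted(offenders), blocks, NOW):
        print(action)
    print("unblocked at +1h:", expire_blocks(blocks, NOW + timedelta(hours=1)))
```

In the sample, 192.0.2.10 trips both rules (9 of 11 messages in the window, above the default limit of 5 and above the 80% share), while the partner relay is excused by its own table entry; the stale 13:50 line and the to= delivery line are ignored. Note that the share rule needs a minimum total, otherwise a quiet hour with two messages from one host would block it; that is the reason for the `minimum` parameter.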