More SPAM? - RESOLVED!!!

Ugo Bellavance ugob at CAMO-ROUTE.COM
Wed Nov 12 14:48:38 GMT 2003


> -----Original Message-----
> From: Devon Harding - GTHLA [mailto:DHarding at GILATLA.COM]
> Sent: Wednesday, November 12, 2003 9:46 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: More SPAM? - RESOLVED!!!
> 
> 
> ORDB-RBL osirusoft.com spamhaus.org spamcop.net
> 
> But osirusoft.com times out a lot, so I don't think it's up.

It's been dead for a while.


Ugo
> 
> -Devon
> 
> -----Original Message-----
> From: Chris Trudeau [mailto:chris at TRUDEAU.ORG] 
> Sent: Wednesday, November 12, 2003 9:42 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: More SPAM? - RESOLVED!!!
> 
> Just out of curiosity, which RBLs are you using and are you using them
> within SpamAssassin OR within MailScanner?
> 
> CT
> 
> ----- Original Message ----- 
> From: "Devon Harding - GTHLA" <DHarding at GILATLA.COM>
> To: <MAILSCANNER at JISCMAIL.AC.UK>
> Sent: Wednesday, November 12, 2003 9:31 AM
> Subject: Re: More SPAM? - RESOLVED!!!
> 
> 
> Installed razor-agent-2.36 and voilà!!!
> 
> Example daily result:
> No MailScanner/SpamAssassin:            67 SPAM Messages
> MS/SA (2 RBLs)                          22 SPAM Messages
> MS/SA (4 RBLs)                          17 SPAM Messages
> MS/SA (4 RBLs) + Razor-agent             2 SPAM Messages
> 
> http://razor.sourceforge.net/
> 
> I think razor-agent should be in the MailScanner installation guides,
> otherwise I would not have found out about it if I didn't subscribe to
> this mailing list.
> 
> -Devon
> 
> 
> -----Original Message-----
> From: Denis Beauchemin [mailto:Denis.Beauchemin at USHERBROOKE.CA]
> Sent: Monday, November 10, 2003 2:51 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: More SPAM?
> 
> Hello everyone,
> 
> David While has put my script on his website.  It is complete with a
> discussion board.
> 
> Great job David.
> 
> It is at:
> http://www.while.homeunix.net/spamstorm
> 
> Denis
> 
> On Fri 07/11/2003 at 10:06, Denis Beauchemin wrote:
> > Hi,
> >
> > We've had those compromised Windows also and it really put a high load
> > (and big backlog) on our MS servers.
> >
> > I wrote a Perl script that watches my maillog every 5 minutes (root's
> > crontab) and if there are more than 80% of incoming mail from one IP
> > address it blocks it in ipchains/iptables, stops MS and sendmail,
> > removes all undelivered mail containing that IP address from the spool
> > directories, restarts MS (and sendmail) and sends an email to our
> > security group about it.
> >
> > It works fine on our RH 7.3 and 9 systems.
> >
> > If anyone is interested, I can post it.
> >
> > Denis
> > On Fri 07/11/2003 at 09:43, Jeff A. Earickson wrote:
> > > Hi,
> > > I too have noticed that a lot more spam is getting thru in the
> > > past month or two (my setup: RBL+, spamcop, spamhaus, local lists
> > > for sendmail RBL; SA 2.60 and razor within MS 4.24-5; more procmail
> > > rules downstream via junkfilter).
> > >
> > > One trend that I find alarming is spam trojans that get installed on
> > > Windoze desktop clients when people click on these "free" downloads
> > > from porn sites.  We have had a half-dozen machines on campus this
> > > semester that have had trojans that spew spam to the world.  The remote
> > > spammers connect to their trojans via irc or http, and then dump the
> > > stuff either directly back out or via our mail server.  They can move a
> > > lot of email this way real quick, from lots of machines, and it is hard
> > > to stop.  When we get a report from spamcop or other victims, we have to
> > > kill the port connection and block the MAC address in DHCP when we can
> > > find the machine.  Laptops drive us nuts with this problem.
> > >
> > > Our Windoze guru carefully examined one student machine that we
> > > kept having problems with (XP, fully patched, NO password set, doh!).
> > > Two randomly named dlls kept appearing in the process list after bootup.
> > > These guys could not be shut down, unloaded, permissions changed, nothing;
> > > not even when booted in safe mode.  We couldn't even ftp them off
> > > the box to examine them elsewhere (always "text busy").  If their
> > > registry keys were removed, they came right back.
> > >
> > > If we put this box on a network with a sniffer running, we would see
> > > a short (encrypted) http connection coming from someplace in Eastern
> > > Europe a few minutes later, followed shortly thereafter by connections
> > > from all over the planet, and then the thing would start spewing spam
> > > bigtime.
> > >
> > > This hack was a real professional piece of work.  We wanted to poke
> > > more, but the student wanted his machine back.  He had to reformat the
> > > hard drive and reinstall the OS before we let him back on the network.
> > >
> > > I think this is the direction spam is going -- lots of hijacked
> > > PC's, very distributed spam output.  True criminal activity by pros.
> > > Ugh.
> > >
> > > --- Jeff Earickson
> > >     Colby College
> > >
> > > On Fri, 7 Nov 2003, Devon Harding - GTHLA wrote:
> > >
> > > > Date: Fri, 7 Nov 2003 09:09:59 -0500
> > > > From: Devon Harding - GTHLA <DHarding at GILATLA.COM>
> > > > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: Re: More SPAM?
> > > >
> > > > I thought I was the only one.  The SPAM has increased drastically in
> > > > these last two months.
> > > >
> > > > Currently running MS 4.23-5 and SA 2.60
> > > >
> > > > What can be done to reduce incoming spam?
> > > >
> > > > -Devon
> > > >
> > > > -----Original Message-----
> > > > From: Errol Neal [mailto:sysadmins at ENHTECH.COM]
> > > > Sent: Thursday, November 06, 2003 10:13 AM
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: More SPAM?
> > > >
> > > > Is it just me, or has anyone else been having more spam make it through
> > > > the MailScanners recently?
> > > >
> > > >
> > > > Errol Neal
> > > >
> -- 
> Denis Beauchemin, analyst
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045
> 
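
The check Denis Beauchemin describes in the quoted thread (one IP address accounting for more than 80% of incoming mail in the log window), sketched as an added example that is not his Perl script and not part of the original thread. It assumes sendmail-style `from=` log lines; the function names, the `min_messages` floor and the sample log lines are constructed for illustration, and the block only builds the iptables rule, leaving the stop, spool-purge and restart steps out.

```python
import ipaddress
import re
from collections import Counter

# sendmail logs the connecting client on "from=" lines as relay=name [ip]
# or relay=[ip]; "to=" lines name the outbound relay and are ignored.
FROM_RELAY = re.compile(
    r"sendmail\[\d+\]: \S+: from=.*\brelay=(?:\S+ )?\[([0-9.]+)\]")

def relay_counts(lines):
    """Count accepted messages per connecting IPv4 address."""
    counts = Counter()
    for m in filter(None, map(FROM_RELAY.search, lines)):
        try:
            counts[str(ipaddress.IPv4Address(m.group(1)))] += 1
        except ValueError:  # malformed address in the log: skip it
            continue
    return counts

def dominant_relay(lines, share=0.80, min_messages=20):
    """Return the IP sending more than `share` of the mail, else None.
    min_messages (an assumption) keeps a quiet window from tripping it."""
    counts = relay_counts(lines)
    total = sum(counts.values())
    if total < min_messages:
        return None
    ip, n = counts.most_common(1)[0]
    return ip if n / total > share else None

def block_rule(ip):
    """Build, but do not run, an iptables rule dropping SMTP from ip."""
    addr = str(ipaddress.IPv4Address(ip))  # re-validate before use
    return ["iptables", "-I", "INPUT", "-s", addr,
            "-p", "tcp", "--dport", "25", "-j", "DROP"]

def sample_line(i, relay):
    # Constructed sendmail-style log line, not taken from a real server.
    return (f"Nov  7 10:0{i % 10}:00 mail sendmail[{2000 + i}]: hA7F0{i:04d}: "
            f"from=<user{i}@example.net>, size=2048, class=0, nrcpts=1, "
            f"proto=SMTP, daemon=MTA, relay={relay}")

SAMPLE_STORM = [sample_line(i, "[192.0.2.77]") for i in range(45)]
SAMPLE_STORM += [sample_line(i, f"mx{i}.example.org [198.51.100.{i}]")
                 for i in range(45, 50)]
SAMPLE_STORM.append("Nov  7 10:05:00 mail sendmail[2100]: hA7F00001: "
                    "to=<a@example.org>, relay=mx.example.org. [203.0.113.5]")
SAMPLE_NORMAL = [sample_line(i, f"[203.0.113.{i % 3 + 1}]") for i in range(30)]
```

Returning the rule as an argument list keeps the decision reviewable and lets the caller log or alert on it before anything is blocked.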



