Distributed spammer attacks?

Mike Kercher mike at CAMAROSS.NET
Wed Nov 9 19:13:22 GMT 2005


MailScanner mailing list <> scribbled on Wednesday, November 09, 2005 12:59
PM:

> Using milter-sender we are getting many of the following
> syslog entries.
> (addresses changed to protect the innocent)
> 
> Nov  9 04:25:03 server sendmail[26187]: jA9CP0Eb026187:
> Milter: helo=1.2.3.4 reject=550 5.7.1 HELO 1.2.3.4 claims to
> be us 'server.domain' [1.2.3.4], but the connection
> [220.184.102.95] is not us
> 
> Yesterday we received 2901 of these.  2586 are unique
> machines and the most any one hit was 6 times.
> 
> Here is a test session where I duplicated the abuse showing
> what others are doing.
> 
> I expect we are looking at a distributed spam network.  Has
> anyone else experienced this, and if so any thoughts about a
> solution?  The only thing I can think of to counter this
> would be a common dnsbl.
> 
> Vaughn
> 
> 220 1.2.3.4 ESMTP Sendmail 1.0/1.0; Wed, 9 Nov 2005 10:30:39 -0800
> HELO 1.2.3.4
> 250 1.2.3.4 Hello test [2.3.4.5], pleased to meet you
> mail from: <user at test>
> 550 5.7.1 HELO 1.2.3.4 claims to be us '1.2.3.4' [1.2.3.4], but the connection [2.3.4.5] is not us
> 
> ------------------------ MailScanner list
> ------------------------ To unsubscribe, email
> jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/)
> and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!

I use milter-sender too and I also see this in my logs all the time.  I
suspect the spammers are trying to exploit an MX that is configured to allow
its own IP address to relay (instead of 127.0.0.1).  I may be wrong.  I
don't worry about these entries since milter-sender is preventing the junk
from coming in.

Mike
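
The tally described in the quoted message (total rejections, unique connecting hosts, most hits from a single host) can be reproduced from the syslog format shown above. This is an added example, not part of the original thread; the sample lines are constructed with documentation-range addresses, and `spread` is an illustrative metric, not something milter-sender reports.

```python
import re
from collections import Counter

# Matches the milter-sender rejection quoted in the thread (one syslog entry per line).
REJECT_RE = re.compile(
    r"Milter: helo=(?P<helo>\S+) reject=550 5\.7\.1 HELO \S+ claims to be us "
    r"'[^']*' \[[^\]]*\], but the connection \[(?P<peer>[^\]]+)\] is not us"
)

def summarize(lines):
    """Count forged-HELO rejections per connecting IP."""
    hits = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:                      # unrelated sendmail lines are skipped
            hits[m.group("peer")] += 1
    total = sum(hits.values())
    return {
        "total": total,
        "unique": len(hits),
        "max_per_ip": max(hits.values(), default=0),
        # Fraction of rejections that came from distinct hosts. A value
        # near 1.0 means blocking individual repeat offenders gains little.
        "spread": len(hits) / total if total else 0.0,
        "top": hits.most_common(3),
    }

# Constructed sample input: same message format as the thread, with
# documentation-range peer addresses and made-up PIDs and queue IDs.
TEMPLATE = (
    "Nov  9 04:25:{sec:02d} server sendmail[{pid}]: jA9CP0Eb0{pid}: Milter: "
    "helo=1.2.3.4 reject=550 5.7.1 HELO 1.2.3.4 claims to be us "
    "'server.domain' [1.2.3.4], but the connection [{peer}] is not us"
)
PEERS = ["192.0.2.10", "198.51.100.7", "192.0.2.10", "203.0.113.45", "198.51.100.200"]
SAMPLE_LOG = [
    TEMPLATE.format(sec=i, pid=26187 + i, peer=p) for i, p in enumerate(PEERS)
] + [
    "Nov  9 04:25:09 server sendmail[26200]: jA9CP9Eb026200: "
    "from=<user@example.org>, size=1024, nrcpts=1, relay=[192.0.2.99]",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real maillog, pass an open file object to `summarize()`; it iterates line by line.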
