On Sat, 27 Dec 2003, Paul Vixie wrote:
today AOL thoughtfully supplied the following to postmaster@vix.com:
Did they really?
Peewee1isme@aol.com SMTP error from remote mailer after initial connection: host mailin-02.mx.aol.com [64.12.137.89]: 554-(RLY:B1) The information presently available to AOL indicates this 554-server is generating high volumes of member complaints from AOL's 554-member base. Based on AOL's Unsolicited Bulk E-mail policy at 554-http://www.aol.com/info/bulkemail.html AOL may not accept further 554-e-mail transactions from this server or domain. For more information, 554 please visit http://postmaster.info.aol.com.
this was in response to what the e-mail community refers to as a "trivial forgery", whose salient headers were:
Return-path: <ediva.clapplz@vix.com> Received: from port-212-202-52-233.reverse.qsc.de ([212.202.52.233] helo=1-online-poker-video.com) by mx01.qsc.de with esmtp (Exim 3.35 #1) id 1AQIw9-0000bF-00; Sun, 30 Nov 2003 05:11:58 +0100 Message-ID: <0d7b01c3b6f8$814916c5$da62d340@ifptblb> From: "Ediva Clapp" <ediva.clapplz@vix.com>
You didn't include much of the bounce, but from what you did include, I'm guessing this is similar to lots of spam bounces I've gotten. port-212-202-52-233.reverse.qsc.de originated the message (most likely via a trojan spam proxy/emitter thats infected it) and sent the spam through a local mail server, mx01.qsc.de. mx01.qsc.de is actually the system blacklisted by AOL. When it failed to deliver this spam to AOL, it tried returning it to the "sender", which likely landed the message in a catch-all email box at vix.com. Assuming that's what happened, this isn't AOL's fault at all.
them was "must scale indefinitely". a simple application of this principle toward anti-virus and anti-spam automated rejection notices is to ignore the envelope and ignore the header and just focus on the peer IP address:
To: postmaster@[212.202.52.233]
That too will bounce. I haven't checked, but I'd bet port-212-202-52-233.reverse.qsc.de (212.202.52.233) is an end-user running some flavor of Windows and does not run an SMTPd.
"don't make me stop this car, kids."
...and to all a good night.
When did this become SPAM-L? This sort of thing's been talked about on several of the "other spam lists" for a few weeks since some spamware app started using "local MX's" as relays, likely to circumvent DNSBLs and outbound 25/tcp blocking. We're all going to have to come up with patches or hacks to "rate-limit" outgoing email by originating IP, or things are really going to get ugly as ISPs start blacklisting each other's mail servers to stop this sort of relayed spam. ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________