At 04:35 PM 9/5/97 -0400, Jeremy Elson wrote:
The answer, of course, is that the mail really originated from a PSInet dialup, using IConNet.NET as a spam relay; the bottom Received: line is an utter forgery, presumably added by the spam-mailing software. In fact, it's not even a very good forgery, because the supposed IP address of alt2.bethere.net is invalid (the 2nd octet is 756).
Yes, it seems that once a spammer finds your site (fs.iconnet.net, mine) they share it with others. What was a trickle (in April, when you got spammed) became a flood as the "disposable dial-ppp / third-party relay" technique became widespread. At the time we had approximately 15 "open" mail servers - but only one was ever abused - they either share with each other or have common sources/techniques of scanning for "open" servers.

X-Disclaimer: if you're not interested in sendmail techniques to keep spam off your network, delete now.

Anyway, we were able to dig up a nice simple solution that solves some problems that ISPs have. The reason I'm posting is because it took a long time to find the solution and most sources of information (spam.abuse.net, etc) are aimed at small sites, not ISPs who provide mail-relay and MX backup for their customers. The solution is located at

  http://www.informatik.uni-kiel.de/%7Eca/email/check.html
  http://www.informatik.uni-kiel.de/%7Eca/email/rules/check.tar

What we do now, with most help from Claus Aßmann's site:

We now have four files that control our anti-abuse sendmail (in order):

  1. Spammer      These user addresses can't send mail
  2. SpamDomains  These domains can't send mail
  3. LocalIP      These IP addresses can relay mail
  4. RelayTo      Mail destined to these domain names can go through

Thus, our customers can use our mail servers to relay (#3), and anyone else must be sending to our customers (#4) or they get rejected. Plus we can block any spammer, customer or non-customer (#1,2). Now we only have to worry about our downstreams spamming, where we actually have leverage.

Things that need work:

  . script to dynamically create localip file (point a program at your cisco and let it "sh ip bgp filter x" to get your list, which you can then edit)
  . merge spammer and spamdomains into one file with wildcards (*@*.b.com , user@*.c.com , *@port15.dial.d.net)
  . cidr and substring matching are not the same (you can take 10.1.0.0/17 and make 128 /24 entries, or one /16 entry and allow the other /17 through)

I'm thinking of building on this and sharing my results with Claus and any other interested parties. Suggestions / Comments / Ideas please e-mail me.

Thanks for your time.

-Rod
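The four-file relay policy Rod describes, as an added Python model (not code from the post or from Claus Aßmann's sendmail rules) that also folds in two of his "things that need work": a merged wildcard blocklist and true CIDR matching for LocalIP. The policy values (BLOCKLIST, LOCALIP, RELAYTO) and the check_relay function are constructed for illustration.

```python
# Added example: relay decision modelled on the Spammer / SpamDomains /
# LocalIP / RelayTo scheme from the post.  Policy data below is constructed;
# the real files are sendmail maps, not Python tuples.
import ipaddress
from fnmatch import fnmatchcase

# Spammer and SpamDomains merged into one wildcard list (Rod's second to-do).
BLOCKLIST = ("*@*.spam-example.org", "bulk@*.example.net", "*@port15.dial.example.net")
# LocalIP as CIDR networks: our own dial/PPP pools that may relay anywhere.
LOCALIP = tuple(ipaddress.ip_network(n) for n in ("10.1.0.0/17", "192.0.2.0/24"))
# RelayTo: domains we accept mail for (customers we MX for), with subdomains.
RELAYTO = ("customer.example", "example.com")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _in_domains(addr, domains):
    d = _domain(addr)
    return any(d == x or d.endswith("." + x) for x in domains)


def check_relay(client_ip, sender, recipient):
    """Apply the checks in the post's order; return (accept, reason)."""
    sender, recipient = sender.lower(), recipient.lower()
    # 1 + 2: blocked senders / sender domains, as shell-style wildcards.
    for pat in BLOCKLIST:
        if fnmatchcase(sender, pat):
            return False, "sender blocked by pattern %s" % pat
    # 3: connecting address is one of our customers -> may relay anywhere.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in LOCALIP):
        return True, "customer address, relaying allowed"
    # 4: anyone else must be delivering to a domain we relay for.
    if _in_domains(recipient, RELAYTO):
        return True, "destined for a domain we relay for"
    return False, "relaying denied"


def substring_match(client_ip, prefix="10.1."):
    """The textual-prefix shortcut the post warns about: '10.1.' also matches
    10.1.130.5, which lies in the other /17 of 10.1.0.0/16 and is NOT ours."""
    return client_ip.startswith(prefix)
```

Comparing check_relay("10.1.130.5", ...) with substring_match("10.1.130.5") shows the mismatch Rod's third item describes: the CIDR check denies the address, the substring check lets it through.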