Re: ** Forged spamming going on
alex@nac.net wrote:
-> some luser off of AT&T Dialup is using mailme.com (my domain) for relaying
-> mail:
-> Received: from mailme.com (146.st-louis-71-72rs.mo.dial-access.att.net
-> [...]
-> He is sending thousands of emails to AOL users, who are then bouncing them
-> to me.
-> [...]
-> Thinking about this, there is no solution; here are my options:
->
-> 1) blackhole AT&T, which does nothing, since the mail is bounces coming
-> from AOL.
->
-> 2) blackhole AOL, which would fix my attack, but would break all
-> legitimate mail from/to AOL.
->
-> 3) temporarily blackhole mailme.com, which would prevent me from getting
-> the bounces, but then I can't send/get legit mail.

You forgot:

4) Deny relaying, which sendmail 8.9.1a will do by default (has worked great for us so far), and

5) Deny access to dial-access.att.net (and dialsprint.net, da.uu.net, pub-ip.psi.net, etc) which is what we're doing here just because we get so much spam directly from such dialup accounts these days.

Anyone have a list of legitimate outgoing SMTP servers for the big dialup companies (UUnet, PSI, Concentric, AT&T, Sprint, etc)? So far I haven't had any complaints about blocking stuff like da.uu.net, but I'd like to make sure that legitimate email can still get through.

-Robert Tarrall.-
System/Network Admin
E Central
On Mon, 21 Dec 1998, Robert Tarrall wrote:
> alex@nac.net wrote:
> -> some luser off of AT&T Dialup is using mailme.com (my domain) for relaying
> -> mail:
> You forgot:
>
> 4) Deny relaying, which sendmail 8.9.1a will do by default (has worked great for us so far), and
You didn't read the email thoroughly. A user dialed into ATT, sent thousands of emails to aol.com users, with a forged return-address of youarecool@mailme.com, which AOL bounces back to youarecool@mailme.com, which is a domain I own. Relaying on my machines has no bearing on this.
> 5) Deny access to dial-access.att.net (and dialsprint.net, da.uu.net, pub-ip.psi.net, etc) which is what we're doing here just because we get so much spam directly from such dialup accounts these days.
Still wouldn't fix it, as AOL is the one sending me the mails (bounces).
> Anyone have a list of legitimate outgoing SMTP servers for the big dialup companies (UUnet, PSI, Concentric, AT&T, Sprint, etc)? So far I haven't had any complaints about blocking stuff like da.uu.net, but I'd like to make sure that legitimate email can still get through.
That still wouldn't fix this problem, but I may do this separately.
> -Robert Tarrall.-
> System/Network Admin
> E Central
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Atheism is a non-prophet organization.  I route, therefore I am.
Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
Father of the Network and Head Bottle-Washer
Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone!  http://www.nac.net
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
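As an added illustration of the situation Alex describes (this is editorial example code, not anything posted by a participant in this thread), the check below separates such backscatter from bounces for mail that really left mailme.com: it pulls the returned copy of the "original" out of the bounce, whether it arrives as a DSN attachment or as headers pasted into a plain-text body, and looks for one of our own relays in that copy's Received: chain. A bounce whose returned original never passed "by" one of our relays is backscatter. The relay names in OUR_OUTBOUND_HOSTS, the AOL and example.net host names, the IP addresses and queue ids, and both sample messages are constructed for the example; only the AT&T dialup host name comes from the thread.

```python
# Added example: tell a legitimate bounce from backscatter by checking whether
# the "original message" the bounce returns ever passed through our own relays.
import email
import re
from email import policy
from email.message import EmailMessage

# Hosts that stamp "Received: ... by <host>" on mail we really sent.
# Assumed names for mailme.com; substitute the real outbound relays.
OUR_OUTBOUND_HOSTS = {"mail.mailme.com", "smtp.mailme.com"}

# A Received: header plus its folded continuation lines, in raw header text.
_RECEIVED_RE = re.compile(r"^Received:[ \t]*(.*(?:\n[ \t].*)*)", re.M | re.I)
# Every "by <host>" clause inside one Received: hop.
_BY_RE = re.compile(r"\bby[ \t]+([A-Za-z0-9.-]+)", re.I)

def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)

def _unfold(value: str) -> str:
    return re.sub(r"\s+", " ", value).strip()

def _received_from_text(text: str) -> list[str]:
    return [_unfold(m.group(1)) for m in _RECEIVED_RE.finditer(text)]

def original_received(bounce: EmailMessage) -> list[str]:
    """Received: values of the returned original, most recent hop first.
    Prefers a DSN attachment; falls back to headers pasted into a text body."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)  # the embedded original message
            return [_unfold(v) for v in inner.get_all("Received", [])]
        if ctype == "text/rfc822-headers":
            return _received_from_text(part.get_content())
    body = bounce.get_body(preferencelist=("plain",))
    return _received_from_text(body.get_content()) if body is not None else []

def classify_bounce(raw: bytes, envelope_sender: str = "",
                    our_hosts: set[str] = OUR_OUTBOUND_HOSTS) -> str:
    """Return 'not-a-bounce', 'unknown', 'legitimate' or 'backscatter'.
    envelope_sender is the SMTP MAIL FROM; a real DSN uses the null sender."""
    sender = envelope_sender.strip("<> ").lower()
    if sender and not sender.startswith(("mailer-daemon@", "postmaster@")):
        return "not-a-bounce"
    received = original_received(parse(raw))
    if not received:
        return "unknown"  # no copy of the original to inspect
    for hop in received:
        for host in _BY_RE.findall(hop):
            if host.lower().rstrip(".") in our_hosts:
                return "legitimate"  # one of our relays really handled it
    return "backscatter"

# Constructed DSN modelled on the thread: the "original" was injected from an
# AT&T dialup host claiming to be mailme.com. AOL host, IP and ids are made up.
BACKSCATTER = b"""\
From: Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
To: youarecool@mailme.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx1.aol.com

Final-Recipient: rfc822; nosuchuser@aol.com
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from mailme.com (146.st-louis-71-72rs.mo.dial-access.att.net [192.0.2.10])
    by mx1.aol.com (8.8.8/8.8.8) with SMTP id AAA12345
    for <nosuchuser@aol.com>; Mon, 21 Dec 1998 01:02:03 -0500
From: youarecool@mailme.com
To: nosuchuser@aol.com

--b1--
"""

# Constructed plain-text bounce for mail we really sent: our relay
# mail.mailme.com appears in a "by" clause of the pasted headers.
LEGIT = b"""\
From: Mail Delivery Subsystem <MAILER-DAEMON@example.net>
To: alice@mailme.com
Content-Type: text/plain

Your message to bob@example.net could not be delivered (user unknown).

Received: from mail.mailme.com (mail.mailme.com [192.0.2.20])
    by mx1.example.net (8.9.1/8.9.1) with ESMTP id BBB67890
    for <bob@example.net>; Mon, 21 Dec 1998 02:03:04 -0700
Received: from alice-pc.mailme.com (alice-pc.mailme.com [192.0.2.21])
    by mail.mailme.com (8.9.1a/8.9.1) with SMTP id CCC12345
    for <bob@example.net>; Mon, 21 Dec 1998 02:03:00 -0700
From: alice@mailme.com
To: bob@example.net
"""
```

Call classify_bounce(raw, envelope_sender) from the delivery agent or a filter with the SMTP MAIL FROM the bounce arrived with; "backscatter" results can be discarded or filed rather than landing in the forged user's mailbox. Two caveats: the returned copy is under the spammer's control, so a forged Received: line naming one of our relays would pass this check, which makes it a triage aid rather than proof; and it does nothing about humans replying to the forged address, which only a reject rule for that address handles. The durable fix is to tag the envelope sender of all outgoing mail (a BATV-style signed return path) so that bounces to any untagged address can be refused at SMTP time.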
On Mon, 21 Dec 1998, Robert Tarrall wrote:
> [...] A user dialed into ATT, sent thousands of emails to aol.com users, with a forged return-address of youarecool@mailme.com, which AOL bounces back to youarecool@mailme.com, which is a domain I own.
> Relaying on my machines has no bearing on this.
Someone did this to me about six months ago, and yes, there's nothing you can do to prevent the bounces from coming your way.

I used sendmail 8.9.1's access feature to cause *me* to bounce mail sent to the forged from address with code:

550 No such user; forged header address used by spammers

It didn't help me in the AOL case; they don't appear to be watching for double-bounces. It did help with recipients who tried to reply to the forged from address.

Stephen
On Mon, Dec 21, 1998 at 09:07:29AM -0700, Robert Tarrall wrote:
> 4) Deny relaying, which sendmail 8.9.1a will do by default (has worked great for us so far), and
> 5) Deny access to dial-access.att.net (and dialsprint.net, da.uu.net, pub-ip.psi.net, etc) which is what we're doing here just because we get so much spam directly from such dialup accounts these days.
If it's a forgery and the mail is not touching NAC.NET servers, neither step is useful, although relaying should be shut off and SMTP access denied from ISP dialup banks as a general rule.

--
Steve Sobol [sjsobol@nacs.net]
Part-time Support Droid [support@nacs.net]
NACS Spaminator [abuse@nacs.net]
Proud resident of Cleveland Heights, Ohio, the coolest place on earth.
http://www.ClevelandHeights.com
On Mon, 21 Dec 1998, Robert Tarrall wrote:
> alex@nac.net wrote:
> -> some luser off of AT&T Dialup is using mailme.com (my domain) for relaying
> -> mail:
> -> Received: from mailme.com (146.st-louis-71-72rs.mo.dial-access.att.net
> -> [...]
> -> He is sending thousands of emails to AOL users, who are then bouncing them
> -> to me.
> -> [...]
> -> Thinking about this, there is no solution; here are my options:
> ->
>
> You forgot:
>
> 4) Deny relaying, which sendmail 8.9.1a will do by default (has worked great for us so far), and
I almost said that, but then I read the header he posted. This wasn't a case of relaying...it's just "from address forgery". The same problem I posted about a week or two ago. Some moron sends out a few hundred thousand messages relayed through a variety of 3rd parties, claiming to be from idontexist@yourscrewed.com...yourscrewed.com being your domain. When the 3rd party relays fail to deliver tens of thousands of messages because the spammer bought a 3rd rate address list full of bogus addresses, guess where the bounces go?
> 5) Deny access to dial-access.att.net (and dialsprint.net, da.uu.net, pub-ip.psi.net, etc) which is what we're doing here just because we get so much spam directly from such dialup accounts these days.
And if you use a service like iPass, this becomes highly inconvenient for your customers unless you've set up a relay after pop3 hack.

----don't waste your cpu, crack rc5...www.distributed.net team enzo---
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or
 Network Administrator       |  nestea'd...whatever it takes
 Florida Digital Turnpike    |  to get the job done.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key________
participants (5)
- alex@nac.net
- Jon Lewis
- Robert Tarrall
- Stephen Stuart
- Steven J. Sobol