OT: More Spam
Paul Iadonisi
pri.nhlug at iadonisi.to
Wed Jan 22 01:26:32 EST 2003
So I have a bunch of domains, many of which I don't currently use.
Some, I haven't even told anyone about, so there's no way anyone can
know that I can (or expect to) receive email at them. Early Tuesday, I
did my occasional check of my sendmail logs and found something I had
missed.

Since January 11 about every two hours, someone connects to my
sendmail port and checks for about 30 random email addresses (presumably
with the 'rcpt to:' smtp command). It's been getting slightly more
frequent, now at about every hour and forty minutes. The 'mail from:'
value is always john at domain.name where domain.name varies at every
attempt. The source ip also varies, but I'm not sure how to determine
if it's spoofed or not. It's highly likely that the domain name is
spoofed.

Well, since I only host a few email accounts, none of john@'s guesses
have had a hit, so no spam has actually been received. Rather than hunt
down a bunch of IPs through arin.net and friends (though I did check one
of them -- surprise, surprise, it's in China), I figured I'd set up
sendmail virtual hosting to capture anything to my domain and direct it
to a single valid email address so that I can have a little more to go
on.

Lo and behold, the spammer isn't spamming...at the moment at least.
The attempt came in an hour and forty minutes after the last one like
clockwork. And, as expected, there were no 'User unknown' messages in
my maillog, but no email actually got delivered (yes, I did test it).

Looks like I found an email address harvester. What I'm wondering,
now, is how do you defend against this crap? As a temporary solution,
since I don't currently use the domain for anything, I've set my mx
record to 127.0.0.1, but I obviously can't do that with a domain that is
in use. (And from a legal or ethical perspective, would it be better to
just remove the mx record altogether?)

I'm just so fed up. I'm beginning to think that Barry Shein of The
World is right: however depressed we are about spam, we need to be more
depressed. The spammers are winning. I've been looking at various spam
defenses, argued about open relays, talked about to-rbl-or-not-to-rbl
until I've been blue in the face. Spamassassin does about 11,000
checks. That's absurd!

Anyhow, I'm hoping someone on this list can offer some help in
tracking this low-life down. There's probably not too much time left as
he's used domain names beginning with a through g and I expect that once
he gets from h through z done, it might stop. Still, that probably
gives me about two weeks, given the current frequency. Anybody out
there have experience tracking spammers?
--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
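A defender-side check for the probing pattern described in the post, added here as an example and not the poster's own code: it parses sendmail's 'User unknown' rejections out of a maillog and flags any relay that hits several distinct unknown recipients within a short window, which is what a directory harvester looks like and a mistyped address does not. The sample log lines, the year 2003 used to complete the syslog timestamps, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sendmail maillog lines (not from the original post): one relay
# probes six addresses in half a minute, another merely mistypes one address.
SAMPLE_LOG = """\
Jan 21 03:14:01 mx sendmail[2201]: h0L8E1aa002201: ruleset=check_rcpt, arg1=<alice@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <alice@example.org>... User unknown
Jan 21 03:14:06 mx sendmail[2201]: h0L8E1aa002201: ruleset=check_rcpt, arg1=<bob@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <bob@example.org>... User unknown
Jan 21 03:14:11 mx sendmail[2201]: h0L8E1aa002201: ruleset=check_rcpt, arg1=<carol@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <carol@example.org>... User unknown
Jan 21 03:14:17 mx sendmail[2201]: h0L8E1aa002201: ruleset=check_rcpt, arg1=<dave@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <dave@example.org>... User unknown
Jan 21 03:14:22 mx sendmail[2201]: h0L8E1aa002201: ruleset=check_rcpt, arg1=<erin@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <erin@example.org>... User unknown
Jan 21 03:14:28 mx sendmail[2201]: h0L8E1aa002201: ruleset=check_rcpt, arg1=<frank@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <frank@example.org>... User unknown
Jan 21 09:02:44 mx sendmail[2390]: h0LE2iaa002390: ruleset=check_rcpt, arg1=<pual@example.org>, relay=smtp.example.net [198.51.100.7], reject=550 5.1.1 <pual@example.org>... User unknown
"""

# Matches sendmail's check_rcpt rejection line; the relay field may carry a
# hostname plus bracketed address, so it is read up to the next comma.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: .*?"
    r"relay=(?P<relay>[^,]+), reject=550 5\.1\.1 <(?P<rcpt>[^>]+)>\.\.\. User unknown"
)

def parse_rejects(log_text, year=2003):
    """Yield (timestamp, relay, recipient) per 'User unknown' rejection.
    Syslog timestamps carry no year, so one is assumed (2003 fits the post)."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            stamp = " ".join(m["ts"].split()) + f" {year}"
            yield datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), m["relay"].strip(), m["rcpt"].lower()

def find_harvesters(log_text, min_distinct=5, window_seconds=600):
    """Flag relays with >= min_distinct distinct unknown recipients inside one
    sliding window. Returns {relay: (distinct_in_window, total_rejects)}."""
    by_relay = defaultdict(list)
    for ts, relay, rcpt in parse_rejects(log_text):
        by_relay[relay].append((ts, rcpt))
    flagged = {}
    for relay, events in by_relay.items():
        events.sort()
        best, j = 0, 0
        for i in range(len(events)):
            while (j < len(events)
                   and (events[j][0] - events[i][0]).total_seconds() <= window_seconds):
                j += 1
            best = max(best, len({r for _, r in events[i:j]}))
        if best >= min_distinct:
            flagged[relay] = (best, len(events))
    return flagged

if __name__ == "__main__":
    for relay, (distinct, total) in find_harvesters(SAMPLE_LOG).items():
        print(f"{relay}: {distinct} distinct unknown recipients ({total} rejects)")
```

Feeding a real maillog through `parse_rejects` also gives the per-relay timestamps needed to confirm the roughly hundred-minute cadence the post describes.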