OT: More Spam
bscott at ntisys.com
Wed Jan 22 09:05:19 EST 2003
On 22 Jan 2003, at 1:26am, pri.nhlug at iadonisi.to wrote:
> Some, I haven't even told anyone about, so there's no way anyone can know
> that I can (or expect to) receive email at them.
They have an MX record, which is all the spam robots need.
> The source ip also varies ...
By how much? Are they all within the same netblock?
> ... I'm not sure how to determine if it's spoofed or not.
You can't really spoof the source IP address of a TCP connection. (Well,
you can, but the TCP handshake will never complete, making it rather
useless.) You can hijack someone else's IP address or machine, which has
much the same effect, as far as you're concerned. It leaves more evidence
at the other end, but that likely doesn't help you much.
> It's highly likely that the domain name is spoofed.
Almost certainly.
> Looks like I found an email address harvester. What I'm wondering, now,
> is how do you defend against this crap?
It depends.
Organizations who never (or rarely) communicate with anyone overseas often
just block any mail exchanger with an IP address in Asia.
There are systems out there that use heuristics to auto-detect harvesters
and auto-block IP addresses or netblocks. Sounds like overkill for your
situation.
If you suspect you might want to communicate with anyone you blacklist,
you could set up an auto-responder opt-in whitelist robot (just use caution
with combining such with mailing list subscriptions and other robots --
mail loops and PO'd postmasters can result).
> (And from a legal or ethical perspective, would it be better to just
> remove the mx record altogether?)
That is what I would do.
However, be aware that if a domain does not have an MX record, but does
have an A record, the RFCs say that a mail exchanger should try to connect
to the IP address of the A record.
> Anyhow, I'm hoping someone on this list can offer some help in tracking
> this low-life down.
All you can do to prosecute an attacker is to track the netblocks using
WHOIS and attempt to contact the operator of the systems/networks from which
the attacks originate.
> Anybody out there have experience tracking spammers?
news:net.admin.net-abuse.email (NANAE)
http://www.nanae.org
http://www.spamfaq.net
http://www.abuse.net (Network Abuse Clearinghouse)
http://www.cauce.org (The Coalition Against Unsolicited Commercial Email)
http://www.spamcop.net
http://www.spamhaus.org
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
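As an added illustration of the MX-versus-A-record behaviour described above (this is not part of the original message or list), here is a small Python model of how a sending MTA picks the hosts it will try for a domain. The zone data, domain names and addresses are constructed stand-ins for DNS so the code runs offline; the function is not a real resolver. It also handles the later RFC 7505 "null MX" record (a single MX with preference 0 and exchange "."), which postdates this 2003 thread and is the modern way to declare that a domain accepts no mail, instead of deleting the MX and relying on the A-record fallback.

```python
# Added example: how an MTA chooses delivery hosts for a domain, following the
# MX lookup rules the message describes (RFC 2821 section 5, now RFC 5321).
# The "zone" argument is a constructed stand-in for DNS so the code runs
# offline; it is not a real resolver.

from typing import Dict, List, Tuple

# Constructed DNS data (hypothetical names and addresses, not from the thread).
# Each domain maps to a list of (rrtype, value) tuples; MX values are
# (preference, exchange) pairs.
CONSTRUCTED_ZONE: Dict[str, List[Tuple[str, object]]] = {
    "example.test": [("MX", (10, "mx1.example.test")),
                     ("MX", (20, "mx2.example.test")),
                     ("MX", (10, "mx0.example.test")),
                     ("A", "192.0.2.10")],
    # No MX record at all, but an A record: RFC 5321 says treat the A record
    # as an implicit MX with preference 0, so mail is still delivered here.
    "aonly.test": [("A", "192.0.2.20")],
    # Null MX (RFC 7505, later than this thread): a single MX with
    # preference 0 and exchange "." means the domain accepts no mail at all,
    # even though an A record exists.
    "nomail.test": [("MX", (0, ".")), ("A", "192.0.2.30")],
    # Neither MX nor A: the sender has nowhere to deliver.
    "nothing.test": [],
}


def mail_exchangers(domain: str, zone=CONSTRUCTED_ZONE) -> List[str]:
    """Return the hosts an MTA would try for `domain`, in delivery order.

    Rules applied:
      * MX records sorted by ascending preference (lowest tried first);
        equal preferences keep lookup order here, a real MTA randomises them.
      * No MX but an A record -> the domain name itself (implicit MX).
      * Null MX (0 ".")       -> empty list, the domain refuses mail.
      * Nothing at all        -> empty list.
    """
    records = zone.get(domain, [])
    mx = [value for rrtype, value in records if rrtype == "MX"]
    has_a = any(rrtype == "A" for rrtype, _ in records)

    if mx:
        if len(mx) == 1 and mx[0] == (0, "."):
            return []  # null MX: explicitly no mail service
        # sorted() is stable, so equal-preference records keep their order
        return [exchange for _, exchange in sorted(mx, key=lambda m: m[0])]
    if has_a:
        return [domain]  # implicit MX derived from the A record
    return []


def accepts_mail(domain: str, zone=CONSTRUCTED_ZONE) -> bool:
    """True when a sending MTA has at least one host to deliver to."""
    return bool(mail_exchangers(domain, zone))


if __name__ == "__main__":
    for name in CONSTRUCTED_ZONE:
        print(f"{name:14} -> {mail_exchangers(name) or 'no delivery path'}")
```

The point to take from `aonly.test` is the one made in the reply: dropping the MX record alone does not stop inbound mail while an A record remains, so a harvester's SMTP connections will simply land on the host behind the A record.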