gnhlug-discuss digest, Vol 1 #296 - 15 msgs

Bruce Dawson jbd at codemeta.com
Wed Jan 22 11:30:41 EST 2003


This is happening to the servers hosting GNHLUG. Same scenario - every 
2 hours or so and all from john at ... And he seems to come from open relays.

I've had to firewall out some of the relays he's been using, but he's still
chewing up megabytes/day in log files. I'll have to put another disk on that
system soon.

If this happens much longer, I'm going to have to get out the baseball bat.

> Subject: OT: More Spam
> From: Paul Iadonisi
> To: Greater New Hampshire LUG
> Date: 22 Jan 2003 01:26:32 -0500
> 
>   So I have a bunch of domains, many of which I don't currently use. 
> Some, I haven't even told anyone about, so there's no way anyone can
> know that I can (or expect to) receive email at them.  Early Tuesday, I
> did my occasional check of my sendmail logs and found something I had
> missed.  
>   Since January 11 about every two hours, someone connects to my
> sendmail port and checks for about 30 random email addresses (presumably
> with the 'rcpt to:' smtp command).  It's been getting slightly more
> frequent, now at about every hour and forty minutes.  The 'mail from:'
> value is always john at domain.name where domain.name varies at every
> attempt.  The source ip also varies, but I'm not sure how to determine
> if it's spoofed or not.  It's highly likely that the domain name is
> spoofed.
>   Well, since I only host a few email accounts, none of john@'s guesses
> have had a hit, so no spam has actually been received.  Rather than hunt
> down a bunch of IPs through arin.net and friends (though I did check one
> of them -- surprise, surprise, it's in China), I figured I'd set up
> sendmail virtual hosting to capture anything to my domain and direct it
> to a single valid email address so that I can have a little more to go
> on.
>   Lo and behold, the spammer isn't spamming...at the moment at least. 
> The attempt came in an hour and forty minutes after the last one like
> clockwork.  And, as expected, there were no 'User unknown' messages in
> my maillog, but no email actually got delivered (yes, I did test it).
>   Looks like I found an email address harvester.  What I'm wondering,
> now, is how do you defend against this crap?  As a temporary solution,
> since I don't currently use the domain for anything, I've set my mx
> record to 127.0.0.1, but I can't obviously do that with a domain that is
> in use.  (And from a legal or ethical perspective, would it be better to
> just remove the mx record altogether?)
>   I'm just so fed up.  I'm beginning to think that Barry Shein of The
> World is right: however depressed we are about spam, we need to be more
> depressed.  The spammers are winning.  I've been looking at various spam
> defenses, argued about open relays, talked about to-rbl-or-not-to-rbl
> until I've been blue in the face.  Spamassassin does about 11,000
> checks.  That's absurd!
>   Anyhow, I'm hoping someone on this list can offer some help in
> tracking this low-life down.  There's probably not too much time left as
> he's used domain names beginning with a through g and I expect that once
> he gets from h through z done, it might stop.  Still, that probably
> gives me about two weeks, given the current frequency.  Anybody out
> there have experience tracking spammers?


-------------------------------------------------
This mail sent through IMP: www.milessmithfarm.net
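The probing pattern described in the thread (one SMTP session trying a batch of recipients, each rejected with 'User unknown', from a sender of the form john@<varying domain>) can be picked out of a sendmail log. The following is an added detection example, not code from either poster; it assumes sendmail-style syslog lines where a queue id ties the "User unknown" rejections to the envelope "from=" line, and the log excerpt below is constructed.

```python
import re

# Constructed sendmail-style maillog excerpt (not from the page): two probing
# sessions that each try several recipients, plus one ordinary mistyped address.
SAMPLE_LOG = """\
Jan 22 01:26:32 mx sendmail[5120]: h0M6QWJ5005120: <alice@example.net>... User unknown
Jan 22 01:26:32 mx sendmail[5120]: h0M6QWJ5005120: <bob@example.net>... User unknown
Jan 22 01:26:33 mx sendmail[5120]: h0M6QWJ5005120: <carol@example.net>... User unknown
Jan 22 01:26:33 mx sendmail[5120]: h0M6QWJ5005120: <dave@example.net>... User unknown
Jan 22 01:26:34 mx sendmail[5120]: h0M6QWJ5005120: from=<john@abc.example>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Jan 22 02:15:40 mx sendmail[5310]: h0M7FeJ5005310: from=<pat@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.com [203.0.113.5]
Jan 22 02:15:40 mx sendmail[5310]: h0M7FeJ5005310: <typo@example.net>... User unknown
Jan 22 03:06:12 mx sendmail[5477]: h0M86CJ5005477: <erin@example.net>... User unknown
Jan 22 03:06:12 mx sendmail[5477]: h0M86CJ5005477: <frank@example.net>... User unknown
Jan 22 03:06:13 mx sendmail[5477]: h0M86CJ5005477: <grace@example.net>... User unknown
Jan 22 03:06:13 mx sendmail[5477]: h0M86CJ5005477: <heidi@example.net>... User unknown
Jan 22 03:06:14 mx sendmail[5477]: h0M86CJ5005477: from=<john@def.example>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
"""

# Queue id, envelope sender and relay IP from the per-envelope "from=" line.
FROM_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=<([^>]*)>.*relay=.*?\[([\d.]+)\]")
# Queue id and rejected recipient from a "User unknown" line.
UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (\w+): <([^>]+)>\.\.\. User unknown")

def detect_harvest(log_text, threshold=4):
    """Group lines by queue id (one SMTP transaction) and flag transactions
    that had at least `threshold` recipients rejected as unknown."""
    sessions = {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            qid, sender, relay = m.groups()
            s = sessions.setdefault(qid, {"sender": None, "relay": None, "unknown": []})
            s["sender"], s["relay"] = sender, relay
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            qid, rcpt = m.groups()
            s = sessions.setdefault(qid, {"sender": None, "relay": None, "unknown": []})
            s["unknown"].append(rcpt)
    return [{"qid": q, "relay": s["relay"], "sender": s["sender"], "unknown": len(s["unknown"])}
            for q, s in sessions.items() if len(s["unknown"]) >= threshold]

def shared_sender_localpart(alerts):
    """Return the local part if every flagged sender uses the same one
    (the john@<varying domain> pattern from the thread), else None."""
    parts = {a["sender"].split("@")[0] for a in alerts if a["sender"]}
    return parts.pop() if len(parts) == 1 else None
```

The relay IPs of flagged transactions are what you would feed into a firewall rule or a complaint to the relay's operator; the single mistyped address from 203.0.113.5 stays below the threshold.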


