Mailing List SIMS@mail.stalker.com Message #12927
From: Global Homes Webmaster <webmaster@globalhomes.com>
Subject: Re: how'd this get through?
Date: Fri, 2 May 2003 11:01:32 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Mailsmith 1.5.4 (Blindsider)
On 05/01/03 at 23:19, Charles Mangin opined:

> another question for you and the list, though on a different tack:
>
> i have a couple of spammers (or the same one, using different relays)
> trying a really extensive "dictionary attack" every hour or so on my
> server. they try to send in batches of about 50 from different IPs in
> the same couple of /16 blocks, so i've already blackholed both blocks -
> though they got auto-blocked after the first 3 or 4 bad addresses in
> each batch.
>
> i figured the blackholing, plus a couple of increasingly nasty emails
> to the admin contacts at the ISPs (one in greece and the other in
> italy, i think) with a week's worth of log traces would have gotten
> somebody the hint that their attempts are futile. but no, the attempts
> continue, if anything with increased regularity - it's been almost a
> month and they're not even through the 'A's in their lists.

The first rule of fighting spam: Most spammers are not terribly bright.
Your spammer may or may not actually be watching his logs to know that
you're rejecting his spewage. Even if he is, he probably doesn't care
since, for the most part, it doesn't impact his system. He's using other
people's network resources to deliver his spewage.

The admins of the networks that he's abusing as relays are a different
story. In my experience, abuse complaints to Italian and Greek net admins
usually fall on deaf ears. I don't even try any more. If I see more than
one or two spams coming through the same net block in that part of the
world, it will almost certainly be blacklisted on my SIMS server for 4-6
months (depending on my mood at the time).

> so... my question is, what can i do, past blackholing them? their
> messages all bounce, and nothing is getting through to an end-user, but
> they're still filling up my logs with their failed spam. it's still
> taking bandwidth to/from my server to receive and bounce all these
> messages, and i pay by the bandwidth i use.

This is one reason why spam is so insidious -- it uses the victims'
resources. In this case, though, it's not really using all that much of
your bandwidth. Since you've got the IP blocks blacklisted, the connection
attempts are being rejected before anything is actually sent to your
server. A rejection message is sent to the sending MTA as part of an SMTP
response. Any bounce message sent back to the sender will be generated and
sent by the other MTA, using its own CPU and bandwidth, not yours.

> i'm considering asking my ISP to block the netblocks at their router,
> which they'll probably do for me, if they can show the same kinds of
> spam on their own servers (these guys are pretty adamant about spam,
> and i'm catching on as to why)

Blocking at your or your ISP's router or firewall is the next line of
defense after blacklisting on the mail server. It will certainly be more
effective in that the unwanted traffic is not allowed into your network to
begin with.

--
                   Christopher Bort | cbort@globalhomes.com
            Webmaster, Global Homes | webmaster@globalhomes.com
                      <http://www.globalhomes.com/>
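
Added example, not part of the original message and not SIMS code: the dictionary attack described in this thread arrives from many IPs inside the same /16 blocks, so this script groups rejected recipients by /16 to show which netblocks are candidates for blacklisting. The log format, the thresholds and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a made-up log format (not SIMS's real log syntax).
SAMPLE_LOG = """\
11:00:01 10.20.1.5 RCPT <aaron@example.com> 550 unknown user
11:00:02 10.20.1.5 RCPT <abby@example.com> 550 unknown user
11:00:03 10.20.77.9 RCPT <abe@example.com> 550 unknown user
11:00:04 10.20.77.9 RCPT <abel@example.com> 550 unknown user
11:00:05 10.20.140.2 RCPT <abner@example.com> 550 unknown user
11:00:06 10.20.140.2 RCPT <abram@example.com> 550 unknown user
11:02:10 192.0.2.55 RCPT <charles@example.com> 250 ok
11:02:11 192.0.2.55 RCPT <charels@example.com> 550 unknown user
11:05:00 10.31.8.8 RCPT <ada@example.com> 550 unknown user
11:05:01 10.31.9.1 RCPT <adam@example.com> 550 unknown user
"""

LINE_RE = re.compile(
    r"^\S+ (?P<ip>\d+\.\d+\.\d+\.\d+) RCPT <(?P<rcpt>[^>]+)> (?P<code>\d{3}) "
)

def rejected_by_block(log_text, prefix_len=16):
    """Map each source netblock to the hosts and bad recipients seen from it."""
    blocks = defaultdict(lambda: {"hosts": set(), "rcpts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["code"] != "550":
            continue  # skip accepted recipients and unparseable lines
        net = ipaddress.ip_network(f"{m['ip']}/{prefix_len}", strict=False)
        blocks[str(net)]["hosts"].add(m["ip"])
        blocks[str(net)]["rcpts"].add(m["rcpt"].lower())
    return blocks

def dictionary_attack_blocks(log_text, min_rcpts=5, min_hosts=2):
    """Return netblocks whose hosts together probed many nonexistent addresses."""
    return sorted(
        net for net, seen in rejected_by_block(log_text).items()
        if len(seen["rcpts"]) >= min_rcpts and len(seen["hosts"]) >= min_hosts
    )

if __name__ == "__main__":
    for net in dictionary_attack_blocks(SAMPLE_LOG):
        print("candidate for blacklisting:", net)
```

No single host in the sample sends more than two bad addresses, so a per-IP counter would stay quiet while the /16 total exposes the pattern; the lone typo from 192.0.2.55 is not flagged.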