Mailing List SIMS@mail.stalker.com Message #14077
From: Howard Shere <hshere@greendragon.com>
Subject: Re: Spam Attack?
Date: Wed, 17 Dec 2003 14:52:09 -0600
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Microsoft Outlook Express Macintosh Edition - 4.5 (0410)
>>Received: from [61.11.84.56] (HELO asia) by watervalley.net (Stalker SMTP
>>Server 1.8b8) with ESMTP id S.0076377894 for <riddell_41@flashmail.com>;
>>Tue, 16 Dec 2003 03:09:27 -0600
>
> That's very disturbing.
>
> I know you are a contender for the largest SIMS site in the world,
> but is there any hope at all of turning up the logging all the way
> for SMTP and the router to capture the details on these? I see that
> your MX is now listed at SpamCop, but unfortunately SpamCop has gone
> insane and is no longer yielding any useful information with their
> listings.

contender?

I think I am the undefeated champion.

Our setup changed a few months ago and SIMS now sends all mail out through a
linux machine running postfix. This allows us to filter all outgoing mail to
stop sending spam to the internet (in theory).

We use header_checks and body_checks to discard (i.e., not generate a
bounce) and we have now discarded 450,000+ of these stupid messages (which
are all the same...some human grth horm thing).

We will try changing to kx100.net = error and see what that does to our
bandwidth and processing. I was under the impression that it would generate
a bounce message in our mail queue and make SIMS unhappy, but if it won't
then it is better than the discard on the way out system.

>
> My top suspicion is that you have a cracked account that is (in this
> case) being abused by someone on a DSL line in India. Hunting that
> down really requires deep logging, because you have to capture the
> AUTH part of the session to know for sure that this is happening. If
> you have POP-before-SMTP relay access turned on, you also need to
> look at POP sessions. Spammers in the past couple of months have
> taken to attacking machines that relay for authorized users by
> running password-guessing attacks, most visibly on role accounts like
> 'postmaster.'

This is what we thought as well, but I turned off AUTH advertising and SMTP
after POP.

Does AUTH work even if it is not advertised? Could that be the problem?

>
> If all of these are coming from particularly scummy parts of the net
> (61.0.0.0/8 unfortunately qualifies, as does most other space
> allocated via APNIC) from which you get nothing you want, you can
> probably safely just wall those areas off from your network.
> Blacklisting them in SIMS won't work if they are hitting a cracked
> account, you would need to use whatever you use as a firewall to
> block packets aimed at port 25 from the source networks. If ignoring
> large chunks of Asia is not feasible, you might still get some
> success from blocking smaller chunks around the bad actors that you
> can identify, for example 61.11.0.0/17 is DishnetDSL in India, a
> network that sources a lot of bad traffic and almost certainly no
> mail that you want.

I understand and I am trying to avoid that, but I may have no choice.

_________________________________________________________________________
New Game For MacOS 8.6, 9, and X --> http://lastcontact.greendragon.com/
_________________________________________________________________________
Howard Shere       |  Green Dragon Creations  |  Water Valley Interchange
President          |  301 N. Main St.         |  P.O. Box 70
Software Sculptor  |  Water Valley, MS 38965  |  Water Valley, MS 38965
                   |  hshere@greendragon.com  |  hshere@watervalley.net
                   |  www.greendragon.com     |  www.watervalley.net
                   |  1-662-473-4225          |  1-662-473-9209
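As an added example (not part of this thread, SIMS, or Postfix), a small Python triage helper that parses a Received line in the Stalker SMTP Server format quoted at the top of this message and flags sources that fall inside the network ranges named in the discussion; the sample header and the network label are constructed from the text above.

```python
import re
import ipaddress

# Constructed sample, modelled on the Received line quoted in the thread
# (a Stalker SMTP Server / SIMS header, unfolded onto one line here).
SAMPLE_RECEIVED = (
    "Received: from [61.11.84.56] (HELO asia) by watervalley.net "
    "(Stalker SMTP Server 1.8b8) with ESMTP id S.0076377894 "
    "for <riddell_41@flashmail.com>; Tue, 16 Dec 2003 03:09:27 -0600"
)

# Networks named in the discussion; 61.11.0.0/17 is cited there as DishnetDSL.
SUSPECT_NETWORKS = {
    "61.11.0.0/17": "DishnetDSL (India), cited in the thread",
}

# Field layout of a SIMS-style Received header: from [ip] (HELO name) by host
# (mta) with proto id X for <rcpt>; date
SIMS_RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>[0-9.]+)\]\s+\(HELO\s+(?P<helo>\S+)\)\s+"
    r"by\s+(?P<by>\S+)\s+\((?P<mta>[^)]*)\)\s+with\s+(?P<proto>\S+)\s+"
    r"id\s+(?P<id>\S+)\s+for\s+<(?P<rcpt>[^>]+)>;\s*(?P<date>.+)$"
)

def parse_sims_received(line):
    """Return a dict of the fields of a SIMS-style Received header, or None."""
    m = SIMS_RECEIVED_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_source(ip_text, networks=SUSPECT_NETWORKS):
    """Return the label of the first suspect network containing ip_text, else None."""
    ip = ipaddress.ip_address(ip_text)
    for cidr, label in networks.items():
        if ip in ipaddress.ip_network(cidr):
            return label
    return None

def triage(line):
    """Parse one Received line and annotate it with the checks a defender would run."""
    fields = parse_sims_received(line)
    if fields is None:
        return None
    fields["suspect"] = classify_source(fields["ip"])
    # A bare, non-FQDN HELO (here "asia") is a common trait of spam clients.
    fields["bare_helo"] = "." not in fields["helo"]
    return fields

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECEIVED).items():
        print(f"{key:>9}: {value}")
```

Run over real SIMS logs, the same parser lets you group relayed messages by source address and HELO, which is the first step the reply above asks for before deciding on a firewall block.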
