Mailing List SIMS@mail.stalker.com Message #6368
From: Tod Fitch <tod@LTFdesign.com>
Subject: Re: spam via mx secondary
Date: Sun, 2 Jul 2000 09:57:01 -0700
To: SIMS Discussions <SIMS@mail.stalker.com>
I am not really sure what is happening here, but I will give it a try.... My comments are embedded within your original post.

Tod Fitch

At 12:00 PM +1000 7/2/00, Nick Quinn wrote:
hi,

I have just installed SIMS 1.8b8:

> 10:23:20 1 SMTP-768(postoffice.telstra.net) SPAM? Recipient'<MuratSex@email.tc>' rejected: sending host is blacklisted

> 10:23:21 1 SMTP-788([203.50.1.76]) SPAM? Host is in the Blacklist

> 10:23:21 2 SMTP-788([203.50.1.76]) SPAM? Host is banned for another 402 seconds


When my SIMS 1.8b8 rejects mail because of an RBL lookup it logs which server (DUL, RELAY, etc.) it found the miscreant in. I don't see that here, so I assume you have either placed 203.50.1.76 in your blacklisted hosts list (unlikely) or (as confirmed by the last line above) the host is being placed in the blacklist because it has tried multiple times in a short interval to send you mail to an unknown user.

As of 1.8b8, SIMS has an anti-"account name harvesting" feature where attempts to detect good mail account names by sending mail to random names and seeing which ones work trigger adding the sending host to the local blacklist. This sounds like what happened. (I don't remember the exact setup, but basically SIMS remembers the time and host for each attempt to send mail to an unknown account. Too many attempts in too short a time triggers the blacklisting. After a period of no problems, the host is removed from the blacklist.)


"postoffice.telstra.net" is our secondary mx server!

"MuratSex@email.tc" does not exist (we own and operate the domain "email.tc").

"203.50.1.76" is "postoffice.telstra.net"

it appears that we have chosen a "bad" secondary.

what will happen when we become available after an outage? will we reject our own mail?

later I noticed:

> 10:23:57 1 SMTP-806(mts1.internic.net) SPAM? Recipient '<MustafaSexBomb@email.tc>' rejected: sending host is blacklisted
> 10:23:59 1 SMTP-808([198.41.1.234]) SPAM? Host is in the Blacklist
> 10:23:59 2 SMTP-808([198.41.1.234]) SPAM? Host is banned for another 100 seconds

looks a bit like they are using both our secondary mx and internic.net (internic.net= 198.41.1.234), or is this what is called "spoofing"?

...'spose it's a bad time of the year to be asking our colonial brethren :-)


I ran into a problem after an outage where my secondary was added to the local blacklist because there were a number of occurrences of mail to an unknown user that it tried to forward in a short amount of time. My solution was to add the secondary mail server's IP address to the client hosts list.

I hope this helps.

Tod Fitch
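The failure mode discussed above (a secondary MX relaying a harvester's guesses and getting banned as if it were the harvester) and the workaround (exempting the secondary's address) as an added, constructed model; this is not SIMS code, and the thresholds, class and function names are assumptions, not SIMS' real settings:

```python
from collections import deque

# Constructed thresholds (assumptions, not SIMS' real settings): ban a host after
# MAX_UNKNOWN attempts to unknown recipients within WINDOW seconds, for BAN_SECONDS.
MAX_UNKNOWN = 3
WINDOW = 60
BAN_SECONDS = 600


class HarvestGuard:
    """Per-host sliding-window count of unknown-recipient attempts, a temporary
    blacklist, and an exemption list for trusted relays such as a secondary MX."""

    def __init__(self, local_users, trusted_hosts=()):
        self.local_users = set(local_users)
        self.trusted = set(trusted_hosts)
        self.attempts = {}      # host -> deque of timestamps of unknown-user attempts
        self.banned_until = {}  # host -> time at which its ban expires

    def banned_for(self, host, now):
        """Seconds of ban remaining for host; 0 when it is not banned."""
        return max(0, self.banned_until.get(host, 0) - now)

    def rcpt(self, host, recipient, now):
        """Verdict for one RCPT TO: 'accept', 'unknown user' or 'blacklisted'."""
        if host not in self.trusted and self.banned_for(host, now) > 0:
            return "blacklisted"
        if recipient in self.local_users:
            return "accept"
        if host in self.trusted:
            return "unknown user"  # bounce it, but never count it against the relay
        q = self.attempts.setdefault(host, deque())
        q.append(now)
        while q and now - q[0] > WINDOW:  # forget attempts older than the window
            q.popleft()
        if len(q) >= MAX_UNKNOWN:
            self.banned_until[host] = now + BAN_SECONDS
        return "unknown user"


def simulate(trusted):
    """Replay constructed traffic like the log in the message: a harvester sends
    to invented names through the secondary MX, then a real user's mail follows.
    Returns the verdict on that legitimate message."""
    g = HarvestGuard(local_users={"nick@email.tc"}, trusted_hosts=trusted)
    mx = "203.50.1.76"  # postoffice.telstra.net, the secondary from the message
    for i, name in enumerate(["guess1", "guess2", "guess3"]):
        g.rcpt(mx, f"{name}@email.tc", now=100 + i)
    return g.rcpt(mx, "nick@email.tc", now=104)
```

`simulate(trusted=())` returns `"blacklisted"` (your own relayed mail bounces after the outage), while `simulate(trusted={"203.50.1.76"})` returns `"accept"`, which is the effect of putting the secondary in the client hosts list.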
