Mailing List SIMS@mail.stalker.com Message #7332
From: Tod Fitch <tod@LTFdesign.com>
Subject: Address harvesting and secondary servers (long post)
Date: Fri, 08 Dec 2000 08:20:35 -0800
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Sorry for the long post....

Background:
SIMS 1.8b8, secondary mail services are provided by barter with other users of SIMS.

What happened:
Some log file lines. Sorry about the length. I have added commentary:

19:14:31 1 SMTP-291(clipper.salem.mass.edu) SPAM? Recipient '<frank@ltfdesign.com>' rejected: user unknown
19:14:31 1 SMTP-290(clipper.salem.mass.edu) SPAM? Recipient '<rick@ltfdesign.com>' rejected: user unknown
19:14:31 1 SMTP-289(clipper.salem.mass.edu) SPAM? Recipient '<robert@ltfdesign.com>' rejected: user unknown
19:14:32 1 SMTP-292(clipper.salem.mass.edu) SPAM? Recipient '<gary@ltfdesign.com>' rejected: user unknown
19:14:33 1 SMTP-293(clipper.salem.mass.edu) SPAM? Recipient '<brian@ltfdesign.com>' rejected: user unknown
19:14:33 1 SMTP-293(clipper.salem.mass.edu) SPAM? The host is now on TempBanned list for the next 1200 seconds
19:14:34 1 SMTP-298([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:34 1 SMTP-299([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:35 1 SMTP-300([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:35 1 SMTP-301([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:36 1 SMTP-302([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:37 1 SMTP-304([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:38 1 SMTP-305([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:38 1 SMTP-306([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:40 1 SMTP-307([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:40 1 SMTP-308([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:40 1 SMTP-309([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:41 1 SMTP-310([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"

So far, so good. Now I have the number of SMTP lines set to a relatively low value because that is all I usually need. So we now get:

19:14:41 1 SMTP too many (10) lines already opened
19:14:41 1 SMTP(tcp) Rejecting Connection from [134.241.251.2:42653], seq=244. 4/5
19:14:42 1 SMTP-311([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:43 1 SMTP-312([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:43 1 SMTP-313([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:44 1 SMTP-314([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"

At which time my server stopped accepting new connections. Since the spammer could no longer connect to me, he connected to one of my secondary servers. That server has no knowledge of my individual accounts, so it simply queued the mail for forwarding. This resulted in:

19:14:53 1 SMTP-303(mail.laffeycomputer.com) SPAM? Recipient '<mike@ltfdesign.com>' rejected: user unknown
19:15:07 1 SMTP-315(mail.laffeycomputer.com) SPAM? Recipient '<chris@ltfdesign.com>' rejected: user unknown
19:15:09 1 SMTP-303(mail.laffeycomputer.com) SPAM? Recipient '<dan@ltfdesign.com>' rejected: user unknown
19:15:24 1 SMTP-315(mail.laffeycomputer.com) SPAM? Recipient '<ken@ltfdesign.com>' rejected: user unknown
19:15:25 1 SMTP-303(mail.laffeycomputer.com) SPAM? Recipient '<jeff@ltfdesign.com>' rejected: user unknown
19:15:25 1 SMTP-303(mail.laffeycomputer.com) SPAM? The host is now on TempBanned list for the next 1200 seconds
19:15:40 1 SMTP-315(mail.laffeycomputer.com) SPAM? Recipient '<jason@ltfdesign.com>' rejected: user unknown
19:15:40 1 SMTP-315(mail.laffeycomputer.com) SPAM? The host is now on TempBanned list for the next 1200 seconds
19:16:37 1 SMTP-316([216.162.115.3]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"

And now my server has temp banned my secondary. (Unfortunately I neglected to put the secondary's new IP address into my client host list. Or maybe fortunately....)

Now the spammer apparently overloaded the input to my "first" secondary mail server and started coming through the second one. By now his name generator finally hit a spam trap address.

19:17:24 1 SMTP-317(mail.ninewire.com) SPAM? address <david@ltfdesign.com> is a SpamTrap address
19:17:24 1 SMTP-317(mail.ninewire.com) SPAM? Mail from '<root@clipper.salem.mass.edu>' rejected: SpamTrap

The Problems and Questions:
1) By virtue of overloading my server, the spammer used up resources at the secondary servers. I feel bad that I dumped that load on the secondaries. What can/should I do to keep from dumping on the secondaries in the future?

2) Is there any way I can configure SIMS so that the secondary services I provide for others do not end up being a relay for an address harvesting event that overloads their connection limit? (I already use the mail-abuse.org blacklists to validate all connections received, including those for mail for which I am providing secondary services.)

Thanks for the patience with the long post.

Tod Fitch

ps: Here is a copy of headers of the spam that was trying to be sent. The only real looking address in the spam is a web site. No phone number or mailing address.

X-Persona: <Blacklist>
Return-Path: root@clipper.salem.mass.edu
Received: from clipper.salem.mass.edu ([134.241.251.2] verified) by adsl-63-192-216-68.dsl.snfc21.pacbell.net (Stalker SMTP Server 1.8b8) with ESMTP id S.0000024494 for <michael@ltfdesign.com>; Thu, 07 Dec 2000 19:14:53 -0800
Received: (from root@localhost)
by clipper.salem.mass.edu (2.1.1/8.9.1/Execmail 2.1) id WAA26254;
Thu, 7 Dec 2000 22:14:48 -0500 (EST)
Date: Thu, 7 Dec 2000 22:14:48 -0500 (EST)
Message-Id: <200012080314.WAA26254@clipper.salem.mass.edu>
To: michael@ltfdesign.com
From: fred@free.com
Subject: "Best Deals on New Cars and Trucks"
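Added example (not part of Tod's post or of SIMS itself): a small log analyser that replays the harvesting heuristic visible in the log above (N unknown-recipient rejections from one host, then a temp ban) and separates hosts that are our own secondary MX relays from true harvesting sources, since a ban on a relay cuts off legitimate backup mail and hides the real origin. The `secondaries` set and the threshold of 5 are assumptions; the sample lines are a subset retyped from the post.

```python
import re
from collections import Counter

# Sample SIMS 1.8 log lines retyped from the post (constructed subset, not a full log).
SAMPLE_LOG = """\
19:14:31 1 SMTP-291(clipper.salem.mass.edu) SPAM? Recipient '<frank@ltfdesign.com>' rejected: user unknown
19:14:31 1 SMTP-290(clipper.salem.mass.edu) SPAM? Recipient '<rick@ltfdesign.com>' rejected: user unknown
19:14:31 1 SMTP-289(clipper.salem.mass.edu) SPAM? Recipient '<robert@ltfdesign.com>' rejected: user unknown
19:14:32 1 SMTP-292(clipper.salem.mass.edu) SPAM? Recipient '<gary@ltfdesign.com>' rejected: user unknown
19:14:33 1 SMTP-293(clipper.salem.mass.edu) SPAM? Recipient '<brian@ltfdesign.com>' rejected: user unknown
19:14:33 1 SMTP-293(clipper.salem.mass.edu) SPAM? The host is now on TempBanned list for the next 1200 seconds
19:14:34 1 SMTP-298([134.241.251.2]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
19:14:41 1 SMTP too many (10) lines already opened
19:14:53 1 SMTP-303(mail.laffeycomputer.com) SPAM? Recipient '<mike@ltfdesign.com>' rejected: user unknown
19:15:07 1 SMTP-315(mail.laffeycomputer.com) SPAM? Recipient '<chris@ltfdesign.com>' rejected: user unknown
19:15:09 1 SMTP-303(mail.laffeycomputer.com) SPAM? Recipient '<dan@ltfdesign.com>' rejected: user unknown
19:15:24 1 SMTP-315(mail.laffeycomputer.com) SPAM? Recipient '<ken@ltfdesign.com>' rejected: user unknown
19:15:25 1 SMTP-303(mail.laffeycomputer.com) SPAM? Recipient '<jeff@ltfdesign.com>' rejected: user unknown
19:15:25 1 SMTP-303(mail.laffeycomputer.com) SPAM? The host is now on TempBanned list for the next 1200 seconds
19:16:37 1 SMTP-316([216.162.115.3]) SPAM? Host is in the Blacklist, "The host is suspected in address harvesting"
"""

# time, session counter, connecting host (name or [ip]), message after "SPAM?"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) \d+ SMTP-\d+\(([^)]+)\) SPAM\? (.*)$")


def analyze(log_text, secondaries, threshold=5):
    """Count unknown-recipient rejections per connecting host (the SIMS
    harvesting heuristic); hosts at or above `threshold` are suspects.
    Suspects that are our own secondary MX relays are reported separately:
    they only forwarded what the harvester sent them, and should normally be
    on the client host list so the ban never hits them."""
    unknown, blacklist_hits, tempbanned = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "too many (10) lines already opened"
        _ts, host, msg = m.groups()
        if msg.endswith("rejected: user unknown"):
            unknown[host] += 1
        elif msg.startswith("The host is now on TempBanned list"):
            tempbanned.append(host)
        elif msg.startswith("Host is in the Blacklist"):
            blacklist_hits[host] += 1
    suspects = {h for h, n in unknown.items() if n >= threshold}
    return {
        "harvesters": sorted(suspects - set(secondaries)),
        "secondaries_caught": sorted(suspects & set(secondaries)),
        "tempbanned": tempbanned,
        "blacklist_hits": dict(blacklist_hits),
    }
```

Running `analyze(SAMPLE_LOG, {"mail.laffeycomputer.com", "mail.ninewire.com"})` flags clipper.salem.mass.edu as the harvester and mail.laffeycomputer.com as a secondary that was banned for relaying the same burst.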

