Re: Having been open relay for a moment
Anton Zinoviev <anton@lml.bas.bg> writes:
> 1. The spammers continue attempts to use lml.bas.bg as a relay. As a
> result exim generates about 50Mb log files per hour. How can I stop
> exim from logging messages like ".... refused relay to ..."?
Any patterns in the attackers? One of the options is that it's a small
select group of IP#s or netblocks repeatedly hitting you; if so, you can
form a few reports to relevant ISPs, and/or dump them all in a firewall
chain. (If not, you're screwed :8)
> 2. It is possible that in the queues of exim there are still some
> spams. How can I remove them?
How big are your queues? You might find the -Mvb (view bodies), -Mvh (view
headers), -Mrm (guess) options useful - again, find a way to identify these
things, involving find, grep and then
| awk 'NF>=3 {print $3}' | xargs exim -Mrm
to remove them by exim-message-id.
> 3. In the log-files of exim I have a huge list of e-mail addresses of
> spammers (such as adam2971007@yahoo.com). Can I do something useful
> with them?
Very little, I would've thought. Chances are those are either
a) victims' addresses;
b) generated semi-random crap (look for adam297100*8*, et seq).
In the (rather smaller) logs I get, I see semi-random looking email
addresses bearing no resemblance to the real world; the only thing I do
*occasionally* see is a slight overlap of a few letters with usernames that
have originated on this box.
Attempted relaying to `user@asdfdf.asfdfds' isn't likely to do anyone any
good.
I'd say you should analyse them and look what's most likely to be valid -
and if any, report them (preferably in patterns) to relevant sysadmins. If
it means the account was going to be used as e.g. a spam return mailbox,
they can take pre-emptive action to block it, assuming you do your sums
right.
> 4. It seems to me that spammers ought to pay ordb.org for their
> service. A few years ago when I had a similar problem ordb gave me
> enough time to fix the problem. Why don't they do the same now? As
> humans we can make mistakes.
Dunno. Take it up with ordb.org is all I could suggest there.
~Tim
--
<http://spodzone.org.uk/>
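A way to make the awk/xargs queue-cleanup pipeline above reviewable before anything is deleted, as an added example that is not from the thread or from exim itself: it parses `exim -bp` queue listings and selects message ids by envelope-sender pattern. The sample queue listing and the sender regex are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): pick queued-message ids
# out of `exim -bp` output whose envelope sender matches a pattern, so
# they can be reviewed (exim -Mvh / -Mvb) and then handed to exim -Mrm.
# Message-id lines in `exim -bp` output look like
#   <time> <size> <message-id> <sender> [*** frozen ***]
# while recipient lines are indented and carry one field (or "D <addr>"
# for already-delivered recipients), which is why NF>=3 isolates the
# id lines and $3 is the message id.

# Usage: spam_ids 'SENDER-REGEX' < queue-listing
# Prints one message id per line for every queued message whose
# envelope sender (field 4, stripped of its <>) matches the regex.
spam_ids() {
    awk -v pat="$1" '
        NF >= 3 && $3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ {
            sender = $4
            sub(/^</, "", sender); sub(/>$/, "", sender)
            if (sender ~ pat) print $3
        }'
}

# Constructed sample of `exim -bp` output (not a real queue).
SAMPLE_QUEUE='  25m   2.9K 1AbCdE-0001Xy-00 <adam2971007@yahoo.com>
          victim1@example.net
          victim2@example.com

  12m   1.1K 1AbCdF-0001Xz-00 <postmaster@example.org>
        D victim1@example.net

   3h   4.0K 1AbCdG-0001Ya-00 <adam2971008@yahoo.com> *** frozen ***
          victim3@example.net
'

# Number of queued messages a sender pattern would select.
count_ids() {
    printf '%s' "$SAMPLE_QUEUE" | spam_ids "$1" | wc -l | tr -d ' '
}

# Dry run on the sample: list the ids first. Against a live queue the
# same selection feeds the removal step from the thread:
#   exim -bp | spam_ids '^adam[0-9]+@yahoo[.]com$' | xargs exim -Mrm
printf '%s' "$SAMPLE_QUEUE" | spam_ids '^adam[0-9]+@yahoo[.]com$'
```

Frozen messages are selected too, since "*** frozen ***" only adds fields after the sender; delivered-recipient "D" lines never match because they have two fields.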