
Re: [Exim] Tarpit SPAM trap



[I am somewhat concerned about the size of the cc list - in that it 
covers several lists - but for now have let it stand since this is more 
than just an exim issue]


iforbes@zsd.co.za said:
> We send copies of this spam to abuse@aol.com on a daily basis.  The
> only response I have ever had from AOL is from an autoresponder.
> Sometimes we send copies to the relay machine admins, usually
> "abuse@<domain>" bounces and sometimes "postmaster@<domain>" bounces
> too.  I have never had a response from any of them.

This is culpable idiocy.  Just because AOL are big does not mean they 
can trample on everyone else in the world.  However I guess the problem 
of launching legal action against a US entity from ZA would make legal 
action a difficult option.   Are these messages coming direct from AOL 
modem space, or through their mail systems - if the latter I would think 
there is sufficient evidence to get their mail systems on the 
Vixie RBL which tends to make even giants think twice.

There needs to be social/legal action taken here since it is not a 
technical problem.


However technical workarounds are:

  - refuse at SMTP level all messages to the forged spam sender address.
    This can be done within a vanilla exim, or I guess you would need to
    hack qmail's receiver [I don't really know qmail well enough to
    comment]

However you will still get piles of messages to abuse@/postmaster@ at that 
domain from the slightly more clued - and there isn't a good way of 
handling that other than maybe an autoreply (make sure it works right 
or you will live to regret it).

The Teergrube solution is *not* in any way a solution to your problem - 
don't even consider it.  Remember that the machines sending you these 
bounces and complaints are probably innocent of any proper 
involvement in this spam run.  There are also likely to be thousands of 
them, so when you say...

> This will cause the spamming host to go down, as any operating
> system has a limit on open sockets.

the system it will take down is *your* system.

Also DOSing the relays is likely to bring you into problems of legality.

Remember if you have another machine (or even just an IP) on your 
external internet AS then you could put up exim on that box as an 
emergency measure and point the domain being hit at that system - at 
least then you can refuse a pile of the stuff quicker than you can 
reconfigure your complete mail system.  This specialist handler would 
reject the crud and pass the rest on to your standard MTA config.

	Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@VData.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
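As an added illustration of the "specialist handler" idea above (not Nigel's configuration, and written in Exim 4 syntax rather than the exim of the time), the following fragment refuses the forged sender address at RCPT time and relays everything else for the hit domain to the normal MTA. The domain `example.com`, the forged address `forged-sender@example.com` and the host `mail.internal.example.com` are placeholders, not values from the thread.

```exim
# --- main section ---
# Run the RCPT ACL below for every recipient offered over SMTP.
acl_smtp_rcpt = acl_check_rcpt

# The handler accepts only the domain being hit; it has no local users.
domainlist relay_to_domains = example.com

begin acl

acl_check_rcpt:
  # Reject the bounces/complaints aimed at the forged sender address at
  # SMTP level (permanent 550), so they are never queued or delivered.
  # Placeholder address: substitute the forged address seen in the spam.
  deny    recipients = forged-sender@example.com
          message    = 550 This address does not exist; mail to it is refused

  # Everything else for the protected domain is passed on.
  accept  domains    = +relay_to_domains

  # Refuse anything we are not the handler for (no open relay).
  deny    message    = 550 relay not permitted

begin routers

# Hand the remaining mail for the domain to the real MTA by fixed route,
# bypassing MX lookup (which would point back at this handler).
relay_to_main_mta:
  driver     = manualroute
  domains    = +relay_to_domains
  route_list = * mail.internal.example.com
  transport  = remote_smtp

begin transports

remote_smtp:
  driver = smtp
```

Point the domain's MX at the handler while the run lasts; the main MTA's own configuration is untouched and can be reverted to afterwards simply by changing the MX back.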