Re: Spammers hammering our mail servers

To: "Andrew Tait" <andrewt@cnl.com.au>
Cc: debian-isp@lists.debian.org
Subject: Re: Spammers hammering our mail servers
From: "I. Forbes" <iforbes@zsd.co.za>
Date: Tue, 5 Mar 2002 10:46:37 +0200
Message-id: <[🔎] 3C84A20D.6793.85F77A@localhost>
In-reply-to: <[🔎] 007001c1c329$9c346740$034e15cb@cnl.com.au>

Hello Andrew 

On 4 Mar 2002, at 14:06, Andrew Tait wrote:

> Every so often we have spammers hammering our mail servers (running Exim)
> attempting to relay messages. They fail of course, however they sit there,
> some times for several weeks, attempting e-mail address after e-mail
> address.

Are these spammers really trying to relay or are they trolling for 
addresses to spam by trying every name in a dictionary?

I get logs like these:

2002-03-05 06:30:53 verify failed for SMTP recipient 
sysmanager@desmat.co.za from <joe@nowhere.com
> H=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net 
(mail.nowhere.com) [4.42.113.104]
2002-03-05 06:30:53 verify failed for SMTP recipient 
ash3@desmat.co.za from <joe@nowhere.com> H=ls
anca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) 
[4.42.113.104]
2002-03-05 06:30:54 verify failed for SMTP recipient 
jpeterson@desmat.co.za from <joe@nowhere.com>
 H=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) 
[4.42.113.104]
2002-03-05 06:30:54 verify failed for SMTP recipient 
poptart@desmat.co.za from <joe@nowhere.com> H
=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) 
[4.42.113.104]
2002-03-05 06:30:55 verify failed for SMTP recipient 
sfurman@desmat.co.za from <joe@nowhere.com> H
=lsanca1-ar14-113-104.lsanca1.dsl.gtei.net (mail.nowhere.com) 
[4.42.113.104]

> The two options I can see so far are either a program monitoring the
> rejectlog file to detect abuse, or an exim filter.

I don't have a solution for the above.  Maybe the solution is a patch 
to exim that causes an increasing delay after each verification 
failure.  This would have to be coupled to a configuration which 
limits the number of concurrent connections exim will accept from 
an IP address.  (Available via the smtp_accept_max_per_host 
directive).

Have you had a look at the exim documentation, web site and 
mailing list etc?

Regards

Ian


---------------------------------------------------------------------
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388  Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
---------------------------------------------------------------------

Reply to:

References:
- Spammers hammering our mail servers
  - From: "Andrew Tait" <andrewt@cnl.com.au>

Prev by Date: Re: Spammers hammering our mail servers
Next by Date: Load balancing web servers
Previous by thread: Spammers hammering our mail servers
Next by thread: Re: Spammers hammering our mail servers
Index(es):
- Date
- Thread