
Re: spam to bogus users



JJ van Gorkum wrote:
John Kelly wrote:
Every day, I get mail delivery attempts to non-existent users like:

k2159jcd003343@isp2dial.com
k1mmcsoa007563@isp2dial.com
k1nardpb001747@isp2dial.com


These totally bogus user names are not a good dictionary attack.  I
don't know what the spammer is trying to accomplish, since delivery is
impossible.  The user portion almost looks like a mail queue message
id.

Anyone else seeing this?

Yep. Most effective is (if you are using exim4) to check if the sender has
an MX record (from http://www.sput.nl/spam/ )


# There has to be an MX, except in case of DSN
deny message = No MX for envelope sender domain $sender_address_domain. See http://www.sput.nl/spam/
       hosts   = ! : !+relay_from_hosts
       senders = ! :
       condition = ${if eq\
        {${lookup dnsdb{mx=$sender_address_domain}{$value}fail}}\
        {fail}\
       {yes}{no}}



This is actually quite bad. If a domain does not have an MX record, you are supposed to deliver mail to the domain itself. A test for whether it is possible to mail the sender would be just to see if you find an A record or an MX record.
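
An added example, not part of the original thread: the MX-only rule from the quoted ACL beside the MX-or-address-record test described in the reply above. The DNS answers are constructed sample data and all function names are hypothetical; the null-MX (RFC 7505) and temporary-failure cases go beyond what the reply states.

```python
# Constructed DNS answers (not live lookups) so the example runs offline.
# None models a temporary resolver failure (SERVFAIL / timeout).
ZONE = {
    "mx-and-a.example": {"MX": [(10, "mail.mx-and-a.example.")], "A": ["192.0.2.10"]},
    "a-only.example":   {"MX": [], "A": ["192.0.2.20"]},
    "null-mx.example":  {"MX": [(0, ".")], "A": ["192.0.2.30"]},
    "nothing.example":  {"MX": [], "A": []},
    "broken.example":   {"MX": None, "A": None},
}

def lookup(domain, rtype):
    """Return a list of records, [] for no data, None for a temporary failure."""
    return ZONE.get(domain.lower().rstrip("."), {}).get(rtype, [])

def mx_only_check(domain):
    """The quoted ACL's rule: the check fails unless the domain has an MX record."""
    return "accept" if lookup(domain, "MX") else "reject"

def sender_domain_check(domain):
    """MX first, then the address-record fallback described in the reply."""
    mx = lookup(domain, "MX")
    if mx is None:
        return "defer"      # cannot tell yet; a 4xx lets a real sender retry
    if mx:
        # RFC 7505 null MX: a single "." target means "accepts no mail".
        if len(mx) == 1 and mx[0][1] == ".":
            return "reject"
        return "accept"
    # No MX at all: the domain name itself is the mail host (implicit MX).
    for rtype in ("A", "AAAA"):
        records = lookup(domain, rtype)
        if records is None:
            return "defer"
        if records:
            return "accept"
    return "reject"

def check_envelope_sender(address, check=sender_domain_check):
    """Apply a domain check to an envelope sender; the empty sender (DSN) is exempt."""
    if address == "":
        return "accept"
    domain = address.rpartition("@")[2]
    return check(domain)
```

With this data, a sender at a-only.example fails the MX-only rule but passes the fallback check, which is the false rejection the reply warns about.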


