
Re: Having been open relay for a moment



Anton Zinoviev <anton@lml.bas.bg> writes:

>    1. The spammers continue attempts to use lml.bas.bg as a relay. As a
>    result exim generates about 50Mb log files per hour. How can I stop
>    exim from logging messages like ".... refused relay to ..."?

Any patterns in the attackers? One of the options is that it's a small
select group of IP#s or netblocks repeatedly hitting you; if so, you can
form a few reports to relevant ISPs, and/or dump them all in a firewall
chain. (If not, you're screwed :8)

>    2. It is possible that in the queues of exim there are still some
>    spams. How can I remove them?

How big are your queues? You might find the -Mvb (view bodies), -Mvh (view
headers), -Mrm (guess) options useful - again, find a way to identify these
things, involving find, grep and then
        | awk 'NF>=3 {print $3}' | xargs exim -Mrm
to remove them by exim-message-id.

>    3. In the log-files of exim I have a huge list of e-mail addresses of
>    spammers (such as adam2971007@yahoo.com). Can I do something useful
>    with them?

Very little, I would've thought. Chances are those are either
a) victims' addresses;
b) generated semi-random crap (look for adam297100*8*, et seq).

In the (rather smaller) logs I get, I see semi-random looking email
addresses bearing no resemblance to the real world; the only thing I do
*occasionally* see is a slight overlap of a few letters with usernames that
have originated on this box.

Attempted relaying to `user@asdfdf.asfdfds' isn't likely to do anyone any
good.

I'd say you should analyse them and look what's most likely to be valid -
and if any, report them (preferably in patterns) to relevant sysadmins. If
it means the account was going to be used as e.g. a spam return mailbox,
they can take pre-emptive action to block it, assuming you do your sums
right.

>    4. It seems to me that spammers ought to pay ordb.org for their
>    service. A few years ago when I had a similar problem ordb gave me
>    enough time to fix the problem. Why don't they do the same now? As
>    humans we can make mistakes.

Dunno. Take it up with ordb.org is all I could suggest there.

~Tim
-- 
<http://spodzone.org.uk/>
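A worked version of the queue clean-up described in the reply above, added here as an example and not part of the original thread: it reads an "exim -bp"-style queue listing, keeps only the message-header lines (the same NF>=3 test as the awk in the reply), and prints the message ids whose envelope sender matches a pattern, so the "xargs exim -Mrm" step runs over a list you have looked at first. The sample listing, the function name spam_queue_ids and the patterns are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Selects queued messages by
# envelope sender from "exim -bp"-style output and prints their message ids.
# Against a real queue:  exim -bp | spam_queue_ids 'yahoo[.]com$' | xargs exim -Mrm

# Constructed sample of "exim -bp" output (assumption, not a real queue):
# each message starts with "<age> <size> <message-id> <sender>" and is
# followed by indented recipient lines; bounces have an empty sender "<>".
SAMPLE_QUEUE='25m  1.5K 1AbCdE-000123-Xy <adam2971007@yahoo.com>
          victim1@example.org
          victim2@example.org
 3h  2.0K 1AbCdF-000124-Zz <user@asdfdf.asfdfds>
          victim3@example.org
12m   800 1AbCdG-000125-Qq <alice@lml.bas.bg>
          bob@example.net
 4d  1.1K 1AbCdH-000126-Ww <> *** frozen ***
          victim4@example.org'

# spam_queue_ids PATTERN: read a queue listing on stdin and print, one per
# line, the ids of messages whose envelope sender matches the extended
# regex PATTERN. Recipient lines have fewer than 3 fields and are skipped,
# so only the header line of each message is examined.
spam_queue_ids() {
    awk -v pat="$1" '
        NF >= 3 {
            sender = $4              # "<sender>", or "<>" for a bounce
            gsub(/[<>]/, "", sender) # strip the angle brackets
            if (sender ~ pat) print $3
        }'
}

# Review the candidates first; removal is a separate, deliberate step.
printf '%s\n' "$SAMPLE_QUEUE" | spam_queue_ids 'yahoo[.]com$'
```

Pass an empty-sender pattern such as '^$' to pick out frozen bounces, which are often what a relay abuse leaves behind.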