Re: Having been open relay for a moment (summary)

To: debian-security@lists.debian.org
Subject: Re: Having been open relay for a moment (summary)
From: Anton Zinoviev <anton@lml.bas.bg>
Date: Wed, 9 Oct 2002 10:41:29 +0300
Message-id: <[🔎] 20021009074129.GA4818@lml.bas.bg>
In-reply-to: <[🔎] 20021008123615.GC25664@lml.bas.bg>
References: <[🔎] 20021008123615.GC25664@lml.bas.bg>

Thanks to all who replied.  I decided to make a summary of the replies
as some of them were private.

On 8.X.2002 at 15:36 Anton Zinoviev wrote:
> 
>    1. The spammers continue attempts to use lml.bas.bg as a relay.  As a
>       result exim generates about 50Mb log files per hour.  How I can
>       stop exim from logging messages like ".... refused relay to ..."?

Reports to relevant ISPs can be made if there is only a small number
of IP/netblocks.  (Unfortunately this is not my case.)  The local
firewall can be used.  Postfix is a good alternative of exim.

>    2. It is possible that in the queues of exim there are still some
>       spams.  How can I remove them?

In order to look at the queue: 

	exim -bp (the same as mailq)

To look at the header, body of the waiting messages:

	exim -Mvh <serial>
	exim -Mvb <serial>

To remove a message:

	exim -Mrm <serial>

If there is a common pattern in the waiting spam, then use (something
different can be used instead of the first line):

	mailq | grep <identifying item> | 
		awk 'NF>=3 {print $3}' | xargs exim -Mrm

To remove a message and send error message to the sender:

	exim -Mg <serial>

To do the same with all waiting messages as normal messages usually
are delivered immediately:

	cd /var/spool/exim/msglog; exim -Mg *

After that command the contents of /var/spool/exim/{db,msglog,input}
can be wiped as exim automaticaly recovers anything it needs.  In
order to avoid frozen messages I used `killall exim'.

>    3. In the log-files of exim I have a huge list of e-mail addresses
>       of spammers (such as adam2971007@yahoo.com).  Can I do something
>       useful with them?

No, they are random and have nothing with the spammers.

>    4. It seams to me that spammers ought to pay ordb.org for their
>       service.  A few years ago when I had similar problem ordb gave
>       me enough time to fix the problem.  Why don't they do the same
>       now?  As humans we can make mistakes.

Ordb.org doesn't give their lists of relays to anyone,
<http://ordb.org/faq/#zone_transfer>.  Spammers have their own
automated scans.  Most of the servers in the base of Ordb.org are
already abused open relays.

Sincerely, Anton Zinoviev

Reply to:

References:
- Having been open relay for a moment
  - From: Anton Zinoviev <anton@lml.bas.bg>

Prev by Date: Current Exploits
Next by Date: Re: Fwd: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
Previous by thread: Re: Having been open relay for a moment
Next by thread: Fwd: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
Index(es):
- Date
- Thread