
How do I find the source of the spammers?



Hi,

This post is probably a bit off topic, but maybe one of you can give
me a pointer in the right direction.

I'm looking after the servers of an ISP, and someone is using us for
bulk mailouts.

I get a lot of mail in the postmaster's mailbox about it. I can't seem to
find how it's getting in though!

Here's a chunk from my logs:

logfile.3.gz:06/17/1997 06:42:38: [m0wdNiA-000AM5C] Failed
TO:<hobbes@interlink.no> ERROR:(ERR101) unknown host
logfile.3.gz:06/17/1997 07:03:12: [m0wdNiA-000AM5C] Failed
TO:<hobbie@wbb.com> ERROR:(ERR101) unknown host
logfile.3.gz:06/17/1997 07:03:13: [m0wdNiA-000AM5C] Failed
TO:<hobbes@pop.compuserve.com> ERROR:(ERR101) unknown host
logfile.3.gz:06/17/1997 07:03:13: [m0wdNiA-000AM5C] Failed
TO:<hobbes@mixcom.comoct> ERROR:(ERR101) unknown host
logfile.3.gz:06/17/1997 07:03:13: [m0wdNiA-000AM5C] Failed
TO:<hobbes@interlink.no> ERROR:(ERR101) unknown host
logfile.4.gz:06/16/1997 08:23:55: [m0wdNiA-000AM5C] Received
FROM:33700558@compuserve.com HOST:203.20.112.1 [199.174.230.27]
PROTOCOL:smtp PROGRAM:in.smtpd
ORIG-ID:<95640251452285.GAA01245@compuserve.com> SIZE:6337

The last entry is the first reference to this piece of mail in my
logs! Is it possible for someone to use their compuserve account to
send mail to my daemon that instructs it to run the bulk mailout?

The host 203.20.112.1 is one of my servers.

If so, how do I stop it?

More importantly, how can I find if it's one of the 800 clients who
has an account on this server, so I can close their account and send
them elsewhere?

And then how do I prevent it happening again?

I guess that if there's a clueful person who knows the answer to this
one then they'll probably want to email me personally, so that the
solution is not advertised to the spammers. Then again I guess we'd
all like to know how to do this.

I'm using smail from the 1.3 distribution. Perhaps I should be using
another mail daemon. Or is there a way that I can restrict things in
smail? The documentation for smail is (or was anyway) pretty woeful!

This is rather urgent as I see it!

John Foster

System Administrator (in training!?)
Net-Trek/Cynergy



--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .
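
An added example, not part of the original post: Python that joins the wrapped log entries quoted above, groups them by message ID, and reports where each message was received from and which recipients failed. It assumes the bracketed address on a Received line is the connecting peer and HOST: is the name it announced; LOCAL_NETS and the m0wdZZZ entry are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Entries as quoted in the post, plus one constructed entry (m0wdZZZ-...) for contrast.
SAMPLE_LOG = """\
logfile.3.gz:06/17/1997 07:03:12: [m0wdNiA-000AM5C] Failed
TO:<hobbie@wbb.com> ERROR:(ERR101) unknown host
logfile.3.gz:06/17/1997 07:03:13: [m0wdNiA-000AM5C] Failed
TO:<hobbes@pop.compuserve.com> ERROR:(ERR101) unknown host
logfile.4.gz:06/16/1997 08:23:55: [m0wdNiA-000AM5C] Received
FROM:33700558@compuserve.com HOST:203.20.112.1 [199.174.230.27]
PROTOCOL:smtp PROGRAM:in.smtpd
ORIG-ID:<95640251452285.GAA01245@compuserve.com> SIZE:6337
logfile.4.gz:06/16/1997 09:10:02: [m0wdZZZ-000EXMC] Received
FROM:user@example.net HOST:client.example.net [203.20.112.40]
"""
LOCAL_NETS = ["203.20.112.0/24"]  # assumed: the ISP's own address range

# A new entry starts with an optional "file:" prefix (zgrep), a timestamp and [msgid].
ENTRY_START = re.compile(r"^(?:\S+:)?\d\d/\d\d/\d{4} \d\d:\d\d:\d\d: \[([^\]]+)\] (\w+)")
RECEIVED = re.compile(r"FROM:(\S+) HOST:(\S+) \[([\d.]+)\]")
FAILED_TO = re.compile(r"TO:<([^>]*)>")

def entries(log_text):  # join wrapped lines, yield [msgid, action, full_text]
    current = None
    for line in log_text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            if current:
                yield current
            current = [m.group(1), m.group(2), line]
        elif current and line.strip():
            current[2] += " " + line.strip()
    if current:
        yield current

def trace(log_text, local_nets=LOCAL_NETS):  # per-message origin and failed recipients
    nets = [ipaddress.ip_network(n) for n in local_nets]
    msgs = defaultdict(lambda: {"sender": None, "helo": None, "peer": None,
                                "external": None, "failed": []})
    for msgid, action, text in entries(log_text):
        rec = msgs[msgid]
        m = RECEIVED.search(text) if action == "Received" else None
        if m:
            rec["sender"], rec["helo"], rec["peer"] = m.groups()
            rec["external"] = not any(ipaddress.ip_address(rec["peer"]) in n for n in nets)
        elif action == "Failed":
            rec["failed"] += FAILED_TO.findall(text)
    return dict(msgs)
```

A message whose "external" flag is true and whose failed list is long arrived from outside the local range and fanned out to many recipients, which is the pattern the quoted excerpt shows for m0wdNiA-000AM5C.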

