
Need help diagnosing (*stopping*) a spam problem.



I'm helping a small ISP in SF get started (I convinced them to use
Debian instead of NT :>), and I think we're having a problem with
someone using our site for spamming.  Unfortunately, I'm not quite
savvy enough about the problem to be exactly sure what's going on, but
I (and the many people having to put up with the spam) would like it
to stop.

The system's running qmail-1.01 (We've been thinking of switching to
exim, so if that will help, feel free to suggest it.), and we first
noticed the problem when postmaster started receiving a number of
failed delivery messages from qmail-send.  These messages have
continued up to the present.  At first we just thought it was someone
generating random addresses to send spam to until we got a complaint
indicating that spam was appearing to originate from the ISP.

I'd appreciate any help in diagnosing and stopping this (an RTFM would
be fine).  I've reproduced a bit of suspicious log and one of the
bounces below.  If you need any other info to track down the problem,
let me know and I'll send it via private email.


There are many of these in the daemon.log which I suspect might be
related:

Aug  6 15:47:18 inside tcp-env[7395]: connect from 205.232.65.5
Aug  6 16:31:11 inside tcp-env[7490]: connect from relay3.smtp.psi.net


And here's a sample bounce message (note that there is in fact no user
named lois@fatnet.net, and I trimmed the content a bit):

From: MAILER-DAEMON@inside.fatnet.net
Subject: failure notice
To: postmaster@inside.fatnet.net
Date: 1 Aug 1997 17:19:47 -0000

Hi. This is the qmail-send program at inside.fatnet.net.
I tried to deliver a bounce message to this address, but the bounce bounced!

<4f0lk6t9@INETWORLD.NET>:
204.216.57.10 does not like recipient.
Remote host said: 550 <4f0lk6t9@INETWORLD.NET>... User unknown
Giving up.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 19391 invoked for bounce); 1 Aug 1997 17:19:45 -0000
Date: 1 Aug 1997 17:19:45 -0000
From: MAILER-DAEMON@inside.fatnet.net
To: 4f0lk6t9@INETWORLD.NET
Subject: failure notice

Hi. This is the qmail-send program at inside.fatnet.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<lois@fatnet.net>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <4f0lk6t9@INETWORLD.NET>
Received: (qmail 19388 invoked from network); 1 Aug 1997 17:19:45 -0000
Received: from inet1.inetworld.net (204.216.57.10)
  by inside.fatnet.net with SMTP; 1 Aug 1997 17:19:45 -0000
Received: from sam (dialin218.inetworld.net [206.245.248.47]) by inet1.inetworld.net (8.8.4/8.6.12) with SMTP id KAA04627; Fri, 1 Aug 1997 10:18:25 -0700 (PDT)
Message-Id: <199708011718.KAA04627@inet1.inetworld.net>
From: kefera@sekmet.com
To: 
Date: Fri, 01 Aug 1997 10:13:27 PDT
Subject: $5000 Credit Card, Low APR

This message is being brought to you by EMAIL BLASTER 2.5 software.  If you would like a FREE copy of this software or any of our other HOT programs ABSOLTELY FREE call our FAX ON DEMAND number at 213-960-7822.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  [[...obnoxious sales pitch deleted...]]

For more info,send an email to my autoresponder,
sonofre@answerme.com

Dr. David Alan





--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .
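
Added example, not part of the original post: a Python sketch that splits a qmail double bounce like the one quoted above into its three layers, lists the Received hops, and checks whether the failed recipient was local, which separates inbound mail for a nonexistent mailbox from mail accepted for another domain. The `analyze` name, the verdict strings and the set of local domains are assumptions; the sample is trimmed from the bounce in the post.

```python
import email
import re

# Sample trimmed from the bounce quoted in the post above (bodies shortened).
SAMPLE = """\
I tried to deliver a bounce message to this address, but the bounce bounced!

<4f0lk6t9@INETWORLD.NET>:
204.216.57.10 does not like recipient.

--- Below this line is the original bounce.

Return-Path: <>

<lois@fatnet.net>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <4f0lk6t9@INETWORLD.NET>
Received: (qmail 19388 invoked from network); 1 Aug 1997 17:19:45 -0000
Received: from inet1.inetworld.net (204.216.57.10)
  by inside.fatnet.net with SMTP; 1 Aug 1997 17:19:45 -0000
Received: from sam (dialin218.inetworld.net [206.245.248.47]) by inet1.inetworld.net (8.8.4/8.6.12) with SMTP id KAA04627; Fri, 1 Aug 1997 10:18:25 -0700 (PDT)
Subject: $5000 Credit Card, Low APR

[body trimmed]
"""

FAILED = re.compile(r"^<([^<>\s]+@[^<>\s]+)>:$", re.M)  # qmail "<addr>:" lines
HOP = re.compile(r"from\s+(\S+)\s+\(.*?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.S)

def analyze(bounce, local_domains):
    """Split a qmail double bounce and classify the original delivery."""
    outer, rest = bounce.split("--- Below this line is the original bounce.", 1)
    inner, original = rest.split("--- Below this line is a copy of the message.", 1)
    msg = email.message_from_string(original.lstrip())
    hops = [m.groups() for h in msg.get_all("Received", []) for m in [HOP.search(h)] if m]
    rcpts = [a.lower() for a in FAILED.findall(inner)]
    nonlocal_rcpts = [a for a in rcpts if a.split("@")[1] not in local_domains]
    return {
        "envelope_sender": msg["Return-Path"].strip("<>"),
        "bounce_target": FAILED.findall(outer),  # where our bounce could not go
        "failed_rcpts": rcpts,
        "hops": hops,  # newest first: (host, ip) as recorded by each receiving MTA
        # A non-local failed recipient means this host accepted mail for another domain.
        "verdict": "relayed-to-nonlocal-rcpt" if nonlocal_rcpts else "inbound-to-unknown-local-user",
    }
```

Calling `analyze(SAMPLE, {"fatnet.net", "inside.fatnet.net"})` returns the verdict `inbound-to-unknown-local-user` with two hops. The verdict only reflects recipients that failed, so successful deliveries have to be checked in the qmail-send log.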

