Re: Need help diagnosing (*stopping*) a spam problem.
On Aug 7, Rob Browning wrote
[ISP abused by spammers]
> I'd appreciate any help in diagnosing and stopping this (an RTFM would be
> fine).
I'm not really an expert on this, so I'll point you to a FM:
http://spam.abuse.net .
> I've reproduced a bit of suspicious log and one of the bounces below.
>
> There are many of these in the daemon.log which I suspect might be
> related:
>
> Aug 6 15:47:18 inside tcp-env[7395]: connect from 205.232.65.5
> Aug 6 16:31:11 inside tcp-env[7490]: connect from relay3.smtp.psi.net
psi.net. Yep. That's suspicious.
If it looks like all spam is originating from a small number of domains, a
stopgap measure is to block those domains from accessing your SMTP port by
using tcpwrappers (in netbase); see
http://spam.abuse.net/spam/tools/ipblock.html for details. Using
tcpwrappers's "PARANOID" setting (refuse service in case of name/address
discrepancy) is probably wise too.
Once you've done that, you can work on the real solution: disabling the use
of your system as a mail relay. See
http://spam.abuse.net/spam/tools/mailblock.html#relay for that.
As a service to the customers, you can try to make it harder for spammers to
harvest their addresses:
- disable whole system fingers ("finger @machine"); this can be done with
cfingerd.
- If you run identd, run it with "-n". This makes it send out UIDs instead
of account names.
and to validate addresses:
- Disable the "EXPN" and "VRFY" commands of SMTP; I don't know how to do
that.
When browsing with e.g. netscape, too much information is sent out (select
"don't believe us" at www.anonymizer.com for a demo). You can stop this by
installing "squid" as a webproxy, and setting "http_anonymizer paranoid" in
/etc/squid.conf; make sure the users set the proxy (or make it transparent).
HTH,
Ray
--
Obsig: developing a new sig
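An added example (not part of Ray's post) that turns the daemon.log lines quoted above into the tcpwrappers stopgap he suggests: it counts tcp-env "connect from" entries per source and prints candidate /etc/hosts.deny lines for the SMTP daemon. Only the two log lines from the post are real; the other sample lines are constructed, and the daemon name "in.smtpd" is an assumption (use whatever name your inetd.conf gives the wrapped SMTP service).

```shell
#!/bin/sh
# Summarise tcp-env "connect from" lines by source and emit hosts.deny
# candidates. Added example, not code from the original post.

# Constructed sample input modelled on the daemon.log excerpt in the post
# (the first two lines are the real ones, the rest are made up).
SAMPLE_LOG='Aug 6 15:47:18 inside tcp-env[7395]: connect from 205.232.65.5
Aug 6 16:31:11 inside tcp-env[7490]: connect from relay3.smtp.psi.net
Aug 6 16:35:02 inside tcp-env[7502]: connect from relay3.smtp.psi.net
Aug 6 17:01:45 inside tcp-env[7590]: connect from mail.example.org
Aug 6 17:10:12 inside tcp-env[7611]: connect from 205.232.65.5'

# count_sources LOG: print "count source" lines, most frequent first,
# ties broken by source name so the output is stable.
count_sources() {
    printf '%s\n' "$1" \
        | sed -n 's/.*tcp-env\[[0-9]*\]: connect from \([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# deny_lines LOG MIN: for every source seen at least MIN times, print a
# hosts.deny entry for the SMTP daemon ("in.smtpd" is an assumed name).
# A hostname is reduced to its last two labels with a leading dot, which
# tcpwrappers matches as a domain suffix (".psi.net" also catches
# relay1.smtp.psi.net); a bare IP address is blocked as-is.
deny_lines() {
    count_sources "$1" | awk -v min="$2" '
        $1 >= min {
            src = $2
            if (src ~ /^[0-9.]+$/) {
                pat = src
            } else {
                n = split(src, p, ".")
                pat = "." p[n-1] "." p[n]
            }
            if (!(pat in seen)) { seen[pat] = 1; print "in.smtpd: " pat }
        }'
}

# Run it on the sample when executed directly, e.g. ./spamsrc.sh 2
if [ "$#" -ge 1 ]; then
    deny_lines "$SAMPLE_LOG" "$1"
fi
```

Append the printed lines to /etc/hosts.deny (or use "in.smtpd: .psi.net : DENY" form in hosts.allow if you keep everything in one file). Adding "ALL: PARANOID" to hosts.deny gives the name/address mismatch check mentioned above. On a real system feed the function with `grep 'tcp-env' /var/log/daemon.log` instead of the constructed sample.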