Re: Having been open relay for a moment (summary)

Wed, 09 Oct 2002 02:32:32 -0500 

Thanks to all who replied.  I decided to make a summary of the replies
as some of them were private.

On 8.X.2002 at 15:36 Anton Zinoviev wrote:
> 
>    1. The spammers continue attempts to use lml.bas.bg as a relay.  As a
>       result exim generates about 50Mb log files per hour.  How I can
>       stop exim from logging messages like ".... refused relay to ..."?

Reports to relevant ISPs can be made if there is only a small number
of IP/netblocks.  (Unfortunately this is not my case.)  The local
firewall can be used.  Postfix is a good alternative of exim.

>    2. It is possible that in the queues of exim there are still some
>       spams.  How can I remove them?

In order to look at the queue: 

        exim -bp (the same as mailq)

To look at the header, body of the waiting messages:

        exim -Mvh <serial>
        exim -Mvb <serial>

To remove a message:

        exim -Mrm <serial>

If there is a common pattern in the waiting spam, then use (something
different can be used instead of the first line):

        mailq | grep <identifying item> | 
                awk 'NF>=3 {print $3}' | xargs exim -Mrm

To remove a message and send error message to the sender:

        exim -Mg <serial>

To do the same with all waiting messages as normal messages usually
are delivered immediately:

        cd /var/spool/exim/msglog; exim -Mg *

After that command the contents of /var/spool/exim/{db,msglog,input}
can be wiped as exim automaticaly recovers anything it needs.  In
order to avoid frozen messages I used `killall exim'.

>    3. In the log-files of exim I have a huge list of e-mail addresses
>       of spammers (such as [EMAIL PROTECTED]).  Can I do something
>       useful with them?

No, they are random and have nothing with the spammers.

>    4. It seams to me that spammers ought to pay ordb.org for their
>       service.  A few years ago when I had similar problem ordb gave
>       me enough time to fix the problem.  Why don't they do the same
>       now?  As humans we can make mistakes.

Ordb.org doesn't give their lists of relays to anyone,
<http://ordb.org/faq/#zone_transfer>.  Spammers have their own
automated scans.  Most of the servers in the base of Ordb.org are
already abused open relays.

Sincerely, Anton Zinoviev

Reply via email to