I'm helping a small ISP in SF get started (I convinced them to use Debian instead of NT :>), and I think we're having a problem with someone using our site for spamming. Unfortunately, I'm not quite savvy enough about the problem to be exactly sure what's going on, but I (and the many people having to put up with the spam) would like it to stop.
The system's running qmail-1.01 (we've been thinking of switching to exim, so if that will help, feel free to suggest it), and we first noticed the problem when postmaster started receiving a number of failed delivery messages from qmail-send. These messages have continued up to the present. At first we just thought it was someone generating random addresses to send spam to until we got a complaint indicating that spam was appearing to originate from the ISP.

I'd appreciate any help in diagnosing and stopping this (an RTFM would be fine). I've reproduced a bit of suspicious log and one of the bounces below. If you need any other info to track down the problem, let me know and I'll send it via private email.

There are many of these in the daemon.log which I suspect might be related:

Aug 6 15:47:18 inside tcp-env[7395]: connect from 205.232.65.5
Aug 6 16:31:11 inside tcp-env[7490]: connect from relay3.smtp.psi.net

And here's a sample bounce message (note that there is in fact no user named [EMAIL PROTECTED], and I trimmed the content a bit):

From: [EMAIL PROTECTED]
Subject: failure notice
To: [EMAIL PROTECTED]
Date: 1 Aug 1997 17:19:47 -0000

Hi. This is the qmail-send program at inside.fatnet.net.
I tried to deliver a bounce message to this address, but the bounce bounced!

<[EMAIL PROTECTED]>:
204.216.57.10 does not like recipient.
Remote host said: 550 <[EMAIL PROTECTED]>... User unknown
Giving up.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 19391 invoked for bounce); 1 Aug 1997 17:19:45 -0000
Date: 1 Aug 1997 17:19:45 -0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice

Hi. This is the qmail-send program at inside.fatnet.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 19388 invoked from network); 1 Aug 1997 17:19:45 -0000
Received: from inet1.inetworld.net (204.216.57.10) by inside.fatnet.net with SMTP; 1 Aug 1997 17:19:45 -0000
Received: from sam (dialin218.inetworld.net [206.245.248.47]) by inet1.inetworld.net (8.8.4/8.6.12) with SMTP id KAA04627; Fri, 1 Aug 1997 10:18:25 -0700 (PDT)
Message-Id: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED]
To:
Date: Fri, 01 Aug 1997 10:13:27 PDT
Subject: $5000 Credit Card, Low APR

This message is being brought to you by EMAIL BLASTER 2.5 software. If you would like a FREE copy of this software or any of our other HOT programs ABSOLTELY FREE call our FAX ON DEMAND number at 213-960-7822.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[[...obnoxious sales pitch deleted...]]

For more info,send an email to my autoresponder, [EMAIL PROTECTED]

Dr. David Alan