> Anyone have any ideas/suggestions as to what other steps could be
> done?
Disallow SMTP connects *to* (as opposed to *through*) their
firewall? You did seem to indicate that it is the firewall that is
being used to relay, not the server....
Of course, it's possible that what they have isn't an open SMTP
relay, in the classic sense, but an open proxy that someone is using
to hide the origin of some SMTP traffic. Note that in *this* case,
it can be used just as freely to hide the origin of other sorts of
traffic, such as intrusion attempts.
If the firewall/proxy cannot be configured so that its public
interface will only accept traffic for the private network, it is a
nuisance and a hazard to the rest of the Internet.
There are a couple of different organizations which "black hole"
spammers and spam relays. Basically, when someone complains to them
about a relaying system, they will typically send a warning to
postmaster@...[*], and initiate a test to see if the system can be
exploited as a relay. If the test comes up positive, the system is
added to their DNS server as a known relay.
Subscribing sites typically point their mail servers at the black
hole DNS servers, so that when they look for MX records or try to
confirm a reverse-lookup, most requests get forwarded to "real"
authoritative DNS servers, but systems in the blackhole database
return some known bad address like 127.0.0.2.
[*] The warning email will usually lay out the complaint, the
procedure for requesting a re-test (pass and you are taken out of the
blackhole database), and pointers to resources on blocking relaying
on different server software -- or links to webpages containing this
information.
Of course, there are several such blackhole groups, and the longer
the relay is up, the greater the chance of being listed in more than
one of them....
David Gillett
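The blackhole lookup described above, as an added example that is not part of the original post: a mail server reverses the connecting client's octets under the list's zone and treats a loopback-range answer such as 127.0.0.2 as "listed". The zone name blackhole.example and its contents are constructed stand-ins, so the check runs offline; the live resolver at the bottom is the same logic over real DNS.

```python
import ipaddress
import socket

# Constructed stand-in for a blackhole list's DNS zone. A real list is
# queried over DNS; the answer for a listed relay is a loopback address.
CONSTRUCTED_BLACKHOLE_ZONE = {
    "10.2.0.192.blackhole.example": "127.0.0.2",
}

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the name a mail server looks up: client octets reversed, then the list's zone."""
    ip = ipaddress.IPv4Address(client_ip)  # rejects malformed input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_answer(answer):
    """No answer (NXDOMAIN) means not listed; a 127.0.0.x answer means listed."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in LOOPBACK


def check_client(client_ip: str, zone: str, resolve) -> bool:
    """Return True when the client should be refused because the list names it."""
    return is_listed_answer(resolve(dnsbl_query_name(client_ip, zone)))


def constructed_resolver(name):
    """Offline resolver over the constructed zone above."""
    return CONSTRUCTED_BLACKHOLE_ZONE.get(name)


def live_resolver(name):
    """Real DNS lookup; NXDOMAIN (or any resolution failure) is reported as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11"):
        listed = check_client(client, "blackhole.example", constructed_resolver)
        print(f"{client}: {'REJECT (listed)' if listed else 'accept'}")
```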
On 13 Jun 2001, at 12:03, rac wrote:
> Hi fellow geeks:
>
> I rarely post here and only do so if I have an issue that I've not seen
> very much on. The issue is one of my customers having a mail spammer that
> won't stop. This person is using the firewall as a mail relay spamming
> others while showing the source address of the spam as the firewall's IP
> address.
> One of the solutions I have suggested to them is to put in deny rules
> blocking all of the known IP addresses that he/she is coming from. They
> eventually have entered rules blocking a whole class A sub-net because the
> spammer keeps changing his IP address. They also have been on the "Black
> Hole" spammers list since April and can't do enough to get off of it. BTW,
> has anyone ever heard of the "Black Hole" spammers list? I have heard of
> others but not this one.
>
> I have checked into the vulnerabilities list and their NT mail server is up
> to date on patches.
>
> Anyone have any ideas/suggestions as to what other steps could be done?
>
> regards,
> RAC
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>