You could set up a special gateway dedicated only to them. Put it on a timer so it only runs during the day.

But you really have to solve the problem or help them to do that. Maybe they would hire you as a consultant to do just that.

Presumably, you could check the logs to determine the originating IP and track the source down that way. If not, then use process of elimination - what is left on at night?

-d



----- Original Message -----
From: "Matti Haack" <[EMAIL PROTECTED]>
To: "Len Conrad" <[email protected]>
Sent: Tuesday, March 28, 2006 4:58 AM
Subject: Re[2]: [IMail Forum] SMTP-Relay / Auth only FROM valid email Adresses


We are a SERVICE Provider, so we
want to provide a good service to our customers. After the first issue
from them, they cleaned up all machines, but the problem reappeared
two weeks later.
Maybe it is some mobile device which gets attached to their network.

So yes, I shut down their service weeks ago. They told me they
corrected the problem, I reactivated the account and after two weeks
it happened again... Unfortunately they can't send from their DUP
Provider, as they force them to use the provider's free email
address.

The main problem is that this spamming normally happens during night time. So
I am looking for a method to prevent them (and other customers) from
starting this again. When we detect it (kiwi-Syslog sends alarm), it is normally too late and our queue is filled with bounces which have to be removed manually.
To mitigate this problem, I made a small script which monitors the queue
size and sends alarm messages if the queue grows unusually.

As the from address is faked too, we got masses of bounces. - And the sender has no
idea what he did...

So do you have any idea how to force users to a special "from:"
domain? Technical, not ideological...

With best regards
    Matti Haack

I have some problem with the way IMail (8.x) handles SMTP-Auth email. A
customer of ours seems to have a compromised host, which sends spam
every two weeks or so through their local gateway

tell them that you will not relay outbound mail that has been
submitted to their system without SMTP AUTH.

Since they are spamming you from a trusted IP, you show them your
logs and shut them off until they fix their system.  In the meantime,
their own gateway can send directly to Internet and shift the problem
onto them.

 - which is relayed over our IMAIL Server.

Their mail server requires no authentication for their local hosts
to send mail

I'd be surprised if a mail-bot/trojan in a compromised machine is
doing SMTP AUTH to submit spam to their mail server. Their mail
server is more likely doing relay for addresses.

Len


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/


-
Matti Haack - Hit Haack IT Service Gmbh
Poltlbauer Weg 4, D-94036 Passau
+49 851 50477-22 Fax: +49 851 50477-29
http://www.haack-it.de



This document is intended exclusively for the addressee.
Any kind of reproduction, dissemination, duplication, modification,
distribution and/or publication of this e-mail message is prohibited
unless expressly authorized. Any liability for
claims that might arise from communication by e-mail
is excluded, to the extent that the exclusion of liability
is permitted by law.

-- Outgoing e-mail was scanned for viruses --
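As an added illustration (not code from anyone in this thread, and not an IMail feature): a log audit combining two ideas discussed above, tracing a spam run to its originating IP and checking whether an authenticated account is using a "from" domain it is allowed to use. The log format, account names, addresses and per-account domain policy are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (NOT IMail's log format):
# timestamp, client IP, SMTP AUTH account, envelope sender
SAMPLE_LOG = """\
2006-03-28T01:58:10 198.51.100.7 office@other.example anna@other.example
2006-03-28T02:14:01 192.0.2.10 gw@customer.example info@customer.example
2006-03-28T02:14:05 192.0.2.10 gw@customer.example win@lottery.example
2006-03-28T02:14:09 192.0.2.10 gw@customer.example deals@pills.example
2006-03-28T02:14:30 192.0.2.10 gw@customer.example x9@lottery.example
2006-03-28T09:30:00 198.51.100.7 office@other.example anna@other.example
"""

# Assumed policy: sender domains each authenticated account may use.
ALLOWED = {
    "gw@customer.example": {"customer.example"},
    "office@other.example": {"other.example"},
}

def parse(line):
    ts, ip, account, sender = line.split()
    domain = sender.rsplit("@", 1)[-1].lower()
    return datetime.fromisoformat(ts), ip, account, domain

def audit(log, window=timedelta(minutes=5), burst=3):
    """Return ({account: foreign-sender count}, {IPs that sent a burst})."""
    foreign = defaultdict(int)
    recent = defaultdict(list)   # per-IP timestamps inside the window
    bursting = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, account, domain = parse(line)
        if domain not in ALLOWED.get(account, set()):
            foreign[account] += 1
        times = recent[ip]
        times.append(ts)
        while times[0] < ts - window:   # drop entries older than the window
            times.pop(0)
        if len(times) >= burst:
            bursting.add(ip)
    return dict(foreign), bursting

if __name__ == "__main__":
    foreign, bursting = audit(SAMPLE_LOG)
    print("accounts using foreign sender domains:", foreign)
    print("source IPs exceeding the burst threshold:", sorted(bursting))
```

The window and burst threshold are placeholders; they would need tuning against a customer's normal daytime volume before being used to raise alarms.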