Well, I of all people should know about the evil that spammers can cause. But,
we recently installed a test mail server and (intentionally) didn't lock it down.
After all, it's on a slow link (56k) and unlikely anyone will stumble across it.
This morning, it happened. A spammer connected to our mail server to send out
his wares. They connected at 2:30AM (timed intentionally to minimize the chances
of getting caught early on), and in 2 hours attempted to send out about 34,000 E-mails
(out of about 50,000 that we estimate they wanted to send), in chunks of 50.
How did they find our mail server? It's pretty interesting, actually.
Apparently, they had used another mail server originally. As soon as they got caught,
they took the last E-mail address they had delivered to, took the username, and turned
it into a domain name, and looked up the MX record. For example, if the last name had
been "[EMAIL PROTECTED]", they would have looked up the MX record for "declude.com". It
happened to be a different domain that we use as a spamtrap that was used.
They initially made 5 different TCP/IP connections, and apparently kept those 5
TCP/IP connections open the whole time. They would list 50 recipients, send the
message, then tell IMail they were ready to start over again. That's extremely
efficient.
The good news is that only about 5% of the spam that made it into our mail server
went out. The spammer was coming from a dialup line with an IP listed in DUL, and the
message was caught by our heuristic spam detector, so the few people who did get the
spam also got a clear warning that it was spam. Had we set up our software to hold
the E-mail (which we did once we noticed what was going on), the E-mail would not have
gone out, but the spammer would have thought the messages were delivered.
So what should you do? If at all possible, lock down your mail server. Set it
to "Relay for addresses", and use SMTP AUTH for people who don't come from your list
of known IP addresses. It's a free and simple (but inconvenient for many) way to
prevent spammers from hijacking your mail server.
We are also thinking of writing a program to detect a spam attack and
automatically hold E-mail once more than X E-mails come through from the same IP
address within Y minutes. That would let you run an open relay without leaving
yourself open for abuse (and, would have the added benefit of making the spammer think
his mail got out, doing minimal damage to you while doing maximum damage to the
spammer). If we go ahead and do this, our plan is to offer it for free. Spammers
that follow the rules are a nuisance; spammers that steal (and deny) service are
another thing altogether.
-Scott
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
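The "hold once more than X E-mails arrive from one IP within Y minutes" detector proposed at the end of the post, as an added example that is not Scott's code, IMail's, or anything Ipswitch ships. It assumes a constructed log format (timestamp, client IP, number of RCPT addresses accepted for that message) and a sliding window per source IP; the threshold counts recipient addresses rather than SMTP transactions, since the post counts the 50-recipient batches as 50 E-mails each. Once an IP trips the threshold it is marked "hold" for the rest of the run, so the sender still gets a normal 250 OK at the SMTP level while nothing is delivered, which is the "make the spammer think his mail got out" behaviour the post describes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Format per line:
#   YYYY-MM-DD HH:MM:SS <client-ip> rcpts=<number of RCPT addresses>
# 203.0.113.7 mirrors the relay abuse described in the post: one message of
# 50 recipients every ~12 seconds starting at 2:30AM. 198.51.100.4 is a
# legitimate low-volume sender. Lines must be in chronological order.
SAMPLE_LOG = """\
2002-05-14 02:30:01 203.0.113.7 rcpts=50
2002-05-14 02:30:13 203.0.113.7 rcpts=50
2002-05-14 02:30:25 203.0.113.7 rcpts=50
2002-05-14 02:30:37 198.51.100.4 rcpts=1
2002-05-14 02:30:38 203.0.113.7 rcpts=50
2002-05-14 02:30:50 203.0.113.7 rcpts=50
2002-05-14 02:31:02 203.0.113.7 rcpts=50
2002-05-14 02:31:14 203.0.113.7 rcpts=50
2002-05-14 02:45:00 198.51.100.4 rcpts=3
2002-05-14 03:10:00 203.0.113.7 rcpts=50
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, recipient_count)."""
    date, time, ip, rcpt_field = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    rcpts = int(rcpt_field.split("=", 1)[1])
    return ts, ip, rcpts


class RelayAbuseDetector:
    """Sliding-window counter: more than max_emails recipient addresses from
    one IP inside `window` puts that IP into hold mode for the rest of the run.
    'hold' means accept the message at SMTP time but queue it for review
    instead of delivering it."""

    def __init__(self, max_emails, window_minutes):
        self.max_emails = max_emails            # the post's "X"
        self.window = timedelta(minutes=window_minutes)  # the post's "Y"
        self.history = defaultdict(deque)       # ip -> deque of (ts, rcpts)
        self.held = set()                       # IPs currently in hold mode

    def observe(self, ts, ip, rcpts):
        """Record one accepted message and return the delivery decision."""
        q = self.history[ip]
        q.append((ts, rcpts))
        # Drop entries that have fallen out of the Y-minute window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        total = sum(n for _, n in q)
        if total > self.max_emails:
            self.held.add(ip)
        # Hold mode is sticky: the window may empty later, but an IP that
        # already abused the relay stays held until an operator clears it.
        return "hold" if ip in self.held else "deliver"


def run(log_text, max_emails=250, window_minutes=2):
    """Replay a log through the detector.

    Returns (decisions, held_ips) where decisions is a list of
    (timestamp, ip, action) tuples and held_ips is a sorted list of IPs
    that tripped the threshold at some point."""
    det = RelayAbuseDetector(max_emails, window_minutes)
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, rcpts = parse_line(line)
        action = det.observe(ts, ip, rcpts)
        decisions.append((ts.strftime("%H:%M:%S"), ip, action))
    return decisions, sorted(det.held)


if __name__ == "__main__":
    # X = 250 E-mails (five 50-recipient batches) within Y = 2 minutes.
    decisions, held = run(SAMPLE_LOG, max_emails=250, window_minutes=2)
    for when, ip, action in decisions:
        print(f"{when} {ip:14} {action}")
    print("held:", held)
```

With X = 250 and Y = 2 minutes, the first five 50-recipient batches from 203.0.113.7 are delivered, the sixth (02:31:02) pushes the window total to 300 and flips the IP into hold, and everything from it afterwards is held, including the 03:10 message sent after the window has emptied. The two messages from 198.51.100.4 are never affected. In practice X and Y would be tuned to the site's legitimate peak (a single large mailing-list digest should not trip it), and the held queue reviewed rather than silently discarded.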