Another tool I use to combat this: I look through the logs for a large number of mails coming from one or a specific set of IPs. I then deny those IPs access.

In conjunction with this, I will eventually be configuring the deny-access IP list in our firewall (ISA Server), so that when someone tries to access from an IP on that list, it will be answered either through a web page or email explaining why access is denied, and what steps to take to rectify the situation.

John Tolmachoff, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA 92835
714-578-7999, ext. 104
[EMAIL PROTECTED]
www.reliancesoft.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Thursday, October 18, 2001 11:29 AM
To: [EMAIL PROTECTED]
Subject: Re: NOABUSE:[IMail Forum] Spam Problem

>I'm getting a bunch of returned email, with FROM addresses of the original
>email various @yahoo.com addresses, and the original TO addresses all
>@aol.com addresses, obviously somebody is hijacking my server.

Not that obvious. If you are getting the bounce messages, then your E-mail address was used in the "MAIL FROM" in the SMTP envelope. They may or may not have used your server.

>How do I get it stopped before I get my IP's banned?

It is impossible to prevent them from using a fake return address at your domain, just as it is impossible to prevent someone from putting your physical address as the return address on an envelope sent via regular mail.

>I have set IMAIL SMTP Security Relay settings to "Relay for local hosts
>only".

Then spammers can send mail through your server -- you must use "No mail relay" or "Relay for Addresses". Otherwise, spammers can pretend to have accounts on your domain, and easily send mail.

>What I want to do is allow about 40 hosted domain accounts to send
>email. They all have their own dialup/whatever accounts so I thought it
>best to verify their FROM address.

Ah, but then spammers can use the same FROM address, no?

>Here is a message from aol with the returned spam, these will come from
>different FROMs:
>
>Reporting-MTA: dns; rly-zd02.mail.aol.com
>Arrival-Date: Thu, 18 Oct 2001 14:13:05 -0400 (EDT)
>
>Final-Recipient: RFC822; [EMAIL PROTECTED]
>Action: failed
>Status: 2.0.0
>Remote-MTA: DNS; air-zd01.mail.aol.com
>Diagnostic-Code: SMTP; 250 OK
>Last-Attempt-Date: Thu, 18 Oct 2001 14:13:26 -0400 (EDT)

Unfortunately, this doesn't provide any useful information. It shows the address the E-mail was (likely) sent to, but it doesn't have the headers of the original E-mail.

-Scott

---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for IMail. http://www.declude.com

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
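Added example, not part of the thread and not IMail or Declude code: a Python sketch of the check the quoted reply points to, deciding from the original headers embedded in a bounce whether the mail actually passed through your server or only carried a forged envelope sender. The sample bounce, all hostnames and IPs, and the helper name `classify_bounce` are constructed assumptions.

```python
import email
from email import policy

# Constructed sample bounce (multipart/report); every host and IP is a placeholder.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.remote.example
To: someone@hosted.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: rfc822; user@remote.example
Action: failed
Status: 5.1.1
--b1
Content-Type: text/rfc822-headers

Received: from mail.hosted.example (mail.hosted.example [192.0.2.25])
 by mx.remote.example; Thu, 18 Oct 2001 14:13:05 -0400
From: forged@hosted.example

--b1--
"""

def classify_bounce(raw, my_ips):
    """Hypothetical helper: did the bounced mail pass through one of my_ips?"""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":      # headers-only copy of the original
            original = email.message_from_string(part.get_content(), policy=policy.default)
        elif ctype == "message/rfc822":         # full copy of the original
            original = part.get_content()
        else:
            continue
        # Match the bracketed peer IP the receiving MTA recorded; HELO names can be faked.
        received = [str(h) for h in original.get_all("Received", [])]
        hit = any(f"[{ip}]" in line for line in received for ip in my_ips)
        return "relayed-through-us" if hit else "forged-sender-only"
    return "no-original-headers"                # DSN fields alone cannot tell
```

A bounce that carries only the delivery-status fields, like the one quoted in the thread, yields `no-original-headers`, which is why the original message headers are needed before concluding the server was used as a relay.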
