Without parsing through the log line by line I'm not quite sure how I would differentiate between 2 SMTP connections from a server sending legit mail vs. 2 connections from a spammer. I've just been using Log Analyzer to get some rough stats. Now, obviously if I see 500 connections come in from a single address, I'll dig into that a little deeper, but nothing that obvious has surfaced.
Is there a way to prevent my intercept server from bouncing the message back to the forged sender when it receives Unknown User from the corporate server?

----- Original Message -----
From: "Marc A. Funaro" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 11, 2004 11:12 AM
Subject: RE: [IMail Forum] Bounce to forged From address blacklisted my server

> Manually entering all of those addresses each day would be a little much, I think.

I agree 100%. Is there any similarity in the IPs? Are they all on the same network? Perhaps blocking an entire subnet is in order?

> -----Original Message-----
> From: Dave Strzemienski [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 11, 2004 10:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] Bounce to forged From address blacklisted my server
>
> They appear to be coming mostly from zombie machines. A machine at a specific IP address will connect to my server, send spam to 10-or-so (non)users and disconnect. I typically see close to 100,000 SMTP connections per day to this server, but no single IP address more than 2 or 3 times.
>
> Thanks, tho.
> -Dave Strzemienski
>
> ----- Original Message -----
> From: "Marc A. Funaro" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 11, 2004 10:24 AM
> Subject: RE: [IMail Forum] Bounce to forged From address blacklisted my server
>
> Can you determine the IP(s) that the dictionary attacks are coming from? If so, block them altogether?
>
> > -----Original Message-----
> > From: Dave Strzemienski [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 11, 2004 10:12 AM
> > To: [EMAIL PROTECTED]
> > Subject: [IMail Forum] Bounce to forged From address blacklisted my server
> >
> > I recently set up an IMail/mxGuard/ClamAV server that sits in front of my corporate email server.
> > It's been running for several days and has reduced the amount of incoming spam & viruses about 95% according to my users.
> >
> > But, I've now discovered that this new server is listed on bl.spamcop.net.
> >
> > As far as I can tell, this is how it happened:
> >
> > Spammer forges the Mail-From address on a piece of junkmail and dictionary-attacks my domains.
> > My intercept server processes & attempts to forward the message to user(s) that don't exist on the corporate server.
> > The corporate server informs the intercept server that the user(s) don't exist and does not accept the message.
> > The intercept server bounces the message to the forged Mail-From address.
> > The Mail-From address that was forged by the spammer is actually a Spam Trap.
> > The Spam Trap server informs spamcop.net that my intercept server is sending messages with spam content.
> >
> > Is there anything I can do about this?
> >
> > I was going to set up a nobody alias, but I started receiving upwards of 10,000 messages an hour and my server slowed to a crawl. And that was just for one domain.
> >
> > Any help is appreciated!
> > Dave Strzemienski
> >
> > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
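
Added example, not part of the original thread: the pattern described above (each source connects only a few times but addresses mostly nonexistent users) can be surfaced by scoring sources on their unknown-recipient ratio instead of connection count, then grouping the flagged addresses by subnet. The log format, sample lines, function names and thresholds are assumptions made for illustration and are not IMail's own.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample, one line per RCPT TO: "<client-ip> <recipient> <reply>".
# Hypothetical format (not IMail's): 250 = accepted, 550 = unknown user.
SAMPLE_LOG = """\
192.0.2.10 alice@example.com 250
192.0.2.10 bbo@example.com 550
198.51.100.21 aaron@example.com 550
198.51.100.21 abby@example.com 550
198.51.100.21 adam@example.com 550
198.51.100.21 alan@example.com 550
198.51.100.21 alice@example.com 250
198.51.100.77 zack@example.com 550
198.51.100.77 zane@example.com 550
198.51.100.77 zara@example.com 550
198.51.100.77 zeke@example.com 550
"""

def recipient_stats(log_text):
    """Count total and unknown-user recipients per client IP."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ip, _rcpt, code = parts
        stats[ip]["total"] += 1
        if code == "550":
            stats[ip]["unknown"] += 1
    return stats

def suspects(log_text, min_rcpts=4, min_unknown_ratio=0.75):
    """IPs whose recipients were mostly unknown users, however few connections."""
    return sorted(
        ip for ip, c in recipient_stats(log_text).items()
        if c["total"] >= min_rcpts and c["unknown"] / c["total"] >= min_unknown_ratio
    )

def suspect_subnets(log_text, prefix=24, min_hosts=2):
    """Group suspect IPs by network; ranges with several hosts may merit a block."""
    nets = defaultdict(set)
    for ip in suspects(log_text):
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))].add(ip)
    return {net: sorted(ips) for net, ips in nets.items() if len(ips) >= min_hosts}

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG))
    print(suspect_subnets(SAMPLE_LOG))
```

A legitimate sender with one mistyped recipient (192.0.2.10 in the sample) stays below both thresholds, which is the distinction a raw connection count cannot make.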
