Re: How do I find the source of the spammers?

1997-06-22 Thread Butch Kemper
At 12:21 -0500 on 6/21/97, Vebjørn Forsmo wrote:


> John Foster [EMAIL PROTECTED] writes:
>
> > snip
>
> > If so, how do I stop it?
>
> There is a set of patches for Sendmail that allow it to do this,
> you can use BlackMail as a spam-filter, or install qmail
> (http://www.qmail.org/) which has a reasonable amount of
> configurability for stopping spam, and also several patches that
> further improve this ability. (Checking if the envelope-from address
> is valid through DNS or simply blocking an ip-range.)

Point your browser to www.sendmail.org and there you will find pointers to
several good configuration changes to sendmail that will allow you to
control who uses your server to relay mail.

Butch

Butch Kemper | Free sound advice available
Brazos Internet Consulting Group | 95% sound and 5% advice
409-361-2324 | Refunds cheerfully provided



--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to
[EMAIL PROTECTED] .
Trouble?  e-mail to [EMAIL PROTECTED] .


Re: How do I find the source of the spammers?

1997-06-21 Thread Vebjørn Forsmo
John Foster [EMAIL PROTECTED] writes:

> The last entry is the first reference to this piece of mail in my
> logs! Is it possible for someone to use their compuserve account to
> send mail to my daemon that instructs it to run the bulk mailout?

Yes. It is very easy to use a standard mailhost as a relay if it
doesn't have any kind of relay-access-control.

> If so, how do I stop it?

There is a set of patches for Sendmail that allow it to do this,
you can use BlackMail as a spam-filter, or install qmail
(http://www.qmail.org/) which has a reasonable amount of
configurability for stopping spam, and also several patches that
further improve this ability. (Checking if the envelope-from address
is valid through DNS or simply blocking an ip-range.)

> More importantly, how can I find if it's one of the 800 clients who
> has an account on this server, so I can close their account and send
> them elsewhere?

Install iplogger. This will give you entries in the syslog for all
connection attempts made to your machine, like:

Jun 21 16:42:53 blight tcplogd: smtp connection attempt from yme.mo.hiMolde.no

> And then how do I prevent it happening again?

Install access-control-lists for relaying on your current MTA, or switch
to qmail.


-- 
   Vebjorn Forsmo   [EMAIL PROTECTED]  [EMAIL PROTECTED]   [EMAIL PROTECTED]
 80 13 6B 4B 7C 83 B7 DC  5C 9C A8 AE C0 AD 22 F4  2048/00952325 1995/05/13 
 To err is human, to forgive is Not Company Policy.




Re: How do I find the source of the spammers?

1997-06-20 Thread Paul Wade

The problem of relaying can be solved by restricting access to the local
subnet. However, that would irritate some good customers. Suppose I am
traveling with my laptop and want to read and answer my email. I don't
want to pay for a toll call to the dialup because I can hook up via
ethernet or my brother says 'go ahead and use my local dialup account'.

There is a way to fix this for the ISP who thinks it's worth the trouble.
You could set up a web page that requires a password or have them login
via telnet. This would validate the IP the customer is at and you could
allow in.smtp because you know who to 'counsel' if you get a spam
complaint.

I suppose that you could require the telnet connect to stay active in
order to accept mail for relaying. They would have to switch to the telnet
and hit a key within n(60?) seconds before sending or the connect to smtp
would be refused. Hopping between open telnet and mailer programs is easy
for Windows or Linux users.

The apache approach has several possibilities. Maybe a javascript (ugh)
would be sufficient to tell the server you are still valid from the IP.

If somebody does this, they should share it freely. Most of the spam comes
from 'borrowed' mail servers.

On Fri, 20 Jun 1997, John Foster wrote:

> Hi,
>
> This post is probably a bit off topic, but maybe one of you can give
> me a pointer in the right direction.
>
> I'm looking after the servers of an ISP, and someone is using us for
> bulk mailouts.
>
> I get a lot of mail in postmaster's mailbox about it. I can't seem to
> find how it's getting in though!
>
> Here's a chunk from my logs:
>
> logfile.3.gz:06/17/1997 06:42:38: [m0wdNiA-000AM5C] Failed
> TO:[EMAIL PROTECTED] ERROR:(ERR101) unknown host
> logfile.3.gz:06/17/1997 07:03:12: [m0wdNiA-000AM5C] Failed
> TO:[EMAIL PROTECTED] ERROR:(ERR101) unknown host
> logfile.3.gz:06/17/1997 07:03:13: [m0wdNiA-000AM5C] Failed
> TO:[EMAIL PROTECTED] ERROR:(ERR101) unknown host
> logfile.3.gz:06/17/1997 07:03:13: [m0wdNiA-000AM5C] Failed
> TO:[EMAIL PROTECTED] ERROR:(ERR101) unknown host
> logfile.3.gz:06/17/1997 07:03:13: [m0wdNiA-000AM5C] Failed
> TO:[EMAIL PROTECTED] ERROR:(ERR101) unknown host
> logfile.4.gz:06/16/1997 08:23:55: [m0wdNiA-000AM5C] Received
> FROM:[EMAIL PROTECTED] HOST:203.20.112.1 [199.174.230.27]
> PROTOCOL:smtp PROGRAM:in.smtpd
> ORIG-ID:[EMAIL PROTECTED] SIZE:6337
>
> The last entry is the first reference to this piece of mail in my
> logs! Is it possible for someone to use their compuserve account to
> send mail to my daemon that instructs it to run the bulk mailout?
>
> the host 203.20.112.1 is one of my servers.
>
> If so, how do I stop it?
>
> More importantly, how can I find if it's one of the 800 clients who
> has an account on this server, so I can close their account and send
> them elsewhere?
>
> And then how do I prevent it happening again?
>
> I guess that if there's a clueful person who knows the answer to this
> one then they'll probably want to email me personally, so that the
> solution is not advertised to the spammers. Then again I guess we'd
> all like to know how to do this.
>
> I'm using smail from the 1.3 distribution. Perhaps I should be using
> another mail-daemon. Or is there a way that I can restrict things in
> smail? The documentation for smail is (or was anyway) pretty woeful!
>
> This is rather urgent as I see it!
>
> John Foster
>
> System Administrator (in training!?)
> Net-Trek/Cynergy

+--+
+ Paul Wade Greenbush Technologies Corporation +
+ mailto:[EMAIL PROTECTED]  http://www.greenbush.com/ +
+--+
+ http://www.greenbush.com/cds.html Special Linux CD offer +
+--+
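The smail log excerpt John quotes above already contains what a relay hunt needs: in the Received record the name after HOST: is what the remote peer announced about itself (here the address of John's own server, which is why the entry looks like it came from inside), while the bracketed address is the peer the daemon actually accepted the connection from. The script below is an added example written for this thread, not code from smail, iplogger or anyone in the discussion. It groups the log records by smail message id (the grep output lists the Failed lines before the Received line, so order is not assumed), reports messages that arrived over SMTP from outside the ISP's networks and were addressed to at least one non-local mailbox, and flags a HELO name that claims a local host while the peer address is foreign. The sample lines, the LOCAL_NETS and LOCAL_DOMAINS values and the shape of the Delivered lines are constructed for the example; the thread shows only Received and Failed records.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the smail log excerpt quoted in the thread.
# Mailboxes, domains, message ids and the "Delivered" line form are made up.
SAMPLE_LOG = """\
logfile.3.gz:06/17/1997 06:42:38: [m0wdNiA-000AM5C] Failed TO:victim1@nowhere.example ERROR:(ERR101) unknown host
logfile.3.gz:06/17/1997 07:03:12: [m0wdNiA-000AM5C] Failed TO:victim2@elsewhere.example ERROR:(ERR101) unknown host
logfile.4.gz:06/16/1997 08:23:55: [m0wdNiA-000AM5C] Received FROM:bulk@remote.example HOST:203.20.112.1 [199.174.230.27] PROTOCOL:smtp PROGRAM:in.smtpd ORIG-ID:<1@remote.example> SIZE:6337
logfile.4.gz:06/16/1997 09:10:00: [m0wdNiB-000AM6C] Received FROM:alice@isp.example HOST:dial12.isp.example [203.20.112.40] PROTOCOL:smtp PROGRAM:in.smtpd ORIG-ID:<2@isp.example> SIZE:812
logfile.4.gz:06/16/1997 09:10:01: [m0wdNiB-000AM6C] Delivered TO:bob@other.example
logfile.4.gz:06/16/1997 09:30:00: [m0wdNiC-000AM7C] Received FROM:someone@far.example HOST:mail.far.example [192.0.2.9] PROTOCOL:smtp PROGRAM:in.smtpd ORIG-ID:<3@far.example> SIZE:500
logfile.4.gz:06/16/1997 09:30:02: [m0wdNiC-000AM7C] Delivered TO:carol@isp.example
"""

# Constructed site parameters: the ISP's own networks and the domains it hosts.
LOCAL_NETS = [ipaddress.ip_network("203.20.112.0/24")]
LOCAL_DOMAINS = {"isp.example"}

RECEIVED_RE = re.compile(
    r"\[(?P<id>[^\]]+)\] Received FROM:(?P<sender>\S+) HOST:(?P<helo>\S+) "
    r"\[(?P<ip>[0-9.]+)\] PROTOCOL:(?P<proto>\S+)"
)
RECIPIENT_RE = re.compile(r"\[(?P<id>[^\]]+)\] (?:Delivered|Failed) TO:(?P<to>\S+)")


def parse_smail_log(text):
    """Group log records by message id; records may appear in any order."""
    msgs = defaultdict(lambda: {"sender": None, "helo": None, "ip": None, "proto": None, "to": []})
    for line in text.splitlines():
        m = RECEIVED_RE.search(line)
        if m:
            msgs[m["id"]].update(sender=m["sender"], helo=m["helo"], ip=m["ip"], proto=m["proto"])
            continue
        m = RECIPIENT_RE.search(line)
        if m:
            msgs[m["id"]]["to"].append(m["to"])
    return dict(msgs)


def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def is_local_address(mailbox):
    return mailbox.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def helo_claims_local(rec):
    """True when the peer announced one of our names or addresses in HELO but
    connected from outside our networks. The bracketed address is the one to trust."""
    if rec["ip"] is None or is_local_ip(rec["ip"]):
        return False
    helo = (rec["helo"] or "").lower()
    try:
        return is_local_ip(helo)
    except ValueError:  # not an address literal, compare as a host name
        return any(helo == d or helo.endswith("." + d) for d in LOCAL_DOMAINS)


def find_relayed(msgs):
    """Messages accepted over SMTP from a non-local peer and addressed to at
    least one non-local mailbox: third-party relay through this server."""
    hits = []
    for mid, rec in msgs.items():
        if rec["proto"] != "smtp" or rec["ip"] is None or is_local_ip(rec["ip"]):
            continue
        foreign = [t for t in rec["to"] if not is_local_address(t)]
        if foreign:
            hits.append({"id": mid, "peer": rec["ip"], "helo": rec["helo"],
                         "sender": rec["sender"], "foreign_recipients": foreign})
    return hits


if __name__ == "__main__":
    msgs = parse_smail_log(SAMPLE_LOG)
    for hit in find_relayed(msgs):
        flag = " (HELO claims a local host)" if helo_claims_local(msgs[hit["id"]]) else ""
        print(f"{hit['id']}: relayed from {hit['peer']}{flag} "
              f"to {', '.join(hit['foreign_recipients'])}")
```

Run against the real logs the same way, after zcat, the peer addresses in the hits are what to compare against the dialup pool and the customer records; a hit from a customer's own address points at the account, a hit from outside the pool with a local-looking HELO is a stranger using the relay.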




Re: How do I find the source of the spammers?

1997-06-20 Thread Hamish Moffatt
On Fri, Jun 20, 1997 at 07:50:01AM +1000, John Foster wrote:
> This post is probably a bit off topic, but maybe one of you can give
> me a pointer in the right direction.
>
> I'm looking after the servers of an ISP, and someone is using us for
> bulk mailouts.
>
> I get a lot of mail in postmaster's mailbox about it. I can't seem to
> find how it's getting in though!

You might want to consider installing Blackmail, which is an antispam
filter; I don't remember the exact address, but Altavista should
turn it up. Or see spam.org.

It will kill any connection it thinks is spam, either from a list
of spam sites you specify, or any traffic which both originates
and terminates not on your machine or a specified list of machines.
Stops people spamming you. You have to be careful with its configuration
though; I run it on my company's internet server, located at our ISP;
I specified that all of our domain can send mail via the server,
but as dialup users we appeared in the ISP's domain, so it
wouldn't forward our mail (using Netscape Mail or whatever)
until I fixed my configuration.

> I'm using smail from the 1.3 distribution. Perhaps I should be using
> another mail-daemon. Or is there a way that I can restrict things in
> smail? The documentation for smail is (or was anyway) pretty woeful!

Blackmail likes smail.


hamish
-- 
Hamish Moffatt, StudIEAust[EMAIL PROTECTED]
Student, computer science  computer systems engineering.3rd year, RMIT.
http://hamish.home.ml.org/ (PGP key here) CPOM: [  ] 47%
The opposite of a profound truth may well be another profound truth.  --Bohr




Re: How do I find the source of the spammers?

1997-06-20 Thread Jens B. Jorgensen
Paul Wade wrote:
>
> The problem of relaying can be solved by restricting access to the local
> subnet. However, that would irritate some good customers. Suppose I am
> traveling with my laptop and want to read and answer my email. I don't
> want to pay for a toll call to the dialup because I can hook up via
> ethernet or my brother says 'go ahead and use my local dialup account'.

Well, I don't see it as an irritation. I do travel with my laptop and
I do get/send email while on the road. But if you're on the road
and have access to the internet but not through your own ISP, you
*should* have access to the sendmail server for whoever's Internet
hookup you're using. I find it quite painless to simply go into my
Netscape Mail settings and set the outgoing mail server to whatever
the local sendmail server is. As long as your Reply-To: header
is set correctly, you'll have no trouble getting replies sent through
a foreign sendmail server.

And besides, are you saying that *your* sendmail will accept connections
from the outside world? You are truly a brave spirit, given the seeming
never-ending source of security holes which sendmail has always been.
>
> There is a way to fix this for the ISP who thinks it's worth the trouble.
> You could set up a web page that requires a password or have them login
> via telnet. This would validate the IP the customer is at and you could
> allow in.smtp because you know who to 'counsel' if you get a spam
> complaint.
>
> I suppose that you could require the telnet connect to stay active in
> order to accept mail for relaying. They would have to switch to the telnet
> and hit a key within n(60?) seconds before sending or the connect to smtp
> would be refused. Hopping between open telnet and mailer programs is easy
> for Windows or Linux users.
>
> The apache approach has several possibilities. Maybe a javascript (ugh)
> would be sufficient to tell the server you are still valid from the IP.
>
> If somebody does this, they should share it freely. Most of the spam comes
> from 'borrowed' mail servers.

I think the ultimate solution is to build support into mail clients
for ssh or something of the like.

-- 
Jens B. Jorgensen
[EMAIL PROTECTED]
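Paul's proposal, quoted above, amounts to a relay grant tied to a recent login from an address, with a short expiry that the customer refreshes by "hitting a key". The class below is an added example written for this thread, not code from any MTA or from anyone in the discussion. It assumes constructed local networks and domains, the 60-second window Paul suggests, and an injectable clock so the expiry can be exercised. Anyone may hand in mail for a local domain; only the ISP's own networks and addresses with an unexpired grant may relay to the outside; every refusal is recorded so the postmaster can see who keeps knocking. The grant is keyed on the address the daemon sees, never on anything the peer announces, for the reason visible in John's log.

```python
import ipaddress
import time


class RelayPolicy:
    """Decide whether an SMTP peer may hand this server mail for a non-local
    recipient. Assumed design, not an existing MTA's: a login (web or telnet,
    as Paul proposes) grants the peer address relay rights for a short window."""

    def __init__(self, local_nets, local_domains, window_seconds=60, clock=time.time):
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.local_domains = {d.lower() for d in local_domains}
        self.window = window_seconds
        self.clock = clock            # injectable so tests can move time forward
        self._grants = {}             # peer address -> unix time the grant expires
        self.denied = []              # (peer address, recipient) pairs refused

    def grant(self, ip):
        """Record a successful login from ip; the keepalive calls this again."""
        self._grants[str(ipaddress.ip_address(ip))] = self.clock() + self.window

    def _is_local_ip(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.local_nets)

    def _is_local_address(self, mailbox):
        return mailbox.rsplit("@", 1)[-1].lower() in self.local_domains

    def _has_grant(self, ip):
        expires = self._grants.get(str(ipaddress.ip_address(ip)))
        if expires is None:
            return False
        if expires <= self.clock():   # expired: forget it so the table stays small
            del self._grants[str(ipaddress.ip_address(ip))]
            return False
        return True

    def may_relay(self, ip, recipient):
        """Inbound mail for our domains is always accepted; relaying to other
        domains needs a local peer address or an unexpired login grant."""
        if self._is_local_address(recipient):
            return True
        if self._is_local_ip(ip) or self._has_grant(ip):
            return True
        self.denied.append((ip, recipient))
        return False


if __name__ == "__main__":
    # Constructed site: one /24 of the ISP's own addresses, one hosted domain.
    policy = RelayPolicy(["203.20.112.0/24"], ["isp.example"])
    print(policy.may_relay("199.174.230.27", "someone@elsewhere.example"))  # False
    policy.grant("199.174.230.27")                                           # customer logged in
    print(policy.may_relay("199.174.230.27", "someone@elsewhere.example"))  # True for 60 s
    print(policy.denied)
```

Jens's point stands against this design: the grant is only as good as the address it is bound to, so a customer behind a shared or borrowed connection opens the relay for everyone on that address for the length of the window; binding the grant to the login session itself, as an authenticated submission channel does, avoids that.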

