Re: SPAM from own customers
Michel Renfer writes on 12/2/2003 12:50 PM:

> How will you deal with the problem, that one user can flood your SMTP Server with thousands of emails within 10-20 minutes?

Virus filtering

Rate limit (+ script to auto terminate user) and smtp auth on outbounds

Separate inbound and outbound smtp relay. Don't let your inbound MX relay for your dialup pool (some trojans take the rDNS name / hostname of the infected box and do nslookup -q=mx domainname)

Ask AOL for an [EMAIL PROTECTED] feed - a lot of these trojan spams seem to target AOL users.

etc

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: SPAM from own customers
----- Original Message -----
From: Suresh Ramasubramanian [EMAIL PROTECTED]
To: Michel Renfer [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, December 02, 2003 2:23 PM
Subject: Re: SPAM from own customers

> Virus filtering
>
> Rate limit (+ script to auto terminate user) and smtp auth on outbounds

SMTP AUTH is becoming risky if it's not carefully set up and monitored. I can name one big time spammer who has warmed up to cracking weak passwords on e-mail systems that do SMTP AUTH. Means you'd have to filter your outbound mail servers' port 25 from anyone not inside your network or a trusted source.

Virus filtering is a must, but, alas, not all mail servers filter *outgoing* mail. Most filter only incoming mail.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org
The AHBL - http://www.ahbl.org
Re: SPAM from own customers
> Ask AOL for an [EMAIL PROTECTED] feed - a lot of these trojan spams seem to target AOL users.

Something to be aware of with the AOL scomp feed... any time one of your users sends a message with no To address, and everyone in the BCC or CC fields, it will generate a notification to the e-mail address you've registered with them. We have caught some spam originating from our network through the feed, but for the most part it's mostly legitimate mail.

Thanks,

Adam Debus
Network Engineer, ReachONE Internet
[EMAIL PROTECTED]
Re: SPAM from own customers
Michel Renfer wrote:

> Hi All
>
> The topic Spam sent over infected or misconfigured enduser PCs will become a big issue. We saw viruses sending Spam directly from the user's PC, downloading the recipient list and the payload through HTTP from the web.
>
> How will you deal with the problem, that one user can flood your SMTP Server with thousands of emails within 10-20 minutes?

In addition to the other suggestions, scanning the CBL (cbl.abuseat.org) for your own IPs is useful from an operational standpoint to find open proxies and trojans.

On a similar vein, detecting customer IPs trying to connect to 47.129.25.87 on port 25 (no legitimate email goes there) will give you similar intelligence, tho it's not quite as definitive as a CBL listing. Most reliable if you exclude legitimate customer mail servers (bounced forged spam and virii) or correlate to the CBL.

Couple either or both with an autodisconnect script like what Suresh suggested.
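The two detection ideas raised in the thread (a per-customer rate limit on outbound port 25 and flagging customer IPs that connect to 47.129.25.87, with known customer mail servers excluded) as one added example script; it is not code from any poster. The log line format, the 10.20.0.0/16 customer pool and the excluded MTA address are assumptions made up for the example, and the sample log is constructed inline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Address named in the thread as receiving no legitimate mail: a hit means an infected host.
SINKHOLE = ip_address("47.129.25.87")
# Assumed (hypothetical) customer dialup pool and customer-run MTAs to exclude from alerts.
CUSTOMER_POOL = ip_network("10.20.0.0/16")
LEGIT_MAIL_SERVERS = {ip_address("10.20.1.1")}

# Assumed firewall/flow log format: "<ISO timestamp> <src> <dst> <dport>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Yield (timestamp, src, dst, dport) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m.group(1)), ip_address(m.group(2)),
                   ip_address(m.group(3)), int(m.group(4)))

def find_suspects(text, window=timedelta(minutes=10), threshold=50):
    """Return {src: [reasons]} for customer IPs that flood port 25 or touch the sinkhole."""
    suspects = defaultdict(set)
    recent = defaultdict(deque)  # per-source connection timestamps inside the sliding window
    for ts, src, dst, dport in parse_log(text):
        if dport != 25 or src not in CUSTOMER_POOL or src in LEGIT_MAIL_SERVERS:
            continue
        if dst == SINKHOLE:
            suspects[src].add("sinkhole")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop connections older than the window
            q.popleft()
        if len(q) > threshold:
            suspects[src].add("rate")
    return {str(ip): sorted(r) for ip, r in suspects.items()}

def constructed_log():
    """Constructed sample: one flooding host, one sinkhole hit, one excluded MTA, one normal user."""
    t0 = datetime(2003, 12, 2, 12, 50)
    lines = [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 10.20.5.7 198.51.100.{i % 200 + 1} 25"
             for i in range(60)]                                    # 60 connections in 5 minutes
    lines.append(f"{t0.isoformat()} 10.20.9.3 47.129.25.87 25")    # trojaned host probing the sinkhole
    lines.append(f"{t0.isoformat()} 10.20.1.1 47.129.25.87 25")    # legit MTA bouncing forged spam
    lines += [f"{(t0 + timedelta(minutes=m)).isoformat()} 10.20.7.2 198.51.100.5 25" for m in range(3)]
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, reasons in find_suspects(constructed_log()).items():
        print(ip, ",".join(reasons))
```

Feed the flagged addresses to the autodisconnect script the thread mentions, or correlate them against a CBL lookup before acting.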