Re: blacklisting a forger
On Sunday 2 August 2009, RW wrote:
> On Sat, 1 Aug 2009 21:34:04 -0400
> "Terry Carmen" wrote:
>
> > > Of course it's blacklisted, but would you care to explain how
> > > rejecting mail from 59.184.51.13 helps, when the backscatter
> > > doesn't come from there?
> >
> > According to the OP, that's the IP he received the message from.
>
> No, he quoted the following:
>
> Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
>
> as I already said: "Received-From-MTA is a standard DSN field set by
> the MTA generating the DSN."

So it might perhaps be worthwhile to extract that field and test it against some RBLs?

-- 
Magnus Holmgren        holmg...@lysator.liu.se
(No Cc of list mail needed, thanks)
Re: blacklisting a forger; summary; /* end
LuKreme wrote:
> On 3-Aug-2009, at 10:21, Dennis G German wrote:
>> Content-Type: text/html;
>> charset="US-ASCII"
>> Content-Transfer-Encoding: quoted-printable
>>
>
> Yes, there IS a problem.
>
> What the hell?

The message was multipart/alternative. You are more than capable of reading the text/plain part. html-only messages are strongly discouraged on the list, but so is complaining about multipart/alternative.
Re: blacklisting a forger; summary; /* end
On 3-Aug-2009, at 10:21, Dennis G German wrote:
> Content-Type: text/html;
> charset="US-ASCII"
> Content-Transfer-Encoding: quoted-printable
>
> Summary: Problem:

Yes, there IS a problem.

What the hell?

-- 
Behind every great man there's a woman with a vibrator -- Hawkeye Pierce
Re: blacklisting a forger; summary; /* end
Summary:

Problem: Observing "scatter" from many different sites coming to vari...@mydomain.com. These are NDRs (Non Delivery Responses) to messages sent from the forger or infected system: 59.184.51.13 aka triband-mum-59.184.51.13.mtnl.net.in

Is already blacklisted on many Realtime Black Lists as seen via http://www.mxtoolbox.com/blacklists.aspx

The various sites that are sending NDRs should be checking one of the RBLs and ignoring the initial email.

My email is configured to accept all vari...@mydomain.com so it does not contribute to network traffic by sending NDRs.

First forwarder: relay1.sea.eschelon.com (66.213.193.108) should

Thanks to all for comments and suggestions
Re: blacklisting a forger
Terry Carmen wrote:
>> On Sat, 1 Aug 2009 19:33:40 -0400
>> "Terry Carmen" wrote:
>>
>>> The backscatter would not have been received, since the sender is on
>>> a number of RBLs.
>>
>> It's the IP address of the botnet PC that's on the RBLs, the backscatter
>> doesn't come from there, it comes from the recipients of the spam.
>>
>> See: http://en.wikipedia.org/wiki/Backscatter_(e-mail)
>
> Regardless of whether or not the message was backscatter, the sending system
> (triband-mum-59.184.51.13.mtnl.net.in) is blacklisted,

- bot at triband-* sent junk to silly.server.example.
- silly.server.example didn't reject it. instead it bounced it to OP
- the bounce includes info about which host sent the original junk to silly.server.example, and this is triband-*

so for OP, this is backscatter, and RBL/DNSBL is of no help.
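The three-step walk-through above and RW's point about Received-From-MTA make the same distinction: the DSN field names the host that handed the junk to the bouncing server, while the bounce itself reaches the OP's MX from the bouncing server's address. Magnus's follow-up is to pull that field out and test it against RBLs. The following added example (written for this page, not code from the thread or from any of its authors) does both against a constructed bounce: it reads Reporting-MTA and Received-From-MTA from the message/delivery-status part, takes the connecting address from the topmost Received header, builds the reversed-octet DNSBL query name for each, and reports whether rejecting the Received-From-MTA address would have stopped the bounce. The hosts silly.server.example and mx.mydomain.example, the addresses 198.51.100.7 and 192.0.2.x, the zone dnsbl.example and the FAKE_DNS table are all assumptions so that the code runs offline; a real deployment would replace FAKE_DNS.get with socket.gethostbyname and actually resolve the query names.

```python
import email
import ipaddress
import re

# Constructed sample bounce (not from the thread): generated by the
# hypothetical host silly.server.example and delivered to the OP's MX from
# 198.51.100.7. Received-From-MTA names the triband-* host quoted in the
# thread as the source of the original junk.
SAMPLE_DSN = """\
Received: from silly.server.example (silly.server.example [198.51.100.7])
    by mx.mydomain.example (Postfix) with ESMTP id 4ABC123
    for <someone@mydomain.example>; Sat, 1 Aug 2009 13:55:01 -0400
From: Mail Delivery System <MAILER-DAEMON@silly.server.example>
To: someone@mydomain.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

The message could not be delivered.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns;silly.server.example
Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
Arrival-Date: Sat, 1 Aug 2009 13:54:58 -0400

Final-Recipient: rfc822;nobody@silly.server.example
Action: failed
Status: 5.1.1

--B1--
"""

# Constructed stand-in for a DNS A lookup (socket.gethostbyname) so the
# example runs offline; the triband-* name maps to the address the thread
# quotes for it.
FAKE_DNS = {
    "triband-mum-59.184.51.13.mtnl.net.in": "59.184.51.13",
    "silly.server.example": "198.51.100.7",
}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def strip_mta_type(value):
    """'dns;host.example' -> 'host.example' (drops the RFC 3464 type prefix)."""
    if value is None:
        return None
    return value.split(";", 1)[-1].strip()


def dsn_fields(raw):
    """Return (Reporting-MTA, Received-From-MTA) from the per-message field
    group of the message/delivery-status part, or None if there is none."""
    msg = email.message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # The email package parses each blank-line-separated field group
            # into a header-only Message; the first group is the per-message one.
            per_message = part.get_payload()[0]
            return (strip_mta_type(per_message.get("Reporting-MTA")),
                    strip_mta_type(per_message.get("Received-From-MTA")))
    return None


def dsn_client_ip(raw):
    """Address of the SMTP client that delivered the bounce to our MX: the
    bracketed IP in the topmost Received header, which our own MTA wrote."""
    received = email.message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return m.group(1) if m else None


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: a listing for 59.184.51.13 in
    zone Z is published as an A record for 13.51.184.59.Z."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def analyse_bounce(raw, resolve=FAKE_DNS.get, zone="dnsbl.example"):
    """Collect the two addresses a defender cares about and the DNSBL names
    to look up for each. No network access is performed here."""
    reporting, received_from = dsn_fields(raw) or (None, None)
    client_ip = dsn_client_ip(raw)
    received_from_ip = resolve(received_from) if received_from else None
    return {
        "dsn_client_ip": client_ip,
        "reporting_mta": reporting,
        "received_from_mta": received_from,
        "received_from_ip": received_from_ip,
        "queries": {
            label: dnsbl_query_name(ip, zone)
            for label, ip in (("dsn_client", client_ip),
                              ("received_from", received_from_ip))
            if ip
        },
        # Rejecting connections from the Received-From-MTA address only stops
        # the bounce if that address is the one that delivered the bounce.
        "blocking_received_from_stops_dsn": client_ip == received_from_ip,
    }


if __name__ == "__main__":
    for key, value in analyse_bounce(SAMPLE_DSN).items():
        print(f"{key}: {value}")
```

On the sample, the bounce's client is 198.51.100.7 while Received-From-MTA resolves to 59.184.51.13, so the last flag is False: an RBL check at the OP's MX would have to list the bouncing server, not the bot, to reject this message. The Received-From-MTA value is still useful as evidence when reporting the infected host, which is what the extraction is for.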
Re: blacklisting a forger
On Sat, 1 Aug 2009 21:34:04 -0400
"Terry Carmen" wrote:

> > > Of course it's blacklisted, but would you care to explain how
> > > rejecting mail from 59.184.51.13 helps, when the backscatter
> > > doesn't come from there?
> >
> > According to the OP, that's the IP he received the message from.

No, he quoted the following:

Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in

as I already said: "Received-From-MTA is a standard DSN field set by the MTA generating the DSN."

The DSN could have come from anywhere *except* triband-mum-59.184.51.13.mtnl.net.in
Re: blacklisting a forger
On Sat, 1 Aug 2009 20:44:27 -0400
"Terry Carmen" wrote:

> > On Sat, 1 Aug 2009 19:33:40 -0400
> > "Terry Carmen" wrote:
> >
> >> The backscatter would not have been received, since the sender is
> >> on a number of RBLs.
> >
> > It's the IP address of the botnet PC that's on the RBLs, the
> > backscatter doesn't come from there, it comes from the recipients
> > of the spam.
> >
> > See: http://en.wikipedia.org/wiki/Backscatter_(e-mail)
>
> Regardless of whether or not the message was backscatter, the sending
> system (triband-mum-59.184.51.13.mtnl.net.in) is blacklisted,

Of course it's blacklisted, but would you care to explain how rejecting mail from 59.184.51.13 helps, when the backscatter doesn't come from there?
Re: blacklisting a forger
> On Sat, 1 Aug 2009 19:33:40 -0400
> "Terry Carmen" wrote:
>
>> The backscatter would not have been received, since the sender is on
>> a number of RBLs.
>
> It's the IP address of the botnet PC that's on the RBLs, the backscatter
> doesn't come from there, it comes from the recipients of the spam.
>
> See: http://en.wikipedia.org/wiki/Backscatter_(e-mail)

Regardless of whether or not the message was backscatter, the sending system (triband-mum-59.184.51.13.mtnl.net.in) is blacklisted,

Terry
Re: blacklisting a forger
On Sat, 1 Aug 2009 19:33:40 -0400
"Terry Carmen" wrote:

> The backscatter would not have been received, since the sender is on
> a number of RBLs.

It's the IP address of the botnet PC that's on the RBLs, the backscatter doesn't come from there, it comes from the recipients of the spam.

See: http://en.wikipedia.org/wiki/Backscatter_(e-mail)
Re: blacklisting a forger
> On Sat, 1 Aug 2009 11:04:35 -0400
> "Terry Carmen" wrote:
>
>> > On Sat, 1 Aug 2009 10:02:54 -0400
>> > "Terry Carmen" wrote:
>> >
>> >> > I have received many emails in the last hour which were
>> >> > undeliverable, NOT sent by me.
>> >> > It seems someone is forging usernames in my domain
>> >> > Real-World-Systems.com as the "from:" and the "return-path:" .
>> >> >
>> >> > Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
>> >> >
>> >> > I have sent a message to ab...@mntl.net.in and
>> >> > helpd...@mtnl.net.in but no response.
>> >> >
>> >> > How does an MTA get blacklisted??
>> >>
>> >> You'll probably never get a response, and even if you do, nothing
>> >> will happen.
>> >>
>> >> The easiest thing to do is configure your mail server to use an RBL,
>> >> which would have stopped this before you received it.
>> >
>> > No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost
>> > certainly an infected PC, and the backscatter is coming from
>> > third-party servers.
>>
>> The IP address is listed on almost two dozen RBLs.
>
> sure, but the original poster wrote:
>
> "I have received many emails in the last hour which were
> undeliverable, NOT sent by me. It seems someone is forging usernames in
> my domain"

The backscatter would not have been received, since the sender is on a number of RBLs.

Terry

> In other words he is receiving backscatter. And Received-From-MTA
> is a standard DSN field set by the MTA generating the DSN.

-- 
CNY Support, LLC
Web. Database. Business
http://www.cnysupport.com
Re: blacklisting a forger
On Sat, 1 Aug 2009 11:04:35 -0400
"Terry Carmen" wrote:

> > On Sat, 1 Aug 2009 10:02:54 -0400
> > "Terry Carmen" wrote:
> >
> >> > I have received many emails in the last hour which were
> >> > undeliverable, NOT sent by me.
> >> > It seems someone is forging usernames in my domain
> >> > Real-World-Systems.com as the "from:" and the "return-path:" .
> >> >
> >> > Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
> >> >
> >> > I have sent a message to ab...@mntl.net.in and
> >> > helpd...@mtnl.net.in but no response.
> >> >
> >> > How does an MTA get blacklisted??
> >>
> >> You'll probably never get a response, and even if you do, nothing
> >> will happen.
> >>
> >> The easiest thing to do is configure your mail server to use an RBL,
> >> which would have stopped this before you received it.
> >
> > No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost
> > certainly an infected PC, and the backscatter is coming from
> > third-party servers.
>
> The IP address is listed on almost two dozen RBLs.

sure, but the original poster wrote:

"I have received many emails in the last hour which were undeliverable, NOT sent by me. It seems someone is forging usernames in my domain"

In other words he is receiving backscatter. And Received-From-MTA is a standard DSN field set by the MTA generating the DSN.
Re: blacklisting a forger
On Sat, August 1, 2009 14:19, Dennis German wrote:
> I have received many emails in the last hour which were undeliverable,
> NOT sent by me.

backscattering, block this ip, and send a mail to the postmaster, whois ip might say what email their system accept non existing users, or some other bad lda that bounce when mta have accepted it

> It seems someone is forging usernames in my domain Real-World-Systems.com
> as the "from:" and the "return-path:" .

http://old.openspf.org/wizard.html?mydomain=Real-World-Systems.com&submit=Go!

change all to -all (softfail vs fail)

also see the later part for how to add zones to bind/djbdns

> Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
> I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but
> no response.

block the client ip then check that the ip is not in dnswl or dnsbl lists already

> How does an MTA get blacklisted??

start accepting emails and setup sieve to reject (dovecot sieve have this bug) temporarily i have disabled reject in my sieve to not do this

-- 
xpoint
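The "change all to -all (softfail vs fail)" advice above is about the qualifier on the final `all` term of the domain's SPF record. The following added example (written for this page, not from the thread or from the SPF wizard it links) is a deliberately small SPF evaluator that supports only the `ip4`/`ip6` and `all` mechanisms, enough to show the difference a receiving MTA sees between `~all` and `-all` for a message that arrives from an address the domain does not list. The records, the 192.0.2.0/28 range standing in for the domain's real outbound MTAs, and the `receiver_action` mapping are assumptions; production receivers use a full implementation (pyspf or libspf2) that also handles `a`, `mx`, `include` and DNS lookups.

```python
import ipaddress

# RFC 7208 qualifiers and the result each one produces when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for the domain in the thread; 192.0.2.0/28 is an
# assumed placeholder for its legitimate outbound mail servers.
SOFTFAIL_RECORD = "v=spf1 ip4:192.0.2.0/28 ~all"
FAIL_RECORD = "v=spf1 ip4:192.0.2.0/28 -all"


def evaluate_spf(record, client_ip):
    """Evaluate client_ip against an SPF TXT record.

    Only the 'ip4', 'ip6' and 'all' mechanisms are implemented, so no DNS
    is needed. Returns pass, fail, softfail or neutral, or 'none' when the
    record is not an SPF record at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # an unqualified mechanism means '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            # A bare address without a prefix length is a /32 or /128.
            # Mismatched address families never match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
            continue
        raise ValueError(f"mechanism not supported by this example: {mech}")
    # No mechanism matched and there was no 'all' term: neutral (RFC 7208 4.7).
    return "neutral"


def receiver_action(result):
    """Assumed policy of a receiver that checks SPF at SMTP time. Only 'fail'
    leads to a rejection before the message is accepted; a softfail is
    normally accepted and scored, so the message can still be bounced
    later to the forged Return-Path."""
    return {"fail": "reject-at-smtp", "softfail": "accept-and-mark"}.get(result, "accept")


if __name__ == "__main__":
    forged_client = "59.184.51.13"            # the address quoted in the thread
    for label, record in (("~all", SOFTFAIL_RECORD), ("-all", FAIL_RECORD)):
        result = evaluate_spf(record, forged_client)
        print(f"{label}: {result} -> {receiver_action(result)}")
```

With `~all` the forged message evaluates to softfail and is typically accepted, which is exactly the situation in which a later non-delivery report goes back to the forged Return-Path; with `-all` the same message fails and a receiver that enforces SPF rejects it during the SMTP transaction, so no bounce is ever generated.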
Re: blacklisting a forger
> On Sat, 1 Aug 2009 10:02:54 -0400
> "Terry Carmen" wrote:
>
>> > I have received many emails in the last hour which were
>> > undeliverable, NOT sent by me.
>> > It seems someone is forging usernames in my domain
>> > Real-World-Systems.com as the "from:" and the "return-path:" .
>> >
>> > Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
>> >
>> > I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in
>> > but no response.
>> >
>> > How does an MTA get blacklisted??
>>
>> You'll probably never get a response, and even if you do, nothing
>> will happen.
>>
>> The easiest thing to do is configure your mail server to use an RBL,
>> which would have stopped this before you received it.
>
> No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost
> certainly an infected PC, and the backscatter is coming from
> third-party servers.

The IP address is listed on almost two dozen RBLs.

Terry
Re: blacklisting a forger
On Sat, 1 Aug 2009 10:02:54 -0400
"Terry Carmen" wrote:

> > I have received many emails in the last hour which were
> > undeliverable, NOT sent by me.
> > It seems someone is forging usernames in my domain
> > Real-World-Systems.com as the "from:" and the "return-path:" .
> >
> > Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
> >
> > I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in
> > but no response.
> >
> > How does an MTA get blacklisted??
>
> You'll probably never get a response, and even if you do, nothing
> will happen.
>
> The easiest thing to do is configure your mail server to use an RBL,
> which would have stopped this before you received it.

No it wouldn't. triband-mum-59.184.51.13.mtnl.net.in is almost certainly an infected PC, and the backscatter is coming from third-party servers.
Re: blacklisting a forger
> I have received many emails in the last hour which were undeliverable,
> NOT sent by me.
> It seems someone is forging usernames in my domain Real-World-Systems.com
> as the "from:" and the "return-path:" .
>
> Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
>
> I have sent a message to ab...@mntl.net.in and helpd...@mtnl.net.in but
> no response.
>
> How does an MTA get blacklisted??

You'll probably never get a response, and even if you do, nothing will happen.

The easiest thing to do is configure your mail server to use an RBL, which would have stopped this before you received it.

http://www.mxtoolbox.com/blacklists.aspx

Terry