You can feel safe adding this to your router:
kx100.net = error
perhaps:
kx100.net = NULL
would be better. error will generate bounces for each one, right?
That depends on your definition of 'generate a bounce.' If you use 'error' the message is rejected and never accepted, so the sending software will, if it is a real MTA and not some Windows trojan or proxy-abuse spamware, then generate a bounce message. If you use 'NULL' then SIMS will accept the message as if you are going to deliver it, then simply drop it. Using that sort of tactic really does not work, because it appears that at least some spammers pay some attention to whether their spam is accepted or rejected, and accepting the spam just leads them to keep sending it and send more.
Of course, whacking them in the router will only catch the envelope sender (i.e. Return-Path) so if the mail is using different addresses in From and envelope, that won't stop it.
The From address seems to be [EMAIL PROTECTED]
The real key is the Return-Path. SIMS can't catch the From header, but the Return-Path header (the top one if there are two...) is actually created by SIMS from the SMTP envelope sender, which is what the router can actually operate on.
Is it relaying or delivering locally? The relay controls only control relaying. Anyone can deliver to your local mailboxes.
I understand this. It is mail for elsewhere. The Received looks like this:
Received: from [61.11.84.56] (HELO asia) by watervalley.net (Stalker SMTP Server 1.8b8) with ESMTP id S.0076377894 for <[EMAIL PROTECTED]>; Tue, 16 Dec 2003 03:09:27 -0600
That's very disturbing.
I know you are a contender for the largest SIMS site in the world, but is there any hope at all of turning up the logging all the way for SMTP and the router to capture the details on these? I see that your MX is now listed at SpamCop, but unfortunately SpamCop has gone insane and is no longer yielding any useful information with their listings.
My top suspicion is that you have a cracked account that is (in this case) being abused by someone on a DSL line in India. Hunting that down really requires deep logging, because you have to capture the AUTH part of the session to know for sure that this is happening. If you have POP-before-SMTP relay access turned on, you also need to look at POP sessions. Spammers in the past couple of months have taken to attacking machines that relay for authorized users by running password-guessing attacks, most visibly on role accounts like 'postmaster.'
If all of these are coming from particularly scummy parts of the net (61.0.0.0/8 unfortunately qualifies, as does most other space allocated via APNIC) from which you get nothing you want, you can probably safely just wall those areas off from your network. Blacklisting them in SIMS won't work if they are hitting a cracked account, you would need to use whatever you use as a firewall to block packets aimed at port 25 from the source networks. If ignoring large chunks of Asia is not feasible, you might still get some success from blocking smaller chunks around the bad actors that you can identify, for example 61.11.0.0/17 is DishnetDSL in India, a network that sources a lot of bad traffic and almost certainly no mail that you want.
-- Bill Cole [EMAIL PROTECTED]
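The thread turns on two checks an admin would want to automate over the SMTP log: is a given Received line a relay for elsewhere rather than local delivery, and does the connecting address fall inside a source network such as 61.11.0.0/17 that the post names? The script below is an added example, not code from the list or from SIMS; the Received line is constructed in the shape of the one quoted above, and the local-domain set and watch list are assumptions.

```python
import re
import ipaddress
from typing import Optional

# Constructed sample in the shape SIMS (Stalker SMTP Server) writes; the
# recipient address is made up, the connecting IP mirrors the one quoted.
SAMPLE_RECEIVED = (
    "Received: from [61.11.84.56] (HELO asia) by watervalley.net "
    "(Stalker SMTP Server 1.8b8) with ESMTP id S.0076377894 "
    "for <someone@example.org>; Tue, 16 Dec 2003 03:09:27 -0600"
)

# Hypothetical watch list of source networks; 61.11.0.0/17 is the
# DishnetDSL block the post singles out.
WATCHED_NETWORKS = [ipaddress.ip_network("61.11.0.0/17")]

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>[0-9.]+)\]\s+\(HELO\s+(?P<helo>[^)]*)\)"
    r"\s+by\s+(?P<by>\S+).*?\bfor\s+<(?P<rcpt>[^>]+)>",
    re.DOTALL,
)

def parse_received(header: str) -> Optional[dict]:
    """Pull the connecting IP, HELO name, receiving host and envelope recipient."""
    m = RECEIVED_RE.match(header)
    if not m:
        return None
    fields = m.groupdict()
    fields["ip"] = ipaddress.ip_address(fields["ip"])
    return fields

def is_watched(ip: ipaddress.IPv4Address) -> bool:
    """True if the connecting address sits inside any watched source network."""
    return any(ip in net for net in WATCHED_NETWORKS)

def is_local_delivery(rcpt: str, local_domains: set) -> bool:
    """Local delivery is always allowed; anything else is a relay attempt."""
    return rcpt.rsplit("@", 1)[-1].lower() in local_domains

def classify(header: str, local_domains: set) -> str:
    """Label one Received line: unparsed, local, relay, or relay from a watched net."""
    parsed = parse_received(header)
    if parsed is None:
        return "unparsed"
    relay = not is_local_delivery(parsed["rcpt"], local_domains)
    if relay and is_watched(parsed["ip"]):
        return "relay-from-watched-network"
    return "relay" if relay else "local"
```

Run over the SMTP log, the "relay" and "relay-from-watched-network" hits are the sessions whose AUTH or POP-before-SMTP records need to be pulled to confirm a cracked account.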
