>> Received: from [61.11.84.56] (HELO asia) by watervalley.net (Stalker SMTP
>> Server 1.8b8) with ESMTP id S.0076377894 for <[EMAIL PROTECTED]>;
>> Tue, 16 Dec 2003 03:09:27 -0600
>
> That's very disturbing.
>
> I know you are a contender for the largest SIMS site in the world,
> but is there any hope at all of turning up the logging all the way
> for SMTP and the router to capture the details on these? I see that
> your MX is now listed at SpamCop, but unfortunately SpamCop has gone
> insane and is no longer yielding any useful information with their
> listings.
contender? I think I am the undefeated champion.

Our setup changed a few months ago and SIMS now sends all mail out through a
linux machine running postfix. This allows us to filter all outgoing mail to
stop sending spam to the internet (in theory). We use header_checks and
body_checks to discard (i.e., not generate a bounce) and we have now discarded
450,000+ of these stupid messages (which are all the same...some human grth
horm thing).

We will try changing to kx100.net = error and see what that does to our
bandwidth and processing. I was under the impression that it would generate a
bounce message in our mail queue and make SIMS unhappy, but if it won't then it
is better than the discard on the way out system.

> My top suspicion is that you have a cracked account that is (in this
> case) being abused by someone on a DSL line in India. Hunting that
> down really requires deep logging, because you have to capture the
> AUTH part of the session to know for sure that this is happening. If
> you have POP-before-SMTP relay access turned on, you also need to
> look at POP sessions. Spammers in the past couple of months have
> taken to attacking machines that relay for authorized users by
> running password-guessing attacks, most visibly on role accounts like
> 'postmaster.'

This is what we thought as well, but I turned off AUTH advertising and SMTP
after POP. Does AUTH work even if it is not advertised? Could that be the
problem?

> If all of these are coming from particularly scummy parts of the net
> (61.0.0.0/8 unfortunately qualifies, as does most other space
> allocated via APNIC) from which you get nothing you want, you can
> probably safely just wall those areas off from your network.
> Blacklisting them in SIMS won't work if they are hitting a cracked
> account, you would need to use whatever you use as a firewall to
> block packets aimed at port 25 from the source networks. If ignoring
> large chunks of Asia is not feasible, you might still get some
> success from blocking smaller chunks around the bad actors that you
> can identify, for example 61.11.0.0/17 is DishnetDSL in India, a
> network that sources a lot of bad traffic and almost certainly no
> mail that you want.

I understand and I am trying to avoid that, but I may have no choice.

Howard Shere       | Green Dragon Creations | Water Valley Interchange
President          | 301 N. Main St.        | P.O. Box 70
Software Sculptor  | Water Valley, MS 38965 | Water Valley, MS 38965
                   | [EMAIL PROTECTED]      | [EMAIL PROTECTED]
                   | www.greendragon.com    | www.watervalley.net
                   | 1-662-473-4225         | 1-662-473-9209
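A small triage helper for the firewall-block suggestion in the thread, added here as an example (it is not code from the list, from SIMS or from Postfix): it unfolds a SIMS-style Received: header like the one quoted above, pulls the connecting IP, and reports which of the networks named in the discussion (61.11.0.0/17, 61.0.0.0/8) would have covered that source. The block list, the second sample header, its message id and the user@example.net recipient are constructed for the example.

```python
import ipaddress
import re
# Networks the thread names as sources of unwanted traffic: 61.11.0.0/17
# (DishnetDSL, India) and the broader 61.0.0.0/8 APNIC allocation. The
# list is constructed for this example; an operator maintains their own.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("61.11.0.0/17"),
    ipaddress.ip_network("61.0.0.0/8"),
]

# Received: lines as SIMS writes them: "from [ip] (HELO name) by host ...".
_RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r"\s*\((?:HELO\s+)?(?P<helo>[^)]*)\)",
    re.IGNORECASE,
)

def parse_received(header):
    """Return (ip, helo) from a SIMS-style Received: header, else None."""
    m = _RECEIVED_RE.match(" ".join(header.split()))  # unfold continuation lines
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("ip")), m.group("helo").strip()
    except ValueError:  # bracketed token was not a valid address
        return None

def most_specific_block(ip):
    """Return the longest-prefix blocked network containing ip, or None."""
    hits = [net for net in BLOCKED_NETWORKS if ip in net]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def classify(header):
    """Triage one header: (ip, helo, matched network or None), all as strings."""
    parsed = parse_received(header)
    if parsed is None:
        return None
    ip, helo = parsed
    net = most_specific_block(ip)
    return str(ip), helo, (str(net) if net else None)

# Constructed sample input: the header quoted in the thread, folded over three
# lines as in a raw message, and a made-up relay in documentation address space.
SAMPLE_HEADERS = [
    "Received: from [61.11.84.56] (HELO asia) by watervalley.net (Stalker SMTP\n"
    " Server 1.8b8) with ESMTP id S.0076377894 for <user@example.net>;\n"
    " Tue, 16 Dec 2003 03:09:27 -0600",
    "Received: from [192.0.2.10] (HELO mail.example.org) by watervalley.net (Stalker SMTP Server 1.8b8) with ESMTP id S.0000000001; Tue, 16 Dec 2003 04:00:00 -0600",
]
```

Run over a mailbox, the /17 hits are the ones a narrow firewall rule on port 25 would have stopped; a source matching only the /8 needs the broader block the thread is reluctant to apply.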
