On 6/17/04 at 08:22, Paul Galati wrote:
> Here is my log file from this morning. I get a couple instances of
> this a day, some of them having close to 100 recipients, all invalid.
Ah, I see the part of the picture that I missed yesterday. The incoming
message has multiple unknown recipients, so SIMS is sending a bounce for
each recipient.
> Couldn't you spam somebody this way? Create 100 messages and have
> the from address who you really wanted to send the mail to. Send it
> to any given mail server that would accept it. The mail server
> rejects the message because the recipient is not local, and sends the
> undeliverable to the from sender.
I don't think that's really the spammer's intent. The 'From' address is
most likely chosen at random and really only needs to have a valid domain
part so that the message will be accepted by the receiving MTA. This looks
like it's probably some sort of dictionary attack, where the spammer is
sending to many addresses @ your domain, not knowing if any of them
actually exist. For addresses for which the message is accepted, the
spammer concludes (rightly or wrongly) that the address does exist and a)
his message has been delivered to another poor schmuck and b) he can keep
that address on his list and continue to spam it. For addresses for which
the message is rejected because the recipient is unknown, the spammer will
(or at least should) conclude that the address does not exist and there's
no point in continuing to spam it.
> I will block this address but still...
>
> Also, please refresh my memory on how to create the <unknown>
> account so I can have all invalid recipients go to another email
> address for sorting and forwarding (or blocking).
Blocking? You're already blocking these messages by not accepting them in
the first place. At any rate, 'Unknown' is a special account to SIMS. You
could create an actual account called 'unknown', but you're probably better
off with a router line like:
<unknown> = quarantine_account
where there is no actual account named 'unknown' and 'quarantine_account'
is your 'sorting and forwarding' account. However, as I suggested yesterday
and for the reasons given above, you're probably better off simply letting
SIMS reject and bounce messages to unknown addresses. With the above router
line, messages are accepted, so the sending MTA (and by extension the
spammer) will think that all addresses are valid. The result is that the
spammer (and any of his little friends with whom he might share his list)
will just continue to spew spam at those non-existent addresses, generating
even more unnecessary traffic on your server.
One other thing that you might consider would be turning some of these
non-existent addresses into spamtraps, especially any that you see multiple
times in your logs. A spamtrap entry in your router would look like:
<nonexistent_address> = spamtrap
--
Christopher Bort | [EMAIL PROTECTED]
Webmaster, Global Homes | [EMAIL PROTECTED]
<http://www.globalhomes.com/>
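As an added example (not from this thread and not part of SIMS), here is a small script that tallies the two patterns Christopher describes from a mail log: sending hosts that hit many unknown recipients (the dictionary-attack signature) and nonexistent addresses that keep showing up, which it emits as `<address> = spamtrap` router lines. The log format, hosts and addresses are constructed for the example; SIMS's real log format is not assumed.

```python
import re
from collections import Counter

# Constructed sample log in a hypothetical one-line-per-recipient format:
#   <time> <client-ip> <envelope-sender> -> <recipient> <status>
# (this is NOT the real SIMS log format; adapt LINE_RE to your server's log)
SAMPLE_LOG = """\
08:21:01 203.0.113.7 bob1234@example.net -> alice@example.com unknown-user
08:21:01 203.0.113.7 bob1234@example.net -> bill@example.com unknown-user
08:21:01 203.0.113.7 bob1234@example.net -> brenda@example.com unknown-user
08:21:02 203.0.113.7 bob1234@example.net -> paul@example.com accepted
08:30:15 198.51.100.9 fred@example.org -> paul@example.com accepted
08:45:40 203.0.113.7 xyz@example.net -> alice@example.com unknown-user
09:02:11 192.0.2.44 a1@example.net -> alice@example.com unknown-user
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) (\S+)$")
FIELDS = ("time", "client", "sender", "rcpt", "status")


def parse_log(text):
    """Turn each well-formed log line into a dict; silently skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(dict(zip(FIELDS, m.groups())))
    return events


def dictionary_attack_sources(events, threshold=3):
    """Map client IP -> number of unknown recipients, for clients at or above
    the threshold. Many unknown recipients from one host in a short window is
    the 'guess addresses @ your domain' pattern discussed in the thread."""
    counts = Counter(e["client"] for e in events if e["status"] == "unknown-user")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def spamtrap_candidates(events, min_hits=2):
    """Nonexistent addresses rejected at least min_hits times, rendered as the
    router lines suggested above so they can be reviewed before being added."""
    counts = Counter(e["rcpt"] for e in events if e["status"] == "unknown-user")
    return [f"<{addr}> = spamtrap" for addr, n in sorted(counts.items()) if n >= min_hits]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("dictionary-attack sources:", dictionary_attack_sources(evs))
    print("\n".join(spamtrap_candidates(evs)))
```

Note that once a `<unknown> = quarantine_account` router line is in place these rejections no longer occur, so the log signal this script relies on disappears along with the bounces.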