On Wed, 28 Jul 2004 19:37:54 -0400 Tracy <[EMAIL PROTECTED]> wrote:

> At 19:32 7/28/2004, Gerald V. Livingston II wrote:
> >With one exception. Using SMTP AUTH I know whose account to shut down for
> >abuse without ever having to leave the mail log and cross reference a
> >connection log. Especially if the user is sending mail while connected via
> >some other ISP or corporate network.
> >
> >If I get a spam report I can open the mail log and track the message ID
> >right back to the [log-ID] [EMAIL PROTECTED] -- AUTHENTICATED line in the
> >log and disable that account on the spot. The AUTHENTICATED marker always
> >has the true local email account info for the sender. Doesn't matter
> >what's in the "From:" or "Sender:" headers.
>
> Oh, no... I completely agree that SMTP AUTH makes an admin's job a lot
> easier. It's just that it doesn't necessarily take care of the whole
> problem....

But making the admin's job easier helps to take care of much more of the problem than you realize.

If I have 5 spam reports in my mail abuse box and I know it's going to take me 2 or 3 hours to grep through 500+ Meg of log files then cross reference what I find there against 2 or 3 Gig of radius logs, and, if I'm lucky, trace only 3 of 5 back to their origin, then I'm going to pass the buck. I'm going to let those abuse reports sit and request that the person submitting them provide more definitive proof that it was one of MY users that sent the spam.

If I have the same 5 reports and I know it'll take me only 20 minutes to grep for the right headers and either locate the offending user or prove without a doubt that it didn't come from my server I'll take care of it when I get it.

If all of the "honest" (non-spamming) mail admins out there closed 2 spammer accounts each week we could slowly force the active ones to move to spam friendly ISPs -- you know, the ones we can block easily with DNSBLs.

Besides, I can write a script with all the grep commands in it and train a monkey to handle the initial searches so all I have to look at is log snips with relevant info (of course, working for a small company, I have no monkeys to train).

Gerald
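
The two-step lookup described in this thread (message ID to session log-ID, then log-ID to the AUTHENTICATED line), as an added example that is not part of the original message or of any mail server's own tooling. The log layout, the function name `trace_sender` and every sample value are constructed assumptions; adjust the patterns to the real log format of your server.

```shell
#!/bin/sh
# Constructed sample log in a hypothetical layout: "[log-ID] event" per line.
# Note the forged From address in session A1F3: the lookup ignores it.
SAMPLE_LOG='[A1F3] connect from 203.0.113.45
[A1F3] alice@example.net -- AUTHENTICATED
[B7C2] connect from 198.51.100.9
[A1F3] message-id=<20040728.0001@example.net> from=<offers@spoofed.example> accepted
[B7C2] message-id=<20040728.0002@example.net> from=<bob@example.net> accepted
[A1F3] disconnect'

# trace_sender MESSAGE_ID [LOGFILE]
# Prints the authenticated account of the session that submitted MESSAGE_ID,
# prints "UNAUTHENTICATED" if that session never authenticated, and returns 1
# if the message ID does not appear in the log (it did not come from here).
trace_sender() {
    msgid=$1
    logfile=${2:-}
    if [ -n "$logfile" ]; then log=$(cat "$logfile"); else log=$SAMPLE_LOG; fi

    # Step 1: message ID -> session log-ID.
    # grep -F treats the ID as a literal string; message IDs contain '.'
    # and other characters that would otherwise act as regex metacharacters.
    session=$(printf '%s\n' "$log" \
        | grep -F "message-id=<$msgid>" \
        | head -n 1 \
        | sed 's/^\[\([^]]*\)].*/\1/')
    [ -n "$session" ] || return 1

    # Step 2: session log-ID -> account on that session's AUTHENTICATED line.
    # index()==1 anchors the log-ID at the start of the line, so a log-ID
    # that appears inside another session's text cannot match.
    account=$(printf '%s\n' "$log" \
        | awk -v p="[$session] " \
            'index($0, p) == 1 && /-- AUTHENTICATED$/ { print $2; exit }')

    printf '%s\n' "${account:-UNAUTHENTICATED}"
}
```

The non-zero return for an unknown message ID is what lets a wrapper script separate "not from my server" from "from my server but unauthenticated".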
