Hello All

A professional spammer is using a forged "From:" header line which quotes a non-existent address at one of our domains. Every spam he sends to a bad address gets bounced to us. We are running qmail, which by default accepts these bounces and then handles them as "double bounces".

To give you an idea of the scope of the problem, we have received about eleven thousand bounces with the same forged address over the last month. All of the spam was launched from AOL, and relayed using a whole list of open relays - many in Eastern Europe and the Far East. We send copies of this spam to [EMAIL PROTECTED] on a daily basis. The only response I have ever had from AOL is from an autoresponder. Sometimes we send copies to the relay machine admins; usually "abuse@<domain>" bounces and sometimes "postmaster@<domain>" bounces too. I have never had a response from any of them.

The problem is an irritation to me and obviously to all of the people who are getting the spam.

My plan is to convert the qmail to exim (this is part of a larger project, which is why I have not done anything yet), then let exim refuse the bounce messages with a 500 error before they are accepted.

Then this was posted on debian-isp@lists.debian.org:

On 1 Mar 00, at 20:38, Michael Koehne wrote:

> Last (if you're really desperate) install a "Teergrube". The so called
> tar pit is abusing the dash ("-") feature SMTP uses to keep alive, to
> hold an IP connection open for ever, if it comes from a host on the
> rbl list. This will cause the spamming host to go down, as any operating
> system has a limit on open sockets.
>
> Try to surf around with the keywords "Teergrube" or "Tarpit" and "SMTP"
> to get some patches for sendmail.

Ouch! This sounds pretty drastic and it is not normally my style. However, it may be appropriate in this case. All of those bounce messages come from open relays, while they are actively sending spam. If I could run an effective DOS on them, then the spammer who is sending the spam would find his productivity gets hit quite hard. Maybe he will notice and then choose to forge somebody else's address... which will make my problem go away. The DOS should only be invoked on servers sending bounce messages to the non-existent address.

Does anybody know of "Teergrube" patches for qmail or exim? Has anybody tried this before? What resources do I have to have available on my end to sink the other server without sinking my own?

Can anybody help? I got another 35 bounces in the time it took to write this!

Thanks

Ian
---------------------------------------------------------------------
Ian Forbes ZSD http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
---------------------------------------------------------------------
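The bounce refusal Ian plans to do in exim, shown as a worked example added here (it is not Ian's code and not part of qmail or exim): an RCPT-time policy that answers a bounce (null envelope sender) aimed at a non-existent local address with a permanent 5xx before DATA, plus a counter showing which peers keep sending such bounces. The domain, user list and sample sessions are constructed for the example.

```python
"""
Added example (not from the original post, nor from qmail or exim): the
RCPT-time policy that refuses bounces aimed at a non-existent local
address, plus a counter that shows which peers keep sending them.
The domain, user list and sample sessions below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed: the domains this host accepts mail for and its real users.
LOCAL_DOMAINS = {"example.com"}
VALID_LOCAL_PARTS = {"ian", "postmaster", "abuse"}


@dataclass(frozen=True)
class Envelope:
    peer: str        # IP address of the connecting SMTP client
    mail_from: str   # envelope sender; "" or "<>" is the null sender bounces use
    rcpt_to: str     # envelope recipient offered at RCPT TO


def is_bounce(mail_from: str) -> bool:
    """A delivery status notification is sent with the null envelope sender."""
    return mail_from.strip() in ("", "<>")


def split_address(addr: str):
    """Return (local_part, domain) in lower case, or None if malformed."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    return local.lower(), domain.lower()


def rcpt_decision(env: Envelope):
    """SMTP reply (code, text) for one RCPT TO command.

    The backscatter case is a bounce (null sender) to a local part that does
    not exist: it is refused with a permanent 5xx before DATA, so the message
    is never accepted and never becomes a qmail-style double bounce.
    """
    parsed = split_address(env.rcpt_to)
    if parsed is None:
        return 501, "5.1.3 bad recipient address syntax"
    local, domain = parsed
    if domain not in LOCAL_DOMAINS:
        return 554, "5.7.1 relay not permitted"
    if local in VALID_LOCAL_PARTS:
        return 250, "2.1.5 recipient ok"
    if is_bounce(env.mail_from):
        return 550, "5.1.1 no such user; bounce refused"
    return 550, "5.1.1 no such user"


class BackscatterMonitor:
    """Applies rcpt_decision and counts refused bounces per peer."""

    def __init__(self):
        self.refused_bounces = Counter()

    def handle(self, env: Envelope):
        code, text = rcpt_decision(env)
        if code == 550 and is_bounce(env.mail_from):
            self.refused_bounces[env.peer] += 1
        return code, text

    def top_sources(self, n: int = 3):
        return self.refused_bounces.most_common(n)


# Constructed sample of RCPT TO commands as seen by the receiving MTA.
SAMPLE_SESSIONS = [
    Envelope("203.0.113.10", "", "<forged-user@example.com>"),
    Envelope("203.0.113.10", "<>", "<forged-user@example.com>"),
    Envelope("198.51.100.7", "", "<forged-user@example.com>"),
    Envelope("198.51.100.7", "", "<ian@example.com>"),  # genuine bounce, accepted
    Envelope("192.0.2.44", "friend@example.net", "<ian@example.com>"),
    Envelope("192.0.2.44", "friend@example.net", "<nobody@example.com>"),
    Envelope("192.0.2.44", "friend@example.net", "<someone@example.org>"),
]


def run_sample(sessions=SAMPLE_SESSIONS):
    """Feed the sample through the monitor; returns (replies, top peers)."""
    monitor = BackscatterMonitor()
    replies = [monitor.handle(env) for env in sessions]
    return replies, monitor.top_sources()


if __name__ == "__main__":
    replies, top = run_sample()
    for env, (code, text) in zip(SAMPLE_SESSIONS, replies):
        print(f"{env.peer:15} MAIL FROM:<{env.mail_from.strip('<>')}> "
              f"RCPT TO:{env.rcpt_to} -> {code} {text}")
    print("peers refused most often:", top)
```

The decision is the same one an exim recipient-verification ACL makes at RCPT time: only valid users are accepted, and a null-sender message to anyone else is refused before any message data is transferred, so the cost to the receiving side is one short connection. The per-peer counter gives the evidence (which relays are sending the refused bounces) without holding any of your own sockets open.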