On Aug 7, Rob Browning wrote [ISP abused by spammers]
> I'd appreciate any help in diagnosing and stopping this (an RTFM would be
> fine).

I'm not really an expert on this, so I'll point you to a FM: http://spam.abuse.net .

> I've reproduced a bit of suspicious log and one of the bounces below.
>
> There are many of these in the daemon.log which I suspect might be
> related:
>
> Aug 6 15:47:18 inside tcp-env[7395]: connect from 205.232.65.5
> Aug 6 16:31:11 inside tcp-env[7490]: connect from relay3.smtp.psi.net

psi.net. Yep. That's suspicious. If it looks like all spam is originating from a small number of domains, a stopgap measure is to block those domains from accessing your SMTP port by using tcpwrappers (in netbase); see http://spam.abuse.net/spam/tools/ipblock.html for details. Using tcpwrappers' "PARANOID" setting (refuse service in case of name/address discrepancy) is probably wise too.

Once you've done that, you can work on the real solution: disabling the use of your system as a mail relay. See http://spam.abuse.net/spam/tools/mailblock.html#relay for that.

As a service to the customers, you can try to make it harder for spammers to harvest their addresses:

- disable whole-system fingers ("finger @machine"); this can be done with cfingerd.
- If you run identd, run it with "-n". This makes it send out UIDs instead of account names.

and to validate addresses:

- Disable the "EXPN" and "VRFY" commands of SMTP; I don't know how to do that.

When browsing with e.g. Netscape, too much information is sent out (select "don't believe us" at www.anonymizer.com for a demo). You can stop this by installing "squid" as a web proxy, and setting "http_anonymizer paranoid" in /etc/squid.conf; make sure the users set the proxy (or make it transparent).

HTH,
Ray
--
Obsig: developing a new sig
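The stopgap Ray describes (find the few sources behind the flood of SMTP connects, then deny them with tcpwrappers) can be done from the daemon.log lines Rob quoted. The script below is an added example, not code from either poster: it parses `tcp-env[...]: connect from <host>` lines, tallies connects per source, folds hostnames into their parent domain (`relay3.smtp.psi.net` becomes `.psi.net`, which tcpwrappers reads as a domain-suffix pattern), keeps bare IP addresses as literal addresses, and prints candidate `/etc/hosts.deny` lines for anything over a threshold. The log lines are constructed for the example, and the daemon field `tcp-env` is an assumption: it must match the name of whatever tcpd actually execs on your inetd line.

```python
import re
import sys
from collections import Counter

# Constructed sample in the daemon.log format quoted in the thread
# (syslog prints single-digit days with two spaces, so whitespace is loose).
SAMPLE_LOG = """\
Aug  6 15:47:18 inside tcp-env[7395]: connect from 205.232.65.5
Aug  6 15:52:02 inside tcp-env[7401]: connect from 205.232.65.5
Aug  6 16:31:11 inside tcp-env[7490]: connect from relay3.smtp.psi.net
Aug  6 16:40:09 inside tcp-env[7512]: connect from 205.232.65.5
Aug  6 16:55:30 inside tcp-env[7540]: connect from relay1.smtp.psi.net
Aug  6 17:02:44 inside tcp-env[7600]: connect from mail.example.org
Aug  6 17:10:00 inside sshd[7601]: unrelated line, must be ignored
"""

CONNECT_RE = re.compile(r"tcp-env\[\d+\]:\s+connect from\s+(\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_connects(text):
    """Return the peer recorded in every tcp-env 'connect from' line."""
    peers = []
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            peers.append(m.group(1))
    return peers


def count_sources(text):
    """Connects per peer exactly as logged (name or address)."""
    return Counter(parse_connects(text))


def is_bare_ip(host):
    """True when tcp-env logged an address, i.e. no reverse name was recorded."""
    return IPV4_RE.match(host) is not None


def group_by_domain(counts):
    """Fold hostnames into a tcpwrappers suffix pattern ('.psi.net');
    bare addresses stay literal so they still match in hosts.deny."""
    groups = Counter()
    for host, n in counts.items():
        if is_bare_ip(host):
            groups[host] += n
        else:
            labels = host.rstrip(".").split(".")
            groups["." + ".".join(labels[-2:])] += n
    return groups


def hosts_deny_entries(groups, threshold, daemon="tcp-env"):
    """Candidate hosts.deny lines ('daemon: client'), busiest source first.
    The daemon name is an assumption; use the name tcpd runs on your system."""
    return [f"{daemon}: {pattern}"
            for pattern, n in groups.most_common() if n >= threshold]


def main(path=None, threshold=2):
    text = SAMPLE_LOG if path is None else open(path).read()
    groups = group_by_domain(count_sources(text))
    for pattern, n in groups.most_common():
        note = "  (no reverse name logged)" if is_bare_ip(pattern) else ""
        print(f"{n:6d}  {pattern}{note}")
    print("\n# candidate /etc/hosts.deny lines (review before installing):")
    for entry in hosts_deny_entries(groups, threshold):
        print(entry)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against the real daemon.log with `python3 script.py /var/log/daemon.log`. Treat the output as a review list, not something to append blindly: a relay that legitimately delivers a lot of mail will rank high too. The PARANOID check Ray mentions is a separate line (`ALL: PARANOID` in hosts.deny) and is not something a log scan can decide for you, since it depends on a live forward/reverse lookup at connect time.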

