On Wed, 28 May 2003, Michael J. Kidd wrote:

> Hi all,
> I run a server which hosts several sites. I've been using
> Spamassassin for a while now, and absolutely love it. I know this may
> be slightly off topic, but I figured I'd start here.
>
> I've recently noticed a barrage of 'Mailer-daemon' messages in my mail
> queues. These messages are in response to non-existent users on my
> system. i.e. Someone is spamming with a spoofed source email that
> points to my domain. My concern is that someone who is not very
> informed about this practice, or that isn't intelligent enough to look
> at the IP path the email took to get to them, is gonna get my site on a
> RBL. I have taken strict actions to prevent spammers from using my
> systems, ( including pop-locking of smtp relay privileges, and my own IP
> block list that is 4000 IP's strong just from spam relays ). Since
> these messages appear to originate from out of country (according to the
> IP's in the mail headers ), is there any course of action I can take to
> curb these events? Or, should I not even worry about it, and deal w/
> the added mail traffic due to the bounces? Thanks in advance, and if
> there's a better list to address this on, please let me know.

Howdy Michael.

You're facing what all us admins have to face. Joe jobbing.

The good news is I can't think of a single DNSBL that is so unprofessionally maintained to list a site that was the victim of Joe Jobbing. This is a good thing. Usually the DNSBL maintainers require multiple submissions that a site has been abused and then investigate (or test for relays, etc.) themselves before taking action.

The bad news is that the ill-informed will look no farther than the From: address to decide who the bad guy is. They will make a lot of noise and pitch a small temper tantrum. After explaining it to them, though, most usually get it or realize that the matter is over their heads and go away. Some auto-acks automatically mail the alleged sender of a virus blindly. This too is annoying but not damaging.

In short, yes there are a lot of ignorant people that look no farther than the From: line. Fortunately DNSBL maintainers are stupid enough to let a single (l)user dictate what they put into their BL.

I also have a lengthy Sendmail access list. It's around 15,000 lines of both spamming domains, spamming netblocks, and pro-spam ISP netblocks. Unless you are very active in spam discussions like spam-l or NANAE, I wouldn't recommend listing too many IPs because you won't be able to adequately maintain that list. I recommend you fall back to using DNSBLs that provide exactly what you're looking for like the SBL for the big spammers, dialin BLs like the DUL, all the assorted open proxy/relays/SOCKS BLs for what they provide, etc. It's much easier to maintain.

The domain list won't change very quickly (or at least old entries rarely cause FPs). Old netblock lists can cause a lot of grief. I can't keep up with my netblock listings anymore. I now rely more on the DNSBLs that should be up-to-date.

Good luck
Justin
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk