I've got several held emails from a spammer trying to use our system for relay.
I've got the box locked down to only accept relay from "authenticated" users, but somehow this guy got through.
Luckily, I've got hijack on the box, which has blocked all of his emails.
Here's an example of the email he's trying to relay through:
Received: from 208.253.112.160 [169.207.38.237] by richmond.com
(SMTPD32-7.07) id A450F9200BE; Wed, 12 Mar 2003 18:35:44 -0500
Received: from 0e.ygr0.net ([143.95.123.108]) by 208.253.112.160 with
SMTP; Wed, 12 Mar 2003 22:30:43 -0100
Message-ID: <[EMAIL PROTECTED]>
From: "Mervin Crow" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: re: Increase Your Gas Mileage by up to 27% ohvs eex
Date: Wed, 12 Mar 03 22:30:43 GMT
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: The Bat! (v1.52f) Business
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="15978B3_057.85AE_.850_"
This is a multi-part message in MIME format.
--15978B3_057.85AE_.850_
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<html><body>Paul athwartship,<a href=3D"http://[EMAIL PROTECTED]
averpro.com">
<img src=3D"http://[EMAIL PROTECTED]/the.jpg" width=3D"536=
" height=3D"505">
</a>salute beacon stumpweapon gap<br>%RA=
NDOM_WORDhum implantation party dish</body></html>
--15978B3_057.85AE_.850_--
How is he successfully getting through?
Also, how can I block him from coming through again?
Thanks.
Brian
-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] HELO contains
>SOO.. My question is this.. Could I create a wordfilter rule that goes
>like HELO 10 CONTAINS imail.fament.com
>or will that shoot myself in the foot for some reason ?
That will work fine, just so long as you don't have any other mailservers that identify themselves as "imail.fament.com". If your IMail server is the only one that does, the filter will work fine.
>If it really is the HELO string then I don't see this as a problem
>since my understanding is that my mail server does NOT connect to itself
>and should then never send the helo imail.fament.com to itself ?!
Correct. There might be odd cases where the IMail server would connect to itself, but if that happens, you've got another problem on your hands (as it would cause a mail loop).
-Scott
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail". The archives can be found at
http://www.mail-archive.com.
---
[This E-mail was scanned for Viruses and Spam by Richmond.com]
---