On 22 Jan 2003, at 1:26am, [EMAIL PROTECTED] wrote:
> Some, I haven't even told anyone about, so there's no way anyone can know
> that I can (or expect to) receive email at them.

They have an MX record, which is all the spam robots need.

> The source ip also varies ...

By how much? Are they all within the same netblock?

> ... I'm not sure how to determine if it's spoofed or not.

You can't really spoof the source IP address of a TCP connection. (Well, you can, but the TCP handshake will never complete, making it rather useless.) You can hijack someone else's IP address or machine, which has much the same effect, as far as you're concerned. It leaves more evidence at the other end, but that likely doesn't help you much.

> It's highly likely that the domain name is spoofed.

Almost certainly.

> Looks like I found an email address harvester. What I'm wondering, now,
> is how do you defend against this crap?

It depends. Organizations who never (or rarely) communicate with anyone overseas often just block any mail exchanger with an IP address in Asia. There are systems out there that use heuristics to auto-detect harvesters and auto-block IP addresses or netblocks. Sounds like overkill for your situation. If you suspect you might want to communicate with anyone you blacklist, you could set up an auto-responder opt-in whitelist robot (just use caution with combining such with mailing list subscriptions and other robots -- mail loops and PO'd postmasters can result).

> (And from a legal or ethical perspective, would it be better to just
> remove the mx record altogether?)

That is what I would do. However, be aware that if a domain does not have an MX record, but does have an A record, the RFCs say that a mail exchanger should try to connect to the IP address of the A record.

> Anyhow, I'm hoping someone on this list can offer some help in tracking
> this low-life down.

All you can do to prosecute an attacker is to track the netblocks using WHOIS and attempt to contact the operator of the systems/networks from which the attacks originate.

> Anybody out there have experience tracking spammers?

news:net.admin.net-abuse.email (NANAE)
http://www.nanae.org
http://www.spamfaq.net
http://www.abuse.net (Network Abuse Clearinghouse)
http://www.cauce.org (The Coalition Against Unsolicited Commercial Email)
http://www.spamcop.net
http://www.spamhaus.org

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
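
The netblock question raised in the reply above can be answered from the mail log before deciding what to block or whom to look up in WHOIS. The Python below is an added example, not part of the original message: it groups rejected-recipient source IPs by netblock and flags blocks probing many distinct recipients. The Postfix-style log format, the sample lines, the threshold and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (assumed Postfix-style; the message names no MTA).
# All IP addresses and domains come from documentation ranges.
_TEMPLATE = ("Jan 22 01:02:11 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
             "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected; "
             "from=<x@example.net> to=<{rcpt}> proto=SMTP")
_PROBES = [("198.51.100.14", "sales@example.org"),
           ("198.51.100.77", "info@example.org"),
           ("198.51.100.201", "webmaster@example.org"),
           ("198.51.100.14", "admin@example.org"),
           ("203.0.113.5", "ben@example.org")]
SAMPLE_LOG = "\n".join(
    [_TEMPLATE.format(ip=i, rcpt=r) for i, r in _PROBES]
    + ["Jan 22 01:09:00 mx postfix/smtpd[811]: connect from unknown[192.0.2.9]"])

# Source IP in brackets after "RCPT from", recipient in the trailing to=<...>.
LINE_RE = re.compile(r"RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]:.*\bto=<(?P<rcpt>[^>]*)>")

def group_by_netblock(log_text, prefix_len=24):
    """Map each IPv4 netblock to the source IPs and recipients seen from it."""
    blocks = defaultdict(lambda: {"ips": set(), "rcpts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an RCPT rejection line
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address in the log
        if ip.version != 4:
            continue  # this sketch only buckets IPv4
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        blocks[net]["ips"].add(ip)
        blocks[net]["rcpts"].add(m.group("rcpt").lower())
    return dict(blocks)

def suspected_harvesters(blocks, min_rcpts=3):
    """Return (netblock, distinct IPs, distinct recipients), busiest first."""
    hits = [(str(net), len(d["ips"]), len(d["rcpts"]))
            for net, d in blocks.items() if len(d["rcpts"]) >= min_rcpts]
    return sorted(hits, key=lambda h: (-h[2], h[0]))

if __name__ == "__main__":
    for net, ips, rcpts in suspected_harvesters(group_by_netblock(SAMPLE_LOG)):
        print(f"{net}: {ips} source IPs, {rcpts} distinct recipients probed")
```

Rerunning with a shorter prefix (for example `prefix_len=16`) shows whether scattered /24s collapse into one allocation worth a single WHOIS lookup.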