>I analyzed it and found this:
>
>Top Recipients
>  79097    14286029  [EMAIL PROTECTED]

uh oh, do-33.net is a non-existent domain:

# dig do-33.net

; <<>> DiG 8.2 <<>> do-33.net
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      do-33.net, type = A, class = IN

;; AUTHORITY SECTION:
NET.                    2h59m54s IN SOA  A.ROOT-SERVERS.NET. hostmaster.nsiregistry.NET. (
                                         2000102001      ; serial
                                         30M             ; refresh
                                         15M             ; retry
                                         1W              ; expiry
                                         1D )            ; minimum


>    133      241259  [EMAIL PROTECTED]
>     67       99731  [EMAIL PROTECTED]
>     45      102271  [EMAIL PROTECTED]
>     29           0  [EMAIL PROTECTED]
>
>On the next day the same user had about 83000 emails. I changed the name and
>domain to protect (i hope, the innocent)
>
>Then, in the log, there are thousands of these 3 line fragments.
>
>10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] MAIL FROM:<[EMAIL PROTECTED]>
>10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] RCPT TO:<[EMAIL PROTECTED]>
>10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] ERR www.lookwww.com invalid user <[EMAIL PROTECTED]
>
>This customer does host on our box, but he doesn't host this domain. Can
>anyone tell me how to read this.

Since do-33.net does not exist, and bdalton is sending from himself
to himself, I conclude that this is a mail bomb, a DoS attacking your MX.

What do you have Imail's SMTP security set to?  You must know by now
it has to be "relay for addresses" with IP anti-spoofing at your border router.

Also, note this reverse lookup for ip 140.247.165.200:

# dig -x 140.247.165.200

; <<>> DiG 8.2 <<>> -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      200.165.247.140.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
200.165.247.140.in-addr.arpa.  3H IN PTR  roam165-200.student.harvard.edu.

;; AUTHORITY SECTION:
247.140.in-addr.arpa.   3H IN NS        ns.harvard.edu.
247.140.in-addr.arpa.   3H IN NS        ns1.harvard.edu.
247.140.in-addr.arpa.   3H IN NS        ns2.harvard.edu.

Len


http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 & 8.2.3 T6B for NT4 & W2K
http://IMGate.MEIway.com:  Build free, hi-perf, anti-spam mail gateways
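Added example, not code from the thread or from Ipswitch: a small script that does over SMTPD log lines what Len did by hand above. It groups the three-line fragments by session id, flags sessions whose MAIL FROM equals a RCPT TO (the "sending from himself to himself" pattern), counts how many such sessions each source IP opened, and checks whether the sender's domain resolves (the equivalent of the `dig do-33.net` NXDOMAIN check). The log format is inferred from the quoted fragments; the addresses, session ids and the second source IP in the sample are constructed, and the domain check is passed in as a callback so the script can be run offline with a stub in place of real DNS.

```python
import re
import socket
from collections import Counter

# Constructed sample log lines in the SMTPD format quoted in the thread.
# Addresses and session ids are made up; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] MAIL FROM:<bdalton@do-33.net>
10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] RCPT TO:<bdalton@do-33.net>
10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] ERR www.lookwww.com invalid user <bdalton@do-33.net>
10:20 18:17 SMTPD(BF1F0113) [140.247.165.200] MAIL FROM:<bdalton@do-33.net>
10:20 18:17 SMTPD(BF1F0113) [140.247.165.200] RCPT TO:<bdalton@do-33.net>
10:20 18:18 SMTPD(BF1F0114) [140.247.165.200] MAIL FROM:<bdalton@do-33.net>
10:20 18:18 SMTPD(BF1F0114) [140.247.165.200] RCPT TO:<bdalton@do-33.net>
10:20 18:19 SMTPD(C0A80001) [192.0.2.10] MAIL FROM:<alice@example.com>
10:20 18:19 SMTPD(C0A80001) [192.0.2.10] RCPT TO:<bob@example.org>
"""

# "<date> <time> SMTPD(<session>) [<ip>] <rest of line>", as in the quoted fragments
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) SMTPD\((?P<sess>[0-9A-Fa-f]+)\) '
    r'\[(?P<ip>[0-9.]+)\] (?P<rest>.*)$'
)
ADDR_RE = re.compile(r'<([^>]*)>')


def parse_sessions(log_text):
    """Group SMTPD lines by session id; record source IP, sender, recipients, errors."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        s = sessions.setdefault(m['sess'],
                                {'ip': m['ip'], 'from': None, 'rcpt': [], 'err': 0})
        rest = m['rest']
        if rest.startswith('MAIL FROM:'):
            s['from'] = ADDR_RE.search(rest).group(1).lower()
        elif rest.startswith('RCPT TO:'):
            s['rcpt'].append(ADDR_RE.search(rest).group(1).lower())
        elif rest.startswith('ERR '):
            s['err'] += 1  # e.g. "invalid user" rejections
    return sessions


def domain_of(addr):
    """Domain part of an address; an address with no '@' yields itself."""
    return addr.rsplit('@', 1)[-1]


def resolves(domain):
    """Live check: does the domain have an A record? (needs network; not used by the test)"""
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False  # covers NXDOMAIN as well as a domain with no A record


def top_recipients(sessions):
    """Count RCPT TO occurrences, like the 'Top Recipients' report quoted in the thread."""
    counts = Counter()
    for s in sessions.values():
        counts.update(s['rcpt'])
    return counts.most_common()


def flag_suspicious(sessions, domain_exists, threshold=3):
    """
    Return session ids that are self-addressed (sender also a recipient),
    session ids whose sender domain does not resolve, and the source IPs
    that opened at least `threshold` self-addressed sessions.
    `domain_exists` is a callable so a stub can replace DNS offline.
    """
    self_addressed, bad_domain, per_ip = [], [], Counter()
    for sess, s in sessions.items():
        if s['from'] is None:
            continue  # session never got as far as MAIL FROM
        if s['from'] in s['rcpt']:
            self_addressed.append(sess)
            per_ip[s['ip']] += 1
        if not domain_exists(domain_of(s['from'])):
            bad_domain.append(sess)
    noisy_ips = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {'self_addressed': sorted(self_addressed),
            'bad_domain': sorted(bad_domain),
            'noisy_ips': noisy_ips}


if __name__ == '__main__':
    sess = parse_sessions(SAMPLE_LOG)
    # Stub standing in for DNS: only do-33.net is treated as non-existent.
    report = flag_suspicious(sess, lambda d: d != 'do-33.net')
    print('top recipients:', top_recipients(sess)[:3])
    print('self-addressed sessions:', report['self_addressed'])
    print('unresolvable sender domains:', report['bad_domain'])
    print('source IPs over threshold:', report['noisy_ips'])
```

Run against the real log with `flag_suspicious(parse_sessions(open(path).read()), resolves)`; a source IP that shows up in `noisy_ips` with every sender domain in `bad_domain` is the pattern Len identifies, and is what a per-IP connection or rate limit at the MX (or the border filtering he recommends) would throttle.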

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/