>I analyzed it and found this:
>
>Top Recipients
>  79097    14286029  [EMAIL PROTECTED]

uh oh, do-33.net is non-existent domain:

Yes I had to change the domain before I sent out this email. The real one is
a real domain, but it's not on our server.

Oh, what the hell, the real info is:   [EMAIL PROTECTED]

We have imail security set for relay only local domains.


>    133      241259  [EMAIL PROTECTED]
>     67       99731  [EMAIL PROTECTED]
>     45      102271  [EMAIL PROTECTED]
>     29           0  [EMAIL PROTECTED]
>
>On the next day the same user had about 83000 emails. I changed the name and
>domain to protect (I hope, the innocent)
>
>Then, in the log, there are thousands of these 3 line fragments.
>
>10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] MAIL FROM:<[EMAIL PROTECTED]>
>10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] RCPT TO:<[EMAIL PROTECTED]>
>10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] ERR www.lookwww.com invalid user <[EMAIL PROTECTED]
>
>This customer does host on our box, but he doesn't host this domain. Can
>anyone tell me how to read this.

Since do-33.net does not exist, and bdalton is sending from himself
to himself, I conclude that this is a mail bomb, a DoS attacking your MX.

What do you have Imail's SMTP security set to?  You must know by now
it has to be "relay for addresses" with ip anti-spoofing at your border
router.

Also, note this reverse lookup for ip 140.247.165.200:

# dig -x 140.247.165.200

; <<>> DiG 8.2 <<>> -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      200.165.247.140.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
200.165.247.140.in-addr.arpa.  3H IN PTR  roam165-200.student.harvard.edu.

;; AUTHORITY SECTION:
247.140.in-addr.arpa.   3H IN NS        ns.harvard.edu.
247.140.in-addr.arpa.   3H IN NS        ns1.harvard.edu.
247.140.in-addr.arpa.   3H IN NS        ns2.harvard.edu.

Len


http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 & 8.2.3 T6B for NT4 & W2K
http://IMGate.MEIway.com:  Build free, hi-perf, anti-spam mail gateways

Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
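
Added example, not part of the original thread and not IMail code: Python that reads SMTPD log lines in the layout quoted above and tallies, per client IP, how many recipients were rejected as "invalid user" and how many RCPT TO addresses matched the MAIL FROM of the same session. The function names, the min_hits threshold and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Layout taken from the log lines quoted in the thread:
#   <field> <field> SMTPD(<session>) [<client ip>] <MAIL FROM:|RCPT TO:|ERR ...>
LINE = re.compile(r"^\S+ \S+ SMTPD\((\w+)\) \[([\d.]+)\] (MAIL FROM|RCPT TO|ERR)\b:?(.*)$")
ADDR = re.compile(r"<([^>\s]*)>?")  # tolerates a wrapped line that lost its closing '>'

def summarize(log_text):
    """Per client IP: rejected recipients, and RCPT TO addresses equal to MAIL FROM."""
    stats = defaultdict(lambda: {"rejected": 0, "self_addressed": 0})
    sender = {}  # session id -> envelope sender of the current transaction
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> ").strip())  # also accept '>'-quoted lines
        if not m:
            continue
        session, ip, verb, rest = m.groups()
        found = ADDR.search(rest)
        addr = found.group(1).lower() if found else ""
        if verb == "MAIL FROM":
            sender[session] = addr
        elif verb == "RCPT TO" and addr and addr == sender.get(session):
            stats[ip]["self_addressed"] += 1
        elif verb == "ERR" and "invalid user" in rest:
            stats[ip]["rejected"] += 1
    return {ip: dict(counts) for ip, counts in stats.items()}

def suspects(log_text, min_hits=3):
    """Clients that repeatedly mail an address to itself and are rejected each time."""
    return sorted(ip for ip, c in summarize(log_text).items()
                  if c["rejected"] >= min_hits and c["self_addressed"] >= min_hits)

# Constructed sample: the three-line fragment from the thread repeated four times
# (placeholder addresses), followed by one ordinary mistyped recipient.
FRAGMENT = (
    "10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] MAIL FROM:<user@example.net>\n"
    "10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] RCPT TO:<user@example.net>\n"
    "10:20 18:17 SMTPD(BF1F0112) [140.247.165.200] ERR www.lookwww.com invalid user <user@example.net>\n"
)
SAMPLE_LOG = FRAGMENT * 4 + (
    "10:20 18:19 SMTPD(BF1F0200) [192.0.2.10] MAIL FROM:<alice@example.org>\n"
    "10:20 18:19 SMTPD(BF1F0200) [192.0.2.10] RCPT TO:<bobb@example.com>\n"
    "10:20 18:19 SMTPD(BF1F0200) [192.0.2.10] ERR www.lookwww.com invalid user <bobb@example.com>\n"
)

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts, "SUSPECT" if ip in suspects(SAMPLE_LOG) else "")
```

A client that shows up in suspects() is a candidate for blocking at the border router or in the server's access control; the single mistyped recipient from 192.0.2.10 stays below the threshold.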
