I have the same issue with my mail server, and I have found many of them turn out to be a valid user with the Swen virus.  They get this email, plug in all their info for sending mail thinking it is valid, and the virus runs its own SMTP engine sending to random addresses through the mail server it was configured for...  With the bet that the user hasn't configured for SMTP auth, those messages will appear in your log saying invalid domain..


So, I wander over to my log file for POP.. see who logged in last with that IP at the same time as the mail being sent.. and contact them.  I have yet to get back a "wasn't me" email, but I do get back "all clean".


While they are doing their thing..  I block that IP in the control access tab of SMTP so it can't send mail through my server (if you can catch it while it is happening, as most accounts are dynamic and will change later on).


What a pain.. I still haven't conquered it all..  Wish they had the AV long before September.


-Kathy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Moss
Sent: Monday, December 29, 2003 1:20 PM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] HELP [EMAIL PROTECTED] getting us listed in spam cop repeatedly


OK everyone, I have been fighting this for a while and decided to write the question to the group.


We have been listed in the SpamCop database repeatedly over the last several weeks and are removed after the 48 hour waiting period for mail that doesn't seem to be passing through our email system at all - any complaint that we receive, we check the headers and find that the info is forged.  We have No Relay set and all of our users are forced to use Authenticated SMTP (still answering questions on that every day :)).  However, users are unable to send to certain domains when we get listed with SpamCop, as some ISPs use this as a high weight in spam filtering.  We are very adamant about fighting spam and it has been a living heck trying to get spam filtering while eliminating false positives; we have what we consider an adequate solution right now for our users.  However, if our server is relaying (tests fine from ORBS) or anything that may make it possible for spammers to use our system, we want to prevent it.


Please help; my assumption is that someone is forging the return addresses and we are getting bounces back to us as well as to someuser at another domain.  I have no idea as to how to prevent this; any help would be greatly appreciated.

Most recent SpamCop listing:

>>MYMXRECORDFORMYDOMAIN listed in bl.spamcop.net (127.0.0.2)

>>Since SpamCop started counting, this system has been reported about 340 times by less than 10 users. It has been sending mail consistently for at least 10.7 days. It has been listed for 7.6 days.


>>In the past week, this system has:

>>Been reported as a source of spam less than 10 times

>>Been detected sending mail to spam traps

>>Been witnessed sending mail about 200 times

>>A sample sent sometime during the 24 hours beginning Sunday, December 21, 2003 7:00:00 PM -0500:

>>Received: from -.com (-.-.com [MYMXRECORDFORMYDOMAIN])-

>>by -.-.-.com (Postfix) with - id -2-

>>for <[EMAIL PROTECTED]>- Mon, 22 Dec 2003 - -

>>Subject: postmaster - feeling lonely

>>From: l7.. at ..k.com


This information is actually not entirely correct, as the IP address has changed for the mail server in the last few days, but both the old and new IPs have been listed pretty much every other day.


A couple of log entries:

12:29 00:00 SMTPD(2A7C014C) [202.181.0.28] RCPT TO:<hbbq17ljl@MYDOMAIN>

12:29 00:00 SMTPD(2A7C014C) [202.181.0.28] ERR MYDOMAIN invalid user <hbbq17ljl@MYDOMAIN


12:29 00:00 SMTPD(2EF00086) [192.117.154.20] RCPT TO:<9x0nwa3p@MYDOMAIN >

12:29 00:00 SMTPD(2EF00086) [192.117.154.20] ERR MYDOMAIN invalid user <9x0nwa3p@MYDOMAIN

We have millions of these over the last several months, and over the last couple of months the traffic has increased.  I can provide any additional information to help - please ask.

Thanks for any help or information.

Patrick Moss
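The two checks described in this thread, Kathy's cross-reference of SMTP sending activity against POP logins from the same IP at the same time, and the pattern in Patrick's log entries (one client IP hammering the server with RCPT TO for random local parts and collecting "invalid user" errors), can both be scripted over the log files. The script below is an added example written for this page; it is not IMail code and not something either poster supplied. The SMTPD line format is taken from the two entries in Patrick's message, with the two leading fields read as month:day and hour:minute (an assumption). The POP3D line format, the user names, the 203.0.113.x / 198.51.100.x addresses and all lines other than Patrick's two entries are constructed for the example.

```python
"""Correlate IMail-style SMTPD log lines with POP login lines.

Added example for the IMail Forum thread above; not code from IMail or
from either poster. SMTPD line format copied from the posted log entries;
POP3D line format and all sample data other than those entries are
constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# SMTPD line as posted: "MM:DD HH:MM SMTPD(session) [client-ip] text"
# (month:day hour:minute reading of the leading fields is an assumption)
SMTPD_RE = re.compile(
    r"^(?P<md>\d\d:\d\d) (?P<hm>\d\d:\d\d) SMTPD\((?P<sess>[0-9A-F]+)\) "
    r"\[(?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
# Constructed POP login line format (assumption, not a real IMail format):
# "MM:DD HH:MM POP3D(session) [client-ip] user=NAME"
POP_RE = re.compile(
    r"^(?P<md>\d\d:\d\d) (?P<hm>\d\d:\d\d) POP3D\((?P<sess>[0-9A-F]+)\) "
    r"\[(?P<ip>[\d.]+)\] user=(?P<user>\S+)$"
)
YEAR = 2003  # the thread is from December 2003; logs carry no year


def stamp(md: str, hm: str) -> datetime:
    """Turn the 'MM:DD' and 'HH:MM' fields into a datetime."""
    month, day = md.split(":")
    hour, minute = hm.split(":")
    return datetime(YEAR, int(month), int(day), int(hour), int(minute))


def parse_smtpd(lines):
    """Yield (time, session, client_ip, message) for each SMTPD line."""
    for line in lines:
        m = SMTPD_RE.match(line.strip())
        if m:
            yield stamp(m["md"], m["hm"]), m["sess"], m["ip"], m["msg"]


def invalid_user_counts(lines):
    """Count 'invalid user' rejections per client IP.

    Many rejections for random local parts from one IP is the traffic
    Patrick's two entries show (dictionary / bounce spam probing).
    """
    counts = Counter()
    for _t, _s, ip, msg in parse_smtpd(lines):
        if "invalid user" in msg:
            counts[ip] += 1
    return counts


def noisy_ips(lines, threshold=3):
    """IPs with at least `threshold` invalid-user rejections, sorted."""
    return sorted(ip for ip, n in invalid_user_counts(lines).items() if n >= threshold)


def pop_logins(lines):
    """Map client IP -> list of (login time, user) from POP3D lines."""
    logins = defaultdict(list)
    for line in lines:
        m = POP_RE.match(line.strip())
        if m:
            logins[m["ip"]].append((stamp(m["md"], m["hm"]), m["user"]))
    return logins


def attribute_senders(smtp_lines, pop_lines, window_minutes=30):
    """Kathy's check: for each IP seen in the SMTP log, list the POP users
    who logged in from that same IP within `window_minutes` of the SMTP
    activity. IPs with no nearby POP login (outside probers) are omitted."""
    logins = pop_logins(pop_lines)
    hits = {}
    for t, _s, ip, _msg in parse_smtpd(smtp_lines):
        for login_time, user in logins.get(ip, []):
            if abs((t - login_time).total_seconds()) <= window_minutes * 60:
                hits.setdefault(ip, set()).add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


# Constructed sample data. The first four SMTPD lines are the ones posted;
# the rest, and every POP3D line, are made up for this example.
SAMPLE_SMTP = """\
12:29 00:00 SMTPD(2A7C014C) [202.181.0.28] RCPT TO:<hbbq17ljl@MYDOMAIN>
12:29 00:00 SMTPD(2A7C014C) [202.181.0.28] ERR MYDOMAIN invalid user <hbbq17ljl@MYDOMAIN
12:29 00:00 SMTPD(2EF00086) [192.117.154.20] RCPT TO:<9x0nwa3p@MYDOMAIN >
12:29 00:00 SMTPD(2EF00086) [192.117.154.20] ERR MYDOMAIN invalid user <9x0nwa3p@MYDOMAIN
12:29 00:01 SMTPD(2A7C014D) [202.181.0.28] RCPT TO:<qq12ab@MYDOMAIN>
12:29 00:01 SMTPD(2A7C014D) [202.181.0.28] ERR MYDOMAIN invalid user <qq12ab@MYDOMAIN
12:29 00:02 SMTPD(2A7C014E) [202.181.0.28] RCPT TO:<zz99xy@MYDOMAIN>
12:29 00:02 SMTPD(2A7C014E) [202.181.0.28] ERR MYDOMAIN invalid user <zz99xy@MYDOMAIN
12:29 00:05 SMTPD(3B010001) [203.0.113.7] MAIL FROM:<random@example.net>
12:29 00:05 SMTPD(3B010001) [203.0.113.7] RCPT TO:<someone@example.org>
""".splitlines()

SAMPLE_POP = """\
12:29 00:01 POP3D(1C000001) [203.0.113.7] user=jdoe
12:28 23:50 POP3D(1C000000) [198.51.100.9] user=asmith
""".splitlines()

if __name__ == "__main__":
    print("probing IPs:", noisy_ips(SAMPLE_SMTP))
    print("senders matched to POP users:", attribute_senders(SAMPLE_SMTP, SAMPLE_POP))
```

On the sample data the probing check reports 202.181.0.28 (three "invalid user" rejections) and the POP correlation ties the sending IP 203.0.113.7 to the constructed user jdoe, who logged in four minutes earlier; that is the customer Kathy would contact, and the IP she would block in the SMTP access list while it is still current. The window is deliberately short because, as she notes, the addresses are dynamic and a match hours apart may already belong to someone else.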
