This sort of thing is exactly the reason that blackhole lists such as RBL exist. evt1.net is being a bad internet citizen in allowing the relaying in the first place.
Unfortunately I don't see that there is anything you can do about that, other than wait it out.
Of course, that doesn't mean that there is no solution. There are cleverer people than me on this list. :-)
ADK
JRC wrote:
I'm not relaying the mail. The spammer spoofed the server at ev1.net and used a return path to my server. I'm trying to cope with the bounces and complaints. The bounces are coming from all over the freakin' place so there is no single IP address to drop or block.There's nothing in the logs that I can find that indicates why James shut down. ----- Original Message ----- From: "Aaron Knauf" <[EMAIL PROTECTED]> To: "James Users List" <[EMAIL PROTECTED]> Sent: Saturday, November 30, 2002 4:09 PM Subject: Re: My first contact with JamesThe commonly accepted theory is that spammers will stop sending their spam when they realise that you are not relaying it. This is probably not much help to you right now though. You may need to configure your router to drop packets from the spammer's address. Out of interest, do the JAMES logs say why it crashed? There ought to be a stack trace somewhere. My own tests (some months ago) show that JAMES would start rejecting connections with a socket exception at about 10 new connections/second, but it never actually crashed. ADK JRC wrote:James2.1a1-cvs JRE 1.4.0_1 I just had an interesting evening with a spammer. About a week ago I gave a guy an account and noticed he was testingJames tosee if it would relay mail using a different address in the return path.Ilooked at the messages in the spam folder and noticed it was spam he was practicing with. I cancelled his account and put his username in amatcherthat bounces a message saying the account has been cancelled. I do thisforthe first week or two after cancelling an account to take advantage ofthefunny behaviour we have of sending ourselves email. Anyway, last night this spammer spews countless thousands of emailsusingthe same body he was practicing with when he had an account from me ANDheused that account name in the return path so I got every single bounce.Thetraffic was unbelievable, I had to modify the matcher to just send tonullto cut down on the traffic. James spontaneously shut down a little after midnight. After getting james back up and watching for a while I decidedtogo to bed. When I got up this morning James was down again, went down at 3:47 this morning. After restarting James I started getting all of the bouncesthatwent to my backup server while James was down. How do I make it stop? The stuff is still coming? ----- Original Message ----- From: "Danny Angus" <[EMAIL PROTECTED]> To: "James Users List" <[EMAIL PROTECTED]> Sent: Friday, November 29, 2002 4:11 AM Subject: RE: My first contact with James-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: 29 November 2002 01:24 To: James Users List Subject: RE: My first contact with JamesAaron.I agree with all of what you have said. I have no particular desire to change JAMES behaviour here, as it is probably more effort than it is worth. (I think that putting mail handling rules in the SMTP dialog handler instead of the processor would be a bad trade off to make. If I am not mistaken, that would be the only way to achieve it, right?)Right, this is the dilemma, it would obfuscate James configuration tohavean additional set of configurable rules here.The perception of this by non-technical clients is something to be aware of, however. I have struck situations where clients have had the black hole thing pointed out to them by those proposing alternate solutions.Itdoes tend to make them uneasy.I do understand this, but IMO the arguments for both approaches areequallycompelling, tell them that rejecting mail at the border will allow their genuine addresses to be harvested, and that SMTP auth will reject muchofthe mail intended for illicit relaying at the border without revealinglocalusernames.As for the blackhole behind the firewall scenario - you are absolutely right. On thinking about it, I suspect this is actually preferable to rejection.IMO blackholes are preferable to rejection on the basis that theyprovide noinformation whatsoever to the sender, this is one guiding principle of firewalls, try telnetting to a port protected by a firewall and your connection just times out, you have no idea whether you were deniedaccess,if there was a problem connecting, or even if the machine really existsonthe network. By the same token I believe that spam blackholes leave potentialspammersunable to determine if a real mail service is running, if it is broken,orif their mail has been rejected, and it certainly doesn't help them to determine who the real local users may be. In my experience spammers will probe SMTP with mail sent to themselvesviaan MTA, if that mail is not recieved (and blackholes, by definition,don'tdeliver it) they will move on and look for other MTA's to probe. I've seen as many as a dozen such probe attempts in a single day, but no more than this and usually only one or two, this doesn't eat upbandwidth byeven a fraction of that used by unsolicited mail sent to real users,hencemy rather greater concern for obscuring the genuine mail addresses on a domain. Only once in almost two years have I encountered a spammer who dumpedinto James without checking it out first, and this would not havehappenedif the server were demanding SMTP auth. d. -- To unsubscribe, e-mail:<mailto:[EMAIL PROTECTED]>For additional commands, e-mail:<mailto:[EMAIL PROTECTED]>-- To unsubscribe, e-mail:<mailto:[EMAIL PROTECTED]>For additional commands, e-mail:<mailto:[EMAIL PROTECTED]>-- To unsubscribe, e-mail:<mailto:[EMAIL PROTECTED]>For additional commands, e-mail:<mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
-- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
