I was on the phone with ev1.net twice yesterday. They just gave me the
standard "we take this kind of thing very seriously" and said nothing
regarding when or if they would take care of it.

I originally had a matcher for this user and a few others that bounced a
"this account has been cancelled" message and sent the original to null. I
dropped the bounce for this account to save bandwidth and decided to let
James store the original message in /error for evidence.

James shut down again early this morning; I have no real idea why. I'm
hoping James was shutting down because of the text that was being written to
the CLI every time James did something. Peter was working with me on some
last-second changes and had some debugging text like "reading
blahblahWrapperblah 11221121200"
"writing blahblahwrapperblah 11221121200" going to the CLI. Maybe, and I'm
just guessing, the CLI was puking while trying to write 100 lines of text
every second. I'm now running the official 2.1a1-cvs and we'll see what
happens.

----- Original Message -----
From: "Serge Knystautas" <[EMAIL PROTECTED]>
To: "James Users List" <[EMAIL PROTECTED]>
Sent: Saturday, November 30, 2002 11:37 PM
Subject: Re: My first contact with James


> Aaron Knauf wrote:
> > Serge,
> >
> > The trouble is,  it is a DDOS.  See my previous post.
>
> Doh, missed the clever nuance from the last round of emails.
>
> Well, first thing would be to call and email the admins at the evt1.net
> mail server and the owner of the network addresses, to threaten lawsuits
> (explain to them what's happening, and tell them to stop it or get
> sued).  A server admin and network address owner is responsible for
> their box if it's been hacked and it's causing you harm.  (we had an ISP
> mislabel a block of addresses as belonging to us this past summer, so we
> were getting lawsuit threats from all over the US because a 98 machine
> in that network was hacked and was being used to attack other networks.)
>
> Next, report that IP address to the blacklists... there are 3 that are
> mentioned in the James log files.  Some of the big providers use them,
> and that should hopefully stop them from generating bounce messages.
>
> In the meantime, you can use/write a matcher that checks the body for
> "207.44.129.133", and then send those messages to the Null mailet.  The
> idea is the open-relay mail server's IP address should be appearing in
> the bounce messages.
>
> Finally, James (or any mail server) shouldn't be crashing from this
> traffic... the new version has a ton of work on the scalability front,
> so I might consider trying that out as well.
>
> Serge Knystautas
> Loki Technologies
> http://www.lokitech.com/
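
One way to write the body-checking matcher suggested in the quoted reply, as an added example that is not from this thread or from the James code base. The class name BodyContainsIP, the size cap and the use of Java 5+ regex calls are assumptions; it relies only on GenericMatcher and Mail from the Mailet API.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Collection;
import java.util.regex.Pattern;
import javax.mail.MessagingException;
import javax.mail.internet.MimeMessage;
import org.apache.mailet.GenericMatcher;
import org.apache.mailet.Mail;

/**
 * Matches mail whose body mentions the IPv4 address given as the condition.
 * Assumed config.xml wiring (class name is hypothetical; its package must be
 * listed under <matcherpackages>):
 *   <mailet match="BodyContainsIP=207.44.129.133" class="Null"/>
 */
public class BodyContainsIP extends GenericMatcher {
    // Assumed cap: larger messages are not scanned and fall through to later rules.
    private static final int MAX_SCAN_BYTES = 256 * 1024;
    private Pattern relayIp;

    public void init() throws MessagingException {
        String ip = getCondition() == null ? "" : getCondition().trim();
        if (!ip.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            throw new MessagingException("BodyContainsIP needs an IPv4 address");
        }
        // Digit boundaries: 207.44.129.133 must not match inside 207.44.129.1330.
        relayIp = Pattern.compile("(?<!\\d)" + Pattern.quote(ip) + "(?!\\d)");
    }

    public Collection match(Mail mail) throws MessagingException {
        MimeMessage message = mail.getMessage();
        if (message.getSize() > MAX_SCAN_BYTES) {
            return null; // null means "no recipients matched"
        }
        String text;
        try {
            ByteArrayOutputStream raw = new ByteArrayOutputStream();
            message.writeTo(raw);
            text = raw.toString("ISO-8859-1"); // byte-preserving decode
        } catch (IOException e) {
            throw new MessagingException("Could not read message", e);
        }
        // Skip the bounce's own headers and scan everything after the first
        // blank line, which includes the quoted headers of the original mail.
        // Parts encoded as base64 are not decoded here.
        String[] parts = text.split("\\r?\\n\\r?\\n", 2);
        String body = parts.length == 2 ? parts[1] : "";
        return relayIp.matcher(body).find() ? mail.getRecipients() : null;
    }
}
```
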



