Anatoy A. Pedemonte Ku wrote:
This problem is generated by CHKUSER; change the settings in tcp.smtp.
Set CHKUSER_RCPTLIMIT="200",CHKUSER_WRONGRCPTLIMIT="3"
And try....
The new spam thing is to connect to your server and try to send to
hundreds of email addresses:
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
and so on. They're sending hundreds of emails to common-name email
addresses in the hopes of it getting to 1 or 2 real users. They don't
care if the rest bounce. The chkuser patch was added to combat this
specific type of spamming. The '15' in your tcp.smtp file tells chkuser
to allow up to 15 recipients at a time, and drop the incoming message if
it exceeds this. It also has a '3' in there, which says that if a server
connects and tries to send a message to multiple users, after the 3rd
wrong email address to drop the message. You can change the limits if
you'd like, but be aware that if you set the limit to 200 recipients,
this causes extra load on your mail server. While it's only a rather
minuscule amount, it can add up and tie the server up and make it run
slow for brief periods of time while it tries to process the 200
recipients emails, and bounce them back to the sender (which is usually
also faked, so they double bounce).
My opinion is don't worry about it. I get hundreds of these a day. It's
normal. The particular email you're getting is also a common one. The
FBI released an advisory about a month ago letting everyone know that
spammers are trying to send emails that LOOK like they're coming from
someone at the FBI and to ignore these messages. It should say something
like "your IP has been logged conducting illegal activity" and ask you
to go to a web page and fill out some info. This is a phishing scam.
They make it look like it's coming from a reputable source (the FBI in
this case) and send you to a web page to get some information out of
you. Usually just name, address, and phone number. With these pieces of
information they can easily obtain your social security number, and
poof: You're now a victim of identity theft. I find it funny that the
FBI released the advisory about 30 days ago, but I've had an open ticket
with the IFCC complaint department since 2-24-2005 for this exact same
email. Guess I'm just lucky to get it 8 months earlier than everyone
else <grin>.
Blocking the IP is a possible short-term solution. This is how the RBL
lists run, themselves. After so many people turn in a mail server as a
"spammer", their IP gets added to the RBL. When your server gets an
email, it checks the IP it got the message from against the RBL lists -
if the IP matches one that is in the RBL, it drops the message. Same
principle as blocking the IP in your firewall. There was an article
(and a guy on the list here a while back) that blocked whole subnets
from certain countries, and said that stopped 85% of his incoming spam.
He specifically blocked (from memory...) the Pacific Rim, Jamaica, and
Germany. All spam-blocking techniques are a knee-jerk reaction to spam
unfortunately, but it's the best that can be done until the SMTP rules
can be rewritten. You may be able to block these areas yourself (which
is against the rules, but so is sending spam....), but if you're like me
(your company does business with people in these areas, even if they're
only traveling) then you can't. SPF was supposed to be a solution to
this, but it was never adopted globally (and it has holes already...).
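
The two limits discussed in this thread, modelled as an added example (not part of either message and not chkuser's own code). The rule lines, addresses and the `parse_limits` and `run_session` helpers are constructed for illustration, and the drop behaviour follows the description in the reply above rather than chkuser's source.

```python
import re

# Constructed tcp.smtp rules in tcprules syntax; the limit values come from the thread.
RULE_15 = ':allow,CHKUSER_RCPTLIMIT="15",CHKUSER_WRONGRCPTLIMIT="3"'
RULE_200 = ':allow,CHKUSER_RCPTLIMIT="200",CHKUSER_WRONGRCPTLIMIT="3"'

# Constructed sample data: 20 real mailboxes plus one common-name account.
VALID = {f"user{i}@example.com" for i in range(1, 21)} | {"bob@example.com"}
GUESSES = [f"{n}@example.com" for n in ("john", "mary", "bob", "mike", "dave", "sue")]
BULK = [f"user{i}@example.com" for i in range(1, 21)]  # legitimate 20-recipient mail


def parse_limits(rule):
    """Return (rcpt_limit, wrong_rcpt_limit) from one tcp.smtp rule line."""
    env = dict(re.findall(r'(\w+)="([^"]*)"', rule))
    return int(env["CHKUSER_RCPTLIMIT"]), int(env["CHKUSER_WRONGRCPTLIMIT"])


def run_session(rcpts, valid_users, rule):
    """Hypothetical model of one SMTP session under both limits.

    Assumption: the message is dropped once the recipient count exceeds
    the first limit, or on the Nth unknown recipient for the second.
    """
    rcpt_limit, wrong_limit = parse_limits(rule)
    accepted, wrong = [], 0
    for seen, rcpt in enumerate(rcpts, start=1):
        if seen > rcpt_limit:
            return {"result": "dropped: too many recipients", "checked": seen}
        if rcpt.lower() in valid_users:
            accepted.append(rcpt)
            continue
        wrong += 1
        if wrong >= wrong_limit:
            return {"result": "dropped: too many wrong recipients", "checked": seen}
    return {"result": "delivered", "checked": len(rcpts), "accepted": accepted}


if __name__ == "__main__":
    for name, rule in (("15/3", RULE_15), ("200/3", RULE_200)):
        print(name, "guessing run:", run_session(GUESSES, VALID, rule))
        print(name, "bulk mail   :", run_session(BULK, VALID, rule)["result"])
```

In this model the guessing run is cut off at the fourth RCPT under either rule, because the wrong-recipient limit fires first; raising the recipient limit only changes the outcome for the 20-recipient message.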