Re: Spammer putting my domain in replyto causing high traffic - HELP!
Charles Cazabon writes:

> Barry Hill <[EMAIL PROTECTED]> wrote:
>>
>> I got a shock when I browsed the mail logs today: huge amounts of mails
>> are landing on my machine to users which don't exist (usernames
>> composed of random letters). These mails are mainly "user doesn't
>> exist" messages, and they are landing on my machine because the
>> REPLY-TO and FROM addresses have been set to my domain.
>
> You've been joe-jobbed.
>
>> I've looked in the archives, but there is only a mention of adding the
>> domain to "badrcptto". Which doesn't help my legitimate users.

We've been joe-jobbed some time before, too. Our solution was to set up a
badrcptpatterns file, which is provided by the spamcontrol patch. Place a
'*@*' in the file and include every user and alias on your machine with a
leading '!'. That should deny every incoming mail except those residing on
your machine. As far as I know that should help you out.

Regards,
Philipp

Philipp Steinkrüger
Technik Oberberg Online
Tel.: +49 2261 814240
Fax: +49 2261 814919
www.oberberg.net
[EMAIL PROTECTED]
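The recipient whitelist Philipp describes (a catch-all deny pattern plus one '!' exemption per real user or alias) can be simulated to check that it lets legitimate recipients through and refuses the random-letter bounce targets at RCPT TO time, before any message body is transferred. The code below is an added example, not code from the thread or from the spamcontrol patch; the matching rules (shell-style globs matched case-insensitively against the whole address, a leading '!' marks an exemption, an exemption wins over a deny pattern) and the local address list are assumptions constructed for the illustration.

```python
"""Simulate a badrcptpatterns-style recipient whitelist: one catch-all deny
pattern ('*@*') plus '!'-prefixed exemptions for every address hosted here.

Assumed semantics (constructed for this example, not taken from the
spamcontrol patch source): patterns are shell-style globs matched
case-insensitively against the full recipient address, a leading '!' marks
an exemption, and an exemption wins over a deny pattern.
"""
from fnmatch import fnmatchcase

# Constructed sample: the users and aliases actually hosted on the machine.
LOCAL_ADDRESSES = ["barry@example.com", "postmaster@example.com", "sales@example.com"]


def build_badrcptpatterns(local_addresses):
    """Return the file contents: deny everything, then exempt each local address."""
    lines = ["*@*"]
    lines += ["!" + addr.lower() for addr in sorted(set(local_addresses))]
    return "\n".join(lines) + "\n"


def parse_patterns(text):
    """Split file text into (deny_patterns, exempt_patterns); blank lines and
    '#' comments are ignored."""
    deny, exempt = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            exempt.append(line[1:].lower())
        else:
            deny.append(line.lower())
    return deny, exempt


def should_reject(rcpt, deny, exempt):
    """Decide at RCPT TO time whether the address is refused (True) or accepted."""
    addr = rcpt.strip().lower()
    if any(fnmatchcase(addr, p) for p in exempt):
        return False
    return any(fnmatchcase(addr, p) for p in deny)


def classify(rcpts, text):
    """Apply the patterns to a batch of recipients; returns {addr: 'reject'|'accept'}."""
    deny, exempt = parse_patterns(text)
    return {r: ("reject" if should_reject(r, deny, exempt) else "accept") for r in rcpts}


if __name__ == "__main__":
    patterns = build_badrcptpatterns(LOCAL_ADDRESSES)
    print(patterns)
    # Constructed sample RCPT TO values: two joe-job bounce targets, two real users.
    sample = ["xqzvtk@example.com", "ahfdpo@example.com",
              "Barry@example.com", "sales@example.com"]
    for addr, verdict in classify(sample, patterns).items():
        print(f"{verdict:7s} {addr}")
```

The bandwidth saving comes from where the refusal happens: a recipient rejected during the SMTP envelope phase never has its message body transferred, whereas a default user accepts the whole bounce and a missing default user generates yet another bounce. Before deploying a catch-all deny, check whether your patch also applies the file to mail submitted by your own relay clients; if it does, outbound mail from your users needs an exemption too.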
Re: Spammer putting my domain in replyto causing high traffic - HELP!
Barry Hill <[EMAIL PROTECTED]> wrote:
>
> I got a shock when I browsed the mail logs today: huge amounts of mails
> are landing on my machine to users which don't exist (usernames
> composed of random letters). These mails are mainly "user doesn't
> exist" messages, and they are landing on my machine because the
> REPLY-TO and FROM addresses have been set to my domain.

You've been joe-jobbed.

> This is causing a large increase in traffic, which I have to pay for :-(
>
> Having a default user for the domain collects these mails, and not
> having a default user responds with a bounce, and a log entry:
> "discarding triple bounce". Which uses more bandwidth ??

If you don't have a default user, you deliver a lot of double-bounces (or
try to, anyways), and that will use some bandwidth. Better to just save or
discard them locally.

> I've looked in the archives, but there is only a mention of adding the
> domain to "badrcptto". Which doesn't help my legitimate users.

No. There's no way to (a) continue providing service to the legitimate
users in the same domain, and (b) stop receiving the spam bounces.

> This could go on for ever - has anyone any ideas what I can do?

It won't last forever. Your best bet is to track down the spammer based on
what they're promoting (a website, a phone number, etc) and get them shut
down. Within a week, the bounces will have stopped.

> Are there any free services which would accept being entered as an
> MX and which would filter out the sh*t and forward the rest?

Not for free -- it takes significant system resources, as you've seen.

> There doesn't seem to be anything in the mails which would point
> towards the ISP of the spammer:

The headers are forged anyways. Look in the body of the message to see what
the spammer was promoting.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Spammer putting my domain in replyto causing high traffic - HELP!
Hi folks,

I got a shock when I browsed the mail logs today: huge amounts of mails
are landing on my machine to users which don't exist (usernames composed
of random letters). These mails are mainly "user doesn't exist" messages,
and they are landing on my machine because the REPLY-TO and FROM addresses
have been set to my domain. This is causing a large increase in traffic,
which I have to pay for :-(

Having a default user for the domain collects these mails, and not having
a default user responds with a bounce, and a log entry: "discarding triple
bounce". Which uses more bandwidth ??

I could delete the MX entry, but then legitimate users wouldn't get any
mails.

I've looked in the archives, but there is only a mention of adding the
domain to "badrcptto". Which doesn't help my legitimate users.

This could go on for ever - has anyone any ideas what I can do?

Are there any free services which would accept being entered as an MX and
which would filter out the sh*t and forward the rest?

There doesn't seem to be anything in the mails which would point towards
the ISP of the spammer: "smtpav", "MailClients", "Mailserver" and "Mailhub"
are all very vague, as can be seen here in the header of the original SPAM
mail (which couldn't be delivered):

Received: from dfw-smtpin3.email.verio.net ([129.250.38.53])
    by dfw-spool2.email.verio.net (Netscape Messaging Server 4.15)
    with ESMTP id GEVPA001.JT4 for <[EMAIL PROTECTED]>; Wed, 13 Jun 2001 17:15:36 +
Received: from [200.205.108.34] (helo=eddie.int.acaosp.com)
    by dfw-smtpin3.email.verio.net with smtp id 15AEEv-0006yS-00
    for [EMAIL PROTECTED]; Wed, 13 Jun 2001 17:15:34 +
Received: from Mailhub by eddie.int.acaosp.com id AA25878;
    Mon, 17 Jan 1994 02:41:15 -0300
Received: from MailClients by Mailserver id NAA124008;
    Wed, 13 Jun 2001 13:23:51 -0200
Received: FROM 192.168.1.8 BY smtpav ; Wed Jun 13 03:09:36 2001 -0300

HELP!

Best regards,
Barry
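The Received: chain Barry quotes is a good illustration of Charles's point that everything below the hand-off is forged: the only hop that can be taken at face value is the one written by a server you (or the receiving provider) operate when it accepted the connection, and the hops beneath it can claim any host name or date they like, here including a 1994 timestamp sitting between two 2001 ones. The script below is an added example, not code from the thread; it walks the chain top-down, stops at the first hop handed in by an untrusted sender, reports the connecting IP from that line, and flags hops whose timestamps run backwards against the hop below them. The assumption that the verio.net hosts are the trusted receiving side (the spam was delivered to them) is constructed for the illustration; the Received: lines are the ones from the post, with the truncated time zones left exactly as posted.

```python
"""Walk a Received: chain from the newest hop down, stop at the first hop
whose receiving host is ours but whose sending host is not, and report the
connecting IP plus any hop dated earlier than the hop beneath it.

Added example, not code from the thread. Assumption (constructed): the
*.email.verio.net hosts play the role of the receiving side's own servers,
so only their Received: lines are taken at face value.
"""
import re
from datetime import datetime, timedelta

TRUSTED_SUFFIXES = (".email.verio.net",)  # constructed: the receiving side's servers

# The Received: lines from the original post, newest first; the time zones on
# the first two lines are left truncated exactly as posted.
SAMPLE_RECEIVED = [
    "Received: from dfw-smtpin3.email.verio.net ([129.250.38.53]) by dfw-spool2.email.verio.net "
    "(Netscape Messaging Server 4.15) with ESMTP id GEVPA001.JT4 for <[EMAIL PROTECTED]>; "
    "Wed, 13 Jun 2001 17:15:36 +",
    "Received: from [200.205.108.34] (helo=eddie.int.acaosp.com) by dfw-smtpin3.email.verio.net "
    "with smtp id 15AEEv-0006yS-00 for [EMAIL PROTECTED]; Wed, 13 Jun 2001 17:15:34 +",
    "Received: from Mailhub by eddie.int.acaosp.com id AA25878; Mon, 17 Jan 1994 02:41:15 -0300",
    "Received: from MailClients by Mailserver id NAA124008; Wed, 13 Jun 2001 13:23:51 -0200",
    "Received: FROM 192.168.1.8 BY smtpav ; Wed Jun 13 03:09:36 2001 -0300",
]

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
HOP_RE = re.compile(r"Received:\s*from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)(?P<rest>.*)$",
                    re.I | re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DATE_RFC = re.compile(r"(\d{1,2})\s+([A-Z][a-z]{2})\s+(\d{4})\s+(\d{2}):(\d{2}):(\d{2})")
DATE_CTIME = re.compile(r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\d{4})")


def parse_timestamp(text):
    """Best-effort naive datetime from either 'DD Mon YYYY HH:MM:SS' or the
    ctime-style 'Mon DD HH:MM:SS YYYY'. Zones are ignored on purpose: a few
    hours of skew does not matter for spotting years-off forgeries."""
    m = DATE_RFC.search(text)
    if m:
        d, mon, y, hh, mm, ss = m.groups()
    else:
        m = DATE_CTIME.search(text)
        if not m:
            return None
        mon, d, hh, mm, ss, y = m.groups()
    return datetime(int(y), MONTHS[mon], int(d), int(hh), int(mm), int(ss))


def parse_hop(line):
    """Split one Received: line into sender, receiver, sender IP literal and time."""
    m = HOP_RE.match(line)
    if not m:
        return None
    ip = IP_RE.search(m.group("from"))
    return {"from": m.group("from").strip(), "by": m.group("by").strip().lower(),
            "ip": ip.group(1) if ip else None, "time": parse_timestamp(m.group("rest"))}


def is_trusted(host):
    return host is not None and host.lower().endswith(TRUSTED_SUFFIXES)


def find_handoff(hops):
    """Index of the first hop written by a trusted host about an untrusted
    sender; that line records the real connecting IP. None if absent."""
    for i, hop in enumerate(hops):
        sender = hop["from"].split()[0]
        if is_trusted(hop["by"]) and not is_trusted(sender):
            return i
    return None


def backwards_hops(hops, tolerance=timedelta(days=1)):
    """Indexes of hops dated earlier than the hop below them (which claims to
    be the earlier event) by more than the tolerance."""
    flagged = []
    for i in range(len(hops) - 1):
        upper, lower = hops[i]["time"], hops[i + 1]["time"]
        if upper and lower and lower - upper > tolerance:
            flagged.append(i)
    return flagged


def analyse(lines):
    hops = [h for h in (parse_hop(line) for line in lines) if h]
    handoff = find_handoff(hops)
    return {"handoff_index": handoff,
            "connecting_ip": hops[handoff]["ip"] if handoff is not None else None,
            "untrusted_hops": len(hops) - handoff - 1 if handoff is not None else None,
            "backwards_hops": backwards_hops(hops)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RECEIVED).items():
        print(f"{key:15s} {value}")
```

On the posted chain the hand-off is the second line (the one written by dfw-smtpin3.email.verio.net about a connection from 200.205.108.34), the three hops beneath it are untrusted, and the 1994-dated hop is flagged because the line below it claims a 2001 event. The connecting IP is the only thing in these headers worth a complaint; as Charles says, the names like "Mailhub" and "smtpav" are whatever the sender chose to write.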