This is happening to the servers hosting GNHLUG. Same scenario - every 2 hours or so and all from john@... And he seems to come from open relays.

I've had to firewall out some of the relays he's been using, but he's still chewing up megabytes/day in log files. I'll have to put another disk on that system soon. If this happens much longer, I'm going to have to get out the baseball bat.

> Subject: OT: More Spam
> From: Paul Iadonisi
> To: Greater New Hampshire LUG
> Date: 22 Jan 2003 01:26:32 -0500
>
> So I have a bunch of domains, many of which I don't currently use. Some, I haven't even told anyone about, so there's no way anyone can know that I can (or expect to) receive email at them. Early Tuesday, I did my occasional check of my sendmail logs and found something I had missed.
>
> Since January 11 about every two hours, someone connects to my sendmail port and checks for about 30 random email addresses (presumably with the 'rcpt to:' smtp command). It's been getting slightly more frequent, now at about every hour and forty minutes. The 'mail from:' value is always [EMAIL PROTECTED] where domain.name varies at every attempt. The source ip also varies, but I'm not sure how to determine if it's spoofed or not. It's highly likely that the domain name is spoofed.
>
> Well, since I only host a few email accounts, none of john@'s guesses have had a hit, so no spam has actually been received. Rather than hunt down a bunch of IPs through arin.net and friends (though I did check one of them -- surprise, surprise, it's in China), I figured I'd set up sendmail virtual hosting to capture anything to my domain and direct it to a single valid email address so that I can have a little more to go on.
>
> Lo and behold, the spammer isn't spamming...at the moment at least. The attempt came in an hour and forty minutes after the last one like clockwork. And, as expected, there were no 'User unknown' messages in my maillog, but no email actually got delivered (yes, I did test it). Looks like I found an email address harvester. What I'm wondering, now, is how do you defend against this crap?
>
> As a temporary solution, since I don't currently use the domain for anything, I've set my mx record to 127.0.0.1, but I obviously can't do that with a domain that is in use. (And from a legal or ethical perspective, would it be better to just remove the mx record altogether?)
>
> I'm just so fed up. I'm beginning to think that Barry Shein of The World is right: however depressed we are about spam, we need to be more depressed. The spammers are winning. I've been looking at various spam defenses, argued about open relays, talked about to-rbl-or-not-to-rbl until I've been blue in the face. Spamassassin does about 11,000 checks. That's absurd!
>
> Anyhow, I'm hoping someone on this list can offer some help in tracking this low-life down. There's probably not too much time left as he's used domain names beginning with a through g and I expect that once he gets from h through z done, it might stop. Still, that probably gives me about two weeks, given the current frequency. Anybody out there have experience tracking spammers?

-------------------------------------------------
This mail sent through IMP: www.milessmithfarm.net
_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
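The behaviour the quoted post describes (bursts of roughly 30 RCPT TO guesses against unknown users, from a changing relay, on a fixed cadence) is a directory-harvest probe, and it is easy to pull out of a maillog before the disk fills up. The script below is an added example and not code from either poster: it parses constructed sendmail-style `check_rcpt` rejection lines (the exact log layout, the year, the relay addresses and the recipient names are all assumptions made up for the example), flags any relay that tries at least `threshold` distinct unknown recipients inside a short window, and reports the interval between probe bursts so the "like clockwork" cadence is visible even when the source address changes from burst to burst.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Syslog timestamps carry no year; assumed here (the thread dates from January 2003).
LOG_YEAR = 2003

# Sendmail-style check_rcpt rejection record. The layout is an assumption modelled
# on sendmail's ruleset rejection logging, not copied from the post, which only
# says the maillog showed "User unknown" entries.
REJECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, relay=\[(?P<ip>[\d.]+)\], "
    r"reject=550 .*User unknown$"
)


def make_line(ts, ip, rcpt, pid=20411, qid="h0L8E5ab020411"):
    """Build one constructed log line in the layout REJECT_RE expects."""
    stamp = ts.strftime("%b %d %H:%M:%S")
    return (f"{stamp} mx sendmail[{pid}]: {qid}: ruleset=check_rcpt, "
            f"arg1=<{rcpt}>, relay=[{ip}], reject=550 5.1.1 <{rcpt}>... User unknown")


def parse_rejection(line):
    """Return (timestamp, relay_ip, recipient) for a rejection line, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"].lower()


def detect_harvesters(lines, threshold=10, window=timedelta(minutes=10)):
    """Flag relays that probed at least `threshold` distinct unknown recipients
    within any `window`; returns {relay_ip: peak distinct recipients in a window}.
    A legitimate relay mistyping an address now and then never reaches the threshold."""
    events = defaultdict(list)  # relay ip -> [(timestamp, recipient)]
    for line in lines:
        rec = parse_rejection(line)
        if rec is not None:
            ts, ip, rcpt = rec
            events[ip].append((ts, rcpt))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window = Counter()  # distinct recipients currently inside the sliding window
        start = 0
        for ts, rcpt in evs:
            in_window[rcpt] += 1
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def probe_intervals(lines, ips, gap=timedelta(minutes=5)):
    """Group the rejections from the relays in `ips` into bursts separated by more
    than `gap` and return the intervals between consecutive burst starts, so a
    fixed cadence shows up even though each burst comes from a different relay."""
    stamps = sorted(rec[0] for rec in map(parse_rejection, lines) if rec and rec[1] in ips)
    starts, last = [], None
    for ts in stamps:
        if last is None or ts - last > gap:
            starts.append(ts)
        last = ts
    return [b - a for a, b in zip(starts, starts[1:])]


def constructed_log():
    """Constructed maillog: two harvesting bursts of 30 guesses each, 1h40m apart and
    from different relays (as the post describes), plus two ordinary typos from a
    legitimate relay. All addresses are documentation ranges and invented names."""
    base = datetime(LOG_YEAR, 1, 21, 3, 14, 5)
    guesses = [f"{name}@example.org" for name in (
        "alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
        "ivan", "judy", "karl", "lara", "mike", "nina", "oscar", "peggy",
        "quinn", "rupert", "sybil", "trent", "uma", "victor", "wendy", "xavier",
        "yves", "zoe", "sales", "info", "admin", "webmaster")]
    lines = []
    for burst, ip in enumerate(("198.51.100.7", "203.0.113.22")):
        start = base + burst * timedelta(hours=1, minutes=40)
        for i, rcpt in enumerate(guesses):
            lines.append(make_line(start + timedelta(seconds=2 * i), ip, rcpt))
    lines.append(make_line(base + timedelta(minutes=30), "192.0.2.10", "pual@example.org"))
    lines.append(make_line(base + timedelta(hours=6), "192.0.2.10", "paul@exmaple.org"))
    return lines


if __name__ == "__main__":
    log = constructed_log()
    hits = detect_harvesters(log)
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} distinct unknown recipients inside one {10}-minute window")
    print("intervals between probe bursts:", probe_intervals(log, set(hits)))
```

Run against a real maillog, the flagged relays are the ones worth rate-limiting or blocking at the firewall, and the burst intervals tell you whether the next probe is predictable; the threshold and window should be set from your own baseline of genuine mistyped addresses so an occasional typo from a real correspondent never trips it.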