Re: [Exim] Tarpit SPAM trap

Author: I. Forbes
Date:  
To: Nigel Metheringham, exim-users
Subject: Re: [Exim] Tarpit SPAM trap
Hello Nigel

On 2 Mar 00, at 9:38, Nigel Metheringham wrote:

> iforbes@??? said:
> > We send copies of this spam to abuse@??? on a daily basis. The
> > only response I have ever had from AOL is from an autoresponder.
> > Sometimes we send copies to the relay machine admins, usually
> > "abuse@<domain>" bounces and sometimes "postmaster@<domain>" bounces
> > too. I have never had a response from any of them.
>
> This is culpable idiocy. Just because AOL are big does not mean they
> can trample on everyone else in the world. However I guess the problem
> of launching legal action against a US entity from ZA would make legal
> a difficult option. Are these messages coming direct from AOL modem
> space, or through their mail systems - if the latter I would think
> there is sufficient evidence to get their mail systems on the
> Vixie RBL which tends to make even giants think twice.


The mail all originates from AOL's modems. I assume the
spammers sign up for "free" dial-up access and throw the account
away as soon as they are caught.

There is evidence that if we report an AOL modem IP address to
abuse@??? while it is actively spamming, the spam from that
IP address stops. However nobody at AOL acknowledges
anything, (except sometimes the autoresponder).

> However technical workarounds are:-
>
>   - refuse at SMTP level all messages to the forged spam sender address
>     this can be done within a vanilla exim, or I guess you would need to
>     hack qmail's receiver [I don't really know qmail well enough to comment]


Setting this up on exim is easy. Changing from qmail to exim is not
so easy, that is why it has not happened yet. Patching qmail to
refuse the mail is another option, but I don't want to spend time on it
as I intend to drop it for other reasons anyway.

> However you will still get piles of messages to abuse@/postmaster@ that
> domain from the slightly more clued - and there isn't a good way of
> handling that other than maybe an autoreply (make sure it works right
> or you will live to regret it).


Remarkably the ratio of bounces to complaints is very small.
Maybe one or two complaints per 1000 bounces. We try and
answer every complaint.

(Off topic: This implies that the ratio of complaints to spam
delivered must be much higher, maybe 1 in 10000 or more, as
there are often 10 or 20 rejected addresses per bounce. If I ran all
of those bounce messages through a filter and extracted the reject
addresses, I wonder if I could sell them back to the spammer? It
would be worth something to him to clean up the bad addresses in
his list ;-). I could also extract a list of open relays. I would swop
them all in return for stopping this guy - any takers?).

> The Teergrube solution is *not* in any way a solution to your problem -
> don't even consider it. Remember that the machines sending you these
> bounces and complaints are probably innocent of any proper
> involvement in this spam run. There are also likely to be thousands of
> them, so when you say...


I don't know how the spammer selects relays. From the bounces it
appears that he uses about 5 or 10 relays in an evening. He is
most active when it is after hours both in S. Africa, and the U.S.A.

> the system it will take down is *your* system.


I can't risk that. This problem does not affect the service delivery to
our customers and it must stay that way.

> Also DOSing the relays is likely to bring you into problems of legality.


It probably transgresses our own AUP ;-)

> Remember if you have another machine (or even just an IP) on your
> external internet AS then you could put up exim on that box as an
> emergency measure and point the domain being hit at that system - at
> least then you can refuse a pile of the stuff quicker than you can
> reconfigure your complete mail system. This specialist handler would
> reject the crud and pass the rest on to your standard MTA config.


Routing the mail through a second box is probably the easiest
solution. I will look at that. Still there seems to be an opinion that
refusing the mail will bring other problems. Has anybody got first
hand experience on this?

I was thinking of running both MTAs on the same box when we
changeover. The qmail would listen to a non standard port and
exim would forward mail to qmail for local delivery. The trouble is
qmail is currently delivering to home directory mailbox files and
makes use of non-standard aliasing mechanisms. The changeover
period will be very tricky. This is why it is not a short term
project.


Ian Forbes

---------------------------------------------------------------------
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388 Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
---------------------------------------------------------------------
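The two pieces of the front-end approach discussed in this thread (refusing mail to the forged sender address at RCPT time, and handing the rest to the legacy MTA on a non-standard port) as one Exim configuration. This is an added illustration, not Ian's or Nigel's config; it uses Exim 4 ACL and router syntax rather than the Exim 3 options of the time, and the domain example.com, the address bogus-sender@example.com and port 2525 are assumed placeholders.

```exim
# Added example, not from the thread. Assumes Exim 4, that our domain is
# example.com, that the spammer forges bogus-sender@example.com as the
# envelope sender, and that qmail still listens on 127.0.0.1 port 2525.

domainlist local_domains = example.com
FORGED_ADDRESSES = bogus-sender@example.com

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Bounces and complaints aimed at the forged address are refused at
  # RCPT time with a 550, so nothing is queued and no autoreply is sent.
  deny    recipients = FORGED_ADDRESSES
          message    = Mailbox does not exist; this address is forged in spam

  # Anything else for our own domain is accepted and relayed inward.
  accept  domains = +local_domains

  # Never act as an open relay for third-party domains.
  deny    message = relay not permitted

begin routers

# Route local-domain mail to the legacy MTA instead of delivering locally.
legacy_mta:
  driver     = manualroute
  domains    = +local_domains
  transport  = legacy_smtp
  route_list = * 127.0.0.1
  # The target is this same host, so tell Exim to send rather than freeze.
  self       = send

begin transports

legacy_smtp:
  driver          = smtp
  port            = 2525
  # Required when the smtp transport targets the local host itself.
  allow_localhost = true
```

Exim is then the only listener on port 25; the old MTA keeps its home-directory mailboxes and aliasing untouched while it is being retired.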