Re: [Exim] Domain abused for Spamming / Cleaning of mail que…

Author: Dave C.
Date:  
To: Marc Stuermer
CC: exim-users
Subject: Re: [Exim] Domain abused for Spamming / Cleaning of mail queue

On Fri, 30 Jun 2000, Marc Stuermer wrote:

> Hello,
>
> I've got one question: I've got Exim running on a server for the domain
> buerger.net . It hosts several mailing lists, and it is backup mx for at least
> 20 other domains.
>
> It is no open relay.
>
> Now somebody has been permanently abusing the domain for his spam mails for
> weeks; all error messages of this spamming are therefore getting into my mail queue.
>
> He uses non-existent mail addresses under the domain, e.g.
> 702dlPHsX@???, WMLBVp1Wx@??? and so on.


Yikes.. the first thing I would do is get rid of the wildcard MX record
you seem to have at *.buerger.net, and install specific MX records for
only the domains you want to accept mail for. The wildcard allows the
sender to use any_local_part@anything_he_can_make_up.buerger.net as a
sender address.

Then, it depends on whether the spammer always uses
'@kraftwerk.buerger.net', and whether it is an otherwise valid domain
(does any legitimate mail address live in that domain)..

Getting rid of the wildcard MX will prevent him from making up
hostnames in your domain - he would have to use existing ones. This
may be enough to make him use another domain instead of yours.

If it's a legitimate domain, you can try to look into using
receiver_verify - of course, if it was a secondary MX, it would have to
have some way of knowing what local-parts were valid..

If you can't do that, then a system filter looking for the one known
host would be your best bet.. have it do 'seen finish' when it
matches.. (Since these are error messages, you don't want to use the
standard convention for filters of 'if error_message then unseen
finish' - since that would thwart the filter.)

You probably also want to contact appropriate legal counsel to see
what actions you can take in that arena, as this person is guilty of
forgery and denial-of-service.




>
> Is there a suitable way to get rid of this spam, since it only fills my
> mailqueue and slows down the normal mails it should work with?
>
> Since these error messages come from msn.com, mail.com, netcom.com and so on there is no real way to block only one host.
>
> The only constant there seems to be the host this spammer uses to feed his
> messages to his victims, cmcweb.cmctech.co.kr, which is prominent in every
> error message in the header as first Received: - header.
>
> I would prefer if Exim is forwarding this waste automagically to /dev/null.
>
> Thanks in advance
>
>


--
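The system filter Dave describes, written out as an added example (this is not code from either poster): it drops only bounce messages whose headers or quoted body name the abusing relay from the original post, and deliberately omits the usual `if error_message then unseen finish` line, since the messages to be discarded are themselves error messages. The log file path is an assumption; the filter is enabled from the main Exim configuration with `system_filter = /path/to/file` (Exim 4; the option was `message_filter` in Exim 3). Note that `$message_body` only exposes the first `message_body_visible` bytes of the body, so a bounce that quotes the original headers deep in its body may need that option raised.

```exim
# Exim filter
#
# System filter (added example): discard the bounces generated by forged
# sender addresses, recognising them by the abusing relay's hostname.
# The hostname is the one named in the original post; the log file path
# below is an assumption for illustration.
#
# Do NOT start this filter with the usual
#     if error_message then unseen finish endif
# The messages to be dropped *are* error messages, so that line would
# finish the filter before the test below ever ran.

logfile /var/log/exim/dropped-bounces.log

# Only act on bounces (empty envelope sender), so legitimate mail that
# merely mentions the host is never discarded.  The relay shows up in the
# first Received: header of the spam; a bounce may carry that header in
# its own header section or quote it in the body, so both are checked.
if error_message
   and ($h_received: contains "cmcweb.cmctech.co.kr"
        or $message_body contains "cmcweb.cmctech.co.kr")
then
  # Keep a record of what was dropped, for later review of the filter.
  logwrite "$tod_log dropped bounce $message_id (relay host matched)"
  # seen finish: mark the message as handled and perform no further
  # deliveries, which in a system filter throws the message away.
  seen finish
endif
```

Because the match is on a single hostname, the filter stops working the moment the spammer feeds his mail through a different relay; the log file is the quickest way to confirm the filter is still catching the bounces that clog the queue.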