Re: [Exim] Columbian Spammer

Author: Ron McKeating
Date:  
To: Matthew Byng-Maddick
CC: Exim-Users (E-mail)
Subject: Re: [Exim] Columbian Spammer
On Mon, 2003-11-03 at 20:56, Matthew Byng-Maddick wrote:
> On Mon, Nov 03, 2003 at 07:29:17PM +0100, Giuliano Gavazzi wrote:
> > At 17:43 +0000 2003/11/03, Matthew Byng-Maddick wrote:
> > [...]
> > >did what the DNS told me to do." If you break the cooperation, you're no
> > >better than the spammers, in many ways, and I'll know that I don't want
> > >to accept mail from you, because I'll be unlikely to be able to report
> > Matthew, you have singlehandedly destroyed your own argument...
>
> If you think that, you didn't understand the argument.
>
> I'm the third party here, I find that a mail to someone broke, I try to mail
> their postmaster, but I can't, because I've been blacklisted and their network
> is just dropping. I have no idea (other than what the DNS tells me) whether
> they really are supposed to be the MX for that domain. As far as I'm
> concerned, I'm sending it to the right place. If they turn around and say
> "relaying denied", then I'm likely to try and mail their postmaster and try
> and work out whether that's a configuration error on their end, or a
> configuration error in the DNS. If I can't do that, that's equivalent, in
> my mind, to not being able to send a bounce, or an abuse mail.
>
> My mail system does callouts, so if you blacklist me, you won't be able to
> send me mail either.
>
> MBM
>
> --
> Matthew Byng-Maddick         <mbm@???>           http://colondot.net/
Well as the person who started all this I have to say it has been very
revealing. I would like to thank MBM for pointing out some of the
aspects I had not considered with regard to malconfigured mx's and the
fact that cutting off a site's access to your postmaster is not a good
way to resolve issues.

On the other hand, as far as I can tell all the traffic coming from this
site is spam. They only send between midnight and 5am, roughly 5 to 7
thousand emails per night. And I have sent repeated emails to both
postmaster and abuse at their domain and had no response. If I want to
check something in my logs, I have all these thousands of entries to
wade through to find the thing I want. It ties up my server when it
could be doing other things.

Also every email comes from the same person; here is a log sample:

2003-11-04 04:57:58 H=(compaq-1.epm.net.co) [200.116.23.169]
F=<utvegaya@???> rejected RCPT <d_hernandez@???>: relay
not permitted

Now let's search the log for Mr utvegay@hotmail with a zgrep -c and we
get 7130. All have different RCPT but all 7130 from the same user, all
sent in a short period of about 5 hours. Now isn't this just a bit suss?
Surely now, after trying every means to contact them and getting no
response, I have a right to firewall them?

Just grepping the logs for the last few days for Mr utvegay gives:
5266
7130
4982
5355
4429

So I cannot accept that this is legitimate mail or a badly configured
MX. It is spam spam spam. And I think I have a right to stop it tying up
my server.

Ron

> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##

--
Ron McKeating
Senior IT Services Specialist
Internet Services and Software Solutions
Loughborough University
01509 222329
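The check Ron describes (one envelope sender, one sending host, thousands of "relay not permitted" rejections to different recipients in a few hours) can be done in a single pass over the Exim mainlog rather than a zgrep per sender. The script below is an added example, not code from the thread or from Exim itself: it parses the reject lines in the format shown above, tallies rejections and distinct recipients per sender/host pair, and lists the pairs over a threshold. The log lines, addresses and IPs in SAMPLE_LOG are constructed placeholders, and the log path in the usage note is an assumption (it varies by distribution).

```shell
#!/bin/sh
# Added example (not from the original thread): summarise Exim
# "rejected RCPT ... relay not permitted" lines per envelope sender and
# sending host, and count how many distinct recipients each pair tried.
# SAMPLE_LOG is constructed test data; addresses and IPs are placeholders.

SAMPLE_LOG='2003-11-04 04:57:58 H=(mail.example.test) [192.0.2.10] F=<bulk@example.test> rejected RCPT <user1@example.org>: relay not permitted
2003-11-04 04:58:01 H=(mail.example.test) [192.0.2.10] F=<bulk@example.test> rejected RCPT <user2@example.org>: relay not permitted
2003-11-04 04:58:03 H=(mail.example.test) [192.0.2.10] F=<bulk@example.test> rejected RCPT <user3@example.org>: relay not permitted
2003-11-04 04:58:09 H=(mail.example.test) [192.0.2.10] F=<bulk@example.test> rejected RCPT <user3@example.org>: relay not permitted
2003-11-04 05:10:44 H=(other.example.net) [192.0.2.20] F=<other@example.net> rejected RCPT <user9@example.org>: relay not permitted
2003-11-04 05:11:00 1AH2Rw-0001Ab-00 => user1@example.org R=local T=local_delivery'

# count_relay_rejects: reads Exim mainlog lines on stdin and prints one line
# per sender/host pair, most frequent first:
#   <rejections> <distinct recipients> <envelope sender> <[host IP]>
count_relay_rejects() {
  grep 'rejected RCPT .*: relay not permitted' |
  awk '{
    sender = ""; host = ""; rcpt = ""
    for (i = 1; i <= NF; i++) {
      # the connecting host IP is the bracketed field, e.g. [192.0.2.10]
      if ($i ~ /^\[.*\]$/) host = $i
      # envelope sender is F=<addr>; strip the F=< and > wrapper
      if ($i ~ /^F=</) sender = substr($i, 4, length($i) - 4)
      # recipient follows the RCPT token as <addr>: ; strip : and <>
      if ($i == "RCPT") {
        r = $(i + 1); sub(/:$/, "", r)
        rcpt = substr(r, 2, length(r) - 2)
      }
    }
    key = sender " " host
    n[key]++
    # count each recipient once per sender/host pair
    if (!seen[key, rcpt]++) d[key]++
  }
  END { for (k in n) print n[k], d[k], k }' | sort -rn
}

# flag_bulk_senders THRESHOLD: only the pairs with at least THRESHOLD
# rejections, i.e. the candidates worth looking at (or blocking) by hand.
flag_bulk_senders() {
  count_relay_rejects | awk -v t="$1" '$1 >= t'
}

# Stand-alone demo on the constructed sample (a threshold of 3 flags only
# the bulk sender; real logs would use something like 1000).
printf '%s\n' "$SAMPLE_LOG" | flag_bulk_senders 3
```

On a live system the input would be the rotated logs, for example `zcat /var/log/exim4/mainlog.*.gz | count_relay_rejects` (path assumed; adjust to where your Exim writes `mainlog`). The distinct-recipient column is the useful discriminator: a misconfigured MX retrying one stuck message shows a high rejection count but one recipient, whereas the pattern in the thread is thousands of rejections with nearly as many distinct recipients.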