Re: [exim] Zombie spam?

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [exim] Zombie spam?
On Sat, 17 Sep 2005, Jeremiah Foster wrote:

[...]
> From what I have gleaned from the specification file it points to a
> host, 194-16-251-213.customer.telia.com, which delivered the email
> to me.


I'm not sure[1] if we have that host pattern blocked in our mailer
yet, but if they came to our attention, we'd block it without
hesitation. We have hundreds of analogous patterns already blocked,
either with wildcard or regex.

> is a Zombie machine sending out forwarded spam?


Like countless others of the same kind, it seems.

> Should one contact the abuse
> address of the Zombie, or is that futile?


My counsel would be "the latter". We'd need a large full-time staff
completely committed to following up such abuses, if we tried to
follow up every one that hit us. Instead, we just block the host
pattern, as being inappropriate for anything running a bona fide MTA,
and move on.

There are of course dnsRBLs one can use for defending against such
hosts, but they have a hard time keeping up with the rate at which
naive newcomers to the Internet turn themselves into exploitable
Zombies. So we use both: the dnsRBLs and the local host blocking
patterns. It works for us, in the sense that we keep out vast amounts
of spam, and only occasionally get a complaint from someone who
considers they have been unjustly blocked. (They'd be "unjustly"
blocked by many another target site too, though.)

regards

[1] of course - an exim -bh session would be happy to tell us:

>>> processing "deny"
>>> check hosts =


[snip detail]

yes (matched
"^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.customer\.telia\.com$" in
/etc/exim4/hostregex_reject)

So yup, this one gets tossed on a regex match, as it happens.
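
Added example, not part of the original message and not the poster's configuration: a pre-deployment audit for a host-regex reject file of the kind mentioned above, reporting patterns that are not fully anchored and legitimate host names that would be blocked. The file format (one regex per line, '#' comments), every pattern except the telia.com one, the test host names, and the use of Python's re module in place of Exim's PCRE are assumptions.

```python
import re

# Constructed pattern file, one regex per line, '#' starts a comment.
# Only the telia.com pattern comes from the message; the rest are made up.
SAMPLE_PATTERNS = r"""
# generic dotted-quad customer names
^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.customer\.telia\.com$
^dsl-\d+\.pool\.example\.net$
^dyn-\d+\.example\.org
"""

def load_patterns(text):
    """Compile each line; flag lines that are invalid or not fully anchored."""
    compiled, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # Assumption: host names are compared case-insensitively.
            rx = re.compile(line, re.IGNORECASE)
        except re.error as exc:
            warnings.append(f"line {lineno}: invalid regex ({exc})")
            continue
        if not (line.startswith("^") and line.endswith("$")):
            warnings.append(f"line {lineno}: not anchored with ^...$")
        compiled.append((lineno, rx))
    return compiled, warnings

def first_match(hostname, compiled):
    """Return the file line number of the first matching pattern, or None."""
    name = hostname.rstrip(".")
    for lineno, rx in compiled:
        if rx.search(name):
            return lineno
    return None

def audit(text, must_block, must_pass):
    """Report warnings, spam-source names missed, and legitimate names caught."""
    compiled, warnings = load_patterns(text)
    missed = [h for h in must_block if first_match(h, compiled) is None]
    hits = [(h, first_match(h, compiled)) for h in must_pass]
    return warnings, missed, [(h, n) for h, n in hits if n is not None]

# Constructed host names, apart from the one quoted in the thread.
MUST_BLOCK = ["194-16-251-213.customer.telia.com", "dsl-42.pool.example.net"]
MUST_PASS = ["mail.telia.com", "smtp.example.net", "dyn-7.example.organic.test"]

if __name__ == "__main__":
    print(audit(SAMPLE_PATTERNS, MUST_BLOCK, MUST_PASS))
```

The pattern on line 5 lacks a trailing `$`, so it also catches the unrelated name dyn-7.example.organic.test; that is the kind of unintended block the audit is meant to surface before the file goes live.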