[Gllug] Handling a new twist by spammers
Jason Clifford
jason at ukpost.com
Mon Dec 9 11:22:23 UTC 2002
On 9 Dec 2002, John Winters wrote:
> One of my machines functions as a secondary mail server (running Exim).
> I notice this morning that it has a large number of frozen messages and
> looking at them I find a new twist to the nuisance of spammers.
>
> Someone has been sending a large number of e-mails to randomly generated
> addresses, (like "fred101 at linuxemporium.co.uk",
> "fred102 at linuxemporium.co.uk" etc.) and then sending them to the
> *secondary* mail server. It accepts them because it doesn't know any
> better, then tries to pass them on, fails, tries to send them back to
> the originator, fails again and then freezes them.
It's not new and it's not a (deliberate) DoS.
ISPs have been seeing this for a long time.

An increasing number of spammers are using scripts that connect to the
secondary mail servers only and use those to inject spam as it seems many
people don't apply black lists to the MX secondaries while they do to the
mail servers that actually handle local delivery.

There is no really effective defence against random username attempts on
secondaries other than to have already blacklisted the host trying to
inject them.

I suppose you could write something to analyse your logs, pick up on a
failed delivery with a failed bounce and mv it to another mail queue, or
just delete it if you feel confident.
Jason Clifford
--
UKFSN.ORG Finance Free Software while you surf the 'net
http://www.ukfsn.org/ Sign Up Now
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
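
Added example, not part of the original post or of Exim: one way to pick out the "failed delivery with a failed bounce" messages described in the reply above. It reads the queue listing printed by `exim -bp` rather than the logs, and treats a frozen message with a null sender (`<>`) as a bounce that could not be returned. The function names and the sample queue are constructed for illustration.

```python
import re

# Constructed sample of `exim -bp` output; message ids and addresses are made up.
SAMPLE_QUEUE = """\
 2d  1.8K 18LQxY-0003Ab-00 <> *** frozen ***
          offers@bulk.example.invalid

 3h  2.4K 18LRa1-0004Bc-00 <alice@example.org>
          fred@example.com

 5d  3.1K 18LPb2-0001Xy-00 <bob@example.org> *** frozen ***
        D carol@example.net
          dave@example.net
"""

HEADER = re.compile(
    r"^\s*(?P<age>\d+[mhd])\s+(?P<size>\S+)\s+(?P<id>\S+)\s+"
    r"<(?P<sender>[^>]*)>(?P<frozen>\s+\*\*\* frozen \*\*\*)?\s*$"
)

def parse_queue(text):
    """Return one dict per queued message from `exim -bp` style text."""
    messages = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            messages.append({
                "id": m["id"], "age": m["age"], "sender": m["sender"],
                "frozen": m["frozen"] is not None, "pending": [],
            })
        elif line.strip() and messages:
            rcpt = line.strip()
            # A leading "D" marks a recipient that has already been delivered.
            if not rcpt.startswith("D "):
                messages[-1]["pending"].append(rcpt)
    return messages

def frozen_bounces(messages):
    """Frozen messages with a null sender: bounces that could not be returned."""
    return [m for m in messages if m["frozen"] and m["sender"] == ""]

def removal_commands(messages):
    """Build (but do not run) the exim commands an operator would review."""
    return ["exim -Mrm " + m["id"] for m in messages]

if __name__ == "__main__":
    for cmd in removal_commands(frozen_bounces(parse_queue(SAMPLE_QUEUE))):
        print(cmd)
```

The script only prints the `exim -Mrm` commands so they can be reviewed before anything is removed; the frozen message from a real sender is left alone.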