[Gllug] Handling a new twist by spammers

Robert McKay rm at accucard.com
Mon Dec 9 13:12:03 UTC 2002


On Mon, 9 Dec 2002, John Winters wrote:

> One of my machines functions as a secondary mail server (running Exim).
> I notice this morning that it has a large number of frozen messages and
> looking at them I find a new twist to the nuisance of spammers.
>
> Someone has been sending a large number of e-mails to randomly generated
> addresses, (like "fred101 at linuxemporium.co.uk",
> "fred102 at linuxemporium.co.uk" etc.) and then sending them to the
> *secondary* mail server.  It accepts them because it doesn't know any
> better, then tries to pass them on, fails, tries to send them back to
> the originator, fails again and then freezes them.
>
> It looks either like incompetence or a half-baked DoS attack.  Is there
> anything that can be done to prevent this trick?
>
> TIA,
> John

You could get around the problem (of having loads of frozen messages on
the secondary) by making the primary MX first accept all messages from the
secondary and then bounce them itself, rather than rejecting them from the
secondary. Of course that's only an option if you have access to the
primary.  It would be incorrect behavior to silently delete all messages
rejected by the primary when being relayed, as legitimate emailers will be
left without a bounce notification.

If the server accepts anything and then sends a bounce the spammers have
to try and parse bounce messages to determine what addresses they have,
which means they need to arrange for a working return address that can
receive hundreds of thousands of bounces and then parse them all.. this is
far more work for the spammer than if the mail server tells them right
away before delivery that the address doesn't exist. What may have
happened in this case is they were pounding on the primary MX so hard that
some of their own connections started failing over to the backup.

Regards,

Robert McKay
Unix Systems Administrator
Accucard Ltd.
tel: 02070732283

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug




More information about the GLLUG mailing list