[Wolves] Spam Wonderful Spam

Ron Wellsted wolves at mailman.lug.org.uk
Thu Sep 4 20:13:01 2003


On Thursday 04 September 2003 6:25 pm, Matthew Warwick wrote:
> Heyas all,
>
> I have a very nasty problem on my hands here.
>
> Basically, It looks like someone is sending out lots of spam, and making
> it appear as if it came from my domain. I keep getting lots of "mail
> undeliverable" emails in my inbox and when I view their headers, they
> are returning to me because the From: field lists my domain name in
> there.
>
> Some of these error emails attach the original, so I've been looking at
> the headers in the original ones that were sent, there's an example at
> the bottom of this mail. The addresses listed in the From: field in the
> spam mails just seem to be random letters @qbie.com, for example
> jhjkwer3@qbie.com and kjh3hjf@qbie.com
>
> I'm totally at a loss of what to do. All these emails have originated
> from different servers by the looks of it, I have contacted a couple of
> the ISPs (one being BT Openworld) but I'm getting so many of these in
> my inbox it's beyond a joke. I've already set up filtering rules to move
> them into a separate folder but they're coming in at a rate of about 20
> an hour.
>
> Any advice or help would certainly be much appreciated :)

Plenty of sympathy from me as I have been suffering the same problem since 
about May.  It seems to go in waves, and we seem to be at or near a peak at 
the moment as I am getting up to about 40-50 NDRs per hour.  Interestingly, 
most of mine have been targeted at .ru domains.  Any patterns in yours?

I suspect this is the result of systems being infected with one of the virii that 
turns a M$ system into an open mail relay. 

I have just recently started receiving spam for some of these invalid 
addresses, so it looks like these virii are now harvesting the random 
addresses that they have themselves generated.

As for advice, either 
1. grin and bear it
or
2. set up your MTA to start dumping all misdirected mail into /dev/null or a 
folder.

I have been patient and tried 1. I am now preparing to try 2. (I will route to 
a file first, then if there are NO false positives, I may change the filename 
to /dev/null.)

-- 
Ron Wellsted
http://www.wellsted.org.uk
ron@wellsted.org.uk
N 52.567623, W 2.137621
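One way to carry out Ron's option 2 with a safety net, as an added example that is not part of the thread: a Python triage script that reads bounce messages, pulls the attached original out of each, flags the ones whose supposed sender is an address at qbie.com that never existed, and tallies the domains the forged mail was aimed at (Ron's question about .ru patterns). The domain, the valid-mailbox list and the sample bounces are constructed assumptions; in use it would be fed messages from the quarantine folder so false positives can be checked before anything goes to /dev/null.

```python
import email
from collections import Counter
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed assumptions: the joe-jobbed domain from the thread and its real mailboxes.
OUR_DOMAIN = "qbie.com"
VALID_LOCALPARTS = {"matthew", "postmaster"}

def make_ndr(orig_from, orig_to, attach_original=True):
    """Constructed bounce that (usually) embeds the spam as a message/rfc822 part."""
    ndr = EmailMessage()
    ndr["From"], ndr["To"] = "MAILER-DAEMON@relay.example.net", orig_from
    ndr.set_content("The following message could not be delivered.")
    if attach_original:
        orig = EmailMessage()
        orig["From"], orig["To"] = orig_from, orig_to
        orig.set_content("spam body")
        ndr.add_attachment(orig)
    return ndr.as_bytes()

def classify(raw):
    """backscatter = forged local sender; keep = real sender; unknown = no original attached."""
    ndr = email.message_from_bytes(raw, policy=policy.default)
    orig = next((p.get_payload(0) for p in ndr.walk()
                 if p.get_content_type() == "message/rfc822"), None)
    if orig is None:
        return "unknown", None
    sender = parseaddr(str(orig.get("From", "")))[1].lower()
    target = parseaddr(str(orig.get("To", "")))[1].lower()
    if sender.endswith("@" + OUR_DOMAIN) and sender.split("@")[0] not in VALID_LOCALPARTS:
        return "backscatter", target.rpartition("@")[2]
    return "keep", None

def triage(raws):
    # Tally verdicts and targeted domains; file, don't delete, until no false positives show up.
    verdicts, targets = Counter(), Counter()
    for raw in raws:
        verdict, target_domain = classify(raw)
        verdicts[verdict] += 1
        if target_domain:
            targets[target_domain] += 1
    return verdicts, targets

SAMPLE = [  # constructed NDRs in the thread's jhjkwer3@qbie.com style
    make_ndr("jhjkwer3@qbie.com", "ivan@mail.ru"),
    make_ndr("kjh3hjf@qbie.com", "olga@yandex.ru"),
    make_ndr("matthew@qbie.com", "friend@example.org"),
    make_ndr("xq9zz@qbie.com", "bob@example.com", attach_original=False),
]
```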