Gentoo Forums
Spam... Grrrrr...
YetiChick
n00b
Joined: 23 Jun 2003
Posts: 69

PostPosted: Mon Sep 27, 2004 3:10 pm    Post subject: Spam... Grrrrr... Reply with quote

I'm just venting because if I don't, I think I'll explode. What makes people think that they have the right to do things which push their problems onto other people? If spammers have a 'right' to get their message out then why don't they have the *responsibility* to accept the consequences of their actions?

(sigh)

There is someone sending spam using randomly generated addresses containing one of my domains as their forged "From:" address. They've been doing it for about two weeks, and I've had about 700M of logs roll by because of the bounce messages from the recipient mail servers. I normally reject any mail without a valid address on a domain, but I made a catchall account to pick up some of these messages so I could see what use they might be to me. In five minutes, I had over 500K of mail in the account. Since these are bounce messages, most of them have no clues pointing to the identity of the spammer, although some of them are more informative than others. The few which seem to contain headers from the original spam messages have a variety of originating IPs, but many have this:

(SquirrelMail authenticated user kxxkaex)

following the first (bottommost) "received from" line. The "authenticated user" is a random string of seven lowercase alpha characters. The "received from" line is an apparently valid ip address - so far I've only found the same IP in more than one message if the messages were all delivered to the same domain in one batch. I have not had time to carefully analyze the 160 or so messages I let into the catchall account, but I don't see how I'm going to be able to stop this abuse without investing a lot more time than I have available. Soooo...

I have to deal with:

A. One of my domains is getting 'smeared' in the minds of those admins who do not realize that the from field is almost always forged in spam. (And yes, there are plenty of those - I've had to work with them more than enough.)

B. Some of (not a significant amount, but dammit, it's *mine*) my bandwidth is being eaten up processing these bounce messages.

C. My logs are being filled with junk which makes the quick, easy 'scan by eye' method of spotting trouble nearly impossible.

D. My frustration level at being unable to do anything about this is going to give me a stroke.

E. Even after the upcoming stroke kills me, this ... ARRRRG! I can't think of a single word which both describes the spammer and is ladylike enough to say in a public forum... (sigh) Even after my stroke, this <fill this in with something really nasty> will still be smearing the name of my domain, because it apparently likes using it as a from address.

Mmmmmmf.

My first few efforts trying to get help from the postmasters sending me the bounces were quite frustrating. It seems that nobody checks their postmaster account anymore, and none of the numbers I've been able to find have put me in touch with anybody who has a clue what I'm talking about. If anyone out there has any suggestions, I'm all ears.

Well, I feel a little bit better. If you read this - thanks. Just typing it out helped.

Tracy
Stormy Eyes
Veteran
Joined: 09 Apr 2003
Posts: 1064
Location: Watching God spit-shine my boots.

PostPosted: Mon Sep 27, 2004 3:18 pm    Post subject: Reply with quote

YetiChick wrote:
E. Even after the upcoming stroke kills me, this ... ARRRRG! I can't think of a single word which both describes the spammer and is ladylike enough to say in a public forum... (sigh) Even after my stroke, this <fill this in with something really nasty> will still be smearing the name of my domain, because it apparently likes using it as a from address.


Since I've got a penis I'm not obligated to be "ladylike". Nor am I obligated to be a gentleman when describing scoundrels, so allow me to characterize the people joe-jobbing you as worthless, misbegotten spawn of a syphilitic whore willing to couple not only with the most depraved of men, but also with swine, cattle, and rabid dogs.

Feel better?
YetiChick
n00b
Joined: 23 Jun 2003
Posts: 69

PostPosted: Mon Sep 27, 2004 3:24 pm    Post subject: Reply with quote

Stormy Eyes:

Thank you, that helped. :)
Stormy Eyes
Veteran
Joined: 09 Apr 2003
Posts: 1064
Location: Watching God spit-shine my boots.

PostPosted: Mon Sep 27, 2004 3:25 pm    Post subject: Reply with quote

YetiChick wrote:
Stormy Eyes:

Thank you, that helped. :)


*purr* You're welcome. If you ever catch the misbegotten filth masquerading as a human being responsible for this joe-job, may I suggest Vlad Tepes' favorite punishment?
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3355

PostPosted: Mon Sep 27, 2004 3:29 pm    Post subject: Reply with quote

How do we know its not you spamming :P

Part of me wants to kill them but the other part of me says, "at least you know that you are better than the likes of those..."

I know which one is best
_________________
https://otw20.com/ OTW20 The new place for off the wall chat
YetiChick
n00b
Joined: 23 Jun 2003
Posts: 69

PostPosted: Mon Sep 27, 2004 3:37 pm    Post subject: Reply with quote

cokehabit:

See? See? I know you were only joking, but there are definitely people out there who don't know better. Grrrrr!
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3355

PostPosted: Mon Sep 27, 2004 3:41 pm    Post subject: Reply with quote

Is there nothing you can trace? Send a couple to my email addy, i cant guarantee anything though...
_________________
https://otw20.com/ OTW20 The new place for off the wall chat
YetiChick
n00b
Joined: 23 Jun 2003
Posts: 69

PostPosted: Mon Sep 27, 2004 4:18 pm    Post subject: Reply with quote

cokehabit:

Oh, I can trace the messages back to their source, but since they're just bounce messages from the people the spammer is hitting, it does me no good. I've verified that the messages are actually coming from the domains they appear to be from, and I've made an effort to get in contact with the postmasters of several of these domains, hoping that their logs might help. (So far, no response...)

But... If the originating IP addresses in the body of some of these bounce messages are accurate, the spammer is using a number of open-relays or friendly mailhosts to send his crap, and he appears to be using a Squirrelmail exploit.

I've done a cursory examination of several of the addresses in question, and none of the ones I've examined have been obviously up - no ping, no smtp, no telnet, no ssh, no web. Mmmm... No, as I go through these, I begin to think the IPs are just forgeries, too. 64.12.0.0 isn't a likely address for a mailserver, hm?

Anyhooo... I appreciate the offer, and I'd be happy to forward you some of these if you're willing to take a peek. It'd be nice if you spotted something I'm missing. If you PM me your email address - or tell me where to find it on the forum; I'm not that active here - I'll pass some along.

Thanks,

Tracy
DaveArb
Guru
Joined: 29 Apr 2004
Posts: 510
Location: Texas, USA

PostPosted: Mon Sep 27, 2004 5:31 pm    Post subject: Reply with quote

YetiChick wrote:
64.12.0.0 isn't a likely address for a mailserver, hm?


64.12.0.0 isn't a likely IP address at all. It's the "network identification" address for AOL-MTC, 64.12.0.0/16.

Mail admins generally don't trust any received headers that weren't added by their own MTA, because the forging of them is trivial.

You have my sympathies, but no suggestions on how to conquer the problem, unfortunately. Best I can give you is you won't receive any of those bounces from my little corporate server, because we don't accept mail that cannot be delivered in the first place. Would be nice if everyone did the same.

Dave
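As an added example (not code from the thread), here is how a postmaster might triage the bounces Tracy describes: pull out every Received: line, including the ones quoted from the original spam inside the DSN, keep only the header written by the MTA you operate, and treat everything below it as an unverified claim, which is exactly DaveArb's point. The bounce text, the hostnames (mx.example.net and friends), the addresses and the plausible_host() heuristic are assumptions made for the demo.

```python
"""Added example, not code from the thread: pull every Received: line out of
a bounce, keep the one our own MTA wrote, and treat the rest as unverified
claims made by whoever handed us the message.
The bounce text, hostnames and addresses are constructed for the demo."""
import ipaddress
import re
from email import message_from_string, policy

OUR_MTA = "mx.example.net"   # assumed hostname of the MTA we operate

# Constructed DSN quoting the headers of the original (forged) spam.
SAMPLE_BOUNCE = """\
Received: from mail.victim.example (mail.victim.example [198.51.100.7])
    by mx.example.net with ESMTP id 1abc; Mon, 27 Sep 2004 14:55:01 +0000
From: MAILER-DAEMON@victim.example
To: qwzrtab@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following address had permanent fatal errors: someone@victim.example

--b1
Content-Type: message/delivery-status

Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from relay.example.ph (relay.example.ph [203.0.113.9])
    by mail.victim.example with SMTP; Mon, 27 Sep 2004 14:54:50 +0000
Received: from 64.12.0.0 (SquirrelMail authenticated user kxxkaex)
    by relay.example.ph with HTTP; Mon, 27 Sep 2004 14:54:40 +0000
From: qwzrtab@example.net
To: someone@victim.example
Subject: buy now

--b1--
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SQMAIL_USER = re.compile(r"SquirrelMail authenticated user (\w+)")


def received_headers(raw):
    """All Received: values, outermost first, including those quoted inside a
    text/rfc822-headers or message/rfc822 part of the bounce."""
    msg = message_from_string(raw, policy=policy.default)
    found = [str(h) for h in msg.get_all("Received", [])]
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":
            inner = message_from_string(part.get_content(), policy=policy.default)
            found.extend(str(h) for h in inner.get_all("Received", []))
        elif ctype == "message/rfc822":
            found.extend(str(h) for h in part.get_payload(0).get_all("Received", []))
    return found


def plausible_host(ip):
    """Cheap sanity check on a claimed peer address: a /16 network address
    such as 64.12.0.0, or a loopback/multicast/unspecified address, cannot
    have been the connecting host, so that header is almost certainly forged."""
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return False
    return not ip.endswith(".0.0")


def analyse(raw, our_mta=OUR_MTA):
    """Split the chain into the header our MTA added and the untrusted rest."""
    hops = received_headers(raw)
    trusted = [h for h in hops if f"by {our_mta}" in h]
    claims = []
    for h in hops:
        if f"by {our_mta}" in h:
            continue                      # this one we wrote ourselves
        ip = IPV4.search(h)
        user = SQMAIL_USER.search(h)
        claims.append({
            "ip": ip.group(1) if ip else None,
            "squirrelmail_user": user.group(1) if user else None,
            "plausible_host": plausible_host(ip.group(1)) if ip else False,
        })
    return {"trusted": trusted, "claims": claims}


if __name__ == "__main__":
    for claim in analyse(SAMPLE_BOUNCE)["claims"]:
        print(claim)
```

Run it and the two claimed hops come out as 203.0.113.9 (no auth token) and 64.12.0.0 with the SquirrelMail token kxxkaex; the second is flagged as not a plausible host because x.y.0.0 is a network address, the same observation that told Tracy the IPs were forged. Nothing in the untrusted hops proves who sent the mail; only the receiving site's own logs can tie an address to a session, which is why getting the remote postmasters to answer matters.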
Trevoke
Advocate
Joined: 04 Sep 2004
Posts: 4099
Location: NY, NY

PostPosted: Mon Sep 27, 2004 6:00 pm    Post subject: Reply with quote

DaveArb : how do you set that up?
_________________
Votre moment detente
What is the nature of conflict?
YetiChick
n00b
Joined: 23 Jun 2003
Posts: 69

PostPosted: Mon Sep 27, 2004 6:14 pm    Post subject: Reply with quote

DaveArb wrote:
YetiChick wrote:
64.12.0.0 isn't a likely address for a mailserver, hm?

64.12.0.0 isn't a likely IP address at all. It's the "network identification" address for AOL-MTC, 64.12.0.0/16.


Yes, that was my point. :)

DaveArb wrote:
Mail Admin generally don't trust any received headers that weren't added by their own MTA, because the forging of them is trivial.


And this is the source of my frustration. If I could get a couple of the postmasters who run the servers sending out these bounces, then their logs would be helpful in determining exactly who sent them the mail.

DaveArb wrote:
...because we don't accept mail that cannot be delivered in the first place. Would be nice if everyone did the same.


You filter on the "from" header? Hm... I'm not sure I'd want to burden the sending mail server with the extra SMTP traffic - not to mention the weirdness in their logs from someone connecting just to validate an address. Not to mention that anyone with a catchall account would still seem 'valid'. Or did I misunderstand your comment? I mean, I check for a valid domain and I refuse mail that is not sent *to* a valid address, but I don't check to make sure that the *from* address is good. Is that what you meant?

Thanks to everybody who responded for your comments and suggestions and comfort. I'll keep trying to get a postmaster to respond, but I fear that I'll have to just wait this out. I can't help but wonder "why me?" Why this particular domain? It's little used and has about ten email accounts. (sigh) Oh well...

Tracy
DaveArb
Guru
Joined: 29 Apr 2004
Posts: 510
Location: Texas, USA

PostPosted: Tue Sep 28, 2004 2:43 pm    Post subject: Reply with quote

YetiChick wrote:
DaveArb wrote:
...because we don't accept mail that cannot be delivered in the first place. Would be nice if everyone did the same.


You filter on the "from" header? Hm... I'm not sure I'd want to burden the sending mail server with the extra SMTP traffic - not to mention the weirdness in their logs from someone connecting just to validate an address. Not to mention that anyone with a catchall account would still seem 'valid'. Or did I misunderstand your comment? I mean, I check for a valid domain and I refuse mail that is not sent *to* a valid address, but I don't check to make sure that the *from* address is good. Is that what you meant?


No, you misunderstand. My mail server does not accept messages that cannot be _delivered_, in other words <looks at yesterday's logs, picks first 10 undeliverables>

Alissa@domain.invalid: 2 Times(s)
Averroes@domain.invalid: 1 Times(s)
Brigadoon@domain.invalid: 1 Times(s)
Cheyennes@domain.invalid: 2 Times(s)
Colgate@domain.invalid: 1 Times(s)
Delilah@domain.invalid: 1 Times(s)
Eco@domain.invalid: 2 Times(s)
GNILBMESSA9@domain.invalid: 1 Times(s)
Gilead@domain.invalid: 1 Times(s)
Grenada@domain.invalid: 2 Times(s)

Were all sent here (assume our domain is domain.invalid), but were rejected during the SMTP dialog because the accounts don't exist. So, rather than bouncing to you, an innocent party, we reject at SMTP RCPT TO:.

Dave
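The exchange DaveArb describes, as an added example that is not part of the original post: a toy SMTP receiver in Python run twice over the same constructed session, once rejecting unknown users at RCPT TO: and once accepting everything and bouncing later. The domain (domain.invalid, as in his post), the mailbox table and the session lines are assumptions for the demo.

```python
"""Added example, not code from the thread: a toy SMTP receiver showing why
rejecting an unknown user at RCPT TO: produces no backscatter, while
accepting everything and bouncing later mails a DSN to the forged envelope
sender, i.e. the joe-job victim. Domain, mailboxes and session are constructed."""

LOCAL_DOMAIN = "domain.invalid"           # assumed local domain
LOCAL_MAILBOXES = {"dave", "postmaster"}  # assumed valid local users


class ToySMTPServer:
    """Non-networked SMTP state machine; enough of the protocol for the demo."""

    def __init__(self, reject_at_rcpt):
        self.reject_at_rcpt = reject_at_rcpt
        self.delivered = []   # (recipient, message) pairs actually delivered
        self.bounces = []     # DSNs this server would generate (backscatter)
        self._reset()

    def _reset(self):
        self.mail_from = None
        self.rcpts = []
        self.in_data = False
        self.data = []

    @staticmethod
    def _mailbox_exists(addr):
        local, _, domain = addr.partition("@")
        return domain.lower() == LOCAL_DOMAIN and local.lower() in LOCAL_MAILBOXES

    def handle(self, line):
        """Process one client line; return the reply, or None while in DATA."""
        if self.in_data:
            if line != ".":
                self.data.append(line)
                return None
            self.in_data = False
            self._deliver("\n".join(self.data))
            return "250 2.0.0 Ok: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self._reset()
            return "250 mx.domain.invalid"
        if verb == "MAIL":
            self.mail_from = arg.partition(":")[2].strip().strip("<>")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>")
            if self.reject_at_rcpt and not self._mailbox_exists(rcpt):
                # Fail here, inside the SMTP dialog: nothing is accepted, so
                # no DSN ever has to be sent to anyone.
                return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % rcpt
            self.rcpts.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

    def _deliver(self, body):
        for rcpt in self.rcpts:
            if self._mailbox_exists(rcpt):
                self.delivered.append((rcpt, body))
            else:
                # Already accepted, undeliverable now: the only option left is
                # a DSN to MAIL FROM, which in a joe-job is the forged victim.
                self.bounces.append({"to": self.mail_from, "undeliverable": rcpt})
        self._reset()


def run_session(server, lines):
    """Feed client lines in; return (client line, server reply) pairs."""
    out = []
    for line in lines:
        reply = server.handle(line)
        if reply is not None:
            out.append((line, reply))
    return out


# Constructed session: forged envelope sender in the victim's domain, one
# dictionary-guessed recipient that does not exist and one that does.
SESSION = [
    "EHLO spamhost.example",
    "MAIL FROM:<qwzrtab@victimdomain.example>",
    "RCPT TO:<Alissa@domain.invalid>",
    "RCPT TO:<dave@domain.invalid>",
    "DATA",
    "Subject: buy now",
    "",
    "Cheap pills.",
    ".",
    "QUIT",
]


def compare(session=SESSION):
    """Run the same session under both policies; return the backscatter each makes."""
    strict = ToySMTPServer(reject_at_rcpt=True)
    lax = ToySMTPServer(reject_at_rcpt=False)
    run_session(strict, session)
    run_session(lax, session)
    return {"strict_bounces": strict.bounces, "lax_bounces": lax.bounces}


if __name__ == "__main__":
    for line, reply in run_session(ToySMTPServer(reject_at_rcpt=True), SESSION):
        print("C:", line, "\nS:", reply)
    print(compare())
```

The strict server answers the guessed name with a 550 during the dialog and queues nothing for it, so the spammer's relay is the only party that ever sees the failure; the lax server says 250 to both recipients and then has no choice but to address a DSN to qwzrtab@victimdomain.example. When every guessed recipient is unknown, the strict server also refuses DATA outright, so not even the message body is accepted.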
YetiChick
n00b
Joined: 23 Jun 2003
Posts: 69

PostPosted: Tue Sep 28, 2004 3:36 pm    Post subject: Reply with quote

DaveArb wrote:
No, you misunderstand. My mail server does not accept messages that cannot be _delivered_, in other words <looks at yesterday's logs, picks first 10 undeliverables>


I see... I do the same, and I agree - it would be nice if everybody did it.

About a third of these bounce messages result from the remote mailserver attempting to deliver to a non-existing address. Unfortunately, the remaining messages are irritating replies from moronic anti-spam software ("Hi, we think you sent us spam! Cut it out!" Oh, as if spammers use their own address.), out-of-office responses, "mailbox full" errors and other such things. I'd still be getting the fallout from this idiot's spam spree even if everyone did reject invalid mail during the SMTP transaction - although there would be less of it. I can't help but wonder how much spam with my domain name attached has actually gotten through. Grrrrrr... Getting angry again.

Tracy
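Added example, not from the thread: a Python triage script that sorts a catchall mailbox into the kinds of backscatter Tracy lists (RFC 3464 DSNs for unknown users and full mailboxes, old-style plain-text bounces, out-of-office autoreplies and "you sent us spam" complaints) and counts how many would disappear if every receiver rejected unknown users during the SMTP transaction. The sample messages and the header heuristics are constructed for the demo; they are ordinary header checks, not a standard.

```python
"""Added example, not code from the thread: classify backscatter in a catchall
mailbox and count how much of it an SMTP-time reject would have prevented
(only the "user unknown" DSNs). Messages and heuristics are constructed."""
import re
from collections import Counter
from email import message_from_string, policy

VICTIM = "qwzrtab@victimdomain.example"   # forged sender the bounces go to

DSN_TEMPLATE = """\
From: MAILER-DAEMON@{host}
To: {victim}
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b"

--b
Content-Type: message/delivery-status

Action: failed
Status: {status}

--b--
"""

# Constructed catchall contents: two RFC 3464 DSNs, an old-style plain-text
# bounce, an out-of-office autoreply and an "anti-spam" complaint.
SAMPLES = [
    DSN_TEMPLATE.format(host="mx1.example.org", victim=VICTIM, status="5.1.1"),
    DSN_TEMPLATE.format(host="mx2.example.org", victim=VICTIM, status="5.2.2"),
    f"From: MAILER-DAEMON@old.example.net\nTo: {VICTIM}\n"
    "Subject: Returned mail: User unknown\n\n550 <bob@old.example.net>... User unknown\n",
    f"From: alice@corp.example\nTo: {VICTIM}\nAuto-Submitted: auto-replied\n"
    "Subject: Out of office\n\nI am away until Monday.\n",
    f"From: spamguard@corp.example\nTo: {VICTIM}\n"
    "Subject: Your message was flagged as spam\n\nWe think you sent us spam. Cut it out!\n",
]


def dsn_status(msg):
    """Return the first per-recipient Status: field of a delivery-status part."""
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for record in part.get_payload():
                if record["Status"]:
                    return str(record["Status"]).strip()
    return ""


def classify(raw):
    """Label one message; order matters (real DSNs first, then daemon mail)."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    sender = (msg["From"] or "").lower()
    auto = (msg["Auto-Submitted"] or "").lower()
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        status = dsn_status(msg)
        if status.startswith("5.1.1"):
            return "dsn_user_unknown"
        if status.startswith("5.2.2"):
            return "dsn_mailbox_full"
        return "dsn_other"
    if sender.startswith("mailer-daemon") or sender.startswith("postmaster"):
        body = msg.get_body(("plain",))
        text = body.get_content().lower() if body else ""
        if re.search(r"user unknown|no such user|5\.1\.1", text + subject):
            return "dsn_user_unknown"
        return "dsn_other"
    if auto.startswith("auto-replied") or "out of office" in subject:
        return "autoreply"
    if re.search(r"\bspam\b|flagged|blocked", subject):
        return "antispam_complaint"
    return "other"


def summarise(raws):
    """Counts per category plus how much an SMTP-time reject would remove."""
    counts = Counter(classify(r) for r in raws)
    total = sum(counts.values())
    avoidable = counts["dsn_user_unknown"]
    return {"counts": dict(counts), "total": total,
            "avoidable_by_smtp_reject": avoidable,
            "remaining": total - avoidable}


if __name__ == "__main__":
    print(summarise(SAMPLES))
```

On the constructed sample two of five messages are "user unknown" bounces that universal SMTP-time rejection would have prevented; the mailbox-full DSN, the autoreply and the anti-spam complaint would still arrive, which matches the roughly one-third Tracy observed. The Auto-Submitted header (RFC 3834) is the one reliable hook for autoreplies; everything else here is subject and body pattern matching and should be tuned against real traffic before it drives any automatic action.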
YetiChick
n00b
Joined: 23 Jun 2003
Posts: 69

PostPosted: Fri Oct 08, 2004 3:24 pm    Post subject: Reply with quote

Just an update...

The spam being sent with my domain name on it keeps changing, but one common feature is that all of the websites spamvertised within are hosted on either Korean or Chinese servers. A couple of people have been kind enough to send me the headers of the spam messages they received, and some have sent me logs... These messages appear to be either originating at or bouncing off of a number of mailservers located in the Philippines. Attempts to contact the operators of these systems have been fruitless.

Anyway... It doesn't seem as though there is anything I can do to stop these people from spamming in my name. I'll just have to get used to rapidly scrolling mail server logs and having my domain placed in the blacklists of people who don't know any better. This is terribly frustrating.

(whimper) I guess I'll get used to it. Why my domain?? (sigh)
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3355

PostPosted: Fri Oct 08, 2004 4:13 pm    Post subject: Reply with quote

there are some SERIOUSLY good network bods out there who could really help with this, perhaps some of the devs could help you
_________________
https://otw20.com/ OTW20 The new place for off the wall chat
mallchin
l33t
Joined: 21 Jan 2003
Posts: 655
Location: United Kingdom

PostPosted: Sun Oct 24, 2004 11:34 am    Post subject: Reply with quote

I want to kill those responsible for the spam in my Inbox, and I think it should be legal. You fuck me over, I fuck you over. Fair's fair.

Now, where did I put that rifle.
_________________
6700 @ 2.66GHz, 4Gb RAM, 2 x 500Gb, 8800 GTX, PhysX, X-Fi, 24" Widescreen, Tux mascot
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20067

PostPosted: Tue Dec 14, 2004 9:25 pm    Post subject: Reply with quote

https://forums.gentoo.org/viewtopic.php?t=185918
_________________
Quis separabit? Quo animo?