Woland Apprentice
Joined: 02 Aug 2002 Posts: 248 Location: Russian Jack, Alaska
Posted: Fri Jun 27, 2003 6:41 am Post subject: Spam for user "hanmail"
Since starting my mail server, I have had problems with only one kind of Spam (so far, knock on wood) ---- but it is weird.
It comes from all sorts of different IP's --- from China and Korea (mostly) to California and Europe. And it is always addressed to hanmail@my.ip
Since, of course, it has a bogus "reply to:" header, qmail tells me that "the bounce bounced!"
Now since this Spam always seems to be for user "hanmail", the easy solution would be to alias user hanmail to /dev/null. But this is just so weird! Why always the same user, from so many different spammers? I know that hanmail is a pretty big ISP in Korea, but the Spam is hanmail@... never ...@hanmail.
Anyone have similar experiences? Maybe I am growing paranoid, or maybe this is some way in which spammers "case out" my IP before flooding it with mail for random users in the hope of getting Spam through. Should I be worried?
A sample header (with the ensuing spam deleted) follows:
Code:
Hi. This is the qmail-send program at komos.momus.net.
I tried to deliver a bounce message to this address, but the bounce bounced!
<f-HANMAIL?momus.net-clqoqislskqkcorxbhdhdkdldlb@bounce.amazingdailydeals.com>:
209.164.36.177 does not like recipient.
Remote host said: 551 5.5.2 Syntax error
Giving up on 209.164.36.177.
--- Below this line is the original bounce.
Return-Path: <>
Received: (qmail 120 invoked for bounce); 27 Jun 2003 06:17:31 -0000
Date: 27 Jun 2003 06:17:31 -0000
From: MAILER-DAEMON@komos.momus.net
To: f-HANMAIL?momus.net-clqoqislskqkcorxbhdhdkdldlb@bounce.amazingdailydeals.com
Subject: failure notice
Hi. This is the qmail-send program at komos.momus.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<HANMAIL@MOMUS.NET>:
Sorry, no mailbox here by that name. (#5.1.1)
--- Below this line is a copy of the message.
Return-Path: <f-HANMAIL?momus.net-clqoqislskqkcorxbhdhdkdldlb@bounce.amazingdailydeals.com>
Received: (qmail 30234 invoked from network); 27 Jun 2003 06:17:29 -0000
Received: from unknown (HELO s1.amazingdailydeals.com) (209.164.36.177)
by 209-112-170-111-cdsl-rb1.nwc.acsalaska.net with SMTP; 27 Jun 2003 06:17:29 -0000
From: Family History <amazingdailydeals@lists.amazingdailydeals.com>
Subject: Trace your Family Tree for FREE!
To: HANMAIL@MOMUS.NET
X-Find: F-4-1-kIJ5bxOmY9y224qlz6eu+PI=-
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------105664667634956"
X-GSEMSE: yes
X-Mailer: gsemse-v1
Date: Thu, 26 Jun 2003 23:17:29 PST
--------------105664667634956
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Trace YOUR Family Tree for FREE!
http://amazingdailydeals.com/redir.php?id=816&e=HANMAIL@MOMUS.NET
Supermule Guru
Joined: 05 Mar 2003 Posts: 510 Location: /denmark/fyn
Posted: Fri Jun 27, 2003 7:25 am
Hi,
Do u have count of all outgoing mails? If there is a lot being sent, that isn't sent from your internal network, u might be used for relaying of some sort?
_________________
regards,
Supermule
Woland Apprentice
Joined: 02 Aug 2002 Posts: 248 Location: Russian Jack, Alaska
Posted: Fri Jun 27, 2003 7:38 am
Supermule wrote:
Do u have count of all outgoing mails? If there is a lot being sent, that isn't sent from your internal network, u might be used for relaying of some sort?
You have hit my paranoia on the head. No, I don't have a count of all outgoing emails, and maybe I am too much of a noob to do it just yet. Same with relaying. That is something else I have been worried about, but just assumed that qmail would turn it off by default, since it is the most paranoid (as far as I can tell) of all the SMTP's out there.
Unfortunately, I am new to the mail biz., and spent much time over getting IMAP going the way I want it, perhaps neglecting more important security issues and just trusting out of the box qmail.
Mea culpa, mea culpa, mea maxima culpa.
Which of course begs the question---how do I know if I am relaying, and if I am, how do I turn it off?
(I am monitoring my bandwidth usage, and if relaying is going on, so far there has not been much of it. Also, no irate emails to "abuse@" which I would expect.)
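
In stock qmail, the relaying question asked above comes down to two settings: the `control/rcpthosts` file and any `RELAYCLIENT` entry in the tcpserver rules. The script below is an added example, not part of the thread; the function name `qmail_relay_audit` and the temp-dir sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two qmail settings that
# decide whether qmail-smtpd relays. Paths are passed in; nothing is assumed
# about where the poster's files live.

# qmail_relay_audit CONTROL_DIR [TCP_RULES_FILE]
# Prints findings; returns 0 if no open-relay condition was found, 1 otherwise.
qmail_relay_audit() {
    qra_control=$1
    qra_rules=${2:-}
    qra_status=0

    # Without control/rcpthosts, qmail-smtpd accepts mail for every domain.
    if [ ! -f "$qra_control/rcpthosts" ]; then
        echo "OPEN: $qra_control/rcpthosts is missing"
        qra_status=1
    else
        echo "OK: accepting mail only for: $(tr '\n' ' ' < "$qra_control/rcpthosts")"
    fi

    # RELAYCLIENT, set per client in the tcpserver rules, bypasses rcpthosts.
    if [ -n "$qra_rules" ] && [ -f "$qra_rules" ]; then
        while IFS= read -r qra_line; do
            case $qra_line in
                '#'*) continue ;;            # comment line
                *RELAYCLIENT=*) ;;           # rule grants relaying: inspect it
                *) continue ;;               # rule does not grant relaying
            esac
            qra_addr=${qra_line%%:*}         # address part before the first ':'
            case $qra_addr in
                ''|'=') echo "OPEN: catch-all rule sets RELAYCLIENT: $qra_line"
                        qra_status=1 ;;
                *)      echo "INFO: relaying allowed for $qra_addr" ;;
            esac
        done < "$qra_rules"
    fi
    return "$qra_status"
}

# Constructed sample layout in a temp dir (not the poster's real files).
qra_demo=$(mktemp -d)
printf 'momus.net\n' > "$qra_demo/rcpthosts"
printf '127.:allow,RELAYCLIENT=""\n:allow\n' > "$qra_demo/tcp.smtp"
qmail_relay_audit "$qra_demo" "$qra_demo/tcp.smtp" || echo "fix the OPEN findings"
rm -rf "$qra_demo"
```

An `OPEN` finding is cleared by listing only your own domains in `rcpthosts` and by keeping `RELAYCLIENT` on rules for trusted addresses only, then rebuilding the rules cdb with `tcprules`.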
Supermule Guru
Joined: 05 Mar 2003 Posts: 510 Location: /denmark/fyn
puggy Bodhisattva
Joined: 28 Feb 2003 Posts: 1992 Location: Oxford, UK
Posted: Fri Jun 27, 2003 5:26 pm
Check this excellent site out. They will test your server to see if it's a relay...
Puggy
_________________
Where there's open source, there's a way.