
Re: Spamcop madness

  • To: Petra Zeidler < >
  • From: Frank Ronny Larsen < >
  • Date: Mon, 02 Oct 2000 17:07:12 +0200

> Hi,
> 
> Thus wrote Jan Meijer (Jan.Meijer@localhost):
> 
> > >     >In this case, we have been harassed for a couple of weeks
> > >     >by someone spoofing one of our IP addresses in spams.
> > > Well, you were "lucky" that only a non-used/routed IP address
> > > was used. A couple of years ago a *valid* e-mail address of
> > > one of our users was used this way...
> > 
> > How did you stop it?
> 
> We have a similar problem: someone's pumping out huge amounts of spam
> through hit&run dialups (it's been various) and using the domain of a
> customer of ours as envelope from.
> After we collected 5 GB in bounces, we've been forced to point the
> domain's MX to nevernever-land; anyone have a reasonable idea that doesn't
> involve a separate mailer machine that prefilters that domain's mail?
> The good people are a rather small customer and they definitely don't
> deserve nor want to pay for the traffic costs that would run up, not to
> speak of other costs.

Somebody mentioned using procmail to filter this out. I like this idea, 
since it gives much flexibility.

We have had luck with the following setup:
We use a central mailserver that all incoming mail passes through, which 
forwards the mail further to the right department here at the university. 
This forwarding is done using sendmail's mailertable functionality.

When we then had an attack from spammers using addresses made of 3 to 6 
letters + 2 digits @ department.uit.no we filtered this single department 
through a small procmail setup by changing that line of the mailertable 
like this:
# old entry
#department.uit.no              esmtp:[mail.department.Uit.No]
# new entry
department.uit.no             procmail:/root/spamstopprocmailrc

with /root/spamstopprocmailrc like this:
# Discard (deliver to /dev/null) anything addressed to one of the
# spammer's forged "letters + digits" local parts at our domain.
:0
*^TO.*[a-z]+[0-9]+@localhost
/dev/null

# Everything else: hand back to sendmail for normal delivery.
# With sendmail's procmail mailer, $1 is the envelope sender and
# $2 the recipient, as passed in from the mailertable entry.
:0      # forward mail
! -oi -f $1 $2

This sends the bounces to /dev/null while forwarding the rest to the 
correct server.

This setup massively removed load from the machine during the attack. It 
also let me easily filter the thousands of mail that were in the queue at 
the time I put this in action.

You can probably hack around a little with this to make it work even if 
the mail is to be delivered to the local machine in the first place.

The first filter should be modified to match whatever common theme is in 
the mail the spammer is using in your case. And take care so as not to 
match legit mails as well.

Frank Ronny Larsen
-- 
postmaster@localhost - University of Tromsø, Norway
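As an added example (not code from the post or from the University of Tromsø setup), here is the same "discard forged-recipient backscatter, forward everything else" decision written in Python, so the pattern can be tested against sample messages before it goes into a procmail rule. It assumes the domain `department.uit.no` and the "3 to 6 letters + 2 digits" pattern from the post, and a constructed allowlist of real local users; the allowlist is the safeguard the post asks for ("take care so as not to match legit mails"), and is not part of the original recipe. procmail's own regex dialect has no `{n,m}` counts, which is why the post's rule uses `+`; Python's `re` can match the pattern exactly.

```python
"""Classify mail as backscatter-to-discard or mail-to-forward by recipient.

Added example, not from the original post. Assumed values are marked.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed: the domain the spammer forged as envelope sender (from the post).
TARGET_DOMAIN = "department.uit.no"

# Assumed: "3 to 6 letters + 2 digits", tightened from the post's [a-z]+[0-9]+.
FORGED_LOCALPART = re.compile(r"^[a-z]{3,6}[0-9]{2}$")

# Constructed allowlist of genuine local users; a real deployment would load
# the department's account list here so a real user matching the pattern
# (e.g. "abc12") never has their bounces silently dropped.
KNOWN_USERS = {"abc12@department.uit.no"}


def recipient_addresses(raw_message: str) -> list:
    """Return lower-cased addresses from To: and Cc:, the headers procmail's ^TO covers."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def classify(raw_message: str) -> str:
    """'discard' only if every recipient at TARGET_DOMAIN looks forged and none
    is a known user; anything else is 'forward' (the conservative default)."""
    local_rcpts = [a for a in recipient_addresses(raw_message)
                   if a.endswith("@" + TARGET_DOMAIN)]
    if not local_rcpts:
        return "forward"
    if any(a in KNOWN_USERS for a in local_rcpts):
        return "forward"
    if all(FORGED_LOCALPART.match(a.rpartition("@")[0]) for a in local_rcpts):
        return "discard"
    return "forward"


# Constructed sample messages (not real mail).
BOUNCE = (
    "From: MAILER-DAEMON@example.org\n"
    "To: <qwert42@department.uit.no>\n"
    "Subject: Returned mail: User unknown\n\n"
    "The original message was received at ...\n"
)
LEGIT = (
    "From: colleague@example.net\n"
    "To: Jan Meijer <jan.meijer@department.uit.no>\n"
    "Subject: meeting\n\n"
    "See you at 10.\n"
)
LEGIT_BUT_PATTERN_LIKE = (
    "From: MAILER-DAEMON@example.org\n"
    "To: abc12@department.uit.no\n"
    "Subject: Returned mail\n\n"
    "This user really exists and wants their bounces.\n"
)

if __name__ == "__main__":
    for name, m in [("bounce", BOUNCE), ("legit", LEGIT),
                    ("known user", LEGIT_BUT_PATTERN_LIKE)]:
        print(f"{name}: {classify(m)}")
```

The `all(...)`/allowlist combination errs toward forwarding: a message is only dropped when nothing about its recipients suggests a real person, which is the check to keep in mind when translating the pattern back into a single procmail regex.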
