MEH
Found http://www.mxtoolbox.com/blacklists.aspx
Yup, am on two "backscatter" email lists.
Bladdy spammers
It just makes me **** angry...
Christ-mass is NOT for Christians. Jeremiah 10. Is the 10 Commandments for Christians?
Saturday is the Seventh day, Sunday is the first day.
Shmiert Shpammer
Implemented a ClearOS mail filter which sits between the Exchange and the firewall.
Still early days, but will leave it running and see what happens.
Ok guys
Said spammer did indeed send out copious amounts of spam. His IP is 74.238.194.123
How do I report this so that it can be blacklisted? I can forward log files proving that he loaded the server with spam.
In the meantime I have added a blacklist entry for his IP so he can do diddly-squat.
These (use all of them):
www.spamhaus.org
www.spamcop.net
www.dnsbl.info
Those above are aimed at punishing the ISP for allowing its network to be used by spammers and forcing the ISP to suspend the spammer's broadband account.
And then do this one as well for good measure:
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74...se&ext=netref2
#
NetRange: 74.224.0.0 - 74.255.255.255
CIDR: 74.224.0.0/11
OriginAS: AS6389
NetName: BELLSNET-BLK18
NetHandle: NET-74-224-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
Comment: For Abuse Issues, email abuse@att.net. NO ATTACHMENTS. Include IP address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email ipoperations@bellsouth.net with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.
RegDate: 2006-01-17
Updated: 2012-04-16
Ref: http://whois.arin.net/rest/net/NET-74-224-0-0-1
OrgName: BellSouth.net Inc.
OrgId: BELL
Address: 575 Morosgo Drive
City: Atlanta
StateProv: GA
PostalCode: 30324
Country: US
RegDate: 1995-03-02
Updated: 2010-09-20
Comment: For Abuse Issues, email abuse@att.net.
Comment: For Subpoena Issues, please email ipadmin@bellsouth.net with "SUBPOENA" in the subject line.
Comment:
Comment: Rwhois rwhois.eng.bellsouth.net 4321
Ref: http://whois.arin.net/rest/org/BELL
ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321
OrgAbuseHandle: ABUSE81-ARIN
OrgAbuseName: Abuse Group
OrgAbusePhone: +1-919-319-8265
OrgAbuseEmail: abuse@att.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE81-ARIN
OrgTechHandle: IPOPE3-ARIN
OrgTechName: IP Operations
OrgTechPhone: +1-888-510-5545
OrgTechEmail: ipoperations@bellsouth.net
OrgTechRef: http://whois.arin.net/rest/poc/IPOPE3-ARIN
RAbuseHandle: ABUSE81-ARIN
RAbuseName: Abuse Group
RAbusePhone: +1-919-319-8265
RAbuseEmail: abuse@att.net
RAbuseRef: http://whois.arin.net/rest/poc/ABUSE81-ARIN
RTechHandle: IPOPE3-ARIN
RTechName: IP Operations
RTechPhone: +1-888-510-5545
RTechEmail: ipoperations@bellsouth.net
RTechRef: http://whois.arin.net/rest/poc/IPOPE3-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
Right... so gonna complain of that abuse, thanks.
A snippet from my log:
Code:
2012-4-21 23:57:23 GMT 74.238.194.123 User mx.google.com MYSERVER 192.168.50.1 clgaa@pldt.com.ph 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:57:23 GMT 74.238.194.123 User mx.google.com MYSERVER 192.168.50.1 clhaney@crosstel.net 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:57:23 GMT 74.238.194.123 User mx.google.com MYSERVER 192.168.50.1 clhdg@alloymail.com 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
>snip<
2012-4-21 23:57:24 GMT 74.238.194.123 User mx.b.hostedemail.com MYSERVER 192.168.50.1 clgarcia@cob.us 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:57:24 GMT 74.238.194.123 User mx.b.hostedemail.com MYSERVER 192.168.50.1 clgusguthrie@isp.com 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
>some more snipping<
2012-4-21 23:57:24 GMT 74.238.194.123 User COL0-MC1-F47.Col0.hotmail.com MYSERVER 192.168.50.1 clgarcia@cob.us 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:57:24 GMT 74.238.194.123 User COL0-MC1-F47.Col0.hotmail.com MYSERVER 192.168.50.1 clgusguthrie@isp.com 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
>aaaaaaaand some more snipperings<
2012-4-21 23:57:24 GMT 74.238.194.123 User BAY0-MC4-F34.Bay0.hotmail.com MYSERVER 192.168.50.1 clgarcia@cob.us 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
2012-4-21 23:57:24 GMT 74.238.194.123 User BAY0-MC4-F34.Bay0.hotmail.com MYSERVER 192.168.50.1 clgusguthrie@isp.com 1031 MYSERVERuSbh29cM3or0000004e@MYSERVER.mycompany.co.za 3 0 1488 50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Mystery Shopper/Customer Service Evaluator agency@senateshopper.net -
Over and over and over again... 900+ of this kuk... The only thing that is static is the IP the spammer uses, so I assume he/she managed to compromise a server somewhere.
It is permanent on a blacklist now. Not going to remove it anymore. (both firewall and email server)
Last edited by The_Librarian; 22-04-2012 at 01:36 PM.
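The triage described in the post above (one submitting IP behind hundreds of relayed entries) can be automated. This is an added example, not part of the original thread: it groups tracking-log entries by client IP and flags non-local sources whose messages fan out to many recipients. The column meanings, the function names and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Leading columns as rendered in the post above; the column names are assumed.
ENTRY = re.compile(
    r"\d{4}-\d{1,2}-\d{1,2} [\d:]+ GMT (?P<client_ip>[\d.]+) \S+ \S+ \S+ \S+ "
    r"(?P<recipient>\S+@\S+) (?P<event_id>\d+) (?P<msg_id>\S+) ")
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarise_sources(lines):
    """Group parsable entries by submitting client IP."""
    stats = defaultdict(lambda: {"entries": 0, "recipients": set(), "msg_ids": set()})
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:  # snip markers, blank or truncated lines
            continue
        try:
            ip = str(ipaddress.ip_address(m["client_ip"]))
        except ValueError:  # digits and dots, but not a valid address
            continue
        stats[ip]["entries"] += 1
        stats[ip]["recipients"].add(m["recipient"].lower())
        stats[ip]["msg_ids"].add(m["msg_id"])
    return dict(stats)

def bulk_relay_suspects(stats, min_fan_out=3):
    """Non-local IPs whose messages each reach many distinct recipients."""
    found = []
    for ip, s in stats.items():
        if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
            continue  # internal clients are expected to submit mail
        if len(s["recipients"]) / len(s["msg_ids"]) >= min_fan_out:
            found.append((ip, s["entries"], len(s["recipients"]), len(s["msg_ids"])))
    return sorted(found, key=lambda row: row[1], reverse=True)

def sample_log():
    """Constructed entries (documentation addresses, not taken from the post)."""
    row = ("2012-4-21 23:57:23 GMT {} User {} MAILSRV 192.168.50.1 {} 1031 {} 3 0 1488 "
           "50 2012-4-21 23:57:3 GMT 0 Version: 6.0.3790.3959 - Test sender@example.com -")
    spam, mid = "203.0.113.45", "MAILSRVx4e@MAILSRV.example.org"
    rows = [(spam, "mx.example.net", u + "@example.net", mid) for u in "abcd"]
    rows += [(spam, "mx2.example.net", "c@example.net", mid),  # repeat via second MX
             ("192.168.50.20", "mx.example.com", "x@example.com", "MAILSRVy1@MAILSRV.example.org"),
             ("198.51.100.7", "mx.example.com", "y@example.com", "MAILSRVz2@MAILSRV.example.org")]
    return [row.format(*r) for r in rows] + [">snip<"]

if __name__ == "__main__":
    for hit in bulk_relay_suspects(summarise_sources(sample_log())):
        print("ip=%s entries=%d recipients=%d messages=%d" % hit)
```

A single message ID reaching many recipients from one non-local address is the pattern in the pasted log; tune `min_fan_out` against a day of normal traffic before acting on the output.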
Reported the spammer to AT&T
Will report later to Spamhaus etc.
Die spammers DIE!!
Added this:
Code:
smtpd_recipient_restrictions =
    # sanity checks on HELO, sender and recipient
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    # DNSBL lookups for everything that got this far
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    permit
Hope it does the trick... I'm getting gautvol.
SORBS will delist today at 23:00 GMT.
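What the two `reject_rbl_client` lookups in the configuration above do on the wire, as an added example that is not part of the original thread: the client IP is reversed, appended to the list's zone and resolved, and the answer has to be interpreted. Treating 127.255.255.x as an error range follows Spamhaus's documented return codes; the function names and the canned DNS answers are constructed.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Name a DNSBL client resolves: reversed IPv4 octets, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def classify(answers):
    """Interpret the A records returned for one DNSBL query."""
    if not answers:
        return "not listed"  # NXDOMAIN
    if any(a.startswith("127.255.255.") for a in answers):
        return "error"  # list refused or throttled the query; not a listing
    if all(a.startswith("127.") for a in answers):
        return "listed"
    return "invalid"  # non-loopback answer, e.g. a wildcarded or expired zone

def system_resolve(name):
    """A-record lookup via the system resolver; [] when the lookup fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_ip(ip, zones, resolve=system_resolve):
    """Return {zone: verdict} for one IPv4 address."""
    return {z: classify(resolve(dnsbl_query_name(ip, z))) for z in zones}

# Constructed answers for an offline run; real results come from system_resolve.
FAKE_DNS = {
    "45.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "45.113.0.203.zen.spamhaus.org": ["127.255.255.254"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    zones = ["bl.spamcop.net", "zen.spamhaus.org"]
    print(check_ip("203.0.113.45", zones, resolve=fake_resolve))
    print(check_ip("203.0.113.46", zones, resolve=fake_resolve))
```

A bare `reject_rbl_client zone` rejects on any A record, error codes included. Postfix 2.8 and later can limit the match to listing codes with the `=d.d.d.d` filter form, for example `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]`.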
Delisted from all but one blacklist.
Quite..... an interesting experience, I must say. Learnt something new. Tightened up email practices etc.
Looking at ASSP for email filtering as the ClearOS filter doesn't work.
What is terrible is when one has been de-blacklisted and a week later one's machine starts sending out spam again.
Then it takes weeks to resolve and one has to beg them to delist one. Horrible experience. Libs, does your Exchange server make use of a smart host or does it deliver mail using MX records?