** Forged spamming going on

alex@nac.net wrote:
-> some luser off of AT&T dialup is using mailme.com (my domain) for relaying
-> mail:
-> Received: from mailme.com (146.st-louis-71-72rs.mo.dial-access.att.net
-> [...]
-> He is sending thousands of emails to AOL users, and AOL is then bouncing them
-> to me.
-> [...]
-> Thinking about this, there is no solution; here are my options:
->
-> 1) blackhole AT&T, which does nothing, since the mail consists of bounces
-> coming from AOL.
->
-> 2) blackhole AOL, which would fix my attack, but would break all
-> legitimate mail from/to AOL.
->
-> 3) temporarily blackhole mailme.com, which would prevent me from getting
-> the bounces, but then I can't send/get legit mail.

You forgot:

4) Deny relaying, which sendmail 8.9.1a will do by default (has worked
  great for us so far), and
5) Deny access to dial-access.att.net (and dialsprint.net, da.uu.net,
  pub-ip.psi.net, etc) which is what we're doing here just because we
  get so much spam directly from such dialup accounts these days.

Anyone have a list of legitimate outgoing SMTP servers for the big dialup
companies (UUnet, PSI, Concentric, AT&T, Sprint, etc)? So far I haven't had
any complaints about blocking stuff like da.uu.net, but I'd like to make sure
that legitimate email can still get through.

      -Robert Tarrall.-
      System/Network Admin
      E Central
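Robert's options 4 and 5 as concrete sendmail 8.9 configuration, added here as an example; it is not taken from Robert's, Alex's or anyone else's system. Relaying is already refused by default in 8.9, so the only thing to add is the access map that carries the per-host RELAY/REJECT decisions. The dialup domains are the ones named above; the 192.168.1 network, the map path and the 550 text are placeholders.

```text
dnl ---- sendmail.mc (sendmail 8.9.x) ----
dnl Relaying is off by default in 8.9; this just enables the access map.
FEATURE(`access_db', `hash -o /etc/mail/access')dnl

# ---- /etc/mail/access ----
# Rebuild the map after editing:  makemap hash /etc/mail/access < /etc/mail/access
#
# Relay only for our own machines (placeholder network).
localhost               RELAY
192.168.1               RELAY
#
# Option 5: refuse SMTP connections from dialup pools (matched against the
# connecting client's reverse DNS, so this also covers
# 146.st-louis-71-72rs.mo.dial-access.att.net).
dial-access.att.net     550 Dialup hosts must send mail through their ISP's mail server
dialsprint.net          REJECT
da.uu.net               REJECT
pub-ip.psi.net          REJECT
```

Two caveats a practitioner should keep in mind. Hostname entries only match clients that have a reverse DNS record; a dialup address with no PTR is caught only by an IP or network entry. And neither entry touches the case in this thread: the bounces are delivered by AOL's own MTAs, which are not in the dialup pool, so the access map sees AOL, not the AT&T host that injected the forged mail.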

-> -> some luser off of AT&T dialup is using mailme.com (my domain) for relaying
-> -> mail:
->
-> You forgot:
->
-> 4) Deny relaying, which sendmail 8.9.1a will do by default (has worked
->   great for us so far), and

You didn't read the email thoroughly.

A user dialed into ATT, sent thousands of emails to aol.com users, with a
forged return-address of youarecool@mailme.com, which AOL bounces back to
youarecool@mailme.com, which is a domain I own.

Relaying on my machines has no bearing on this.

-> 5) Deny access to dial-access.att.net (and dialsprint.net, da.uu.net,
->   pub-ip.psi.net, etc) which is what we're doing here just because we
->   get so much spam directly from such dialup accounts these days.

Still wouldn't fix it, as AOL is the one sending me the mails (bounces).

-> Anyone have a list of legitimate outgoing SMTP servers for the big dialup
-> companies (UUnet, PSI, Concentric, AT&T, Sprint, etc)? So far I haven't had
-> any complaints about blocking stuff like da.uu.net, but I'd like to make sure
-> that legitimate email can still get through.

That still wouldn't fix this problem, but I may do this separately.

->       -Robert Tarrall.-
->       System/Network Admin
->       E Central

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
     Atheism is a non-prophet organization. I route, therefore I am.
       Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
               Father of the Network and Head Bottle-Washer
     Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone! http://www.nac.net
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

If it's a forgery and the mail is not touching NAC.NET servers, neither step
is useful, although relaying should be shut off and SMTP access denied from
ISP dialup banks as a general rule.

-> some luser off of AT&T dialup is using mailme.com (my domain) for relaying
-> mail:
-> Received: from mailme.com (146.st-louis-71-72rs.mo.dial-access.att.net
-> [...]
-> He is sending thousands of emails to AOL users, and AOL is then bouncing them
-> to me.
-> [...]
-> Thinking about this, there is no solution; here are my options:
->

-> You forgot:
->
-> 4) Deny relaying, which sendmail 8.9.1a will do by default (has worked
->   great for us so far), and

I almost said that, but then I read the header he posted. This wasn't a
case of relaying...it's just "from address forgery". The same problem I
posted about a week or two ago. Some moron sends out a few hundred
thousand messages relayed through a variety of 3rd parties, claiming to be
from idontexist@yourscrewed.com...yourscrewed.com being your domain. When
the 3rd party relays fail to deliver tens of thousands of messages because
the spammer bought a 3rd rate address list full of bogus addresses, guess
where the bounces go?

-> 5) Deny access to dial-access.att.net (and dialsprint.net,da.uu.net,
->   pub-ip.psi.net, etc) which is what we're doing here just because we
->   get so much spam directly from such dialup accounts these days.

And if you use a service like iPass, this becomes highly inconvenient for
your customers unless you've set up a relay-after-POP3 hack.

----don't waste your cpu, crack rc5...www.distributed.net team enzo---
Jon Lewis <jlewis@fdt.net> | Spammers will be winnuked or
Network Administrator | nestea'd...whatever it takes
Florida Digital Turnpike | to get the job done.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key________
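The distinction Alex and Jon draw, sender forgery that produces backscatter rather than open relaying, can be read straight off the bounce. Below is an added Python example, not code from anyone in this thread, that takes a constructed DSN modelled on the case above (AOL's MTA returning mail that an AT&T dialup injected while HELOing as mailme.com), pulls the returned original out of the report, and decides whether mailme.com's servers ever handled it. It also records which host an access map at mailme.com's MX would actually see, and whether the address the bounce is aimed at exists at all. The hostnames mail.mailme.com and mail-relay.aol.com, the 192.0.2.x addresses, the queue ids and the local user list are all made up for the example; the dialup hostname is the one from Alex's header.

```python
import email
import json
import re
from email.utils import parseaddr

OUR_DOMAIN = "mailme.com"
# Assumed (hypothetical): the only hosts that legitimately inject mailme.com mail.
OUR_MAIL_HOSTS = {"mail.mailme.com"}
# Assumed (hypothetical): real mailboxes; anything else only exists via a catch-all.
LOCAL_USERS = {"alex", "postmaster"}

# "from HELO (rdns [ip])" as sendmail writes it; rdns is absent for clients with no PTR.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?P<ip>[^\]]+)\]\)", re.S)

# Constructed sample: AOL bouncing a message the dialup injected with a forged mailme.com sender.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mail-relay.aol.com (mail-relay.aol.com [192.0.2.10]) by mail.mailme.com (8.9.1a/8.9.1) with ESMTP id ABC123 for <youarecool@mailme.com>
From: Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
To: <youarecool@mailme.com>
Subject: Returned mail: User unknown
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="bb1"

--bb1
Content-Type: text/plain

550 <nosuchuser@aol.com>... User unknown

--bb1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail-relay.aol.com

Final-Recipient: rfc822; nosuchuser@aol.com
Action: failed
Status: 5.1.1

--bb1
Content-Type: message/rfc822

Received: from mailme.com (146.st-louis-71-72rs.mo.dial-access.att.net [192.0.2.46]) by mail-relay.aol.com (8.9.1/8.9.1) with SMTP id XYZ789
From: youarecool@mailme.com
To: nosuchuser@aol.com
Subject: make money fast

Spam body.

--bb1--
"""

# Constructed sample: a bounce for mail that really left mail.mailme.com (a mistyped AOL address).
SAMPLE_GENUINE = """\
Return-Path: <>
Received: from mail-relay.aol.com (mail-relay.aol.com [192.0.2.10]) by mail.mailme.com (8.9.1a/8.9.1) with ESMTP id DEF456 for <alex@mailme.com>
To: <alex@mailme.com>
Content-Type: multipart/report; report-type=delivery-status; boundary="bb2"

--bb2
Content-Type: message/rfc822

Received: from mail.mailme.com (mail.mailme.com [192.0.2.20]) by mail-relay.aol.com (8.9.1/8.9.1) with ESMTP id GHI012
From: alex@mailme.com
To: typo@aol.com

Hi.

--bb2--
"""


def parse_received(header):
    """Return the connecting client named in one Received: line, or None."""
    m = RECEIVED_RE.search(header or "")
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"] or "", "ip": m["ip"]}


def original_message(bounce):
    """The message/rfc822 part of a DSN carries the returned original, headers included."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def classify_bounce(raw):
    bounce = email.message_from_string(raw)
    report = {"is_dsn": (bounce.get("Return-Path", "") or "").strip() == "<>"}
    # Topmost Received: the host that connected to OUR MX, the only thing an access map sees.
    delivered_by = parse_received(bounce.get("Received"))
    report["mx_sees"] = (delivered_by or {}).get("rdns")
    rcpt = parseaddr(bounce.get("To", ""))[1]
    report["rcpt_exists"] = rcpt.partition("@")[0] in LOCAL_USERS
    # Without a catch-all, a bounce to a nonexistent user is refused at RCPT, before DATA.
    report["smtp_action"] = "accept" if report["rcpt_exists"] else "550 User unknown at RCPT"
    orig = original_message(bounce)
    if orig is None:
        report["verdict"] = "undetermined"
        return report
    hops = [parse_received(h) for h in orig.get_all("Received", [])]
    injection = hops[-1] if hops else None  # last listed Received = first hop = injection point
    report["injection_point"] = injection
    claimed_domain = parseaddr(orig.get("From", ""))[1].partition("@")[2].lower()
    touched_us = injection is not None and injection["rdns"].lower() in OUR_MAIL_HOSTS
    if touched_us:
        report["verdict"] = "genuine"
    elif claimed_domain == OUR_DOMAIN:
        report["verdict"] = "backscatter"  # our name on it, but it never passed through our hosts
        report["helo_forged"] = injection is not None and injection["helo"].lower() == OUR_DOMAIN
    else:
        report["verdict"] = "unrelated"
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_BOUNCE, SAMPLE_GENUINE):
        print(json.dumps(classify_bounce(sample), indent=2))
```

For the forged sample the injection point is the AT&T dialup HELOing as mailme.com while `mx_sees` is the AOL relay, which is Alex's point in one record: a block on dial-access.att.net at the MX never fires, and blocking what the MX does see means blocking AOL. The `rcpt_exists` field shows the one lever the domain owner does hold: with no catch-all, youarecool@mailme.com is refused at RCPT and the bounce is never accepted.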