It Continues...Sprint Is played the fool...

Sorry if some of you are losing patience with this, I'm truly sorry,
but this is amazingly evil.

I get email from someone in Sprint Security, a new person, I'll be
decent enough to leave his name out, around 10:30PM EST.

The gist of it is that they've spoken with this guy who has been
sending these thousands of msgs, and he's a reasonable fellow, and I'm
inflating all this and perhaps even partly to blame, some wild and
ridiculous story about how my refusing his mail with a 550 error is
making his software do this, ridiculous if you know how mail actually
works, that's like getting a User Unknown error, you just throw it on
the floor, he runs sendmail 8.7 under Unix, telnet to his SMTP port at
iq-internet.com.

    AT ABOUT 1AM EST THE MAIL LOOPING STARTS AGAIN, AFTER A FEW HOURS
    HIATUS. HE STARTED IT UP AGAIN!

Unbelievable, I'm sorry, but this sort of behavior is going to destroy
these networks, and I mean behavior on the part of people like
Sprint. Bad people will happen, I know that, we all know that, but the
people at Sprint have absolutely no excuse for their behavior other
than sheer gullibility or abrogation of any shred of responsibility.

Is there anyone here, who Sprint will believe, who can tell them that
they are dealing with a known evil person who is feeding them complete
bull? Obviously they don't believe me and will give this execrable
person more than every benefit of the doubt as he disrupts the network
for his own vicious purposes, this is going into the third full day of
this.

ridiculous story about how my refusing his mail with a 550 error is
making his software do this, ridiculous if you know how mail actually
works, that's like getting a User Unknown error, you just throw it on
the floor, he runs sendmail 8.7 under Unix, telnet to his SMTP port at
iq-internet.com.

Spammers don't send mail using sendmail or any other standard mailer. They
use special custom-built spamming programs that are geared to sending huge
quantities of the same message to LARGE mailing lists quickly and
efficiently. It's possible that his software has a bug that isn't dealing
with errors properly or it's possible that the mechanism to deal with
replies is reacting badly to your mailer.

When I say "replies" I am referring to the fact that spammers do not want
you to reply to their email. If they receive replies, they process them
with some sort of robot. In the simplest case, all replies are sent to
the bit bucket. Now because Sprint's spam policy states that spamming is
OK as long as you remove people's addresses from your list if they request
it, their robot has to deal with that case and all spam from iq-internet
informs people that they can reply with "NO MAIL" in the subject to be
removed from the list. But spammers have another problem and they are
getting more sophisticated in dealing with that. I refer to the problem
created by irate spam recipients who then mailbomb the spammer. Spammers
are learning to deal with this by returning the messages to the source
with an error. I suspect that their spam software is screwing up and
treating your reject messages as a mail bomb and they are thus returning
them back to you creating a classic email loop.

    AT ABOUT 1AM EST THE MAIL LOOPING STARTS AGAIN, AFTER A FEW HOURS
    HIATUS. HE STARTED IT UP AGAIN!

Unbelievable, I'm sorry, but this sort of behavior is going to destroy
these networks, and I mean behavior on the part of people like
Sprint. Bad people will happen, I know that, we all know that, but the
people at Sprint have absolutely no excuse for their behavior other
than sheer gullibility or abrogation of any shred of responsibility.

Barry, I agree with everyone on this list that this is NOT the place to be
discussing the problem. Please take this to the proper forum. If you would
post an account of your troubles along with the MX records for sprint.com,
sprintlink.net, etc. to the alt.2600 newsgroup then this problem would not
be occurring.

Are you a SPRINT customer? If not, you should be reporting this flood
attack to your upstream provider who appears to be Alternet from my
vantage point. It doesn't matter whether it is a ping flood, SYN flood or
mailbomb attack, your provider can work their way up the channels to the
source of the problem. In the interim they can install filters on their
router port to you that will block port 25 from the offending site. This
takes the load off your shoulders and also frees up the bandwidth that you
are paying your upstream provider for.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

I suspect that their spam software is screwing up and
treating your reject messages as a mail bomb and they are thus returning
them back to you creating a classic email loop.

I suppose that's why the four digit account number he uses keeps
changing, they look like this:

I suppose that's why the four digit account number he uses keeps
changing, they look like this:

So what?

C'mon, this is silly, why when confronted with an actual problem do
people get such an urge to play devil's advocate and spin wild
possibilities? Are you just amusing yourself, just in deep denial,
what?

Well so far you haven't said what is really happening other than a vague
claim about an excessively high rate of email messages. Have you inspected
any of these messages to determine if, in fact, this is merely his normal
message stream, or if, in fact, there is some kind of loop set up by your
mailer's refusals? Obviously, if your mailer's behavior is perpetuating
the flood, then you have a moral and a legal obligation to fix that
behavior. And if you are going to post something on a technical list like
this then you also have an obligation to provide details. Otherwise, there
is no point in posting it here because your words won't help other
operators who might find themselves in a similar situation.

I don't mean to get sarcastic but why is this attack the victim stuff
helpful or desirable?

Damn right it's desirable. This isn't a list for victims to whine and
moan. If there is a technical problem then please explain the details
because people on this list might be able to help. So far there have been
two good suggestions related to blackholing at your router and to joining
the spam filter distribution via OSPF.

Oh well, ok, maybe you win, maybe we're fucked, get used to it, on Jan
4, 1997 everybody just gave up and decided everything was someone
else's problem.

This sounds remarkably like your own attitude. Here you are posting on
this list asking us to fix the problem. A more productive attitude would
be to ask what *YOU* can do to solve the problem and then to implement
some of the suggestions. And all the emotional language you have posted to
the list has obscured the fact that you have given remarkably little
technical detail as to what is happening and why this is making you so
frazzled.

Contrast this with the SYN flood attacks a few months back when people
explained what was happening to them and others on the list joined in to
assist them in alleviating and ultimately fixing the problem.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
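
The check asked for above (is the flood an independent message stream, or a loop fed by the receiving mailer's own 550 refusals?) can be run over a captured sample of the traffic. The following is an added example, not code from the thread or from any poster; it assumes a sample of messages was accepted into quarantine for inspection, and the reject wording, hop limit, addresses and sample messages are all constructed for illustration.

```python
from email import message_from_string

# Assumptions for this example (not taken from the thread):
OUR_REJECT_TEXT = "550 Access denied"  # wording our MTA uses when refusing mail
MAX_HOPS = 25                          # Received: headers tolerated before suspecting a loop

def loop_signals(envelope_from, raw_message):
    """Return the set of loop indicators found in one captured message."""
    msg = message_from_string(raw_message)
    signals = set()
    # Bounces carry a null reverse-path so that they are never bounced again.
    if envelope_from in ("", "<>"):
        signals.add("null-sender")
    # A message quoting our own refusal was generated in response to it.
    body = msg.get_payload()
    if isinstance(body, str) and OUR_REJECT_TEXT in body:
        signals.add("quotes-our-550")
    # Every relay prepends a Received: header, so a looping message keeps growing.
    if len(msg.get_all("Received", [])) > MAX_HOPS:
        signals.add("hop-count")
    return signals

def classify(sample):
    """sample: list of (envelope_from, raw_message). 'loop' if most messages show a signal."""
    looping = sum(1 for env, raw in sample if loop_signals(env, raw))
    return "loop" if looping * 2 > len(sample) else "stream"

# Constructed sample messages (hypothetical hosts and addresses).
BULK = ("Received: from relay.example (relay.example [192.0.2.10])\n"
        "From: offers@sender.example\nSubject: Great offer\n\nBuy now.\n")
BOUNCE = ("Received: from relay.example (relay.example [192.0.2.10])\n"
          "From: MAILER-DAEMON@sender.example\nSubject: Returned mail\n\n"
          "Your message was refused: 550 Access denied\n")

if __name__ == "__main__":
    print(classify([("<>", BOUNCE)] * 5 + [("offers@sender.example", BULK)]))
```

A "stream" result points to filtering the source upstream; a "loop" result means the refusals themselves are being answered, so the receiving side's reject path is part of what has to change.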

[snip]

Pardon me but this has been going on three days and I'm getting
awfully cranky and absolutely staggered at how eager people are to
leap up and say "why bother us with this, it's not our problem!", it's
kinda like dealing with dead people.

I have to concur with Barry in this. An excerpt from the NANOG charter
states:-

"Discuss specific implementation issues which require cooperation and
coordination among network service providers to ensure the stability of
overall service to the network users."

I believe Barry's problem falls into this category.