Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 7 Jan 2006 21:03:30 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Robert Slade" <bsd@bathnetworks.com>
Cc:        questions@freebsd.org
Subject:   RE: Spamcop listed - need help to diagnose why
Message-ID:  <LOBBIFDAGNMAMLGJJCKNCEDNFDAA.tedm@toybox.placo.com>
In-Reply-To: <1136618623.15229.17.camel@lmail.bathnetworks.co.uk>

next in thread | previous in thread | raw e-mail | index | archive | help


>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Robert Slade
>Sent: Friday, January 06, 2006 11:24 PM
>To: David Banning
>Cc: questions@freebsd.org
>Subject: Re: Spamcop listed - need help to diagnose why
>
>
>
>There is your problem TMDA is most likely the cause. Such programmes are
>in effect adding to the spam problem. Nearly all spam has a forged from
>address and all programmes such as TMDA do is send a challenge to an
>innocent 3rd party. Whist it looks like it reduces your spam all you do
>is in effect spam someone else. When your e-mail address has been used
>in a spam run by a spammer and you start getting 10s of these challenge
>an hour it is quite easy to report 1 my accident. If you look at the
>Spamcop reporting page you will see a warning about just this situation.
>
>I suppose that the real answer is to stop compounding the spam problem
>and use a combination of spamassassin and block lists.
>
>BTW I make it a point never to respond to challenges.
>

Ditto, and for the same reasons.  I've removed David from the cc
list on this for that reason as well.

Also we need to be aware of another trick that spammers have
figured out, that applies to anyone running multiple MX records on
a domain (I don't know if David is in that situation)

Normally if a domain has a single mailserver processing incoming
mail, there's a single MX record pointing to a single machine.   But
in many cases it's desirable to relay mail through a prefilter system
before it gets to the actual mailserver.  In those cases a common
trick is to block the highest priority MX host off with an access
list.  Senders try the highest priority, it fails, they then go to
the next highest priority host which is the relay host.  That host
gets it, does it's thing, then tries to send it to the highest
priority server which should work since the access list permits that
server.  This technique has been mentioned in the sendmail book
among others.

The problem is what spammers are doing now is they find one of these
hosts, and pump millions of messages to the secondary, with the VICTIM
address as the senders address, and a bogus address as the recipient
address.  The secondary gets the mail, and tries relaying it to the
primary, the primary rejects the mail as user-not-found and the secondary
tries to return the message to the sender - which is the victim address.

So the spam targets get messages from mailer-daemon that originate from
a legitimate host, but are spam.

It's a warzone out there, folks.

Ted




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LOBBIFDAGNMAMLGJJCKNCEDNFDAA.tedm>