Re: Intractable spam! (Exchange 2000)



"Julie" <julie@xxxxxxxxxxxxx> wrote:

"Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx> wrote in message

What you're seeing is a real PITA. The sending server simply ignores
the 5xx statuses sent by your server and sends its data stream as if
they never occurred. That behavior isn't unusual, but thankfully it's
not that common. There's not a lot you can do to thwart it except to
drop the connection. That may be a choice in your anti-spam software.

That's what I've been doing. In my example, the connection was from
"mail.swedenowin.com."

How can you tell from the log file? All you know is that the FQDN is a
value that _claims_ to be that server. Without the IP address you have
no idea if the sender's IP address belongs to that domain.


Looking at these two reports, I'd say that either it's a new email
server or a new e-mail domain:

http://www.senderbase.org/search?searchString=swedenowin.com
http://www.trustedsource.org/query.php?q=69.16.236.138

If it's a new server/domain, they may have the server misconfigured
and it's been compromised already.

It has a TXT record for SPF information (although that's no guarantee
of anything if junk mail originates from the correct IP addresses
associated with the domain).

I added that to the "deny" list in BCWare's NOSPAM and that put an end
to connections from there.

From where, 127.0.0.1? Or do you mean that you blacklisted the domain
name swedenowin.com no matter from what address the messages arrive?
Blocking an IP address vs. a domain may produce some, umm,
undesirable results. :-)

However, it isn't long before another spam domain, also with a valid
PTR and absent from any RBL, begins to flood us with connections
again. So I add the new sending machine to the "deny" list, and on and
on.

If your spam filter can't distinguish spam from ham without relying on
RBLs, you need a new filter. RBLs can be useful, but they're only
about 40% effective in preventing you from receiving spam, but they're
very good at preventing the reception of ham. All an RBL knows is the
source of the message, not the content.

An interesting note: This just began on Friday, the 7th. Maybe we were lucky, but
the server has been running for years without this happening.

I'd say _extremely_ lucky.

Another interesting note: If you browse to http://swedenowin.com, you get a page that
says, "swedenowin.com has years of experience with marketing creation. Our team has gained
the vision and knowledge to develop email creatives, landing pages, and Pop Up campaigns
that motivate consumers to respond. We have spent years creating, testing, and
implementing hundreds of offers to our client's consumer base.
"We KNOW what is required to get the response you desire. We have sourced this data from
the most reputable sites that are 100% CAN SPAM compliant. We obtain data only from the
most valid sources, from consumers who have requested to receive information."

When I browse to the other domains that are barraging us in the same fashion,
such as http://wannabeweu.com, you get the identical page except with the
different domain.

<gasp!> Imagine that! A deceptive spammer! Oh, my . . . alert the
media! :-)

So it looks like all of these are related.

Well, sorta:

If you believe that web page, think again. The domain was registered
on June 20, 2006:

http://reports.internic.net/cgi/whois?whois_nic=swedenowin.com&type=domain

Years of experience? And they've just now discovered the Internet?
That's pretty funny.

Unfortunately, they're not in a single
IP block, they all have valid PTRs, and they're not in any RBL.

Two words: Zombie network

If you have Java installed, check
http://www.trustedsource.org/zloc.php for some discouraging news. :-(

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
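The behaviour described at the top of the thread (a sender that ignores 5xx replies and keeps pushing its data stream) is easiest to see in a small model of the receiving side. The following is an added example, not code from the thread or from Exchange or any anti-spam product mentioned in it. It models the policy Rich describes, "drop the connection": the server rejects a recipient with 550, counts each subsequent command that only makes sense if the client had ignored that rejection, and after MAX_VIOLATIONS (an assumed threshold) answers 421 and stops servicing the session. The dialogue at the bottom is a constructed sample, not a captured log.

```python
"""Model of an SMTP receiver that drops clients which ignore 5xx replies.

Added example, not part of the original thread. All names, addresses and
the dialogue are constructed.
"""
from dataclasses import dataclass, field

MAX_VIOLATIONS = 2                       # assumption: tolerated protocol abuse
REJECTED_RCPT = {"nobody@example.org"}   # constructed: recipients we refuse


@dataclass
class Session:
    accepted_rcpts: int = 0
    violations: int = 0
    dropped: bool = False
    log: list = field(default_factory=list)   # (client line, server reply)


def handle(session, line):
    """Return the SMTP reply for one client line, or None once dropped."""
    if session.dropped:
        return None
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        reply = "250 mx.example.net"
    elif verb == "MAIL":
        reply = "250 OK"
    elif verb == "RCPT":
        addr = arg.split(":", 1)[-1].strip("<> ").lower()
        if addr in REJECTED_RCPT:
            reply = "550 5.1.1 User unknown"
        else:
            session.accepted_rcpts += 1
            reply = "250 OK"
    elif verb == "DATA":
        if session.accepted_rcpts == 0:
            # DATA with no accepted recipient: the client is acting as if
            # our 550 never happened (RFC 5321 section 3.3 forbids this).
            session.violations += 1
            reply = "503 5.5.1 No valid recipients"
        else:
            reply = "354 End data with <CR><LF>.<CR><LF>"
    elif verb == "RSET":
        session.accepted_rcpts = 0
        reply = "250 OK"
    elif verb == "QUIT":
        reply = "221 Bye"
    else:
        # Message body lines arriving after a refused DATA show up here as
        # unknown commands: more evidence the client ignores our replies.
        session.violations += 1
        reply = "500 5.5.2 Command not recognized"
    if session.violations >= MAX_VIOLATIONS:
        session.dropped = True
        reply = "421 4.7.0 Too many protocol errors; closing connection"
    session.log.append((line.strip(), reply))
    return reply


def run(dialogue):
    """Feed a list of client lines through one session and return it."""
    session = Session()
    for line in dialogue:
        if handle(session, line) is None:
            break
    return session


# Constructed sample: the sender ignores the 550 on RCPT and sends DATA and
# body text regardless, exactly the pattern discussed in the thread.
ABUSIVE_DIALOGUE = [
    "EHLO mail.example.com",
    "MAIL FROM:<bulk@example.com>",
    "RCPT TO:<nobody@example.org>",
    "DATA",
    "Subject: buy now",
    "QUIT",
]

# Constructed sample of a well-behaved client for comparison.
POLITE_DIALOGUE = [
    "EHLO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.org>",
    "DATA",
]

if __name__ == "__main__":
    for client, reply in run(ABUSIVE_DIALOGUE).log:
        print(f"C: {client}\nS: {reply}")
```

In the abusive dialogue the rejected DATA counts as the first violation and the body line that follows as the second, so the server answers 421 on that line and never sees the QUIT. A real MTA would also close the TCP socket at that point; here that is represented by `handle` returning None.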
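Rich's point that a host name in the log is only a claim, while the connecting IP address is the fact, and his later remark about the SPF TXT record, both come down to DNS checks that can be scripted. The following is an added example, not code from the thread or from any product named in it. It performs forward-confirmed reverse DNS (the PTR name must resolve back to the same IP) and evaluates a simplified SPF record (the ip4, ip6, a, include and all mechanisms only; mx, ptr, exists and modifiers are reported as permerror). DNS answers come from an embedded lookup table so the script runs offline; every name, address and record in it is constructed and says nothing about any domain in the thread.

```python
"""Forward-confirmed reverse DNS and a small SPF evaluator (added example).

The DNS data is a constructed fake zone so the code runs offline. None of
the names or addresses here are real.
"""
import ipaddress

# Constructed fake zone data: (qname, rtype) -> list of answers.
FAKE_DNS = {
    ("38.113.0.203.in-addr.arpa", "PTR"): ["mx1.sender.example."],
    ("mx1.sender.example", "A"): ["203.0.113.38"],
    ("sender.example", "TXT"): ['"v=spf1 ip4:203.0.113.0/24 a:mx1.sender.example -all"'],
    ("impostor.example", "A"): ["198.51.100.9"],
    ("impostor.example", "TXT"): ['"v=spf1 a ~all"'],
}


def lookup(name, rtype, dns=FAKE_DNS):
    """Answer a query from the fake zone (replace with a real resolver)."""
    return dns.get((name.rstrip(".").lower(), rtype), [])


def fcrdns(ip, dns=FAKE_DNS):
    """Return the PTR name only if it resolves forward to the same IP."""
    addr = ipaddress.ip_address(ip)
    for ptr in lookup(addr.reverse_pointer, "PTR", dns):
        forward = [ipaddress.ip_address(a) for a in lookup(ptr, "A", dns)]
        if addr in forward:
            return ptr.rstrip(".")
    return None


def assess_claim(ip, claimed_fqdn, dns=FAKE_DNS):
    """Does the host name seen in a log line actually belong to the IP?"""
    confirmed = fcrdns(ip, dns)
    matches = confirmed is not None and \
        confirmed.lower() == claimed_fqdn.rstrip(".").lower()
    return {"claimed": claimed_fqdn, "confirmed": confirmed, "name_matches": matches}


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, dns=FAKE_DNS, depth=0):
    """Simplified SPF (RFC 7208) evaluation; returns an SPF result word."""
    if depth > 10:                      # RFC 7208 limits DNS-querying terms
        return "permerror"
    records = [r.strip('"') for r in lookup(domain, "TXT", dns)
               if r.strip('"').startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                # more than one SPF record is invalid
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # 'addr in network' is False when address families differ
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            target = arg or domain
            matched = addr in [ipaddress.ip_address(a) for a in lookup(target, "A", dns)]
        elif mech == "include":
            matched = spf_check(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"          # mx, ptr, exists, redirect= not implemented
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched and no 'all'


if __name__ == "__main__":
    print(assess_claim("203.0.113.38", "mx1.sender.example"))
    print(assess_claim("198.51.100.9", "mx1.sender.example"))
    print(spf_check("198.51.100.9", "sender.example"))
```

The second `assess_claim` call is the case Rich warns about: a connection from an address with no PTR at all, announcing a name that belongs to someone else. The SPF call shows the other half of his caveat: an address outside the published range gets a hard fail, while a compromised or misconfigured host that really is inside the range would pass.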