Re: junk received from our own server??
From: Anthony Edwards (anthony.edwards_at_uk.easynet.net)
Date: 08/01/04
Date: Sun, 01 Aug 2004 12:56:03 -0000
On Sat, 31 Jul 2004 20:05:18 -0700, mmac <mmac@junkmail.bin> wrote:
> Thanks, The first question I have is how come they picked MY ip to spoof?
Since the forged HELO or EHLO greeting appears to have been the
IP address of your own machine, it is reasonable to assume that
the automated bulk emailing software ("spamware") in use by the
unscrupulous bulk emailer concerned is configured to simply use the
IP address of whichever machine is the highest priority MX ("Mail
eXchanger", or recipient mail server) for a recipient domain, or
perhaps the machine that it is connected to at the time, as its HELO
or EHLO greeting.
This presumably defeats some basic anti-spam measures in use on one or
more mail server platforms, or it may simply be designed to obfuscate
and to confuse mail recipients and potential complainants.
> And second, How can I block these things? Is there a list of compromised IP's
> that is made public?
Yes, there are many such lists and a link to a site which references
and queries some of them (the most widely respected and best known)
was included in my original posting.
The site concerned:
One issue, though, is that many compromised hosts are also senders
of legitimate email, with the result that rejecting email from such
compromised hosts can also result in the loss of mail that you,
or your users, may wish to receive.
> I can see how publishing that kind of list could be both good and bad but
> something must be available.
Perhaps the best DNSBL listing compromised hosts is:
From the site referenced above:
The CBL operates in an entirely automated way designed to
avoid listings of spamtrap hits due to bounces of forged
spam, virus bounces, and "real" mail servers emitting
the occasional spam. It tries very hard to avoid listing
legitimate mail sources. It does not attempt to list every
possible spam source.
As a result, the "false positive" rate (legitimate mail being
incorrectly filtered) when using this list as the basis of a spam
filtering solution is likely to be very low, compared to that
experienced when using more conventional DNSBL lists, such as:
The DSBL lists will block a lot of spam if you configure your server
to reject mail from IP addresses so listed, but will also block
an amount of legitimate mail as many of the machines on this list
are actually legitimate mail servers, incorrectly configured and/or
not correctly secured by their administrators with the result that,
in addition to their legitimate use, unscrupulous bulk emailers can
also use them to relay Unsolicited Bulk Email without their owners'
knowledge, authorisation or permission.
The next stage of course is configuring your Exchange Server to query
such DNSBL lists that you choose to use; others here may be able to
assist you in terms of how that can be done.
--
Anthony Edwards * anthony.edwards@uk.easynet.net
Abuse Team Manager * Tel: 0800 053 0588
Easynet Ltd * DDI: 0161 227 0707
http://www.uk.easynet.net * Fax: 0845 333 4503
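
The two checks this message describes, a HELO/EHLO greeting forged as the receiving server's own IP address and a DNSBL lookup on the connecting IP, as an added Python example that is not part of the original post. The zone `dnsbl.example`, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

DNSBL_ZONE = "dnsbl.example"  # assumption: placeholder zone, not a real list

def helo_claims_local_ip(helo_arg, local_ips):
    """True if the HELO/EHLO argument is one of our own IPs (bare or [literal])."""
    candidate = helo_arg.strip().strip("[]")
    try:
        claimed = ipaddress.ip_address(candidate)
    except ValueError:
        return False  # a hostname, not an IP address
    return claimed in {ipaddress.ip_address(ip) for ip in local_ips}

def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """IPv4 DNSBL convention: reversed octets followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(client_ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Listed when the query name resolves into 127.0.0.0/8."""
    try:
        answer = resolve(dnsbl_query_name(client_ip, zone))
    except OSError:
        return False  # NXDOMAIN or lookup failure: treated as not listed
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def assess(client_ip, helo_arg, local_ips, resolve=socket.gethostbyname):
    """Reasons to distrust an inbound SMTP session (empty list means none)."""
    reasons = []
    is_local = ipaddress.ip_address(client_ip) in {
        ipaddress.ip_address(ip) for ip in local_ips}
    if not is_local and helo_claims_local_ip(helo_arg, local_ips):
        reasons.append("HELO forged as our own IP")
    if not is_local and is_listed(client_ip, resolve=resolve):
        reasons.append("client IP listed in DNSBL")
    return reasons

def constructed_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    listed = {"45.113.0.203.dnsbl.example": "127.0.0.2"}
    if name not in listed:
        raise socket.gaierror("constructed NXDOMAIN")
    return listed[name]

if __name__ == "__main__":
    ours = ["192.0.2.10"]  # constructed: our MX address
    print(assess("203.0.113.45", "192.0.2.10", ours, constructed_resolver))
    print(assess("198.51.100.7", "mail.example.org", ours, constructed_resolver))
```

A lookup failure is treated here as "not listed", so a DNS outage lets mail through rather than rejecting it.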