In message <199805271903 .
com>, you wrote:
>This isn't a list management issue, but I think there is considerable
>expertise in the subject among the subscribers here and I'm not sure where
>else to ask it.
>Since upgrading to sendmail 8.8.8 a few weeks back I have been noting
>a LOT of rejected SMTP sessions because of invalid domains caught by the
>check_rule filter, which logs the site attempting the connection. As far
>as I can tell, all of these are UCE/spam.
Don't bet on it. It sounds to me like you are maybe checking the validity
of the domain name given in the HELO SMTP command, but a lot of places
still have that misconfigured I think.
>Here's the tally of rejected messages just SINCE MIDNIGHT:
>> 77 abraham.ugrad.physics.mcgill.ca
>> 18 cduweb.cdrewu.edu
>> 72 ftp.senet.co.jp
>> 46 info.sssi.com
>> 18 outbound.Princeton.EDU <=======
>> 10 relay.ibenet.it <=======
>> 2 syse.senet.co.jp
>> 19 www.art-in.com
The two that I have put arrows next to I recognize, because they have been
hitting my own spam traps lately. The others I don't know about.
>Any suggestions as to what to do to 'encourage' these sites to fix their
>security problems would be appreciated.
Umm.... may I suggest an ordinary kitchen cheese grater, inserted rectally?
But seriously folks, the spammers themselves are doing a lot to smack many
sysadmins out of their lethargy. It's kind of a bummer when you get all
of your bandwidth stolen from you for a time and when you then also have
to deal with the complaints that _you_ get because you are a moron who is
still running an open relay in the current era.
I don't know that there is a lot else that can be done. Find the admin
addresses (using my ipw program, which I posted a pointer to here recently)
and send them bitch-o-grams and tell them they are morons. It's about all
you can do.
The only other thing I would suggest is to be sure to give them a pointer
which has a lot of instructions and help for closing relays.
I'll mention right now also that if you can find the people who are admin-ing
the containing address block, you can tell them for me that I am now offering
a free confidential open mail relay scanning service to help people find out
where all of their remaining open relays are. I will only do this for authorized
network admins and the results are always kept confidential, but when it is
done for a given IP address block, I send the list of open relay IP addresses
to the relevant network admin(s) for further action... which hopefully means
getting all of those damn relays closed.
I have done this for several /16 blocks already, and the network admins I
sent the results to were most appreciative.
I think that this sort of thing needs to be done a LOT, mostly at the level
of /16 blocks, until this huge open relays problem gets wiped out. We are
still a long way from that. I hope to have the whole scan request process
totally automated at some point so that authorized net admins can request
the scans for themselves via a web page, but that will be later on. For
now, people have to ask me for a scan via ordinary E-mail.
>(And if there's a more specific
>forum for discussing this, please let me know.)
The SPAM-L mailing list deals with spam in general, and of course there is
always news.admin.net-abuse.email, but that's kind of a zoo these days.
Then there is the spamtools mailing list, where specific technical
countermeasures to spam are discussed.
-- Ron Guilmette, Roseville, California ---------- E-Scrub Technologies, Inc.
-- Deadbolt(tm) Personal E-Mail Filter demo: http://www.e-scrub.com/deadbolt/
-- Wpoison (web harvester poisoning) - demo: http://www.e-scrub.com/wpoison/
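The open-relay scan Ron describes above boils down to one SMTP dialogue: connect to a host that is neither the sender's nor the recipient's domain, offer it mail from an outside address to an outside address, and see whether it says 250 at RCPT TO. The following is an added example written for this page, not Ron's scanning service or anything posted in the thread. It runs the probe offline against two constructed in-memory hosts (one that relays for anyone, one that refuses with a 550), records both sides of the exchange, and stops before DATA so that a relay which would accept the message never has to deliver one. The host names, addresses and reply texts are all made up for the illustration.

```python
"""Open-relay probe, run offline against constructed fake SMTP hosts.

Added example, not the scanning service described in the message above.
The probe is the dialogue a relay scanner drives: HELO, MAIL FROM an outside
address, RCPT TO an outside address.  250 at RCPT TO means the host relays.
"""

# Assumed scanner addresses; any domain the probed host is not responsible for.
RELAY_TEST_SENDER = "probe@example.org"
RELAY_TEST_RECIPIENT = "probe-reply@example.org"


class FakeSmtpHost:
    """Minimal SMTP responder standing in for a remote host (constructed).

    local_domains:    domains this host accepts mail for.
    relay_for_anyone: True models an open relay; False models a host that
                      answers 550 to any recipient outside local_domains.
    """

    def __init__(self, name, local_domains, relay_for_anyone):
        self.name = name
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_for_anyone = relay_for_anyone
        self.transcript = []                      # both sides, in order
        self._pending = ["220 %s ESMTP ready" % name]

    def readline(self):
        line = self._pending.pop(0)
        self.transcript.append("S: " + line)
        return line

    def sendline(self, line):
        self.transcript.append("C: " + line)
        self._pending.append(self._respond(line))

    def _respond(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 %s Hello %s" % (self.name, arg)
        if verb == "MAIL":
            return "250 sender ok"
        if verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            domain = addr.rpartition("@")[2].lower()
            if self.relay_for_anyone or domain in self.local_domains:
                return "250 recipient ok"
            return "550 relaying denied"
        if verb == "RSET":
            return "250 reset"
        if verb == "QUIT":
            return "221 bye"
        return "500 command unrecognized"


def smtp_command(conn, line):
    """Send one command and return the numeric reply code."""
    conn.sendline(line)
    return int(conn.readline()[:3])


def probe_relay(conn, helo_name="probe.example.org",
                sender=RELAY_TEST_SENDER, recipient=RELAY_TEST_RECIPIENT):
    """Classify the host behind conn as 'open', 'closed' or 'error'.

    Only the envelope is offered; DATA is never sent, and RSET is issued
    afterwards so nothing is left queued on a host that said 250.
    """
    if not conn.readline().startswith("220"):
        return "error"
    if smtp_command(conn, "HELO " + helo_name) != 250:
        return "error"
    if smtp_command(conn, "MAIL FROM:<%s>" % sender) != 250:
        # A host that refuses an outside sender will not relay this probe.
        smtp_command(conn, "QUIT")
        return "closed"
    code = smtp_command(conn, "RCPT TO:<%s>" % recipient)
    smtp_command(conn, "RSET")
    smtp_command(conn, "QUIT")
    if code == 250:
        return "open"
    if 400 <= code < 600:
        return "closed"
    return "error"


def scan_block(hosts):
    """Probe every host once; return the names that relayed for an outsider."""
    return [h.name for h in hosts if probe_relay(h) == "open"]


if __name__ == "__main__":
    hosts = [FakeSmtpHost("relay.example.net", ["example.net"], True),
             FakeSmtpHost("mail.example.com", ["example.com"], False)]
    print("open relays:", scan_block(hosts))
    for h in hosts:
        print("\n".join(h.transcript), end="\n\n")
```

The verdict depends entirely on the recipient being outside the probed host's own domains; probing with a local recipient would say "open" for every correctly configured host, which is why a real scan of a /16 has to pick sender and recipient from an address block the scanner controls.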