Great Circle Associates List-Managers
(May 1998)

Subject: Re: What to do about site that indiscriminatly relay?
From: "Ronald F. Guilmette" <rfg @ monkeys . com>
Date: Wed, 27 May 1998 19:26:02 -0700
To: nolan @ tssi . com
Cc: list-managers @ GreatCircle . COM (List Managers)
In-reply-to: Your message of Wed, 27 May 1998 14:03:22 -0500. <199805271903 . OAA23839 @ celery . tssi . com>

In message <199805271903 . OAA23839 @ celery . tssi . com>, you wrote:

>This isn't a list management issue, but I think there is considerable 
>expertise in the subject among the subscribers here and I'm not sure where
>else to ask it.
>
>Since upgrading to sendmail 8.8.8 a few weeks back I have been noting
>a LOT of rejected SMTP sessions because of invalid domains caught by the
>check_rule filter, which logs the site attempting the connection.  As far
>as I can tell, all of these are UCE/spam.

Don't bet on it.  It sounds to me like you are maybe checking the validity
of the domain name given in the HELO SMTP command, but a lot of places
still have that misconfigured I think.

>Here's the tally of rejected messages just SINCE MIDNIGHT:
>> 
>> 77 abraham.ugrad.physics.mcgill.ca
>> 18 cduweb.cdrewu.edu
>> 72 ftp.senet.co.jp
>> 46 info.sssi.com
>> 18 outbound.Princeton.EDU    <=======
>> 10 relay.ibenet.it		<=======
>>  2 syse.senet.co.jp
>> 19 www.art-in.com

The two that I have put arrows next to I recognize, because they have been
hitting my own spam traps lately.  The others I don't know about.

>Any suggestions as to what to do to 'encourage' these sites to fix their
>security problems would be appreciated.

Umm.... may I suggest an ordinary kitchen cheese grater, inserted rectally?

But seriously folks, the spammers themselves are doing a lot to smack many
sysadmins out of their lethargy.  It's kind of a bummer when you get all
of your bandwidth stolen from you for a time and when you then also have
to deal with the complaints that _you_ get because you are a moron who is
still running an open relay in the current era.

I don't know that there is a lot else that can be done.  Find the admin
addresses (using my ipw program, which I posted a pointer to here recently)
and send them bitch-o-grams and tell them they are morons.  It's about all
you can do.

The only other thing I would suggest is to be sure to give them a pointer
to:

	http://maps.vix.com/tsi/

which has a lot of instructions and help for closing relays.

I'll mention right now also, that if you can find the people who are admin-ing
the containing address block, you can tell them for me that I am now offering
a free confidential open mail relays scanning service to help people find out
where all of their remaining open relays are.  I will only do this for
authorized network admins and the results are always kept confidential, but
when it is done for a given IP address block, I send the list of open relay IP
addresses to the relevant network admin(s) for further action... which
hopefully means getting all of those damn relays closed.

I have done this for several /16 blocks already, and the network admins I
sent the results to were most appreciative.

I think that this sort of thing needs to be done a LOT, mostly at the level
of /16 blocks, until this huge open relays problem gets wiped out.  We are
still a long way from that.  I hope to have the whole scan request process
totally automated at some point so that authorized net admins can request
the scans for themselves via a web page, but that will be later on.  For
now, people have to ask me for a scan via ordinary E-mail.

>(And if there's a more specific 
>forum for discussing this, please let me know.)

The SPAM-L mailing list deals with spam in general, and of course there is
always news.admin.net-abuse.email, but that's kind of a zoo these days.
Then there is the spamtools mailing list, where specific technical
countermeasures to spam are discussed.


-- Ron Guilmette, Roseville, California ---------- E-Scrub Technologies, Inc.
-- Deadbolt(tm) Personal E-Mail Filter demo: http://www.e-scrub.com/deadbolt/
-- Wpoison (web harvester poisoning) - demo: http://www.e-scrub.com/wpoison/
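Ron's caveat above is that a reject tally driven by HELO checks lumps misconfigured but legitimate hosts in with spam sources. The following is an added example, not code from the original post or from anyone on the thread: it tallies sendmail-style ruleset rejections per relay host and separates hosts whose HELO argument is syntactically malformed (the usual misconfiguration) from hosts whose HELO was well-formed, which is the smaller set worth a closer look. The log format, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample, loosely modelled on sendmail "ruleset=... reject=..." log lines.
# Not taken from the original post; hostnames and addresses are documentation examples.
SAMPLE_LOG = """\
May 27 00:01:10 mx sendmail[100]: ruleset=check_rule, arg1=workstation, relay=pc1.example.edu [192.0.2.10], reject=550 invalid HELO
May 27 00:02:15 mx sendmail[101]: ruleset=check_rule, arg1=workstation, relay=pc1.example.edu [192.0.2.10], reject=550 invalid HELO
May 27 00:03:30 mx sendmail[102]: ruleset=check_rule, arg1=[203.0.113.7], relay=relay.example.net [203.0.113.7], reject=550 invalid HELO
May 27 00:04:05 mx sendmail[103]: ruleset=check_rule, arg1=mail.bogus-.example, relay=www.example.org [198.51.100.4], reject=550 invalid HELO
May 27 00:05:00 mx sendmail[104]: from=<a@example.com>, size=1200, relay=ok.example.com [198.51.100.9]
"""

REJECT_RE = re.compile(
    r"ruleset=(?P<ruleset>\w+), arg1=(?P<arg1>\S+), "
    r"relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\], reject=(?P<reject>.*)")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one RFC 1123 hostname label
IPV4_LITERAL_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")


def helo_is_valid(arg):
    """Syntactic HELO check: a dotted RFC 1123 hostname or an IPv4 address literal.
    Says nothing about whether the name resolves; that is a separate (DNS) check."""
    m = IPV4_LITERAL_RE.match(arg)
    if m:
        return all(int(octet) <= 255 for octet in m.groups())
    labels = arg.split(".")
    return (len(arg) <= 253 and len(labels) >= 2
            and all(LABEL_RE.match(lab) for lab in labels))


def parse_rejects(log):
    """Yield (relay host, HELO argument, reject text) for each ruleset rejection line."""
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("relay"), m.group("arg1"), m.group("reject")


def tally(log):
    """Count rejections per relay host and split hosts by whether their HELO was malformed.
    A malformed HELO is usually a misconfigured legitimate host, not proof of spam."""
    counts = Counter()
    malformed, well_formed = set(), set()
    for relay, arg1, _ in parse_rejects(log):
        counts[relay] += 1
        (malformed if not helo_is_valid(arg1) else well_formed).add(relay)
    return counts, malformed, well_formed
```

Running tally(SAMPLE_LOG) puts pc1.example.edu and www.example.org in the malformed set (bare word and a label ending in a hyphen) and relay.example.net, which sent a proper address literal, in the well-formed set.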

