(no subject)

John D. Kerr - VE3SVE
Sat, 06 Dec 1997 12:54:05 -0500

Kurt and others.

I actually was hit again around 22:00est on Friday evening, and I was
fortunate enough to be here scanning the logs and saw it happening. I was
reading up on mail blocking, relay blocking etc.. The incoming mail from
the spammer did get about 1500 messages through before I was able to figure
things out.

I was able to go into the Post.Office config and set the necessary fields
to only allow messages FROM an IP address on the local side to be SENT out
to others (RELAY prevention). The other option would have been to allow
messages with an address FROM my domains to go out - but I found that one of
the spammers actually used a name which implied they had a valid account
with us!

I have tested the configuration and it works PERFECTLY. About the only way
someone will be able to use us as a RELAY HOST is to FORGE the IP address
of the sending system.. This would be difficult to do - but give it a few
months and the average 12 year old will be doing it!

In regards to who was sending the SPAM.. Well.. It was worse than I had
first thought.. At the beginning of the month, I turned on detailed logging
in Post.Office, which creates larger log files, which included the EXACT
details I needed. What I have found, is that I have had several people
actually using us as a RELAY HOST - the spammers must maintain a list of
known good email hosts. The first real instance where it affected my
system was while I was away at Comdex and it totally crashed the mail server.

So.. Here is a list of IP addresses, and reverse lookups as to who the host
systems are:

12/05: 206.175.226.28 - COMPUSERVE
12/04: nothing out of the ordinary
12/03: 206.133.7.30 - Sprint
12/03: 207.107.160.132 - Sprint Canada
12/02: 206.133.8.116 - Sprint
12/01: 206.133.7.120 - Sprint
12/01: 206.214.98.16 - NETCOM On-Line Communication
12/01: 206.133.8.129 - Sprint
12/01: 206.133.9.80 - Sprint

As can be seen from this - I think an important lesson can be learned.
Blocking by a single IP address or block of IP addresses would limit anyone
from these organizations from relaying mail. I think the only solution is to
completely eliminate all possibilities of a server being used as a relay
host. If you have special situations where someone needs to be able to do
this, ADD them in as an exception - deny everyone from the outside, then
allow the ones you want.

I have learned a good lesson here and one that has saved me hours of more
worry - I want to thank everyone for their assistance..

John
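The deny-by-default relay policy described above (accept deliveries to hosted domains, relay only for connections from local IPs, add outside hosts as explicit exceptions, and never trust the forgeable sender address), together with a count of denied attempts pulled from a log, as an added Python example that is not from the message or from Post.Office; the domains, networks, and log format are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample policy values (placeholders, not the configuration from the message).
LOCAL_DOMAINS = {"example.net"}                                # domains we host
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]            # our own address range
RELAY_EXCEPTIONS = [ipaddress.ip_network("198.51.100.7/32")]   # one explicitly allowed outside host


@dataclass
class Decision:
    accept: bool
    reason: str


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str) -> Decision:
    """Accept or reject one RCPT TO on a connection from client_ip.

    Mail addressed to a hosted domain is always accepted. Anything else is
    relaying, which is denied unless the *connecting* IP is in LOCAL_NETS or
    RELAY_EXCEPTIONS. The envelope sender (MAIL FROM) is deliberately not
    consulted: a sender address in our own domain proves nothing, as the
    forged "local" account in the message shows.
    """
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return Decision(True, "local delivery")
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in LOCAL_NETS):
        return Decision(True, "relay from local network")
    if any(ip in net for net in RELAY_EXCEPTIONS):
        return Decision(True, "relay from excepted host")
    return Decision(False, "relay denied for %s (MAIL FROM %s ignored)" % (client_ip, mail_from))


# Constructed log excerpt in a hypothetical key=value format (not Post.Office's real format).
SAMPLE_LOG = """\
1997-12-05 22:01:13 client=203.0.113.45 from=<sales@example.net> to=<a@other.example> relay=denied
1997-12-05 22:01:14 client=203.0.113.45 from=<sales@example.net> to=<b@other.example> relay=denied
1997-12-05 22:02:40 client=192.0.2.17 from=<jane@example.net> to=<c@other.example> relay=ok
"""


def denied_relays_by_client(log_text: str) -> dict:
    """Count denied relay attempts per connecting IP: the figure worth reviewing daily."""
    counts = {}
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        if fields.get("relay") == "denied":
            counts[fields["client"]] = counts.get(fields["client"], 0) + 1
    return counts
```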

At 11:59 PM 12/5/97 -0500, you wrote:
>Could you share the ip address of the spammer with the rest of us so we may
>protect our networks? Sorry I can't help with Post Office as we quit using
>it a while back. If you can pass along the Spammers' IP it would be much
>appreciated.
>
>Kurt A. Butzin, DDS
>President
>Molarnet Technologies, Inc. (An Internet Solutions Provider)
>kurt@molar.net
>http://www.molar.net
>kurt@butzin.com
>http://www.butzin.com
>
>-----Original Message-----
>From: John D. Kerr <john.kerr@peel.com>
>To: NTISP@emerald.iea.com <NTISP@emerald.iea.com>
>Date: Friday, December 05, 1997 2:37 PM
>
>
>>Email Relaying Restriction
>>
>>Over the past few days, our systems have been used as a relay host for
>>subscribers of other services (in the most recent case - CompuServe) to
>>forward out hundreds of Spam messages. This action has put a tremendous
>>load on the servers, and generated hundreds of failed attempt messages to
>>the administrator (me!).
>>
>>We are running the latest release of Post.Office (v3.1.2) and it offers
>>features to block/eliminate this type of activity (at least they claim this
>>in their adverts). I have reviewed the options available, and there are
>>many - but I have not quite figured out the best solution for our setup.
>>
>>What I think is the best solution, which I think would solve my problem is
>>as follows:
>>- Allow mail from ANY outside domains to flow freely into domains hosted on
>>our mail server. This would mean blocking any mail not for local domains.
>>- Allow mail from ANY IP addresses on my local domain to flow out freely.
>>
>>This sounds like a simple solution to me, but I cannot figure out how (or
>>even if this is possible) to do with Post.Office. Has anyone any experience
>>in this type of configuration with Post.Office?
>>
>>My second question, also around Post.Office, is whether I can have all
>>messages which go to the Mail Administrator (error messages) go into a NUL
>>device?? I really don't want to have to look at all the error messages on
>>the Mail Administrator account daily, nor do I want to be forced to clear
>>out messages from the "Deferred Mail", "Handle Error Messages" system
>>administrator option.
>>
>>Any advice on these situations would be appreciated.
>>
>>John
>>john.kerr@peel.com
>>
>> ----------------------------------------------------------
>> NTISP Mailing List listserver@emerald.iea.com