Security Incidents mailing list archives
Re: Spoofed SPAM relayed using my email address.
From: Dennis DeDonatis <dennisd () PARAGONTECH COM>
Date: Wed, 23 Aug 2000 08:56:51 -0400
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 22 Aug 2000, Dennis DeDonatis wrote:
>
> > I received the following 3 bounces today. I did not generate the original emails. Have any of you on the incidents email list had this happen?
>
> No, but one of my users once got 10000+ bounces from spam mails sent out with his email address. I guess you are lucky.

Yow! I do feel lucky. :) :)

> > I haven't had any flaming mail come to me from the people that were spammed, as I had expected, which is a good thing, I guess. :)
>
> Most sensible postmasters (including me ;-) know that the From: address means nothing and is likely to belong to an innocent bystander. I always flame...ehm...complain directly to the poorly secured mail server's admin.

I expected the end users that received the junk mail to send me hate mail, but I haven't gotten any, yet. :)

> > Is there ANY way to protect against this other than not using my email address anywhere? :)
>
> In case you have any influence on your site's email policy try to convince the postmaster to use MAPS RBL, RSS, DUL and maybe ORBS markings in the mail headers of received mail. By doing this you can filter emails by using procmail. See http://www.orbs.org/usingindex.html for more information.

Our NT SMTP mail software, sadly, doesn't support any of those. :( I've looked at them many times. :) I'm considering pushing all of our mail through a Linux computer so I can filter it using one of those.

> I also recommend to have disk quotas on _any_ accounts on a system. Just in case.

We have quotas of 4MB for the entire mailbox and a single email can only be 2MB, if I remember correctly. I try to keep 'em small to keep the attachments down. Although we have a "business use only" signed letter from each employee, their friends REALLY want to email them trojans and viruses. I was auto-magically paged by our mail-server 49 times last night because one user was getting emailed chain letters with the KAK worm in them.

> > I can't think of anyone I would have annoyed enough to do this on purpose.
>
> Most people do but such incidents happen anyhow.
>
> > Thanks for any help you can give. :)
>
> My pleasure.
>
> Cheers, Rene
>
> P.S.: Did you send complaints to the postmasters?

The site that it originated at (in Korea) bounces all my emails to abuse, root and postmaster for the domain name and directly to the machine that looks like it relayed the email in question. They don't have any MX records at all. :( The domain contact's mail bounces, too. I've emailed the technical and administrative contacts for the .kr domain, but I don't expect much, there. I would call them, but I don't know Korean. :)

Thanks again for the response.

Dennis

> ---
> GNU/Linux Manages! - Support, Administration, Consulting
> RP3191-RIPE - Networking, Programming, Installation
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE5ow7VeMu5lRpXJ7kRAnDMAKCvpXcXVtN/l8ATFHf/WrJh0rQSRACeNuNC
> x0UGXt5K0kuyjD78HUqwZug=
> =fLn9
> -----END PGP SIGNATURE-----
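
The header-marking approach suggested in the message above, as an added example that is not part of the original post or of any software named in it: the receiving server derives a blocklist query name from the connecting IP, records the result in a header, and a later filter files mail on that header alone. The zone names, the `X-DNSBL-Warning` header name, the folder names and the sample message are assumptions constructed for illustration; the lookup is passed in as `is_listed` so the example runs offline (in production it would be a DNS A-record query on the generated name).

```python
import email
import ipaddress
import re
from email import policy

ZONES = ("rbl.example", "dul.example")   # placeholder zones, not real lists
MARK = "X-DNSBL-Warning"                 # assumed header name
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the From: line is forged, the top Received: line is ours.
SAMPLE = """\
Received: from open.relay.example ([192.0.2.25]) by mx.ours.example
Received: from fake.host.example ([203.0.113.9]) by open.relay.example
From: innocent.bystander@victim.example
X-DNSBL-Warning: 192.0.2.25 is clean (forged by the sender)
Subject: constructed sample

body
"""

def dnsbl_name(ip, zone):
    """192.0.2.25 in zone rbl.example -> 25.2.0.192.rbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def connecting_ip(msg):
    """IP from the topmost Received: header, the one our own server wrote."""
    received = msg.get_all("Received") or []
    found = BRACKETED_IP.search(received[0]) if received else None
    try:
        return str(ipaddress.IPv4Address(found.group(1))) if found else None
    except ValueError:
        return None

def tag_message(raw, is_listed, zones=ZONES):
    """Marking step: is_listed(name) -> bool stands in for the DNS lookup."""
    msg = email.message_from_string(raw, policy=policy.default)
    del msg[MARK]                        # never trust a marking the sender supplied
    ip = connecting_ip(msg)
    hits = [z for z in zones if ip and is_listed(dnsbl_name(ip, z))]
    if hits:
        msg[MARK] = f"{ip} listed in {', '.join(hits)}"
    return msg

def folder_for(msg):
    """Filtering step: From: is never consulted, only the marking."""
    return "spam-suspect" if msg[MARK] else "inbox"
```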