Security Incidents mailing list archives

Re: Spoofed SPAM relayed using my email address.


From: Dennis DeDonatis <dennisd () PARAGONTECH COM>
Date: Wed, 23 Aug 2000 08:56:51 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> On Tue, 22 Aug 2000, Dennis DeDonatis wrote:
>
> > I received the following 3 bounces today.  I did not generate the original emails.
> >
> > Have any of you on the incidents email list had this happen?
>
> No, but one of my users once got 10000+ bounces from spam mails sent out with
> his email address. I guess you are lucky.

Yow!  I do feel lucky. :) :)

I haven't had any flaming mail come to me from the people that were spammed,
as I had expected, which is a good thing, I guess. :)

> Most sensible postmasters (including me ;-) know that the From: address means
> nothing and is likely to belong to an innocent bystander. I always
> flame...ehm...complain directly to the poorly secured mail server's admin.

I expected the end users that received the junk mail to send me
hate mail, but I haven't gotten any, yet. :)

> > Is there ANY way to protect against this other than not using my
> > email address anywhere? :)
>
> In case you have any influence on your site's email policy try to convince the
> postmaster of using MAPS RBL, RSS, DUL and maybe ORBS markings in the mail
> headers of received mail. By doing this you can filter emails by using procmail.
>
> See http://www.orbs.org/usingindex.html for more information.

Our NT SMTP mail software, sadly, doesn't support any of those. :(
I've looked at them many times. :)  I'm considering pushing all of
our mail through a Linux computer so I can filter it using one of
those.

> I also recommend having disk quotas on _any_ accounts on a system. Just in
> case.

We have quotas of 4MB for the entire mailbox and a single email
can only be 2MB, if I remember correctly.  I try to keep 'em small to
keep the attachments down.  Although we have a "business use
only" signed letter from each employee, their friends REALLY want
to email them trojans and viruses.  I was auto-magically paged by
our mail-server 49 times last night because one user was getting
emailed chain letters with the KAK worm in them.

> > I can't think of anyone I would have annoyed enough to do this on purpose.
>
> Most people do but such incidents happen anyhow.
>
> > Thanks for any help you can give. :)
>
> My pleasure.
>
> Cheers,
> Rene
>
> P.S.: Did you send complaints to the postmasters?

The site that it originated at (in Korea) bounces all my emails to
abuse, root and postmaster for the domain name and directly to
the machine that looks like it relayed the email in question.  They
don't have any MX records at all. :(  The domain contact's mail
bounces, too.  I've emailed the technical and administrative
contacts for the .kr domain, but I don't expect much, there.

I would call them, but I don't know Korean. :)

Thanks again for the response.

Dennis

> ---
> GNU/Linux Manages! - Support, Administration, Consulting
>  RP3191-RIPE       - Networking, Programming, Installation

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5ow7VeMu5lRpXJ7kRAnDMAKCvpXcXVtN/l8ATFHf/WrJh0rQSRACeNuNC
x0UGXt5K0kuyjD78HUqwZug=
=fLn9
-----END PGP SIGNATURE-----
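Two practical points come out of the exchange above: the From: address of forged spam belongs to a bystander and tells a postmaster nothing, so a complaint has to go to the relay identified from the Received: headers; and if the receiving MTA stamps blocklist (RBL/DUL/ORBS) markings into the headers, procmail can file on them. The following script is an added example written for this archive page, not code from either poster. It assumes an MTA that adds an `X-RBL-Warning:` header (the header name is an assumption; real MTAs differ), and the hostnames, addresses and both sample messages are constructed for the example.

```python
"""Triage spam that forged someone else's From: address.

Added example for this thread, not code from the list or its posters.
The X-RBL-Warning header name, hostnames and addresses are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional

# Constructed sample: spam relayed through an open relay, as received by
# example.net.  The From: is a forged bystander address and must be ignored.
SAMPLE_SPAM = (
    "Received: from relay.example.kr (relay.example.kr [198.51.100.7])\n"
    "\tby mx.example.net (8.9.3/8.9.3) with ESMTP id AAA11111\n"
    "\tfor <victim@example.net>; Tue, 22 Aug 2000 09:58:41 -0400\n"
    "Received: from unknown (HELO dialup) ([203.0.113.44])\n"
    "\tby relay.example.kr with SMTP; Tue, 22 Aug 2000 22:50:03 +0900\n"
    "X-RBL-Warning: 198.51.100.7 is listed by rbl.example (open relay)\n"
    "From: bystander@example.com\n"
    "To: victim@example.net\n"
    "Subject: MAKE MONEY FAST\n"
    "\n"
    "Earn $$$ from home!\n"
)

# Constructed sample: ordinary mail, no marking header added by the MTA.
SAMPLE_CLEAN = (
    "Received: from mail.example.org (mail.example.org [192.0.2.25])\n"
    "\tby mx.example.net (8.9.3/8.9.3) with ESMTP id BBB22222\n"
    "\tfor <victim@example.net>; Wed, 23 Aug 2000 08:00:00 -0400\n"
    "From: colleague@example.org\n"
    "To: victim@example.net\n"
    "Subject: meeting\n"
    "\n"
    "See you at ten.\n"
)

# "from <host> <anything> by <host>"; DOTALL because the header is folded.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?P<rest>.*?)\bby\s+(?P<by>\S+)", re.DOTALL
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def load_sample() -> Message:
    return message_from_string(SAMPLE_SPAM)


def load_clean() -> Message:
    return message_from_string(SAMPLE_CLEAN)


def in_domain(host: str, suffix: str) -> bool:
    host = host.lower().rstrip(".;")
    return host == suffix or host.endswith("." + suffix)


def parse_received(value: str) -> Optional[Dict[str, str]]:
    """Claimed sender host, its IP, and the receiving host from one Received: line."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("rest"))
    return {
        "from": m.group("from"),
        "ip": ip.group(0) if ip else "",
        "by": m.group("by").rstrip(";"),
    }


def external_relay(msg: Message, trusted_suffix: str) -> Optional[Dict[str, str]]:
    """The host that handed the message to one of our own servers.

    Received: headers are most-recent-first.  Only the header written *by*
    our own host is trustworthy; every line below it was written by the
    relay (or the spammer) and may be fabricated, so the complaint goes to
    this hop, never to the lower hops and never to the From: address.
    """
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and in_domain(hop["by"], trusted_suffix) and not in_domain(hop["from"], trusted_suffix):
            return hop
    return None


def rbl_markings(msg: Message) -> List[str]:
    """Markings a DNSBL-aware MTA added at SMTP time (header name assumed)."""
    return [v.strip() for v in msg.get_all("X-RBL-Warning", [])]


def filter_verdict(msg: Message) -> str:
    """Same decision the procmail recipe  :0:  /  * ^X-RBL-Warning:  /  spam  makes."""
    return "spam" if rbl_markings(msg) else "inbox"


def complaint_addresses(relay_host: str) -> List[str]:
    """abuse@/postmaster@ for the relay host and its parent domain."""
    host = relay_host.lower().rstrip(".")
    labels = host.split(".")
    targets = [host] + ([".".join(labels[1:])] if len(labels) > 2 else [])
    return [f"{user}@{t}" for t in targets for user in ("abuse", "postmaster")]


if __name__ == "__main__":
    for name, msg in (("spam", load_sample()), ("clean", load_clean())):
        hop = external_relay(msg, "example.net")
        print(name, "verdict:", filter_verdict(msg), "| From: (ignored)", msg["From"])
        if hop:
            print("  relay:", hop["from"], hop["ip"], "-> complain to", complaint_addresses(hop["from"]))
```

Note that the dial-up address in the second Received: line of the spam sample was written by the untrusted relay itself, which is why the script stops at the first hop our own server recorded. The `X-RBL-Warning:` check is the header-marking scheme Rene describes, expressed in Python so the decision can be tested; on a Linux box in front of the NT server the same test is the one-line procmail condition quoted in `filter_verdict`.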
