
how to stop this spam
xmlxp 12-25-2004, 01:32 PM
Lately my box started receiving a lot of emails from addresses that look like this:
???? [nvkuoj@yahoo.com.tw]
??? [ijogcc@ms51.hinet.net]
??? [rbjfgo@ms51.hinet.net]
??? [sdugdo@ms51.hinet.net]
??? [fqylmr@ms24.hinet.net]
???? [xetfyl@seed.net.tw]
??? [evnxkw@cycu.edu.tw]
??????? [kusog6@citymail.com.tw]
?? [bsvlpy@dickson.com.tw]
2005????????? [kylqri@pchome.com.tw]
??????OL? [kusog2@citymail.com.tw]
and a lot more, all from Taiwan I guess... How can I stop it for good?
bitserve 12-25-2004, 02:04 PM
Most MTAs have a way to refuse email from certain email addresses or entire domains. However, usually the sender's email address in a spam message is fake or a throwaway address, and blocking spam based on from address is not very effective or accurate. You'll need more information than the email addresses to start an effective means at blocking those spam messages.
Burhan 12-26-2004, 08:34 AM
Originally posted by bitserve
Most MTAs have a way to refuse email from certain email addresses or entire domains. However, usually the sender's email address in a spam message is fake or a throwaway address, and blocking spam based on from address is not very effective or accurate. You'll need more information than the email addresses to start an effective means at blocking those spam messages.
What all that means is ... post the raw headers of the message.
Mxhub 12-26-2004, 09:40 AM
They are doing a dictionary attack on your server.
If you are running Exim, you can configure it using the following method.
http://www.webumake.com/free/eximdeny.htm
Babushka99 12-27-2004, 02:31 PM
Tarpitting will help a lot as well as turning on Reverse DNS and enabling access to DNSBL.
xmlxp 12-27-2004, 02:58 PM
Originally posted by fyrestrtr
What all that means is ... post the raw headers of the message.
one message header :
Return-path: <servce@taiwan.com>
Envelope-to: webmaster@mysite.com
Delivery-date: Mon, 27 Dec 2004 18:11:29 +0300
Received: from [218.163.199.47] (helo=mail.com)
    by host.mysite.com with smtp (Exim 4.43)
    id 1CiwWs-0004FQ-0M
    for webmaster@mysite.com; Mon, 27 Dec 2004 18:11:29 +0300
Reply-To: <servce@taiwan.com>
From: "·|_û¿W¨É" <servce@taiwan.com>
Subject: Innostream i2100_ì¼t¥þ°t¥u_n7,900 //
Date: Mon, 27 Dec 2004 23:14:35 +0800
MIME-Version: 1.0
Content-Type: text/html;
    charset="big5"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
another message header :
Return-path: <kusog6@citymail.com.tw>
Envelope-to: webmaster@mysite.com
Delivery-date: Mon, 27 Dec 2004 21:17:12 +0300
Received: from [222.250.24.65] (helo=your-cb91e70a1d)
    by host.mysite.com with smtp (Exim 4.43)
    id 1CizQX-0005dR-Ay
    for webmaster@mysite.com; Mon, 27 Dec 2004 21:17:12 +0300
Received: from tpts5
    by tcts1.seed.net.tw with SMTP id 9hH8ioe5AdO4Foo1e2Qcwz9SEKu;
    Tue, 28 Dec 2004 02:17:00 +0800
Message-ID: <O7jzINy2r@tpts8.seed.net.tw>
From: ¡i«z¬~¾Ç¥Í©f¡j<kusog6@citymail.com.tw>
To: °ê¤¤£°¦P¾Ç
Subject: ¡»100%®ÄªG«OÃÒ-±aµ¹§A³±²ô¼Wªø¡y 3 _^¦T¡zªº©_ÂÝ!¡» ¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@ ¡@¡@¡@GUY97548VY2B9YB892V3Y8NNPPNEOEWU¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@¡@
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_fkUun1ss5glpzaQVfjPQE"
X-Mailer: Taev6eBPAoG5hyQ5is5cD6JHx
X-Priority: 3
X-MSMail-Priority: Normal
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
and another one :
Return-path: <rqnevm@ms51.hinet.net>
Envelope-to: webmaster@mysite.com
Delivery-date: Fri, 24 Dec 2004 10:29:36 +0300
Received: from [218.163.196.65] (helo=mychat-eaf689f1)
    by host.mysite.com with smtp (Exim 4.43)
    id 1ChjtD-0004I1-BJ
    for webmaster@mysite.com; Fri, 24 Dec 2004 10:29:35 +0300
Reply-To: rqnevm@ms51.hinet.net
From: ¤ý«a°·<rqnevm@ms51.hinet.net>
Subject: §A·Q¤£·Q¬Ý¤E±ÚÄåªá²½©O!!! 1 CCMNCXQSWN
Date: Fri, 24 Dec 2004 15:30:15 +0800
MIME-Version: 1.0
Content-Type: text/html;
    charset="big5"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
bitserve 12-27-2004, 03:12 PM
Two of those are from this net block:
inetnum: 218.160.0.0 - 218.175.255.255
netname: HINET
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
country: TW
The other is from:
inetnum: 222.250.0.0 - 222.251.127.255
netname: ETWEBS-TW
descr: ETWebs Taiwan Co. Ltd.
descr: Broadband Internet Service Provider
descr: Taiwan Cable Modem Service Provider
descr: Taiwan CATV operator
country: TW
You could probably firewall these, but you might instead just want to find an anti-spam solution. I recommend spamstopshere.com.
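The lookup done by hand in the post above, as an added example that is not part of the thread: it reads the topmost Received header (the only one written by the receiving server, so the only one a sender cannot forge), extracts the connecting IP and HELO name, and matches the IP against the two whois ranges quoted above. The function names are hypothetical, and the regular expression assumes the exact "from [IP] (helo=NAME)" form shown in the posted headers.

```python
import ipaddress
import re

# Ranges copied from the whois output quoted in the post above.
WHOIS_RANGES = {
    "HINET": ("218.160.0.0", "218.175.255.255"),
    "ETWEBS-TW": ("222.250.0.0", "222.251.127.255"),
}
# A whois range is not always a single CIDR block, so expand each into a list.
NETBLOCKS = {name: list(ipaddress.summarize_address_range(*map(ipaddress.ip_address, rng)))
             for name, rng in WHOIS_RANGES.items()}
# Assumption: only the form seen in the posted headers is handled,
# "Received: from [IP] (helo=NAME)", logged when no host name is recorded.
PEER_RE = re.compile(r"Received: from \[([0-9.]+)\] \(helo=([^)]*)\)")

def first_hop(raw_headers):
    """(ip, helo) from the topmost Received line, the one our own MTA wrote."""
    for line in raw_headers.splitlines():
        if line.startswith("Received:"):
            m = PEER_RE.match(line)
            return (m.group(1), m.group(2)) if m else None
    return None

def classify(raw_headers):
    """Connecting IP, HELO name, matching net block and whether HELO looks like an FQDN."""
    hop = first_hop(raw_headers)
    if hop is None:
        return None
    ip, helo = hop
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # digits and dots that are not a valid address
        return None
    block = next((name for name, nets in NETBLOCKS.items()
                  if any(addr in net for net in nets)), None)
    return {"ip": ip, "helo": helo, "netblock": block,
            "helo_is_fqdn": "." in helo.strip(".")}

# Received headers of the three messages posted earlier in this thread (trimmed).
SAMPLES = [
    "Received: from [218.163.199.47] (helo=mail.com)\n    by host.mysite.com with smtp (Exim 4.43)",
    "Received: from [222.250.24.65] (helo=your-cb91e70a1d)\n    by host.mysite.com with smtp (Exim 4.43)\nReceived: from tpts5\n    by tcts1.seed.net.tw with SMTP",
    "Received: from [218.163.196.65] (helo=mychat-eaf689f1)\n    by host.mysite.com with smtp (Exim 4.43)",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

Two of the three samples announce a HELO name with no dot in it, which a real mail server would not do; that signal is independent of the sender address and of the source range.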
serversphere 12-27-2004, 03:30 PM
Since you're using Exim, look into the Exiscan patch http://duncanthrax.net/exiscan-acl/ and then you can use SpamAssassin ACLs. Or you can stop mailservers from those IP ranges from connecting to your server altogether using a firewall. Hope that helps, GL!
osphere 12-27-2004, 10:05 PM
Yeah, I use Exiscan & SpamAssassin in one box and it really works for me.
bitserve 12-28-2004, 01:01 AM
SpamAssassin's accuracy and weighting system is much less effective at actually ensuring that you get the email you want and it wastes your time because you have to review spam for false positives.
serversphere 12-28-2004, 10:20 AM
But SA is free as opposed to SSH, which starts at $20/mo. So it's a matter of volume vs cost. If you are overwhelmed by the spam, check out SSH as bitserve suggests. If you are merely annoyed, try SA+Exiscan. For me, firewalling known spammers and using Exiscan+SA to toss out blatant spam has made all the difference.
bitserve 12-28-2004, 03:17 PM
I hate that people started calling spamstopshere SSH, cause well, that acronym is already taken. :)
Anyway, spamstopshere is way easy to implement, especially for noobs, and they have a 30 day free trial if you just want to implement it today while you figure out how to install spamassassin. Again, good for noobs.