Thread: big problem with SPAM
-
11-01-2005, 07:07 PM #1 Newbie
Join Date: Nov 2005; Posts: 19
big problem with SPAM
Hello,
I do a tail -f /var/log/exim_mainlog and I get:
2005-11-01 19:38:52 H=(n4a.bulk.scd.yahoo.com) [66.94.237.38] F=<sentto-4012611-280130-1130882778-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
2005-11-01 19:38:52 H=(n8.bulk.dcn.yahoo.com) [216.155.201.61] F=<sentto-4166736-229188-1130879492-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
2005-11-01 19:38:52 H=(n2a.bulk.scd.yahoo.com) [66.94.237.36] F=<sentto-341162-45588-1130879619-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
Is there any way to block gpatxi@siteinmyserver.com going in / out of my server?
I searched on Google for gpatxi, and he is a Spanish man who lives sending spam.
And the email account "gpatxi@siteinmyserver.com" doesn't exist.
Help pleaseeeeee!
How can I stop it?
Thank you very much!
edit:
I created an email account called gpatxi@siteinmyserver.com to receive the emails...
and they are ALL emails from list accounts created at Yahoo Groups. Subjects of some of the emails:
[A1 Home Biz] Earn high daily returns on your investme...
[1_more_safelist] About Get-Paid-To-Read-Email sca...
[1-list-for-all] Easiest money I have ever made - 30K ...
[1-to-1] Easiest money I have ever made - 30K in your ...
[1Business_Opp_Gold] Easiest money I have ever made - ...
[123Work_at_home] Easiest money I have ever made - 30K ...
[10DaysDouble] Easiest money I have ever made - 30K in ...
[100percentFREEMoney] Easiest money I have ever made - ...
[3MoonsDiscussion] Making money has NEVER been so ...
[0-newbies] GUARANTEED UNBELIEVABLE MONEY LOOPHOLE ...
[Ads_Unlimited] Build A Lifetime Residual Income!
[0-postfreeadz] Who is this Internet Renegade?
They are arriving at about 120 or 200 per minute...
Last edited by Gauch0r; 11-01-2005 at 07:10 PM. Reason: I do a test
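Added example, not part of the original post: a small Python tally of Exim `rejected RCPT` lines in the format shown above, reporting per recipient how many rejections arrived, from how many distinct source IPs, and the peak rate per minute, which is what decides between an IP block and a recipient-level rejection. The sample log is constructed with documentation addresses and domains, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches Exim main-log rejection lines of the form shown in the post:
#   <date> <time> H=<helo/host> [<ip>] F=<sender> rejected RCPT <rcpt>: <reason>
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>.*?) \[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r".*? F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

# Constructed sample (not real traffic): RFC 5737 addresses, example domains.
SAMPLE_LOG = """\
2005-11-01 19:38:52 H=(n4a.bulk.example.net) [192.0.2.38] F=<sentto-1-2-3-nouser=example.com@returns.example.net> rejected RCPT <nouser@example.com>: Unrouteable address
2005-11-01 19:38:52 H=(n8.bulk.example.net) [198.51.100.61] F=<sentto-4-5-6-nouser=example.com@returns.example.net> rejected RCPT <nouser@example.com>: Unrouteable address
2005-11-01 19:38:53 H=(n2a.bulk.example.net) [192.0.2.36] F=<sentto-7-8-9-nouser=example.com@returns.example.net> rejected RCPT <nouser@example.com>: Unrouteable address
2005-11-01 19:39:10 H=(n4a.bulk.example.net) [192.0.2.38] F=<sentto-1-2-4-nouser=example.com@returns.example.net> rejected RCPT <nouser@example.com>: Unrouteable address
2005-11-01 19:39:11 H=(mx.example.org) [203.0.113.5] F=<bob@example.org> rejected RCPT <other@example.com>: Unrouteable address
2005-11-01 19:39:12 1EX0aB-0001cD-Ef <= alice@example.org H=(mail.example.org) [203.0.113.9] P=esmtp S=1834
"""

def summarize_rejects(lines):
    """Return {recipient: {count, distinct_ips, peak_per_minute}} for rejected RCPTs."""
    stats = defaultdict(lambda: {"count": 0, "ips": set(), "minutes": defaultdict(int)})
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # deliveries, queue runs, and other non-rejection lines
        s = stats[m["rcpt"].lower()]
        s["count"] += 1
        s["ips"].add(m["ip"])
        s["minutes"][m["ts"][:16]] += 1  # bucket by YYYY-MM-DD HH:MM
    return {
        rcpt: {"count": s["count"], "distinct_ips": len(s["ips"]),
               "peak_per_minute": max(s["minutes"].values())}
        for rcpt, s in stats.items()
    }

def top_targets(summary, n=5):
    """Recipients with the most rejections first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)[:n]

if __name__ == "__main__":
    for rcpt, s in top_targets(summarize_rejects(SAMPLE_LOG.splitlines())):
        print(f"{rcpt}: {s['count']} rejects, {s['distinct_ips']} source IPs, "
              f"peak {s['peak_per_minute']}/min")
```

To run it against a real log, pass `open("/var/log/exim_mainlog")` to `summarize_rejects` instead of the sample.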
-
11-01-2005, 07:16 PM #2 Web Hosting Master
Join Date: Jul 2003; Location: Nothing but, net; Posts: 2,064
Set the domain siteinmyserver.com as default :fail: and delete the address you've created.
That should stop those emails from Yahoo! Groups quickly since the emails will "bounce".
-
11-01-2005, 07:19 PM #3
If you fail the default address in cPanel, all mail to the domain will get rejected unless you create forwards for them. Create forwards in the format of:
username@servername.domain.com ...and not username@domain.com, and they will still get delivered to the default mailbox.
Last edited by bear; 11-01-2005 at 07:20 PM. Reason: removing auto links
Your one stop shop for decentralization
-
11-01-2005, 07:27 PM #4 Newbie
Join Date: Nov 2005; Posts: 19
OK, that's OK..
but the mails are still coming and overloading the server
7444 mailnull 16 0 3600 3600 2540 S 14.1 0.3 0:00 0 exim
7447 mailnull 16 0 3600 3600 2540 S 13.5 0.3 0:00 0 exim
6690 mailnull 16 0 3600 3600 2540 S 7.3 0.3 0:01 0 exim
6783 mailnull 16 0 3600 3600 2540 S 7.3 0.3 0:01 0 exim
7360 mailnull 15 0 3592 3592 2540 S 7.3 0.3 0:00 0 exim
7454 mailnull 17 0 3592 3592 2540 S 7.3 0.3 0:00 0 exim
7261 mailnull 15 0 3604 3604 2540 S 6.7 0.3 0:01 0 exim
-
11-01-2005, 08:15 PM #5
:fail: will just accept the headers to see if it's for a legitimate address and then reject based on recipient. How can it possibly reject messages it hasn't seen at all... unless it's all coming from one IP address, and then you can block that from connecting to the box at all.
-
11-01-2005, 08:44 PM #6 Retired Moderator
Join Date: Mar 2004; Location: Singapore; Posts: 6,990
Do you know where they are from? Get the IP and block them using iptables.
-
11-02-2005, 12:05 AM #7 Junior Guru Wannabe
Join Date: Oct 2005; Location: Quebec; Posts: 60
You could set up RBL checks with Exim; this is quite effective for me.
-
11-02-2005, 03:07 AM #8 Web Hosting Master
Join Date: Jul 2002; Location: Malaysia; Posts: 702
Probably another implementation is to configure dictionary attack on your Exim.
-
11-02-2005, 07:40 AM #9
The problem with RBL or IP blocks is that these are all coming from Yahoo addresses. Not likely listed in RBL, and blocking all *yahoo is kind of extreme. I should think that the fail notices may eventually stop the issue, since that typically returns a "no account" type message.
Although it's unlikely they will act on it, perhaps contact Yahoo and discuss the issue? Let them know that your domain is being used on their groups, and it's causing abuse of your mail server. Provide proof, and maybe there's something they can (and will) do.
-
11-02-2005, 08:02 AM #10 Web Hosting Evangelist
Join Date: Sep 2005; Location: Essex, England; Posts: 548
For now I would :fail: that account; that should cut down on resource use significantly. Given time, the attacks ought to drop off.
Of course, if they're from Yahoo Groups you could use an ACL for now, if it's too extreme even after failing them.