big problem with SPAM

  1. #1

    Hello,

    I do a tail -f /var/log/exim_mainlog and I get:

    2005-11-01 19:38:52 H=(n4a.bulk.scd.yahoo.com) [66.94.237.38] F=<sentto-4012611-280130-1130882778-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
    2005-11-01 19:38:52 H=(n8.bulk.dcn.yahoo.com) [216.155.201.61] F=<sentto-4166736-229188-1130879492-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
    2005-11-01 19:38:52 H=(n2a.bulk.scd.yahoo.com) [66.94.237.36] F=<sentto-341162-45588-1130879619-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
    a lot of emails, and they don't stop! They keep coming and overloading my server...

    Is there any way to block gpatxi@siteinmyserver.com in / out of my server?

    I searched Google for gpatxi and he is a Spanish man who lives by sending spam.

    And the email account "gpatxi@siteinmyserver.com" doesn't exist.

    Help pleaseeeeee!

    How can I stop it?

    Thank you very much!

    edit:

    I created an email account called gpatxi@siteinmyserver.com to receive the emails...
    and they are ALL emails from list accounts created at Yahoo Groups; subjects of some of the emails:

    [A1 Home Biz] Earn high daily returns on your investme...
    [1_more_safelist] About Get-Paid-To-Read-Email sca...
    [1-list-for-all] Easiest money I have ever made - 30K ...
    [1-to-1] Easiest money I have ever made - 30K in your ...
    [1Business_Opp_Gold] Easiest money I have ever made - ...
    [123Work_at_home] Easiest money I have ever made - 30K ...
    [10DaysDouble] Easiest money I have ever made - 30K in ...
    [100percentFREEMoney] Easiest money I have ever made - ...
    [3MoonsDiscussion] Making money has NEVER been so ...
    [0-newbies] GUARANTEED UNBELIEVABLE MONEY LOOPHOLE ...
    [Ads_Unlimited] Build A Lifetime Residual Income!
    [0-postfreeadz] Who is this Internet Renegade?

    They are arriving at about 120 to 200 per minute...

  2. #2
     Join Date: Jul 2003 | Location: Nothing but, net | Posts: 2,062
    Set the domain siteinmyserver.com as default :fail: and delete the address you've created.

    That should stop those emails from Yahoo! Groups quickly since the emails will "bounce".

  3. #3
     Join Date: Oct 2002 | Location: Middle Dearth | Posts: 21,309
    If you fail the default address in cPanel, all mail to the domain will get rejected unless you create forwards for them. Create forwards in the format of:
    username@servername.domain.com...and not username@domain.com, and they will still get delivered to the default mailbox.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  4. #4
    OK, that's ok..

    but the mails are still coming and overloading the server

    7444 mailnull 16 0 3600 3600 2540 S 14.1 0.3 0:00 0 exim
    7447 mailnull 16 0 3600 3600 2540 S 13.5 0.3 0:00 0 exim
    6690 mailnull 16 0 3600 3600 2540 S 7.3 0.3 0:01 0 exim
    6783 mailnull 16 0 3600 3600 2540 S 7.3 0.3 0:01 0 exim
    7360 mailnull 15 0 3592 3592 2540 S 7.3 0.3 0:00 0 exim
    7454 mailnull 17 0 3592 3592 2540 S 7.3 0.3 0:00 0 exim
    7261 mailnull 15 0 3604 3604 2540 S 6.7 0.3 0:01 0 exim
    Is there any way to STOP it before exim processes the email?

  5. #5
     Join Date: Oct 2002 | Location: Middle Dearth | Posts: 21,309
    :fail: will just accept the headers to see if it's for a legitimate address and then reject based on recipient. How can it possibly reject messages it hasn't seen at all...unless it's all coming from one IP address, and then you can block that from connecting to the box at all.

  6. #6
     Join Date: Mar 2004 | Location: Singapore | Posts: 6,967
    Do you know where they are from? Get the IP and block them using Iptables.
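Before reaching for iptables, it is worth checking post #5's condition: is this all one IP, or is it spread over many hosts? The script below is an added example, not code from the thread, that parses the "rejected RCPT" lines of exim_mainlog, counts them per connecting IP, per envelope-sender domain and per recipient, and emits port-25-only iptables rules for any host over a threshold. The first three sample log lines are the ones quoted in post #1; the remaining lines, the host 192.0.2.5 with HELO "spammer", the address bob@example.org and the "Completed" line, are constructed for this example. Against the live file, call summarize(open("/var/log/exim_mainlog").read()).

```python
"""Summarise Exim RCPT rejections from exim_mainlog and propose iptables rules."""
import re
from collections import Counter

# The first three lines are the ones quoted in post #1; the rest are
# constructed for this example (192.0.2.5, bob@example.org and the
# Completed line are made up).
SAMPLE_LOG = """\
2005-11-01 19:38:52 H=(n4a.bulk.scd.yahoo.com) [66.94.237.38] F=<sentto-4012611-280130-1130882778-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
2005-11-01 19:38:52 H=(n8.bulk.dcn.yahoo.com) [216.155.201.61] F=<sentto-4166736-229188-1130879492-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
2005-11-01 19:38:52 H=(n2a.bulk.scd.yahoo.com) [66.94.237.36] F=<sentto-341162-45588-1130879619-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
2005-11-01 19:38:53 H=(n4a.bulk.scd.yahoo.com) [66.94.237.38] F=<sentto-4012611-280131-1130882779-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
2005-11-01 19:38:54 H=(n4a.bulk.scd.yahoo.com) [66.94.237.38] F=<sentto-4012611-280132-1130882780-gpatxi=siteinmyserver.com@returns.groups.yahoo.com> rejected RCPT <gpatxi@siteinmyserver.com>: Unrouteable address
2005-11-01 19:38:54 H=mail.example.net (spammer) [192.0.2.5] F=<bob@example.org> rejected RCPT <nobody@siteinmyserver.com>: Unrouteable address
2005-11-01 19:38:55 1EXAMP-000001-AB Completed
"""

# Exim writes H=<rdns-name> (<helo>) [<ip>]; the name is absent when no
# reverse lookup was done (as in the quoted lines) and the HELO part may be
# absent too. F= is the envelope sender, which may be missing.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
    r".*?(?: F=<(?P<sender>[^>]*)>)?"
    r" rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)


def parse_line(line):
    """Return the fields of a 'rejected RCPT' line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def sender_domain(address):
    """Domain part of an envelope sender; '' for the null sender <>."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def summarize(log_text):
    """Count rejections per connecting IP, per sender domain and per recipient."""
    by_ip, by_sender_domain, by_rcpt = Counter(), Counter(), Counter()
    other_lines = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            other_lines += 1
            continue
        by_ip[rec["ip"]] += 1
        by_sender_domain[sender_domain(rec["sender"] or "")] += 1
        by_rcpt[rec["rcpt"].lower()] += 1
    return {"by_ip": by_ip, "by_sender_domain": by_sender_domain,
            "by_rcpt": by_rcpt, "total": sum(by_ip.values()),
            "other_lines": other_lines}


def single_source(summary, share=0.9):
    """Post #5's test: the IP to block if one host accounts for at least
    `share` of the rejections, else None (a distributed source)."""
    if not summary["total"]:
        return None
    ip, hits = summary["by_ip"].most_common(1)[0]
    return ip if hits / summary["total"] >= share else None


def iptables_rules(summary, min_hits):
    """iptables commands blocking SMTP only (tcp/25) from hosts with at
    least `min_hits` rejections, busiest first."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP"
        for ip, hits in summary["by_ip"].most_common()
        if hits >= min_hits
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} rejections, {s['other_lines']} other lines")
    for ip, n in s["by_ip"].most_common():
        print(f"{n:6d}  {ip}")
    print("sender domains:", dict(s["by_sender_domain"]))
    print("single source:", single_source(s))
    for rule in iptables_rules(s, min_hits=3):
        print(rule)
```

On the sample, the busiest host has half the rejections, so single_source() returns None: that is the distributed case post #9 describes, where blocking one or two addresses buys nothing and the fix has to be at the RCPT stage or with Yahoo. The generated rule is restricted to tcp/25 so a mistaken block does not cut off other traffic from the same host, and -I INPUT puts it ahead of existing accept rules; rules added this way do not survive a reboot unless saved.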

  7. #7
     Join Date: Oct 2005 | Location: Quebec | Posts: 60
    You could setup rbl checks with exim, this is quite effective for me.

  8. #8
     Join Date: Jul 2002 | Location: Malaysia | Posts: 698
    Probably another option is to configure dictionary attack protection in your exim.

  9. #9
     Join Date: Oct 2002 | Location: Middle Dearth | Posts: 21,309
    The problem with RBL or IP blocks is that these are all coming from Yahoo addresses. Not likely listed in RBL, and blocking all *yahoo is kind of extreme. I should think that the fail notices may eventually stop the issue, since that typically returns a "no account" type message.

    Although it's unlikely they will act on it, perhaps contacting Yahoo and discuss the issue? Let them know that your domain is being used on their groups, and it's causing abuse of your mail server. Provide proof, and maybe there's something they can (and will) do.

  10. #10
     Join Date: Sep 2005 | Location: Essex, England | Posts: 548
    For now I would :fail: that account, that should cut down on resource use significantly. Given time, the attacks ought to drop off.
    Of course, if they're from yahoo groups you could use an ACL for now, if it's too extreme even after failing them.
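Post #10's "use an ACL" suggestion, as an added example that is not from the thread or from cPanel's shipped exim.conf. It assumes the RCPT ACL is named acl_check_rcpt (acl_smtp_rcpt = acl_check_rcpt) and that these clauses sit before the accept that takes local mail; the sender pattern, the 60-per-minute limit and the log messages are choices made for this example. The ratelimit condition is a mid-2005 addition to Exim 4, so an older build may not have it (exim -bV shows the version), and cPanel regenerates /etc/exim.conf, so custom ACL lines must go wherever your cPanel version preserves them.

```exim
acl_check_rcpt:

  # Reject Yahoo Groups list mail to a local part that does not exist before
  # any message data is read. verify = recipient is the same check :fail:
  # relies on; the senders pattern only gives this traffic its own log line,
  # which makes it easy to count in exim_mainlog.
  deny
    senders     = ^sentto-.*@returns\.groups\.yahoo\.com$
    !verify     = recipient
    message     = 550 No such mailbox here
    log_message = yahoo groups list mail to unknown recipient

  # Close the connection (drop, not just deny) once one host has sent more
  # than 60 RCPTs in a minute. 'strict' keeps counting while the host is over
  # the limit, so a host that keeps hammering stays blocked; a host that backs
  # off recovers after the 1m period.
  drop
    ratelimit   = 60 / 1m / per_rcpt / strict / $sender_host_address
    message     = 421 Too many recipients from $sender_host_address, closing connection
    log_message = RCPT rate limit exceeded

  # ... existing recipient checks and the final accept follow ...
```

This still costs a TCP accept and an Exim child per connection, which is what the top output in post #4 shows; the ACL only shortens each session. Cutting the connections off entirely is an iptables job, and post #9's point stands: with many bulk.*.yahoo.com hosts in play, per-host blocking or rate limiting only trims the load rather than stopping it.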
