|Last updated: Thu Sep 27 19:28:34 PDT 2007|
We have now implemented SPF. We are not certain how much this will help in the future, since SPF only works if the receiving SMTP server actually checks it. The backscatter SPAM is a good indication that the SMTP servers causing it are not properly run in the first place. But we hope it will help some.
Here is a good tutorial on SPFs by EasyDNS.
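As an added illustration (not code from this site or from the EasyDNS tutorial), here is a minimal SPF evaluator in Python that shows what the receiving SMTP server has to do at MAIL FROM time for a published record to matter. The DNS data is a constructed in-memory table for hypothetical zones (example.com, _spf.example.net, mail.example.com), not real records, and only the ip4/ip6, a, include and all mechanisms are handled; mx, ptr, exists and the redirect modifier are left out.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical zones, not real records). A real
# checker would issue TXT and A queries; the evaluation logic is the same.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 "
                   "a:mail.example.com include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.0/26 ~all",
}
DNS_A = {
    "mail.example.com": ["203.0.113.100"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF record published for `domain` against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms are tried left to right; the first one that matches decides,
    and its qualifier (+ - ~ ?) gives the result.
    """
    if depth > 10:                      # bound include: recursion (RFC 7208 limits lookups to 10)
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if "=" in mech:
            continue                    # modifier (redirect=, exp=): not implemented here
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An address of the other IP version is simply never "in" the network.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in DNS_A.get((arg or domain).lower(), [])
        elif mech == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # mx, ptr, exists or an unknown mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


def spf_result_for_envelope(sender_ip, mail_from):
    """Check the envelope sender as seen in the SMTP MAIL FROM command.

    A null sender (<>) is a bounce and has no domain to check. That is why
    SPF cannot stop backscatter at the victim's side: the server that accepted
    the forged original has to run this check before it ever generates a bounce.
    """
    addr = mail_from.strip("<> ")
    if "@" not in addr:
        return "none"
    return check_spf(sender_ip, addr.rpartition("@")[2])


if __name__ == "__main__":
    for ip, sender in [("192.0.2.77", "<user@example.com>"),
                       ("198.51.100.9", "<forged@example.com>"),
                       ("198.51.100.9", "<>")]:
        print(ip, sender, "->", spf_result_for_envelope(ip, sender))
```

A receiving server that gets "fail" here can reject the message during the SMTP transaction with a 5xx reply, so the sending side (not the forged domain) is the one that has to deal with the failure and no bounce is ever generated.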
|Tue Sep 25 02:18:20 PDT 2007|
So I learned we are not alone in experiencing this inconvenience. I found a gentleman in Norway with a similar issue. Here are links to two of his blog entries, "Hey spammer! Here's a list for you!" and "A Lady in Distress...", about his situation.
Here is a newer list of servers (IPs and HELO/EHLO id) that are bouncing emails to our SMTP server.
More reading and email conversations with others provided the following link on "Backscatter SPAM" (You should also google the term yourself).
|Sun Sep 23 17:22:17 PDT 2007|
Our mail server is getting flooded again by an enormous amount of SMTP
connections. I am afraid some jerk is once more spoofing our domain
name to send out SPAM messages.
Please check the header of the SPAM, follow the sender's IP address, and report the abuse to the proper authorities.
To see a partial list of hosts that flooded our SMTP server follow this link: partial flood hosts
|Fri, 2 May 2003 08:21:12 -0700|
On Tuesday (April 22nd, 2003) I noticed that two SMTP servers belonging to the Government of Canada (gc.ca) had started to flood my mail servers. Continuous connections were being made to my mail servers in an attempt to bounce emails back to them.
The load on the mail servers was 5+ and rising. I had to filter out all IP traffic from gc.ca to stop the flooding. After doing so, I contacted the administrator for the gc.ca domain and left her a voice message explaining the situation.
All seemed fine until Thursday, the 24th, when I noticed a lot of activity on my LAN switch. Similar situation again. SMTP server from quicknet.com.au was flooding me. It had been doing so since 03:33 (PST). I noticed this around 11:16 (PST). By this time the load on the mail server had reached 46+ and the server had long since stopped accepting any legitimate emails.
Once again I implemented firewall filters. In addition, I changed settings on my SMTP servers to limit the number of connections and rate at which they accept new incoming connections.
I contacted quicknet.com.au and notified them of the situation as well. Next I contacted my ISP with this information. My ISP, to my surprise, notified me that they would not be able to do much for me and that I was on my own.
An admin from quicknet.com.au confirmed my suspicions: someone had been sending spam to their server using a faked email address at my domain (midds at boxsoft dot com and a few slight variations of it). The spammer had been guessing quicknet.com.au's user account names in his or her attempt to send spam to them. For every email account that didn't exist (i.e., was guessed incorrectly), quicknet.com.au's SMTP servers were trying to bounce the email back to the alleged sender as undeliverable.
Since then I have noticed similar SMTP floods from the following domains:
net.br

So, if you think you have received spam from my domain (boxsoft.com), I can assure you that you have not. Please check the full header of the spam you have received. You should see a section that resembles the following:
    Received: from ---.boxsoft.com (---.boxsoft.com [66.xx.xx.xxx]) by ----.boxsoft.com (-.--.--/-.--.--) with ESMTP id h3SLBKfi004535 for <xxxxxxxxxxxxxxxxxxxxxxxx>; Mon, 28 Apr 2003 14:11:20 -0700

    Received: from hotmail.com (dhcp024-209-069-053.woh.rr.com [22.214.171.124]) by ---.boxsoft.com (-.--.--/-.--.--) with SMTP id h3SLAua4027141; Mon, 28 Apr 2003 14:10:58 -0700

Each of these "Received" lines is supposed to act as an audit trail of which SMTP servers this email has passed through on its way to the recipient.
Looking at the second entry I can tell that my SMTP server accepted the email from a server pretending to be "hotmail.com", while in fact the connection came from IP address 126.96.36.199, which resolves to dhcp024-209-069-053.woh.rr.com, a Road Runner account!
I would strongly suggest that you contact your ISP (Internet Service Provider) by email (and phone if possible). Send them the full header of the spam you received so they can determine and track the originator of the spam. In addition, if the domain of the sender is an obvious one you may consider sending the ISP a notice as well. In this case the ISP is Road Runner and the email address to send complaints to would be firstname.lastname@example.org (Road Runner Company Contact Info).
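As an added example (not code from this site), the following Python script does the header reading described above mechanically: it unfolds a header block, pulls out each "Received" hop, and flags any hop where the name the client announced in HELO does not match the reverse DNS of the address it actually connected from. The sample header block is constructed, modelled on the one quoted above: the receiving-side hostnames mx1/mx2.example.com, the recipient address and the MTA version strings are placeholders, while the claimed "hotmail.com" name, the woh.rr.com reverse name and the bracketed address are copied from the quoted header.

```python
import re

# Constructed sample modelled on the header quoted in the entry above.
# mx1/mx2.example.com, victim@example.com and "8.12.9/8.12.9" are placeholders.
SAMPLE_HEADERS = """Received: from mx2.example.com (mx2.example.com [192.0.2.20])
\tby mx1.example.com (8.12.9/8.12.9) with ESMTP id h3SLBKfi004535
\tfor <victim@example.com>; Mon, 28 Apr 2003 14:11:20 -0700
Received: from hotmail.com (dhcp024-209-069-053.woh.rr.com [22.214.171.124])
\tby mx2.example.com (8.12.9/8.12.9) with SMTP id h3SLAua4027141;
\tMon, 28 Apr 2003 14:10:58 -0700
From: someone@hotmail.com
Subject: constructed sample
"""

# "from <HELO name> (<reverse DNS> [<IP>]) ... by <receiving host>"
# The reverse-DNS part is optional because MTAs omit it when the lookup fails.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if not line.strip():
            break                       # blank line ends the header block
        if line[:1] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return the Received hops in header order (top = most recent)."""
    hops = []
    for line in unfold_headers(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        hop = m.groupdict() if m else {"helo": None, "rdns": None, "ip": None, "by": None}
        hop["raw"] = value.strip()
        hops.append(hop)
    return hops


def base_domain(host):
    """Crude registrable-domain guess: the last two labels. Good enough for
    hotmail.com vs. woh.rr.com; wrong for names under com.au and similar."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def helo_mismatch(hop):
    """True when the announced HELO name belongs to a different domain than the
    reverse DNS of the connecting address. A forged HELO is not proof of spam
    by itself, but it is the tell-tale the entry above describes."""
    if not hop.get("helo") or not hop.get("rdns"):
        return False
    return base_domain(hop["helo"]) != base_domain(hop["rdns"])


def origin_hop(hops):
    """The bottom-most trusted Received line is where the message entered;
    anything below it (or inside the message) could be written by the sender."""
    return hops[-1] if hops else None


def abuse_contact_domain(hops):
    """Domain of the network that actually connected, taken from reverse DNS of
    the origin hop, never from the HELO name or the From: header."""
    origin = origin_hop(hops)
    if origin and origin.get("rdns"):
        return base_domain(origin["rdns"])
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(hops):
        flag = "  <-- HELO does not match reverse DNS" if helo_mismatch(hop) else ""
        print(f"hop {i}: claimed {hop['helo']} really {hop['rdns']} [{hop['ip']}] -> {hop['by']}{flag}")
    print("report to network:", abuse_contact_domain(hops))
```

Only the Received lines added by your own servers (and servers you trust) are reliable; the sender controls everything that was in the message before it reached you, so the hop to act on is the lowest one written by a host you recognise, and the address to report is the bracketed IP on that line, not the name before it.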