sendmail issue.

Scot L. Harris webid at cfl.rr.com
Wed Jul 21 23:56:19 UTC 2004


On Wed, 2004-07-21 at 19:35, netmask wrote:
> > ----
> > I'm not convinced that this is entirely true any longer. I was under the
> > impression that much of today's UBE was being sent by Windows machines
> > that have been compromised and are relaying mail at the control of
> > others and less from improperly configured mail servers (hence your
> > point about idiot ISP's that don't block port 25 properly I suppose). I
> > don't have any statistics on this though.
> 
> According to my logs, this would be an accurate statement. I get hit by a lot
> of brute forcers trying *@domain and just tons of stupid spam drones.. Nearly
> all coming from dialup Win boxes (according to p0f they are Win boxes).
> Luckily cbl.abuseat.org and the other various RBLs do a pretty good job of
> keeping them under control. I very rarely see someone rejected as being an
> open relay.
> 
> However, the second someone has an open relay up.. it's a spammer heaven.

Every day I see relay attempts through the mail server, all blocked of
course.  There must be enough open relays for them to keep trying that
method.

And I agree with you that the majority of the spam comes from
compromised zombie Windows clients.  I recently set up greylisting on the
mail server and this alone reduced spam by 98 to 99% (was 2000 to 6000
spam messages a day and now we get 3 to 8 spam messages a day).
Greylisting works by telling the remote MTA that there is a temporary
error (451).  A real MTA will wait a few minutes and try to connect
again.  Virtually all the zombie machines out there are not that smart:
they get an error and just move on and don't retry.  Amazingly quiet on
the email server now.  :)

-- 
Scot L. Harris
webid at cfl.rr.com

Beware of a tall black man with one blond shoe. 
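The greylisting behaviour described in the post above (first contact gets a 451 temporary failure, a compliant MTA retries after a delay and is accepted, a drone that never retries is never delivered), as an added illustration that is not code from the post or from sendmail. It is a minimal in-memory simulation keyed on the (client /24 network, envelope sender, envelope recipient) triplet; the delay values, the `Greylist` class and the constructed delivery attempts are assumptions chosen for the example, not settings from the list author's server.

```python
"""Minimal greylisting simulation (added example, not from the mailing-list post).

A triplet of (client network, envelope sender, envelope recipient) is
deferred with a 451 on first sight.  A retry after MIN_DELAY seconds is
accepted; a sender that never retries (the typical spam drone) never gets
a 250.  Constructed timings and addresses below are illustrative only.
"""
import ipaddress

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 OK"


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 86400, v4_prefix=24):
        self.min_delay = min_delay        # seconds a sender must wait before a retry counts
        self.retry_window = retry_window  # how long a pending triplet is remembered
        self.v4_prefix = v4_prefix        # key IPv4 clients on their /24 so an MTA pool
                                          # that retries from a sibling address still matches
        self.pending = {}                 # triplet -> timestamp of first attempt

    def _key(self, client_ip, mail_from, rcpt_to):
        addr = ipaddress.ip_address(client_ip)
        # Assumption for this example: /24 for IPv4, the full address for IPv6.
        prefix = self.v4_prefix if addr.version == 4 else 128
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply to give at RCPT TO for this attempt at time `now`."""
        key = self._key(client_ip, mail_from, rcpt_to)
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[key] = now       # (re)start the clock for this triplet
            return TEMP_FAIL
        if now - first_seen < self.min_delay:
            return TEMP_FAIL              # retried too fast; keep deferring
        return ACCEPT


# Constructed delivery attempts: (seconds since start, client IP, MAIL FROM, RCPT TO, label)
ATTEMPTS = [
    (0,    "203.0.113.10", "alice@example.org", "bob@example.net", "real MTA, first try"),
    (0,    "198.51.100.7", "x9@drone.invalid", "bob@example.net", "spam drone, only try"),
    (30,   "203.0.113.10", "alice@example.org", "bob@example.net", "real MTA, retried too early"),
    (900,  "203.0.113.11", "alice@example.org", "bob@example.net", "real MTA, retry from pool sibling"),
    (1000, "203.0.113.11", "alice@example.org", "bob@example.net", "real MTA, next message"),
]


def replay(attempts, greylist=None):
    """Feed the attempts through one Greylist and return (label, reply) pairs."""
    gl = greylist or Greylist()
    return [(label, gl.check(ip, f, t, now)) for now, ip, f, t, label in attempts]


def delivered_senders(attempts, greylist=None):
    """Set of MAIL FROM addresses that got a 250 at least once."""
    gl = greylist or Greylist()
    return {f for now, ip, f, t, _ in attempts if gl.check(ip, f, t, now) == ACCEPT}


if __name__ == "__main__":
    for label, reply in replay(ATTEMPTS):
        print(f"{label:36s} -> {reply}")
    print("delivered:", sorted(delivered_senders(ATTEMPTS)))
```

The drone's single attempt is deferred and, because it never comes back, never delivered; the legitimate sender is accepted on the retry that arrives after the delay, even from a neighbouring address in the same /24. Two things a production deployment adds that this sketch leaves out: automatic whitelisting of triplets or networks that have passed once, so repeat correspondents are not delayed again, and a list of well-known large senders whose retries come from many unrelated networks.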