spam, forged sender, bounce backs

Drake

Hi all,

This age-old problem is getting on our nerves again, especially within the last few days (August 20+). As sysadmins, we are receiving non-deliverable e-mail bounce backs. It is obviously spammers (not relaying through our boxes), but just using a bogus sender name. Some of the recipient targeted servers actually send back a full snapshot of the bounced e-mail, which is good, so we can analyse the headers to be sure it's not one of our own customers spamming. What we're seeing is that the sender is claiming to be from one or more of our hosted domain names, but not an IP number of ours. These originating IP numbers have been in Thailand, Taiwan, and various Eastern Bloc European countries. Only a few are from IPs within the USA. In a perfect world, you would look up the IP number and send a complaint to the sysadmin of the offending network. OK, but this gets nowhere, even with Bell Atlantic DSL and other USA companies. The best response I got from them was an automated e-mail trying to sell me their spam blocking service. What a joke. And forget about complaining to a sysadmin in Bulgaria. This seems to come in waves, and then quiet down for a while. Anyone got any ideas why this is? :mad:
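
The header check described in the post above, as an added example that is not part of the original thread: it pulls the returned message out of a bounce and tests whether the host that handed it to the bouncing server sits in your own netblocks. `OUR_NETWORKS`, the sample bounce and the `*.example` names are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Assumption: the netblocks your own mail servers send from (RFC 5737 range here).
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample bounce: sender forged as a hosted domain, sent from elsewhere.
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@mx.recipient.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from hosted-customer.example (unknown [203.0.113.77])
 by mx.recipient.example; Mon, 23 Aug 2004 10:00:00 +0000
From: sales@hosted-customer.example
Subject: constructed sample

body
--b1--
"""

def embedded_original(bounce):
    """Return the original message (or just its headers) carried inside a bounce."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def triage_bounce(raw, our_networks=OUR_NETWORKS):
    """Classify a bounce by the IP that handed the original to the bouncing server."""
    original = embedded_original(email.message_from_bytes(raw, policy=policy.default))
    received = original.get_all("Received", []) if original is not None else []
    # The top-most Received line was added by the server that bounced the mail, so
    # its bracketed IP is the host that really connected; lower lines can be forged.
    match = BRACKETED_IP.search(str(received[0])) if received else None
    try:
        ip = ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        ip = None
    if ip is None:
        return {"verdict": "unknown", "client_ip": None, "claimed_from": None}
    verdict = "sent-via-us" if any(ip in net for net in our_networks) else "forged-sender"
    return {"verdict": verdict, "client_ip": str(ip), "claimed_from": str(original["From"])}
```

A `forged-sender` verdict means the mail never passed through your servers; `sent-via-us` is the case worth checking against your own Exim logs.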
 

Snowman30

I'm wondering if you found a solution for this.

I'm having the same sort of problem on one domain and it's loading up exim way too much...
 

Poonga

bogons, blacklists, and the like

Have you looked into bogon listings? They can be added to your iptables to block bogus IP net ranges. Also, adding RBL listings to your SA or Exim can filter out quite a few spammers. Using a global type of filter like that to block subject headers can cause real bounce backs to be foobared, so you gotta be careful with those. Do a forum search in here, I'm sure you'll find a couple of threads mentioning this.

Edit: There's a great filter for fake message bouncing over at http://www.timj.co.uk/linux/sa.php thanks to Tim Jackson.
 