SPAM: HELP: SURPRISE

Roeland M.J. Meyer rmeyer at mhsc.com
Sat Feb 14 16:53:19 GMT 1998


Hey gang, 

In the process of chasing this thing down, I got this note about one less
open relay, after this weekend.


>From: friedl at mtndew.com (Stephen J. Friedl)
>X-Mailer: SCO System V Mail (version 3.2)
>To: rmeyer at mhsc.com
>Subject: VSI.COM spam
>Cc: scott at vsi.com
>Date: Fri, 13 Feb 98 15:46:17 PST
>
>Good afternoon,
>
>>VSI.COM:
>>This spam was inserted at obiwan.vsi.com. The evidence is fairly
>>conclusive. However, only an analysis of your logs can determine exactly
>>who this luser is.
>
>I am a consultant helping V-Systems (vsi.com) run their internet site,
>and the message below did not originate from us -- we were used as a
>relay. We have known of our being on somebody's spam relay list and have
>been taking steps to fix it. Last weekend we cut over to the latest
>sendmail, but when I tried to add the rules that prevent relay it
>broke our regular mail so I had to take it out. This weekend I will
>make another run at it and see if I get any farther.
>
>I do sendmail for my customers just often enough to think I can learn
>it with enough staring at the bat book, but not often enough to get
>good at it. I am sickened by these spammers and resent them making
>me/us/you go through so many hoops. Cocksuckers.
>
>In the hopes that we can track down who did this, I'll annotate
>your notes:
>
>> There is definitely a Star Wars fan on the Sys Admin staff <grin>.
>
>That would be Rob. ;-)
>
>>I believe that I'm correct in assuming that this RL is bogus, since it
>>followed a From: line.
>>>Received: from sample.com (20.houston-04.tx.dial-access.att.net
>
>The "sample.com" is bogus, but the machine name in parens is correct.
>Our syslog entry for this message shows:
>
>>Feb 13 03:55:41 obiwan.vsi.com sendmail[15881]: DAA15881: \
>>	from=<somebody at somewhere.com>, size=7468, class=0, pri=607468,
>>	nrcpts=20, msgid=<199802131154.DAA15881 at obiwan.vsi.com>, proto=SMTP,
>>	relay=20.houston-04.tx.dial-access.att.net [12.65.131.20]
>
>This IP address traceroutes into what I believe is att.net territory.
>The clock on obiwan is about four minutes slow in case you're trying to
>synchronize your logs. This weekend I'll get the time server running
>to make sure our clocks are accurate.
>
>Really, we're guilty of providing unknowing relay, but we did not 
>originate this spam. Thank you for your detailed report, and hopefully
>you'll not get any more trash from us again.
>
>Steve
>
>--- 
>Stephen J Friedl | Software Consultant | Tustin, CA |   +1 714 544-6561
>3B2-kind-of-guy  | I speak for me only |   KA8CMY   | friedl at mtndew.com
>
___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail:		mailto:rmeyer at mhsc.com
Personalweb pages:	http://www.mhsc.com/~rmeyer
Company web-site:	http://www.mhsc.com/
___________________________________________
Watch for the SecureMail system at MHSC.NET
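As an added illustration (not part of the thread or either writer's code), here is how the forged Received header can be correlated with the relay's own sendmail syslog record using the values quoted above. The Received line is reconstructed with the IP taken from the relay= field, the year is assumed to be 1998, and the four-minute clock skew Steve mentions is applied as a correction.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input built from the values quoted in the thread.
# Sendmail writes "Received: from <HELO name> (<reverse DNS> [<IP>])"; the IP
# here is copied from the relay= field of the syslog record below.
RECEIVED = ("Received: from sample.com "
            "(20.houston-04.tx.dial-access.att.net [12.65.131.20])")

# The syslog record from the thread, continuation lines joined into one.
SYSLOG = ("Feb 13 03:55:41 obiwan.vsi.com sendmail[15881]: DAA15881: "
          "from=<somebody at somewhere.com>, size=7468, class=0, pri=607468, "
          "nrcpts=20, msgid=<199802131154.DAA15881 at obiwan.vsi.com>, "
          "proto=SMTP, relay=20.houston-04.tx.dial-access.att.net [12.65.131.20]")

RECEIVED_RE = re.compile(r"^Received: from (\S+) \(([^\s\[]+) \[([\d.]+)\]\)")
SYSLOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sendmail\[\d+\]: (\w+): (.*)$")

def parse_received(header):
    """HELO name (claimed by the client), reverse-DNS name and IP (both
    recorded by the receiving server) from a sendmail Received line."""
    m = RECEIVED_RE.match(header)
    if not m:
        raise ValueError("unrecognised Received line")
    return {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}

def parse_syslog(line, year):
    """Fields of a sendmail from= record. Syslog omits the year, so the
    caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised sendmail syslog line")
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m.group(4).split(", "))
    relay = re.match(r"(\S+) \[([\d.]+)\]", fields["relay"])
    return {"time": stamp, "host": m.group(2), "qid": m.group(3),
            "nrcpts": int(fields["nrcpts"]), "relay_name": relay.group(1),
            "relay_ip": relay.group(2)}

def correlate(header, line, year, skew_minutes=0):
    """Tie the header to the relay's log: a HELO that differs from the rDNS
    name the relay looked up itself is forged; the IP in the log is the real
    injection point. skew_minutes corrects the relay's slow clock."""
    rcv, log = parse_received(header), parse_syslog(line, year)
    return {"queue_id": log["qid"], "injecting_ip": log["relay_ip"],
            "ip_matches_log": rcv["ip"] == log["relay_ip"],
            "helo_forged": rcv["helo"] != rcv["rdns"],
            "recipients": log["nrcpts"],
            "corrected_time": (log["time"]
                               + timedelta(minutes=skew_minutes)).isoformat()}
```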