Posted to users@spamassassin.apache.org by Rich Dygert <ri...@aol.com> on 2007/12/07 17:15:34 UTC
Spammer sending from jqr@csi.com
Folks
I am the postmaster for @compuserve.com and @csi.com (the "i" is
important, @cs.com is someone else).
A couple months ago my email traffic doubled (from 1 million a day to 2
million a day). After some investigation I found that a spammer was
sending from jqr@csi.com and I was getting the back splatter. I
cancelled the jqr@csi.com account and thought the spammer would soon
stop. Turns out I was wrong, the spammer is still at it. I just received
several hundred attempts to return email from @walmart.com.
To make a long story short, please feel free to block jqr@csi.com. You
can verify that the address is invalid first if you wish.
Is there a better way to handle something like this?
--
Rich Dygert
CompuServe classic Email SA
Re: Spammer sending from jqr@csi.com
Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Fri, 7 Dec 2007, Rich Dygert wrote:
> Is there a better way to handle something like this?
You and Mr. Brennan may also want to post this on the SPAM-L list.
http://www.claws-and-paws.com/spam-l/spam-l.html
There are people on that list who find patterns such as this, who may be
able to gather more information on this particular spammer's MO.
==========================================================
Chris Candreva -- chris@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: Spammer sending from jqr@csi.com
Posted by mouss <mo...@netoyen.net>.
McDonald, Dan wrote:
> On Fri, 2007-12-07 at 11:15 -0500, Rich Dygert wrote:
>
>> Folks
>>
>> I am the postmaster for @compuserve.com and @csi.com (the "i" is
>> important, @cs.com is someone else).
>>
>> A couple months ago my email traffic doubled (from 1 million a day to 2
>> million a day). After some investigation I found that a spammer was
>> sending from jqr@csi.com and I was getting the back splatter. I
>> cancelled the jqr@csi.com account and thought the spammer would soon
>> stop. Turns out I was wrong, the spammer is still at it.
>>
>
> Sure, since they are forging the address anyway...
>
>
>> I just received
>> several hundred attempts to return email from @walmart.com.
>>
>> To make a long story short, please feel free to block jqr@csi.com. You
>> can verify that the address is invalid first if you wish.
>>
>> Is there a better way to handle something like this?
>>
>
> SPF or domainkeys. Then Walmart would know that the message being sent
> was forged.
>
or tempfail this mail, so that Walmart are encouraged to implement
recipient validation....
>
>
>
Re: Spammer sending from jqr@csi.com
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2007-12-07 at 14:03 -0500, Rich Dygert wrote:
> McDonald, Dan wrote:
> > On Fri, 2007-12-07 at 11:15 -0500, Rich Dygert wrote:
> >
> >> A couple months ago my email traffic doubled (from 1 million a day to 2
> >> million a day). After some investigation I found that a spammer was
> >> sending from jqr@csi.com and I was getting the back splatter. I
> >> cancelled the jqr@csi.com account and thought the spammer would soon
> >> stop. Turns out I was wrong, the spammer is still at it.
> >>
[...]
> >> Is there a better way to handle something like this?
> >>
> >
> > SPF or domainkeys. Then Walmart would know that the message being sent
> > was forged.
> That is a reasonable suggestion but my customers don't always send email
> from my SMTP servers. As I understand SPF I would have to list my
> servers and say "It is not an error if it comes from some other server."
>
> Would that not be a problem for Domain Keys also?
Yes. If you don't control who can send mail with your return address,
then you have no way to eliminate joe-jobs. That is a business
decision.
On the other hand, Walmart shouldn't be back-scattering you....
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
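To make the SPF trade-off in the exchange above concrete, here is an added example (my own code, not from anyone on this thread): a minimal evaluator for the `ip4:` and `all` mechanisms, showing why a domain that cannot list all of its senders ends up publishing `~all`, and why that gives a receiver such as Walmart no grounds to reject a forgery. The record strings, the addresses and the `receiver_should_reject` helper are constructed assumptions, not real DNS data for csi.com.

```python
import ipaddress

# Constructed example: a minimal SPF (RFC 7208 style) evaluator that handles
# only the "ip4:" mechanism and the "all" mechanism with its four qualifiers.
# Records and addresses below are hypothetical (RFC 5737 documentation ranges).

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return pass/fail/softfail/neutral/none for client_ip against an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable record published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # an unqualified mechanism means "pass"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.lower().startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # nothing matched and no "all" term


def receiver_should_reject(result):
    """Only a hard 'fail' gives the receiving MTA grounds to reject at SMTP time;
    softfail/neutral leave it guessing, so the forged mail (and its bounce) gets through."""
    return result == "fail"


if __name__ == "__main__":
    strict = "v=spf1 ip4:192.0.2.0/24 -all"    # "only my servers may send"
    relaxed = "v=spf1 ip4:192.0.2.0/24 ~all"   # "other servers are not an error"
    forger = "198.51.100.7"                     # hypothetical spammer host
    for rec in (strict, relaxed):
        res = evaluate_spf(rec, forger)
        print(f"{rec!r} -> {res}, reject={receiver_should_reject(res)}")
```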
Re: Spammer sending from jqr@csi.com
Posted by Rich Dygert <ri...@aol.com>.
McDonald, Dan wrote:
> On Fri, 2007-12-07 at 11:15 -0500, Rich Dygert wrote:
>
>> Folks
>>
>> I am the postmaster for @compuserve.com and @csi.com (the "i" is
>> important, @cs.com is someone else).
>>
>> A couple months ago my email traffic doubled (from 1 million a day to 2
>> million a day). After some investigation I found that a spammer was
>> sending from jqr@csi.com and I was getting the back splatter. I
>> cancelled the jqr@csi.com account and thought the spammer would soon
>> stop. Turns out I was wrong, the spammer is still at it.
>>
>
> Sure, since they are forging the address anyway...
>
>
>> I just received
>> several hundred attempts to return email from @walmart.com.
>>
>> To make a long story short, please feel free to block jqr@csi.com. You
>> can verify that the address is invalid first if you wish.
>>
>> Is there a better way to handle something like this?
>>
>
> SPF or domainkeys. Then Walmart would know that the message being sent
> was forged.
>
>
>
>
That is a reasonable suggestion but my customers don't always send email
from my SMTP servers. As I understand SPF I would have to list my
servers and say "It is not an error if it comes from some other server."
Would that not be a problem for Domain Keys also?
--
Rich Dygert
CompuServe classic Email SA
Re: Spammer sending from jqr@csi.com
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2007-12-07 at 11:15 -0500, Rich Dygert wrote:
> Folks
>
> I am the postmaster for @compuserve.com and @csi.com (the "i" is
> important, @cs.com is someone else).
>
> A couple months ago my email traffic doubled (from 1 million a day to 2
> million a day). After some investigation I found that a spammer was
> sending from jqr@csi.com and I was getting the back splatter. I
> cancelled the jqr@csi.com account and thought the spammer would soon
> stop. Turns out I was wrong, the spammer is still at it.
Sure, since they are forging the address anyway...
> I just received
> several hundred attempts to return email from @walmart.com.
>
> To make a long story short, please feel free to block jqr@csi.com. You
> can verify that the address is invalid first if you wish.
>
> Is there a better way to handle something like this?
SPF or domainkeys. Then Walmart would know that the message being sent
was forged.
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: Spammer sending from jqr@csi.com
Posted by Joseph Brennan <br...@columbia.edu>.
Rich Dygert <ri...@aol.com> wrote:
> A couple months ago my email traffic doubled (from 1 million a day to 2
> million a day). After some investigation I found that a spammer was
> sending from jqr@csi.com and I was getting the back splatter. I cancelled
> the jqr@csi.com account and thought the spammer would soon stop. Turns
> out I was wrong, the spammer is still at it. I just received several
> hundred attempts to return email from @walmart.com.
>
> To make a long story short, please feel free to block jqr@csi.com. You
> can verify that the address is invalid first if you wish.
The same spammer fakes jra54449@cs.columbia.edu, and the mail has a fake
Received header alleging the mail comes from cs.columbia.edu 128.59.16.20.
Only 1 million backscatter? We're getting 3 million backscatter a day.
In our case the sender address never existed, and the alleged origin is
a host that does not send any mail (it WAS a mail host until about six
months ago).
So, feel free to block mail from jra54449@cs.columbia.edu, and mail with
128.59.16.20 in a Received header. Guaranteed fake. There's a lot of it.
Go to Senderbase-- they list 128.59.16.20 as the largest mail sender in
columbia.edu-- and it's based 100% on believing fake Received headers!
OK, they are foolishly naive, but it suggests how much spam would match
a rule like this.
The spammer likes sender addresses that start jq or jr. We note also
that the spam to our users is never from jra54449@cs.columbia.edu, but
only from other addresses. I recognize jqr@csi.com.
Dan McDonald opined,
>> Is there a better way to handle something like this?
> SPF or domainkeys. Then Walmart would know that the message being sent
> was forged.
Thanks for playing, but cs.columbia.edu DOES have an SPF record. You'll
say we'd have even more without SPF, but I'm skeptical. The 3 million
bounces are from several hundred thousand hosts.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology