Maiming People and Spam Prevention

Yes, I hope to accomplish both of the above. Apparently a few companies have been exploiting scripts placed by clients to send hundreds of emails an hour. I will do the best I can to run for Congress and create a spam spanking law which will allow us web site owners a full hour of solid paddling (as hard as you want) of spammer trespassers for every 1,000 emails they have sent in addition to civil and criminal penalties. You all know the extreme outrage and anger I'm feeling.

It's worse. They also apparently have been sending spam to every conceivable address at one of our sites. I'm not sure if the addresses are randomly generated, e.g. bill@site.com, glenn@site.com, etc., and it has gotten to the point where it's absurd. Some of these companies are in China. I'm hoping that during my vacation I can visit some of these locations and maim the bastards and leave the country. Including my catchall accounts, I am getting in excess of 10,000 pieces of spam email to my 10 personal accounts per *week.*

But let's do what is practical right now, after I'm feeling good about getting out that rant. I've turned on SpamAssassin but find that unless you set it pretty high, it doesn't do much. The problem is that, in running a corporate-type network as well, it will catch short replies as potentially being spam. Whitelisting and blacklisting can be difficult, especially due to spoofing.

With regard to script exploitation, how can I find out what domain or script is being hacked and used to send the email? I've looked in the logs but can't really find where a script is called to send an email. I have been able to identify some of the domains used since the return address is info@hackedsite.com and the spoofing identifies the domain.

Here is an example of what I see in WHM in the header area when looking at the Exim Mail Manager... and all comments are most appreciated. Of note, I have also had a friend set up other spam prevention software that is not helping.

SAMPLE A - Sent to our domain

1EheFq-0003rg-M2-H
mailnull 47 12
<1-14474028-mydomain.com?john@rtp3.valfortune.com>
1133404382 0
-helo_name rtp3.valfortune.com
-host_address 63.97.177.237.41238
-interface_address 64.62.134.202.25
-received_protocol smtp
-body_linecount 20
-deliver_firsttime
XX
1
john@mydomain.com

188P Received: from [63.97.177.237] (helo=rtp3.valfortune.com)
by spider.mydomain.net with smtp (Exim 4.52)
id 1EheFq-0003rg-M2
for john@mydomain.com; Wed, 30 Nov 2005 21:33:02 -0500
018 MIME-Version: 1.0
022 X-Accept-Language: en
019 X-Priority: Normal
053F From: HolidaySurpriseGift <cooldeals@valfortune.com>
023T To: john@mydomain.com
050 Subject: HolidayShop with this 1500 on QVC or HSN
036 Date: Wed, 30 Nov 2005 19:49:37 CST
065I Message-ID: <q8Sh12,265$8Sh8wLbO9swbOL678tS@rtp3.valfortune.com>
046 Content-Type: text/html; charset="ISO-8859-1"
032 Content-Transfer-Encoding: 7bit


-------------------------------------

SAMPLE B - Seems to be using nobody and sent from our domain, and I suspect this is a script exploitation


1Eg8fw-0002XE-00-H
nobody 99 99
<nobody@spider.mydomain.net>
1133044664 0
-ident nobody
-received_protocol local
-body_linecount 23
-auth_id nobody
-auth_sender nobody@spider.mydomain.net
-allow_unqualified_recipient
-allow_unqualified_sender
-local
YY drbehavior@msn.com
YY lizana060702@aol.com
NN liveoaks98@aol.com
128P Received: from nobody by spider.mydomain.net with local (Exim 4.52)
id 1Eg8fw-0002XE-00; Sat, 26 Nov 2005 17:37:44 -0500
023T To: took8864@dman.com
028 Subject: took8864@dman.com
013* From: scalet
039F From: scalet@spider.mydomain.net
047 Content-Type: text/plain; charset="us-ascii"
018 MIME-Version: 1.0
032 Content-Transfer-Encoding: 8bit
045 Subject: Set to double or triple within DAYS
8139* bcc: crazynurse1969@aol.com, bilo27957710@aol.com, bwater212@aol.com.... HUGE LIST HERE
058I Message-Id: <E1Eg8fw-0002XE-00@spider.mydomain.net>
038 Date: Sat, 26 Nov 2005 17:37:44 -0500
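
Added example (not part of the original post): a Python triage script for exactly the question above, "which script is being used to send the email". It parses Exim 4 spool header (-H) files of the kind shown in Samples A and B, flags messages that were handed to Exim over the local pipe by the web-server account (which is what Sample B shows: user nobody, uid 99, -received_protocol local), counts the Bcc recipients, and then correlates the spool's received timestamp with POST requests in that domain's Apache access log to point at the script. The spool file and access-log lines embedded below are constructed for this example, modelled on Sample B; the set of web-server account names and the 5-second correlation window are assumptions.

```python
"""Triage Exim spool -H files: spot mail a web script handed to Exim locally and line
it up with web-server requests to find the abused script. Added example; data constructed."""
import re
from datetime import datetime

# Accounts web scripts run as (assumption; cPanel-era Apache ran as nobody, uid 99).
WEB_USERS = {"nobody", "apache", "www-data"}
HEADER_RE = re.compile(r"^(\d+)([A-Z*])? (.*)$")  # spool header: <len><flag> Name: value
TREE_RE = re.compile(r"^[XYN]{2}(?: \S+)?$")      # non-recipient tree nodes (XX, YY addr)
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_spool_header(text):
    """Parse an Exim 4 -H spool file into envelope data, options and headers."""
    lines = text.strip("\n").split("\n")
    user, uid, _gid = lines[1].split()
    msg = {"id": lines[0][:-2], "user": user, "uid": int(uid),
           "sender": lines[2].strip("<>"), "received": int(lines[3].split()[0]),
           "options": {}, "recipients": [], "headers": []}
    i = 4
    while i < len(lines) and lines[i].startswith("-"):  # -option [value]
        key, _, val = lines[i][1:].partition(" ")
        msg["options"][key] = val
        i += 1
    while i < len(lines) and TREE_RE.match(lines[i]):  # addresses already delivered
        i += 1
    if i < len(lines) and lines[i].isdigit():  # recipient count, then one per line
        count = int(lines[i])
        msg["recipients"] = [r.split()[0] for r in lines[i + 1:i + 1 + count]]
        i += 1 + count
    for line in lines[i:]:  # a blank line, then the length-prefixed headers
        if line[:1] in (" ", "\t") and msg["headers"]:  # folded continuation line
            name, value, flag = msg["headers"][-1]
            msg["headers"][-1] = (name, value + " " + line.strip(), flag)
            continue
        m = HEADER_RE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            msg["headers"].append((name.strip().lower(), value.strip(), m.group(2) or ""))
    return msg

def header_values(msg, name):
    return [v for n, v, _ in msg["headers"] if n == name.lower()]

def is_script_submission(msg):
    """Handed to Exim over the local pipe by the web-server account, not received via SMTP."""
    return msg["options"].get("received_protocol") == "local" and msg["user"] in WEB_USERS

def bcc_count(msg):
    """Bcc recipients; Exim keeps the header in the spool flagged '*' (stripped on delivery)."""
    return sum(len([a for a in v.split(",") if a.strip()]) for v in header_values(msg, "bcc"))

def candidate_scripts(access_log, received_epoch, window=5):
    """POST requests logged within `window` seconds of the spool's received time."""
    hits = []
    for line in access_log.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        epoch = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if method == "POST" and abs(epoch - received_epoch) <= window:
            hits.append((ip, path, status))
    return hits

# Constructed spool header modelled on Sample B (length prefixes are not byte-exact).
SAMPLE_B = """\
1Eg8fw-0002XE-00-H
nobody 99 99
<nobody@spider.mydomain.net>
1133044664 0
-ident nobody
-received_protocol local
-auth_id nobody
-local
YY drbehavior@msn.com
NN liveoaks98@aol.com
1
took8864@dman.com

128P Received: from nobody by spider.mydomain.net with local (Exim 4.52)
    id 1Eg8fw-0002XE-00; Sat, 26 Nov 2005 17:37:44 -0500
039F From: scalet@spider.mydomain.net
045 Subject: Set to double or triple within DAYS
8139* bcc: crazynurse1969@aol.com, bilo27957710@aol.com, bwater212@aol.com
"""
# Constructed Apache combined-log lines from the same domain for the same minute.
ACCESS_LOG = """\
203.0.113.7 - - [26/Nov/2005:17:37:43 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [26/Nov/2005:17:37:44 -0500] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Nov/2005:17:38:30 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    m = parse_spool_header(SAMPLE_B)
    if is_script_submission(m):
        print(f"{m['id']}: local submission by {m['user']} (uid {m['uid']}), "
              f"{bcc_count(m)} Bcc recipients, From {header_values(m, 'from')}")
        for ip, path, status in candidate_scripts(ACCESS_LOG, m["received"]):
            print(f"  candidate script: POST {path} from {ip} (HTTP {status})")
```

On a cPanel/Exim box the -H files typically live under the Exim spool input directory; run the parser over every file there (or over the message shown in WHM) and keep only the ones `is_script_submission` flags, then feed each flagged message's received time to `candidate_scripts` with the access log of each hosted domain in turn. The domain whose log shows a POST to a form or mailer script a second or two before Exim's timestamp is the one being abused; Sample A, by contrast, arrived over SMTP from a remote host (`-host_address`, `-received_protocol smtp`) and is plain inbound spam, not a local script. Newer PHP releases can also record the calling script in an X-PHP-Originating-Script header when `mail.add_x_header` is enabled, which makes this correlation unnecessary where it is available.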