SPAM from own customers

Chris Lewis clewis at nortelnetworks.com
Tue Dec 2 21:06:54 UTC 2003



Michel Renfer wrote:
> Hi All
> 
> The topic "Spam sent over infected or malconfigured enduser pc's"
> will become an big issue. We saw Virus' sending Spam directly from
> the users pc, downloading the recipient list and the payload trough
> HTTP from the web.
> 
> How will you deal with the problem, that one user can flood your
> SMTP Server with tousends of emails within 10-20 minutes?

In addition to the other suggestions, scanning the CBL (cbl.abuseat.org) 
for your own IPs is useful from an operational standpoint to find open 
proxies and trojans.

On a similar vein, detecting customer IPs trying to connect to 
47.129.25.87 on port 25 (no legitimate email goes there) will give you 
similar intelligence, tho, it's not quite as definitive as a CBL 
listing. Most reliable if you exclude legitimate customer mail servers 
(bounced forged spam and virii) or correlate to the CBL.

Couple either or both with an autodisconnect script like what Suresh 
suggested.




More information about the NANOG mailing list