SPAM from own customers
clewis at nortelnetworks.com
Tue Dec 2 21:06:54 UTC 2003
Michel Renfer wrote:
> Hi All
> The topic "Spam sent over infected or malconfigured enduser pc's"
> will become an big issue. We saw Virus' sending Spam directly from
> the users pc, downloading the recipient list and the payload trough
> HTTP from the web.
> How will you deal with the problem, that one user can flood your
> SMTP Server with tousends of emails within 10-20 minutes?
In addition to the other suggestions, scanning the CBL (cbl.abuseat.org)
for your own IPs is useful from an operational standpoint to find open
proxies and trojans.
On a similar vein, detecting customer IPs trying to connect to
188.8.131.52 on port 25 (no legitimate email goes there) will give you
similar intelligence, tho, it's not quite as definitive as a CBL
listing. Most reliable if you exclude legitimate customer mail servers
(bounced forged spam and virii) or correlate to the CBL.
Couple either or both with an autodisconnect script like what Suresh
More information about the NANOG