On Saturday, in article
bv.RemoveThis@wjv.comREMOVE "Bill Vermillion" wrote:
> In article ,
> David Lord wrote:
> >On Thursday, in article
> >
> > max29.RemoveThis@agent99.dynip.com "Max Smart" wrote:
> >
> >> I run a FreeBSD-4.9 gateway for a small LAN.
> >> pop3 on another internal FreeBSD-4.9 server that the first one redirects
> >> to
> >> dynamic dial-up account with Earthlink
> >> dynip.com gives me a real domain name.
> >> All that works pretty good.
> >>
> >> Recently I've begun to notice strange e-mail in my account on the internal
> >> box. Mostly phony MS security patches. Knowing that I shouldn't do that, I
> >> just trash them. Each seems to be accompanied by another email that says
> >> something about "not able to deliver message" and there is always an
> >> attachment. In today's case it was a file called fvegyx.exe which appears
> >> ghosted in the attachment list. I can only assume somewhere that some server
> >> stripped off this attachment.
> >>
> >> Does anyone have some clues as to what may be happening here? If my address
> >> which I just started last week has already gotten into someone's junk mail
> >> list that's one thing. But if someone is using or trying to use my server for
> >> relay, which my sendmail settings don't allow, or using the port 25 telnet,
> >> which my ISP would block anyway, I would like to find out. The security logs
> >> and email of the runs don't show anything out of the ordinary.
> >>
> >>
> >> Here are the properties of the e-mail that arrives claiming a message was
> >> not delivered.
> >>
> >> Return-Path:
> >> Received: from snifit.smb.utfors.se (snifit.smb.utfors.se [195.58.112.20])
> >> by phoenix.agent99.dynip.com (8.12.9p2/8.12.9) with ESMTP id hACGpavh002674
> >> for ; Wed, 12 Nov 2003 11:51:38 -0500 (EST)
> >> (envelope-from backner.RemoveThis@hem.utfors.se)
> >> Received: from jmtuczj (md4691611.utfors.se [212.105.22.17])
> >> by snifit.smb.utfors.se
> >> (iPlanet Messaging Server 5.2 Patch 1 (built Aug 19 2002))
> >> with SMTP id for
> >> max29.RemoveThis@agent99.dynip.com; Wed, 12 Nov 2003 17:49:45 +0100 (MET)
> >> Date: Wed, 12 Nov 2003 17:49:17 +0100 (MET)
> >> Date-warning: Date header was inserted by snifit.smb.utfors.se
> >> From: tmailbot.RemoveThis@rocketmail.com
> >> Subject: abort letter
> >> To: inet user
> >> Message-id:
> >> MIME-version: 1.0
> >> Content-type: multipart/alternative;
> >> boundary="Boundary_(ID_dCqq39GVivgPjgJaoyhF0A)"
> >> X-UIDL: QbX!!X8n"!$o8!!<J\!!
> >
> >You've just invited another load of them by your newsgroup posting.
> >They are from PCs infected with the Swen virus. It's unusual in that
> >it grabs From: and Reply-to: addresses from newsgroup postings. It
> >appears that it doesn't use names containing the text 'delete' or
> >'nospam'.
>
> >At its peak it was near to filling my hard drive each time I
> >collected email with about 200 x 150 KB approx emails per hour. The
> >original form had capitalised headers rather than as above so making
> >it easier to reject. There are different flavours from a few KB up
> >to bounces from various broken AV systems at 300 KB. I set a reject
> >rule for all emails above 80 KB until I'd worked out a better method
> >to deal with it (see my Reply-to:).
>
> I have sendmail, and I automatically route all email with
> .exe attachments to /dev/null. I have yet to fill that
> destination to overflowing.
>
> This is the rule that does that:
>
> # procmail recipe: scan the body (B) for a MIME part whose name ends in an executable extension
> :0
> * B ?? name=.*\.(com|exe|bat|scr|pif|binary|hta|shs|vb[es]|ws[fh]|exe.txt)
> /dev/null
>
> I don't seem to have any problems using the ReplyTo: address
> in my headers. But I've only been using that one since 1995.
>
> If you don't have SpamAssassin I highly recommend it. It's in the
> ports and the only problem is if you get a LOT of mail and run on a
> slow machine - say a 150MHz CPU - you will notice little
> performance snags - as SA is written in Perl.
>
> There are levels of spam and after a few months of seeing what is
> filtered I just lowered the level to throw more and more stuff away
> completely. I wind up with 2 or 3 real spam in my regular mbox
> each day with maybe 50-100 in the possible mailbox and 99% of those
> are with one or two I need to save, and those get whitelisted.
My smtp mail server since the early 90s has been the DOS program ka9q,
and in August when I swapped from 56K dialup to ADSL, I was forced to
move from smtp delivery to pop3 collection. The dos partition is only
126 MB with about 10 MB free so no real possibility for filtering
email after delivery/collection when apart from only just getting to
grips with configuring pop3, the volume shot from < 500 KB / week
to > 30 MB / hr. The ka9q pop3 client has limited filtering on To: From:
Subject: and size whilst on the server and can dump the collected
emails to a queue for further filtering or direct to user mailboxes.
Until Swen I hadn't protected the reply-to and there was minimal
spam to that address, about 2%, whilst snews and a previous posting
address accounted for about 97% all being rejected as invalid user.
I'm fairly new to FreeBSD, having set up Samba and local DNS on a
couple of PCs earlier this year. Setting up a mailserver on
FreeBSD is a future project (I was going to try Postfix but saw
an article hereabouts that gave a favourable report about XMail
and will possibly give that a try).
David
--
David Lord - david.RemoveThis@lordynet.demon.co.uk
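The procmail rule Bill quotes above matches `name=` followed by one of the listed extensions anywhere in the body, with no end anchor, so a harmless filename that merely contains ".com" would also be dropped. The following is an added example, not code from anyone in the thread: it reuses the thread's extension list, walks the MIME parts with Python's email module, and checks the declared filename against an anchored version of the pattern; both sample messages are constructed (only the attachment name fvegyx.exe comes from the thread).

```python
import re
from email import message_from_string

# Extension list copied from the procmail rule quoted in the thread.
EXT = r"(com|exe|bat|scr|pif|binary|hta|shs|vb[es]|ws[fh]|exe\.txt)"
# Pattern as the thread's rule uses it: a substring match with no end anchor.
LOOSE_RE = re.compile(r"name=.*\." + EXT)
# Tightened form: the declared filename must end with a listed extension.
STRICT_RE = re.compile(r"^.*\." + EXT + r"$", re.IGNORECASE)

def attachment_names(raw):
    """Collect the filename declared by every MIME part of the message."""
    names = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name:
            names.append(name)
    return names

def should_drop(raw):
    """Anchored check: drop only if a declared filename ends in a listed extension."""
    return any(STRICT_RE.match(n) for n in attachment_names(raw))

def loose_matches(raw):
    """Emulate the thread's body-substring rule over the raw message text."""
    return LOOSE_RE.search(raw) is not None

# Constructed sample: a Swen-style fake bounce carrying fvegyx.exe (name from the thread).
SWEN_LIKE = """\
Subject: abort letter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/octet-stream; name="fvegyx.exe"
Content-Disposition: attachment; filename="fvegyx.exe"

not a real executable, constructed placeholder body
--B1--
"""

# Constructed sample: a harmless attachment whose name merely contains ".com".
LEGIT = """\
Subject: meeting notes
MIME-Version: 1.0
Content-Type: text/plain; name="notes.community.txt"
Content-Disposition: attachment; filename="notes.community.txt"

Agenda item one.
"""
```

Running both checks on the two samples shows the difference: the anchored check drops only the .exe message, while the unanchored substring rule also fires on the notes.community.txt attachment.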