Mail2

[Danl]

Now that Mail0 and Mail1 are back up to speed, mail2 is getting hit hard, I'd just assume block every ip from hitting the server till I find out which IP it is but for some reason David doesn't want that to happen. I'm slowly going through the mail queue and killing spam and blacklisting people

[dcsweb]

Any idea of when we can expect mail to begin flowing again?
I'm getting complaints on this server.

Thanks!

[treeves]

I am getting complaints on Mail2 as well.

[thanna]

Please provide update on the status of this problem. I have customers who are not receiving email containing contracts and other business transactions. How soon do you expect to resolve this problem?
btw, what issues were there with mail0 and mail1 ?

[WalkerL55]

I am also getting 1 client that is having issues with mail2. any news on this yet. i am going submit a trouble ticket in a minute, to follow protocol.

Walker

[WillieCee]

Telling me about an hour more on mail 2
but I see a trickle of mail coming in ....

[dcsweb]

An update?

[Danl]

I'm hoping to find the idiots who are doing this, when I do they will be turned off, I'm tempted to just block entire countries until we figure out what country this spam issue is coming from.

[WillieCee]

Dan,
with all the trojans out there it might very well be me or anyone else on the box I have gone machine by machine scaning with latist Dr. web on top of symantic endpoint. Do you have any recommendations for a scanner to check customer boxes with? I might add before I get some kerosen of my own ....

[WillieCee]

Quote:

Originally Posted by Danl

I'm hoping to find the idiots who are doing this, when I do they will be turned off, I'm tempted to just block entire countries until we figure out what country this spam issue is coming from.

As I said on the phone I am getting a ton of bounce back messages for email I did not send 90% of it states I sent a message to some .ru address if thats a clue or not????

[dcsweb]

You can pretty much bet that you're not getting any legit email from pl or ru right now since it's midnight there

Can you shut down everything and work on processing the queue? At least showing some mail trickling through would ease everyone's mind.

---
I'm moving sites right now to another host due to this outage..for what it's worth.

[dcsweb]

@WillieCee

You would have most likely already been blocked at the SMTP layer by vortech because you would have been reported via the CBL.

Trojans can spew tons of email and it does not take long to get picked up as a spam source.

If your curious, just check here, put in your networks IP
http://cbl.abuseat.org/lookup.cgi

[WillieCee]

DCSweb

I checked my external IP on the link you sent says not blocked

Here is a header from Mailer Deamon Failure

Hi. This is the qmail-send program at fs.spdop.ru.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<knwcxcur@spdop.ru>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <pro@eedata.com>
Received: (qmail 98654 invoked from network); 30 Sep 2008 19:43:59 -0000
Received: from unknown (HELO smtp.spdop.ru) (195.34.31.35)
by 0 with SMTP; 30 Sep 2008 19:43:59 -0000
Received: from localhost (localhost [127.0.0.1])
by smtp.spdop.ru (Postfix) with ESMTP id ACC04A5D161
for <knwcxcur@spdop.ru>; Wed, 1 Oct 2008 00:17:57 +0400 (MSD)
X-Virus-Scanned: SomeProgram on host: AZAZELLO
X-Spam-Score: -1.496
X-Spam-Level:
X-Spam-Status: No, score=-1.496 required=6.2 tests=[BAYES_00=-2.599,
HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.102]
Received: from smtp.spdop.ru ([127.0.0.1])
by localhost (azazello.spdop.ru [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 0b0mHb+ke1BX for <knwcxcur@spdop.ru>;
Wed, 1 Oct 2008 00:17:54 +0400 (MSD)
Received: from mail1.hsphere.cc (mail1.hsphere.cc [216.157.145.21])
by smtp.spdop.ru (Postfix) with SMTP id 9E0C9A5D0EB
for <knwcxcur@spdop.ru>; Wed, 1 Oct 2008 00:17:52 +0400 (MSD)
Received: (qmail 33808 invoked by uid 399); 30 Sep 2008 20:16:47 -0000
Received: from unknown (HELO IBM2102TTI) (pro@eedata.com@216.201.213.97)
by mail1.hsphere.cc with SMTP; 30 Sep 2008 20:16:47 -0000
From: "Will" <pro@eedata.com>
To: '=?koi8-r?Q?p.r.i.n.t.i.n.g._-i.n.d.u.s.t.r.=D5.?=' <knwcxcur@spdop.ru>

[dcsweb]

Looks like standard backscatter,

it works like this:
someone forges an email and lie about who it's too and from.
SENT TO: knwcxcur@spdop.ru

Then they forge your email address into the email as the reply-to:
Return-Path: <pro@eedata.com>

When the mail cannot be delivered:
<knwcxcur@spdop.ru>:
Sorry, no mailbox here by that name. (#5.1.1)

it bounces back into your inbox as designed by the MTA and outlined in the RFCs for e-mail.

It's tough to stop this type of attack. It's typical to see groups of 5 or so emails structured the same way from a bunch of different addresses ending up in your inbox.

This is nothing you've done, just more tricks the spammers use to circumvent the anti-spam solutions out there.

[WillieCee]

Ok whats the point in sending to a dead address other then to just piss me off with all the bounce messages which I might add have manages to junk mail themselves now... (I made some type of MX recorded at the advise of V-tech support that tells the reciever that I did not send the message but this has not had any effect as of yet in curving the problem.
SPAM Following Wall Street now right down the chitter