
Which of my customers is abusing my relay?


jmann


Hi folks.

I'm the admin for the mail server on 194.117.129.35. This server is currently listed on bl.spamcop.net.

We are an ISP, and the server in question is an outgoing mail relay for the use of our business customers. It is restricted to relaying for the IP ranges that we assign to those customers only. We DO have a no-spam policy.

Unfortunately, from time to time, we get a customer who is either deliberately sending spam through the relay in defiance of our policy, or unknowingly has an insecure mail server themselves, and has it set to use our relay as a smart host.

In such cases, our standard course of action is to immediately block the offending customer from using the relay and then contact them to inform them of what is happening. Only after they have told us that they have secured their mail server do we lift the block on the relay server.

I would like to do that in this case, but I don't have enough information to proceed. To identify the customer, I need to see all the Received: headers of the spam message so that I can identify the IP address that sent the mail to our relay.

However, the listing on spamcop only shows a small portion of the headers of the offending mail, with much of the information masked out.

I'm stuck now. I'm unable to identify the abuser of our relay, and thus I'm unable to stop them. I DO want to act responsibly here and prevent this spam from being sent.

Can anyone suggest what I should do?

Thanks.

Jason Mann

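The Received: chain walk described in the post above, as an added example that is not code from this thread or from SpamCop: given the full headers, find the hop that our own relay stamped and map the upstream IP to the customer range it belongs to. The relay address is the one from the post; the customer ranges, hostnames and sample message are constructed placeholders.

```python
import ipaddress
import re

# Relay address from the thread; customer ranges and the sample message are
# constructed for this example (RFC 5737 test networks, placeholder hostnames).
RELAY_IP = "194.117.129.35"
CUSTOMER_RANGES = {
    "customer-a": ipaddress.ip_network("203.0.113.0/24"),
    "customer-b": ipaddress.ip_network("198.51.100.0/24"),
}
# Newest hop first: spamtrap MX <- our relay <- customer box <- outside host.
SAMPLE_HEADERS = (
    "Received: from relay.isp.example (relay.isp.example [194.117.129.35])\n"
    "\tby mx.spamtrap.example with ESMTP id A1; Mon, 1 Jan 2007 12:00:02 +0000\n"
    "Received: from STJOHNS.CUSTOMER.EXAMPLE (unknown [203.0.113.45])\n"
    "\tby relay.isp.example with SMTP id B2; Mon, 1 Jan 2007 12:00:01 +0000\n"
    "Received: from outside.example ([192.0.2.77])\n"
    "\tby STJOHNS.CUSTOMER.EXAMPLE with SMTP; Mon, 1 Jan 2007 12:00:00 +0000\n"
)
_RECV = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\([^)]*\))?\s*by\s+", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Unfold the headers and parse every Received: line, newest first."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # folded continuation line
        else:
            lines.append(line)
    hops = []
    for h in lines:
        if h.lower().startswith("received:"):
            m, ip = _RECV.search(h), _IP.search(h)
            hops.append({"helo": m.group("helo") if m else None,
                         "ip": ip.group(1) if ip else None})
    return hops

def find_abuser(raw, relay_ip=RELAY_IP, ranges=CUSTOMER_RANGES):
    """Return HELO, IP and customer from the hop our own relay stamped; only that
    line is trustworthy, older hops come from the customer's box or the spammer."""
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        if hop["ip"] == relay_ip and i + 1 < len(hops):
            ours, owner = hops[i + 1], None
            if ours["ip"]:
                addr = ipaddress.ip_address(ours["ip"])
                owner = next((n for n, net in ranges.items() if addr in net), None)
            return {"helo": ours["helo"], "ip": ours["ip"], "customer": owner}
    return None  # our relay does not appear in the chain
```

The HELO string and IP in the returned record are what to search the relay's queue and logs for; the hops below the relay's own line only show where the customer's server accepted the mail from.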

Since most of us here are spamcop users and not administrators, we are not allowed to see any more evidence than you are. Your best resource will be to email deputies<at>spamcop.net and try to get more information.

Be forewarned, however, that your listing includes a reference to mail received at spamtraps, addresses set up to catch unauthorized email. The deputies are very protective of any information sent to the spamtraps in order to protect them.

http://www.spamcop.net/w3m?action=checkblo...=194.117.129.35

Good luck.


Hi folks.

I'm the admin for the mail server on 194.117.129.35. This server is currently listed on bl.spamcop.net.

<snip>

I would like to do that in this case, but I don't have enough information to proceed. To identify the customer, I need to see all the Received: headers of the spam message so that I can identify the IP address that sent the mail to our relay.

However, the listing on spamcop only shows a small portion of the headers of the offending mail, with much of the information masked out.

I'm stuck now. I'm unable to identify the abuser of our relay, and thus I'm unable to stop them. I DO want to act responsibly here and prevent this spam from being sent.

Can anyone suggest what I should do?

Thanks.

Jason Mann

HELO STJOHNS.NEILSONS.CO.UK

The latest trap hit is less than an hour ago.


I've just searched through the queue for more mails with the string "NEILSONS" in it, and found quite a few.

I have now blocked the sending IP address and will delete any already-queued mails.

Hopefully the spam will stop and we can be unlisted in 48 hours.

Thanks for your help.

Jason


I'll say this much:

The customer in question was one of those who had an insecure mail server without realising it. The spam originated from a 3rd party outside their network.

The customer was notified and they have corrected the configuration of their mail server.

I have just now carried out an open-relay check on their server, and it seems to be ok, so we have already unblocked them from using our relay.

I shall be keeping a close eye on them though, and they will be blocked instantly if I see any more spam.


The customer in question was one of those who had an insecure mail server without realising it. The spam originated from a 3rd party outside their network.

The customer was notified and they have corrected the configuration of their mail server.

I have just now carried out an open-relay check on their server, and it seems to be ok, so we have already unblocked them from using our relay.

I shall be keeping a close eye on them though, and they will be blocked instantly if I see any more spam.

If they were running Exchange you might also want to check role accounts (admin, guest, webmaster, postmaster, etc.) for weak passwords.
