jmann

Which of my customers is abusing my relay?


Hi folks.

I'm the admin for the mail server on 194.117.129.35. This server is currently listed on bl.spamcop.net.

We are an ISP, and the server in question is an outgoing mail relay for the use of our business customers. It is restricted to relaying for the IP ranges that we assign to those customers only. We DO have a no-spam policy.

Unfortunately, from time to time, we get a customer who is either deliberately sending spam through the relay in defiance of our policy, or unknowingly has an insecure mail server themselves, and has it set to use our relay as a smart host.

In such cases, our standard course of action is to immediately block the offending customer from using the relay and then contact them to inform them of what is happening. Only after they have told us that they have secured their mail server do we lift the block on the relay server.

I would like to do that in this case, but I don't have enough information to proceed. To identify the customer, I need to see all the Received: headers of the spam message so that I can identify the IP address that sent the mail to our relay.

However, the listing on spamcop only shows a small portion of the headers of the offending mail, with much of the information masked out.

I'm stuck now. I'm unable to identify the abuser of our relay, and thus I'm unable to stop them. I DO want to act responsibly here and prevent this spam from being sent.

Can anyone suggest what I should do?

Thanks.

Jason Mann


Since most of us here are spamcop users and not administrators, we are not allowed to see any more evidence than you are. Your best resource will be to email deputies<at>spamcop.net and try to get more information.

Be forewarned, however, that your listing includes a reference to mail received at spamtraps, addresses set up to catch unauthorized email. The deputies are very protective of any information sent to the spamtraps in order to protect them.

http://www.spamcop.net/w3m?action=checkblo...=194.117.129.35

Good luck.

> Hi folks.
>
> I'm the admin for the mail server on 194.117.129.35. This server is currently listed on bl.spamcop.net.
>
> <snip>
>
> I would like to do that in this case, but I don't have enough information to proceed. To identify the customer, I need to see all the Received: headers of the spam message so that I can identify the IP address that sent the mail to our relay.
>
> However, the listing on spamcop only shows a small portion of the headers of the offending mail, with much of the information masked out.
>
> I'm stuck now. I'm unable to identify the abuser of our relay, and thus I'm unable to stop them. I DO want to act responsibly here and prevent this spam from being sent.
>
> Can anyone suggest what I should do?
>
> Thanks.
>
> Jason Mann

HELO STJOHNS.NEILSONS.CO.UK

The latest trap hit is less than an hour ago.


Thank you all for your replies.

I'm using qmail, and subject lines are not included in the logs.

STJOHNS.NEILSONS.CO.UK doesn't resolve to anything.

Still stuck. :(


I've just searched through the queue for more mails with the string "NEILSONS" in it, and found quite a few.

I have now blocked the sending IP address and will delete any already-queued mails.

Hopefully the spam will stop and we can be unlisted in 48 hours.

Thanks for your help.

Jason
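The two steps Jason describes, reading the Received: chain to find the IP that handed a message to the relay and then searching the queue for every message with the same HELO string, can be automated. The following is an added example, not code from the thread, from SpamCop or from qmail. It assumes the queue can be read as a list of raw messages (real qmail queue files are split across directories; the loader is left to the reader), and the three sample messages, the 192.0.2.x/203.0.113.x addresses and the customer names are constructed; only the relay address 194.117.129.35 and the HELO name STJOHNS.NEILSONS.CO.UK come from the thread. It also goes slightly beyond the thread by parsing both the qmail `(HELO name) (ip)` form and the common `name (rdns [ip])` / `helo=` forms.

```python
import email
import re
from collections import Counter

# The relay from the thread; every Received line it writes says "by 194.117.129.35".
OUR_RELAY = "194.117.129.35"

# Constructed sample of three messages as they might sit in the relay's queue.
# IPs are documentation-range placeholders; the HELO string is the one quoted in the thread.
SAMPLE_QUEUE = [
    # Two messages injected by a customer server that was itself relaying for an outside host.
    "Received: from unknown (HELO STJOHNS.NEILSONS.CO.UK) (192.0.2.10)\n"
    "  by 194.117.129.35 with SMTP; 12 Mar 2004 09:14:02 -0000\n"
    "Received: from [203.0.113.5] (helo=promo.example.net)\n"
    "  by STJOHNS.NEILSONS.CO.UK with esmtp id 1B1abc; Fri, 12 Mar 2004 09:13:55 +0000\n"
    "From: offers@promo.example.net\nTo: trap@spamtrap.example\nSubject: limited offer\n\n"
    "constructed body\n",
    "Received: from unknown (HELO STJOHNS.NEILSONS.CO.UK) (192.0.2.10)\n"
    "  by 194.117.129.35 with SMTP; 12 Mar 2004 09:16:48 -0000\n"
    "Received: from [203.0.113.5] (helo=promo.example.net)\n"
    "  by STJOHNS.NEILSONS.CO.UK with esmtp id 1B1abd; Fri, 12 Mar 2004 09:16:40 +0000\n"
    "From: offers@promo.example.net\nTo: someone@example.org\nSubject: limited offer\n\n"
    "constructed body\n",
    # Ordinary customer mail that must not be blocked.
    "Received: from unknown (HELO mail.customer-b.example) (192.0.2.25)\n"
    "  by 194.117.129.35 with SMTP; 12 Mar 2004 09:20:41 -0000\n"
    "Received: from workstation7.customer-b.example (192.0.2.30)\n"
    "  by mail.customer-b.example with ESMTP; Fri, 12 Mar 2004 09:20:30 +0000\n"
    "From: alice@customer-b.example\nTo: bob@example.org\nSubject: invoice\n\n"
    "constructed body\n",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_hop(value):
    """Pull the fields of interest out of one Received: header value.

    Handles the qmail form 'from <rdns> (HELO <name>) (<ip>) by <host>' and the
    common 'from <name> (<rdns> [<ip>])' and '(helo=<name>)' forms.
    """
    text = " ".join(value.split())  # unfold continuation lines
    frm = re.match(r"from\s+(\S+)", text, re.I)
    helo = re.search(r"\(HELO\s+([^)\s]+)\)|\bhelo=([^);\s]+)", text, re.I)
    ip = re.search(r"[\[(](" + IPV4 + r")[\])]", text)  # first bracketed IPv4 literal
    by = re.search(r"\bby\s+([^\s;]+)", text, re.I)
    name = frm.group(1) if frm else None
    return {
        "from": name,
        # Fall back to the 'from' token when the header carries no explicit HELO.
        "helo": (helo.group(1) or helo.group(2)) if helo else name,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def received_chain(raw_message):
    """Hops in header order: index 0 is the line our relay wrote, the last is the earliest hop."""
    msg = email.message_from_string(raw_message)
    return [parse_hop(v) for v in msg.get_all("Received", [])]


def upstream_hop(raw_message, relay=OUR_RELAY):
    """The hop that handed the message to our relay, i.e. the customer server to block.

    Only the line written by our own relay is trusted: everything below it was
    written by other hosts and can be forged by a spammer.
    """
    for hop in received_chain(raw_message):
        if hop["by"] and hop["by"].lower() == relay.lower():
            return hop
    return None


def tally_senders(queue, relay=OUR_RELAY):
    """Count queued messages per (source IP, HELO) as seen by our relay."""
    counts = Counter()
    for raw in queue:
        hop = upstream_hop(raw, relay)
        if hop:
            counts[(hop["ip"], hop["helo"])] += 1
    return counts


def search_queue(queue, needle):
    """Indices of queued messages containing needle anywhere (the 'NEILSONS' search from the thread)."""
    needle = needle.lower()
    return [i for i, raw in enumerate(queue) if needle in raw.lower()]


if __name__ == "__main__":
    for (ip, helo), n in tally_senders(SAMPLE_QUEUE).most_common():
        print(f"{n:3d} message(s) from {ip} (HELO {helo})")
    for i in search_queue(SAMPLE_QUEUE, "NEILSONS"):
        chain = received_chain(SAMPLE_QUEUE[i])
        print(f"queue item {i}: entered the customer's server from {chain[-1]['ip']}")
```

The tally is what decides which customer IP to block; the earliest hop in the chain is only useful afterwards, when telling the customer where the mail entered their server, because that part of the chain was written by machines outside your control.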


No problem, I just wanted to know so I could add to my personal BL. But sooner or later all the spammers get into it :-)


I'll say this much:

The customer in question was one of those who had an insecure mail server without realising it. The spam originated from a 3rd party outside their network.

The customer was notified and they have corrected the configuration of their mail server.

I have just now carried out an open-relay check on their server, and it seems to be ok, so we have already unblocked them from using our relay.

I shall be keeping a close eye on them though, and they will be blocked instantly if I see any more spam.
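The open-relay check Jason ran against the customer's server before unblocking them is, in SMTP terms, a conversation that offers a sender and a recipient that are both outside the server's own domains and looks at the reply to RCPT TO. The following is an added example, not code from the thread or from any relay-testing service; the mock server, its domain list and the probe addresses are constructed so that it runs offline against a closed and an open variant of the same server.

```python
import smtplib
import socketserver
import threading

# Domains the mock server is responsible for (constructed).
LOCAL_DOMAINS = {"customer.example"}


class MockSMTPHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer a relay probe. With open_relay=False, RCPT is
    accepted only for LOCAL_DOMAINS, which is what a correctly configured server does."""
    open_relay = False

    def reply(self, line):
        self.wfile.write(line.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 mock.customer.example ESMTP (constructed test server)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mock.customer.example")
            elif verb in ("MAIL", "RSET", "NOOP"):
                self.reply("250 OK")
            elif verb == "RCPT":
                domain = cmd.rsplit("@", 1)[-1].rstrip(">").lower()
                if self.open_relay or domain in LOCAL_DOMAINS:
                    self.reply("250 OK")
                else:
                    self.reply("550 5.7.1 relaying denied")
            elif verb == "QUIT":
                self.reply("221 bye")
                return
            else:
                self.reply("502 command not implemented")


def start_mock(open_relay):
    """Start a mock server on an ephemeral localhost port; returns the server object."""
    handler = type("Handler", (MockSMTPHandler,), {"open_relay": open_relay})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def relay_check(host, port, timeout=10):
    """Return True if host:port accepts a recipient it is not responsible for.

    Sender and recipient are both outside the server's domains and the probe
    stops after RCPT TO, so no message is ever submitted. A 250 at RCPT is a
    strong indication of an open relay; some servers only reject at DATA, so a
    manual follow-up of a negative result is still worthwhile.
    """
    with smtplib.SMTP(host, port, local_hostname="probe.localhost", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail("probe@external-sender.example")
        if code != 250:
            raise RuntimeError(f"MAIL FROM rejected with {code}")
        code, _ = smtp.rcpt("probe@external-recipient.example")
        smtp.rset()  # abandon the transaction cleanly before QUIT
        return code == 250


def run_self_test():
    """Probe a closed and an open mock; returns (closed_result, open_result)."""
    results = []
    for open_relay in (False, True):
        server = start_mock(open_relay)
        try:
            results.append(relay_check(*server.server_address))
        finally:
            server.shutdown()
            server.server_close()
    return tuple(results)


if __name__ == "__main__":
    closed, opened = run_self_test()
    print("closed mock relays for outsiders:", closed)  # False
    print("open mock relays for outsiders:", opened)    # True
```

Against the customer's real server you would call `relay_check` with their hostname and port 25 and expect `False`; repeating the check from an address outside your own customer ranges matters, because a server that relays for "trusted" networks only will look closed from inside them.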

> The customer in question was one of those who had an insecure mail server without realising it. The spam originated from a 3rd party outside their network.
>
> The customer was notified and they have corrected the configuration of their mail server.
>
> I have just now carried out an open-relay check on their server, and it seems to be ok, so we have already unblocked them from using our relay.
>
> I shall be keeping a close eye on them though, and they will be blocked instantly if I see any more spam.

If they were running Exchange, you might also want to check role accounts (admin, guest, webmaster, postmaster, etc.) for weak passwords.

