Jump to content


  • Posts

  • Joined

  • Last visited

docsmooth's Achievements


Newbie (1/6)



  1. WB / John - I strip all <scri_pt> tags from incoming email, and block emails with offsite image links (image linking can be whitelisted). This is done before the user can see the email, no matter how they access it. I've seen those tags in many places before, which is why I block those pieces outright. Outlook 2000 will render them just as well as any browser. Someone mentioned the 48 hour thing in my original post. I just want to clarify that statement: I waited 48 hours after being listed AND checking my outbound mail traffic for spam (tcpdump of past email, not queues). I'm guessing, based on (I think) Ellen's post, that I didn't go far enough back in my traffic - as far back as I went, there was no spam, because as far back as I went (1-2 days at the time), I must have already had been blacklisted. Because I didn't look far enough back in time, I didn't see any spam, and therefore originally assumed I was being BLed for NDRs (I've had a few complaints for that, and for our order confirmations). i'm still working on closing my NDR hole, but can't find much information regarding that on IIS6 yet. Not Exchange, Just IIS6 SMTP. Again, thanks all for your help - I'm continuing to monitor this thread (obviously) for anything else you say I don't want to miss.
  2. Ellen - yes, that's what I found yesterday, and stopped (domain\guest had been re-enabled by an internal admin). Tur - on my network, outbound and inbound are the same. SMTP is only allowed through (in or out) to a single system). But you're right, you wouldn't know that. WB: I only allow relay from: 1) internal subnet, 2) single external webserver, 3) SMTP AUTH (and I'm slowly pushing users to webmail, so I can turn off SMTP AUTH - the brass are a little slow to change sometimes). I validate domains to determine if the mail is "inbound" or "outbound" in my anti-spam software. Again, I have stopped the particular SMTP AUTH vector that spammer was using. yes, I'm looking to see if I have others.
  3. A few more pieces, to fill out Wazoo's curiousity: IIS6. Firewall blocks SMTP outbound from everything EXCEPT the mail server. I have a 5GB Ethereal buffer on a mirror port on my WAN switch watching SMTP (tcp port 25) only. I don't use server logs except to help get timing right - easier to grep server logs for an IP and time, than the tcpdump. My spam filter only tags things TO my internal domains, so I have to manually watch outbound, or relay, mail. Did I say I hate the lack of accountability here? And why don't I want to move to qmail? I'm still a windows guy with only 15 minutes an evening to learn a new OS, so it takes a while. :/
  4. <insert pissed off yelling at admin who re-enabled the domain guest account> <insert pissed off grumbling about lack of accountability here> The ones you posted ALL were authenticated as domain\guest THANK YOU ALL. OK, now I get to re-look into dropping NDRs without enabling directory harvest attacks. Any thoughts for IIS6, other than "move to qmail"? Postmaster[at]aivia.com
  5. According to the FAQ, one of the biggest reasons for being listed is "non-secure opt-in listservs". I DON"T RUN A LISTSERV. We have an online ordering system which sends a single order confirmation email. Please contact me privately, and I"ll send you the web addresses. As for the senderbase information? I've never seen the site before Monday (linked there by spamcop), so I can't tell you much of anything except: 1) I was an open relay from untill 4/16 due to a poorly secured account. Since then I regularly grep tcpdumps for "smtp auth" commands, and manually go through THAT information to find spammers who may be using the same attacks on me. 2) .178 is a relay server, and does not validate usernames - only domains. Probably 90% of my recieved / sent mail are NDRs. As I'm not just the mail admin, I don't have time (unfortuneately) to delete all the NDRs in the queue which are obviously bad. Last week I turned DOWN the rates at which my server tries to resend messages, to lower my traffic levels. Other than that - I have no idea what they're tracking, to be able to know what they're logging. I'm not sitting back twiddling my thumbs waiting- the first thing I do when I hear of spam reports against me, is I CHECK MY OWN SERVER QUEUES. Yes, I want this solved, not just unlisted.
  6. All I'm seeing coming out of my server is valid email, and NDRs. We send order status notifications to people who place orders on our webservers (reciept of order placed), but have no listserves. how do I get removed - I've waited the appropriate 48 hours. Postmaster[at]aivia.com [edit] IP:, if you don't want to do the work figuring it out from the email address.
  • Create New...