does anyone work for an ISP and handle SPAM mail?

Discussion in 'OT Technology' started by IAMwhitey, Nov 3, 2004.

  1. IAMwhitey

    I was wondering if anyone here works for an ISP and in particular knows how they handle all the requests for halting SPAM mail.

    We are looking for systems that automate the process, so we can tell the real requests from the fake requests. Currently we get tons of mail to our spam or postmaster accounts. We want to get rid of this and sort the good from the bad.

    Am I making sense? Any help would be great.
     
  2. P07r0457

    I unfortunately have to deal with this where I work :(

    It's a multi-tier process. Start with a good blacklist. Then add on some active scanning -- we use ClamAV and SpamAssassin. Really CPU/memory/disk intensive process!
     
  3. RaginBajin

    You guys should check out projecthoneypot.com. It's a pretty cool little process that will eventually help in identifying spammers.
     
  4. IAMwhitey

    Well, we have blacklists and whitelists in place, that's taken care of. Then we use SpamAssassin, SpamCop, SpamWatch, I dunno, there are a ton of services that report to us when they see someone on our network spamming. But then those services send e-mail to us about the issue. What I am trying to do is sort out all the messages we get saying we are spamming other people.
     
  5. P07r0457

    Set the "catch-all" to go somewhere that doesn't exist... that'll get rid of all the "false" spam messages.

    The problem is that spammers are taking advantage of the way mail works... A receiving mail server will send a "bounce" message back to the address that *claims* to have sent it in the headers. Now, the message may never have actually gone through the claimed server, but that's where the bounce goes. A spammer has full control of these headers, so they put in your domain name (usually prefaced by gibberish, such as al235sldgj@) and you have to deal with the bounce.

    Removing the catch-all account means that all non-matching addresses (such as al235sldgj@) don't come to you unless you explicitly set up that address.

    This is a huge problem with the way mail servers work today -- we should never have thought that relying on a person's honesty regarding their identity would be sufficient!
     
  6. IAMwhitey

    I just don't think I am making myself clear. These e-mails are e-mails that I want. We have a security box set up that receives these e-mails.

    Here is an example of one:

    myNetWatchman Incident [88959125] Src:(206.183.1.) Targets:1
    FYI,

    Based on multiple reports from myNetWatchman users, we believe that the following host is compromised or infected:

    Source IP: 206.183.1.
    Time Zone: UTC

    Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
    EventRecord: 2 Nov 2004 11:24:20, 216.83.x.x, 6, 80, Possible Nachi/CodeRed/Nimda, 4374, 1
    EventRecord: 2 Nov 2004 10:03:02, 216.83.x.x, 6, 80, Possible Nachi/CodeRed/Nimda, 2699, 1
    EventRecord: 2 Nov 2004 07:24:37, 216.83.x.x, 6, 80, Possible Nachi/CodeRed/Nimda, 3381, 1
    EventRecord: 2 Nov 2004 02:55:06, 216.83.x.x, 6, 80, Possible Nachi/CodeRed/Nimda, 3977, 1
    EventRecord: 1 Nov 2004 23:12:40, 216.83.x.x, 6, 80, Possible Nachi/CodeRed/Nimda, 2042, 1
    EventRecord: 1 Nov 2004 10:29:37, 216.83.x.x, 6, 80, Possible Nachi/CodeRed/Nimda, 3379, 1
    EventRecord: 1 Nov 2004 05:01:36, 216.83.x.x, 6, 80, Possible Nachi/CodeRed/Nimda, 1850, 1
    Click here to get further details regarding this incident:
    http://www.mynetwatchman.com/LID.as...w.mynetwatchman.com/kb/security/disinfect.htm
    If you have any questions, feel free to contact me.

    IMPORTANT: All replies to this e-mail are automatically posted to a PUBLICLY viewable incident status.

    If possible, please use the following URL to update incident status:


    This allows us to efficiently communicate incident status to all interested parties and minimizes the number of complaints you receive directly.

    Please send PRIVATE communications to: [email protected]

    Regards,

    Lawrence Baldwin
    Chief Forensics Officer
    http://www.myNetWatchman.com
    The Internet Neighborhood Watch
    Atlanta, Georgia USA

    So this is a legitimate e-mail that we get from the service myNetWatchman. Well, we have a few other systems that send us mail to this security inbox. We have rules through Exchange set up already; it works but is not completely effective.

    Well, I am looking for some software that takes all this incoming mail, sorts it out, reads headers, prioritizes the mail and can even disregard things if that filter is set up.

    Hopefully this will help; it's hard explaining it, I guess.
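As an added example (not code from anyone in the thread), here is a small Python triage routine for the kind of security inbox described above: it recognises the myNetWatchman report format quoted in the post, pulls out the incident id, source IP and EventRecord rows for prioritising, and discards the null-sender bounces P07r0457 describes as backscatter. The regexes, priority rules and sample messages are my own assumptions, not anything the thread or myNetWatchman specifies.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string

SUBJECT_RE = re.compile(r"myNetWatchman Incident \[(\d+)\] Src:\(([\d.]+)\) Targets:(\d+)")
EVENT_RE = re.compile(r"^EventRecord:\s*(.+)$", re.M)
BOUNCE_RE = re.compile(r"undeliverable|delivery (status|failure)|returned mail", re.I)

@dataclass
class Triage:
    kind: str                 # "abuse-report", "backscatter" or "unknown"
    priority: str             # "high", "medium" or "discard"
    incident_id: str = ""
    source_ip: str = ""
    events: list = field(default_factory=list)

def parse_events(body: str) -> list:
    """Split each EventRecord line into its seven comma-separated columns
    (date/time, destination IP, protocol, target port, issue, source port, count)."""
    return [[c.strip() for c in line.split(",")] for line in EVENT_RE.findall(body)]

def triage(raw: str) -> Triage:
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    # A bounce carries a null reverse path (Return-Path: <>). Once the catch-all is off,
    # bounces for addresses we never issued are backscatter and can be dropped unread.
    if msg.get("Return-Path", "").strip() == "<>" or BOUNCE_RE.search(subject):
        return Triage("backscatter", "discard")
    m = SUBJECT_RE.search(subject)
    if not m:
        return Triage("unknown", "medium")  # not a known report format; a human reads it
    events = parse_events(body)
    # A worm-scanning signature or a burst of events puts the host at the top of the queue.
    worm_hit = any("Nachi/CodeRed/Nimda" in e[4] for e in events if len(e) == 7)
    priority = "high" if worm_hit or len(events) >= 5 else "medium"
    return Triage("abuse-report", priority, m.group(1), m.group(2), events)

# Constructed samples modelled on the report quoted above; addresses are RFC 5737 placeholders.
SAMPLE_REPORT = """\
Return-Path: <reports@example.net>
Subject: myNetWatchman Incident [88959125] Src:(203.0.113.7) Targets:1

Source IP: 203.0.113.7
Time Zone: UTC
EventRecord: 2 Nov 2004 11:24:20, 198.51.100.4, 6, 80, Possible Nachi/CodeRed/Nimda, 4374, 1
EventRecord: 2 Nov 2004 10:03:02, 198.51.100.4, 6, 80, Possible Nachi/CodeRed/Nimda, 2699, 1
"""
SAMPLE_BOUNCE = "Return-Path: <>\nSubject: Undeliverable mail\n\nUnknown user: al235sldgj@example.com\n"
```

Feeding `triage()` the messages from the inbox gives a kind and priority per message, which is enough to file the report rows into a ticket, route the unknowns to a person, and bin the backscatter.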
     
