[wplug] Since we're talking iptables...

James O'Kane jo2y at midnightlinux.com
Wed Mar 3 23:01:50 EST 2004


On Wed, 3 Mar 2004, Brandon Kuczenski wrote:
> Also, does this indicate some kind of relaying hole in my configuration?

I don't believe that to be the case. I'm doing secondary mx for wplug.org
among other domains, and what sometimes happens is the spammer tries the
primary, it fails, so they try the secondary.

In the simplest/easiest configuration, the secondary doesn't have
knowledge of legitimate accounts on the primary, so it accepts the mail
from the spammer, closes that connection, and opens one to the primary to
deliver the message.

Now, the primary still says the message is for a bogus account, so the
secondary tries to open a connection to the sender. Since more often than
not, that is a bogus address, the secondary is stuck with a bounce message
that it can't deliver.

After a few days, it expires and notification of that goes to root.

There are different tarpits and automatic blockers for various spammers
that work at the IP level. If you're a member of Usenix (www.usenix.org) I
could point you to some conference papers on the subject.

-james
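An added illustration, not part of James's post, that simulates the exchange he describes: a secondary MX with no knowledge of the primary's accounts accepts for any recipient, relays to the primary, and is left holding a bounce it cannot deliver when the sender address is forged. The contrast case, where the secondary does know the primary's valid recipients and rejects at RCPT time, is the configuration his "simplest/easiest" remark implies. All addresses, domains and function names here are constructed.

```python
"""Simulated secondary-MX backscatter: who answers what, and where the bounce ends up."""

# Constructed sample data: the only mailbox the primary knows, and the only
# sender domain that actually accepts mail (so bounces to it are deliverable).
PRIMARY_USERS = {"brandon@example.org"}
REACHABLE_SENDER_DOMAINS = {"example.net"}


def primary_rcpt(rcpt):
    """What the primary MX says in reply to RCPT TO:<rcpt>."""
    if rcpt in PRIMARY_USERS:
        return "250 OK"
    return "550 5.1.1 User unknown"


def bounce_deliverable(sender):
    """Can the secondary reach the envelope sender to hand it a bounce?"""
    return sender.split("@", 1)[-1] in REACHABLE_SENDER_DOMAINS


def secondary_handle(sender, rcpt, validate_recipients=False):
    """Run one message through the secondary; return (outcome, transcript).

    validate_recipients=False is the simple configuration from the post:
    accept first, discover the bad recipient only when relaying to the primary.
    validate_recipients=True asks the primary at RCPT time and refuses the
    message while the spammer's connection is still open, so no bounce exists.
    """
    log = []
    if validate_recipients and primary_rcpt(rcpt).startswith("550"):
        log.append(f"secondary -> sender: 550 no such recipient {rcpt}")
        return "rejected_at_rcpt", log

    log.append(f"secondary -> sender: 250 queued for {rcpt}")   # connection to spammer closes here
    reply = primary_rcpt(rcpt)
    log.append(f"primary -> secondary: {reply}")
    if reply.startswith("250"):
        return "delivered", log

    # Primary refused; the secondary now owns a bounce addressed to the envelope sender.
    if bounce_deliverable(sender):
        log.append(f"secondary -> {sender}: bounce delivered")
        return "bounced_to_sender", log
    log.append(f"secondary: bounce to {sender} undeliverable; queued, expires, notice to root")
    return "bounce_stuck", log


if __name__ == "__main__":
    for line in secondary_handle("spam@bogus.invalid", "nobody@example.org")[1]:
        print(line)
```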
