
spam SW, EMS/RFMS


Some time ago a new "player" seems to have entered the spam program
market; it is usually referred to as

    "Express Mail Server" (EMS)
    "Rapid Fire Mail Server" (RFMS)

Example:

    >Return-Path: <>
    >Received: from 166.55.38.53
    >   (usr13-dialup53.mix1.WillowSprings.mci.net [166.55.38.53])
    >   by chalmers.se (8.8.8/8.8.8) with SMTP id KAA15532
    >   for FOO@localhost;
    >   Fri, 6 Mar 1998 10:12:52 +0100 (MET)
    >Date: Fri, 6 Mar 1998 10:12:52 +0100 (MET)
    >Message-Id: <199803060912.KAA15532@localhost
    >From: 
    >To:
    >Subject: Now you can easily have a mail server in your home.

    MX(arch.chalmers.se) = idefix.arch.chalmers.se/0, chalmers.se/100

EMS/RFMS seems to have two "interesting" features:

    1)	"MAIL From: <>"; i.e. there is no real From that can take
	legal action due to fraud etc. Smart.
    
    2)	It makes use of MX hosts that have higher cost than the best
	one. At first this could seem like it just legitimately uses
	MX-records, but the increase in traffic and bounces through
	the host we run, chalmers.se; secondary MX for *.chalmers.se,
	tells us this is not by chance, this is made by will.

	In fact it's a clever way to prevent IP.src filtering at the
	destination hosts - if they refuse chalmers.se [129.16.1.1]
	then our entire MX-record system breaks down. Smart.

In an attempt to "increase the heat" I've gone through our syslog
files and have identified a number of hosts/subdomains/networks
which seem to be populated with spam users that make use of this
EMS/RFMS mailer.

So, starting a few hours ago, host chalmers.se refuses Mail Relaying
from those hosts/subdomains/networks into *.chalmers.se, regardless
of what the MX-records say. Return code is "451 Relaying Denied",
so a correct RFC974 implementation will have no problem once the final
recipient host comes up - and I couldn't care less for spammers...

Experience so far is:

    1)	We do "catch some fish" this way; "from=<>".

    2)	I happen to have an account on one of the final recipients'
	mail host and the "fish" I logged at 1) never tried to
	contact them directly... in fact it *never* ever has...

If any of you run such a host-in-the-middle, like chalmers.se, it may
help your final recipients (leased-line customers) for some period
of time - possibly short, but anyway - if you too start refusing to
act as Mail Relay from exactly those external dialups into your net.

A hint is to look for "from=<>" together with some large dialup ISPs
in your syslog files and "451-block" the relay= subdomain/subnet.
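The hint above, turned into a small log scan as an added example (this is not code from the original post or from chalmers.se): it reads sendmail-style "from=" syslog lines, keeps only null-sender ("from=<>") deliveries that arrived from dialup-looking relays, and aggregates them per subdomain and /24 so you can see which relay= subdomains/subnets are worth a 451 block. The sample log lines are constructed for the example (only the relay "hostname [ip]" shape follows the Received: header quoted above), the DIALUP_ISP_SUFFIXES list and the "dialup"/"dial"/"ppp" hostname tokens are assumed placeholders, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample sendmail-style syslog lines (not taken from the post);
# the relay "hostname [ip]" format mirrors the Received: header quoted above.
SAMPLE_SYSLOG = """\
Mar  6 10:12:52 chalmers sendmail[15532]: KAA15532: from=<>, size=2213, nrcpts=1, proto=SMTP, relay=usr13-dialup53.mix1.WillowSprings.mci.net [166.55.38.53]
Mar  6 10:13:07 chalmers sendmail[15540]: KAA15540: from=<>, size=2213, nrcpts=1, proto=SMTP, relay=usr07-dialup22.mix1.WillowSprings.mci.net [166.55.38.22]
Mar  6 10:15:41 chalmers sendmail[15561]: KAA15561: from=<alice@example.org>, size=812, nrcpts=1, proto=ESMTP, relay=mail.example.org [192.0.2.10]
Mar  6 10:16:03 chalmers sendmail[15570]: KAA15570: from=<>, size=480, nrcpts=1, proto=ESMTP, relay=mailhub.example.edu [192.0.2.20]
Mar  6 10:18:19 chalmers sendmail[15588]: KAA15588: from=<>, size=2213, nrcpts=1, proto=SMTP, relay=ppp-114.dial.example.net [198.51.100.114]
"""

# Assumed list of large dialup ISP domains to watch; the post names none, so
# these are placeholders you would replace with what your own logs show.
DIALUP_ISP_SUFFIXES = ("mci.net", "example.net")

# Hostname tokens that usually mark a dynamic/dialup pool (assumed heuristic).
DIALUP_TOKENS = ("dialup", "dial", "ppp")

LOG_RE = re.compile(
    r"from=<(?P<sender>[^>]*)>.*?relay=(?P<host>[^\s\[]+) \[(?P<ip>\d+(?:\.\d+){3})\]"
)


def parse_syslog_line(line):
    """Return {'sender', 'host', 'ip'} for a sendmail 'from=' log line, else None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def looks_like_dialup(host, isp_suffixes=DIALUP_ISP_SUFFIXES):
    """True if the relay host is under a watched ISP or carries a dialup-style label."""
    h = host.lower()
    if any(h == s or h.endswith("." + s) for s in isp_suffixes):
        return True
    first_label = h.split(".", 1)[0]
    return any(tok in first_label for tok in DIALUP_TOKENS)


def relay_key(host, ip):
    """Aggregate one relay into (subdomain without its first label, /24 subnet)."""
    subdomain = host.split(".", 1)[1] if "." in host else host
    subnet = ".".join(ip.split(".")[:3]) + ".0/24"
    return subdomain, subnet


def null_sender_relays(lines, isp_suffixes=DIALUP_ISP_SUFFIXES):
    """Count from=<> deliveries per (subdomain, /24) coming from dialup-looking relays."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["sender"] != "":
            continue  # only null-sender ("from=<>") traffic is of interest here
        if not looks_like_dialup(rec["host"], isp_suffixes):
            continue  # genuine bounces from real mail hosts also use <>; keep them out
        counts[relay_key(rec["host"], rec["ip"])] += 1
    return counts


def block_candidates(counts, min_hits=2):
    """Relays seen at least min_hits times, busiest first, as input to a 451 relay-denial list."""
    return sorted(((k, n) for k, n in counts.items() if n >= min_hits),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = null_sender_relays(SAMPLE_SYSLOG.splitlines())
    for (subdomain, subnet), n in block_candidates(hits, min_hits=1):
        print(f"{n:3d}  {subdomain:40s} {subnet}")
```

The null-sender filter alone is not enough, since every legitimate bounce also arrives with "MAIL From: <>"; the dialup check is what separates the EMS/RFMS traffic from real bounces, and min_hits keeps a single stray connection from landing a whole ISP subdomain on the deny list. Feed the resulting subdomain/subnet pairs into whatever relay-denial mechanism your MTA has, returning 451 as the post describes so that a compliant sender retries the primary MX.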

	Gunnar Lindberg, Postmaster@localhost
