Hey all,

As I'm sure is the case with many of you who run your
own Internet-connected servers w/ Linux, I get a lot
of spam relay attempts. I have configured my postfix
to avoid the open relay problem and I have yet to see
anything in the logs which suggests that any of these
attempts have succeeded.

I get an average of 3-4 failed spam attempts each day.
The overwhelming majority come from China or Korea,
though I do sometimes see other types of failed
attacks (mod_proxy, etc) from Europe and other parts
of the world.

Sometimes I do a WHOIS on the originating IP address,
and among other information it returns an email
address along the lines of "report spam to
abuse@<hostname>.com."

My question: How often (or do you?) take the time to
report spam relay, mod_proxy, or crack attempts to the
address provided? And if you do complain, what exactly
do you send them? A snippet of your log entry? Would
there be any additional security concerns raised by
providing the offending ISP with your own hostname or
IP address?

Or do you believe that the ISP's admin is himself
responsible in many of these cases and that
complaining would therefore be futile?

Your thoughts, please.

Thanks

Is that all??? We get on average 3-4 a minute!

I use a number of blacklist to filter them and manage to cut the number down to ones that get through to about 10 a day. Pretty good evidence that blacklists work.

I used to report all spam to www.spamcop.net and KnujOn (www.knujon.com). Spamcop will report spam to the spammer's upstream ISP on your behalf and add the spammer's address to their blacklist.

However I began to suspect that the spammer's ISP was actually in collusion with the spammer as (I think) Spamcop does not hide your email addresses in the reports they forward to the upstream ISP and I got even more spam. I have temporarily stopped using Spamcop since and my spam levels appear to have dropped but I still forward spam to KnujOn.

I am in two minds about using Spamcop but if we all stopped forwarding our spam to blacklist maintainers, then we are on the way to losing the spam war.

My advice is that if you are going to report the spammer to his upstream ISP (at abuse@whatever) and expose your email address anyway, you may as well report it to Spamcop as they will do it for you and add it to their blacklist which we can all use.

I use sendmail, had the same issue for a very long time, the only way i minimized my spam was to rely on DNS, any mail that came in had to verify that it actually comes from the claimed server, and the reverse-dns also confirms, otherwise the server doesnt accept any mail from any non-confirming senders. 2, also removed accept from localhost (the name) and only used my IPs locally as the accepted IPs to relay out.

It's worth reading up on greylisting for postfix too. There's a howto on the postfix site. In short, for new IP's it tells the sender that Postfix isn't accepting mail and to retry later. Most bots don't retry.

Sounds like you are running your own private server. I do the same. The incoming spam, like yours, is little. I report spam (logs) to abuse@ at the offending isp when it originates in my home country. I block IPs (usually the isp's entire range) via iptables for chronic offenders. When a country is particularly nuisancesome (and I know none of my email users will be affected) I block the entire country range.

I block some regions and countries categorically (lacnic (latin america), afrinic (africa), China, Korea, Taiwan, Russia, etc.).

When reporting I include the Target IP, Source IP, Time Zone, Data Port, and log entries showing the infraction. My message looks like this:

An IP registered to XYZ is illegally sending spam. Please take immediate
action against your user(s) to stop this activity. We advise XYZ to
document the handling of this issue; XYZ may be subpoenaed for records
regarding this case.

Source IP: nnn.nnn.nnn.nnn
Target IP: nnn.nnn.nnn.nnn
Data Port: 25
Time Zone: My Time Zone (or GMT if applicable for your logs)

Begin Log:

<pertinent log info here>

You are correct; it is a small private server which hosts a handful of domain names/websites I registered. I am the only user. I would like, however, to put a stop to this waste of my bandwidth.

I block some regions and countries categorically (lacnic (latin america), afrinic (africa), China, Korea, Taiwan, Russia, etc.).


Yeah, I'd like to do that. I am using IPtables; do you block the countries there or in your mail server settings? How do you do it?

I'd be just fine with blocking mainland China, Taiwan, and S Korea completely. Over 90% of the spam attempts seem to originate in one of those three.


When reporting I include the Target IP, Source IP, Time Zone, Data Port, and log entries showing the infraction. My message looks like this:

<snip>

So do you report every individual piece of junk, or do you partially reply on Spamhaus et al like the others mentioned?

Thank you, by the way, to all who wrote. It looks like I've got some more research to do.