
Okay, spamming the server to death...

lala_rawraw Donating Member (1000+ posts) Fri Jun-24-05 01:51 AM
Original message
Okay, spamming the server to death...
Hey you guys, I need some help. Some sort of spam bot or whatever is hitting us hard enough to take down our servers twice in a 24-hour period and flooding our emails with spam... out of nowhere almost and all at once.

Here is the header of one of the spam mails:
Received: from <69.149.150.54> (helo=127.0.0.1)
by mx.perfora.net with ESMTP (Nemesis),
id 0MKv6A-1Dlhk73ZQM-0005ui for editor@rawstory.com; Fri, 24 Jun 2005 02:32:47 -0400
SUBJECT: Read this
FROM: mahorna@teleline.es
TO: editor@rawstory.com
DATE: <[ Fri, 24 Jun 2005 1:32:08 AM >]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------bound--"
Message-ID: <0MKv6A-1Dlhk73ZQM-0005ui@mx.perfora.net>

lala_rawraw Donating Member (1000+ posts) Fri Jun-24-05 01:53 AM
Response to Original message
1. interesting...

lala_rawraw Donating Member (1000+ posts) Fri Jun-24-05 01:55 AM
Response to Reply #1
2. Another one, looks like KSU maybe?
Return-Path: <mwagner@ksu.edu>
Delivery-Date: Fri, 24 Jun 2005 02:39:07 -0400
Received: from <69.149.150.54> (helo=127.0.0.1)
by mx.perfora.net with ESMTP (Nemesis),
id 0MKv6A-1DlhqA0DE2-0006Vk for editor@rawstory.com; Fri, 24 Jun 2005 02:39:02 -0400
SUBJECT: toxic
FROM: mwagner@ksu.edu
TO: editor@rawstory.com
DATE: <[ Fri, 24 Jun 2005 1:38:25 AM >]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------bound--"
Message-ID: <0MKv6A-1DlhqA0DE2-0006Vk@mx.perfora.net>
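
An added example, not part of any poster's message: a short Python triage of the two headers posted above. It parses the `from <ip> (helo=...)` clause as the receiving server wrote it, flags a HELO that claims loopback while the connection came from a remote address, and groups messages by connecting IP, which is the address to block or report. Function names and finding labels are illustrative assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# (first clause of the Received line, FROM address) copied from the two headers above.
SAMPLES = [
    ("from <69.149.150.54> (helo=127.0.0.1) by mx.perfora.net with ESMTP (Nemesis),", "mahorna@teleline.es"),
    ("from <69.149.150.54> (helo=127.0.0.1) by mx.perfora.net with ESMTP (Nemesis),", "mwagner@ksu.edu"),
]
RECEIVED_RE = re.compile(r"from\s+<(?P<peer>[^>\s]+)>\s+\(helo=(?P<helo>[^)\s]+)\)")


def parse_received(line):
    """Return (peer_ip, helo) from a 'from <peer> (helo=name)' clause, or None."""
    m = RECEIVED_RE.search(line)
    try:
        return (ipaddress.ip_address(m["peer"]), m["helo"]) if m else None
    except ValueError:
        return None


def helo_findings(peer, helo):
    """Compare the announced HELO name with the address the client connected from."""
    try:
        helo_ip = ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return [] if "." in helo else ["helo-not-fqdn"]
    if helo_ip.is_loopback and not peer.is_loopback:
        return ["helo-loopback-from-remote-peer"]
    return [] if helo_ip == peer else ["helo-ip-differs-from-peer"]


def summarize(samples):
    """Group messages by connecting IP: count, HELO findings, distinct sender domains."""
    report = defaultdict(lambda: {"count": 0, "findings": set(), "from_domains": set()})
    for received, sender in samples:
        parsed = parse_received(received)
        if parsed is None:
            continue
        peer, helo = parsed
        entry = report[str(peer)]
        entry["count"] += 1
        entry["findings"].update(helo_findings(peer, helo))
        entry["from_domains"].add(sender.rsplit("@", 1)[-1].lower())
    return dict(report)


if __name__ == "__main__":
    print(summarize(SAMPLES))
```

On the two posted headers this reports a single connecting address, a loopback HELO from a remote peer, and two unrelated sender domains, so the FROM addresses say nothing reliable about where the mail came from.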
 
REP Donating Member (1000+ posts) Fri Jun-24-05 02:49 AM
Response to Reply #2
3. Whois result
Whois has started ...

SBC Internet Services - Southwest SBCIS-SBIS-6BLK (NET-69-148-0-0-1)
69.148.0.0 - 69.155.255.255
KANSAS STATE UNIVERS-041029014249 SBC06914915004829041029014439 (NET-69-149-150-48-1)
69.149.150.48 - 69.149.150.55
Lookup has started ...


; <<>> DiG 9.2.2 <<>> 69.149.150.54 any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29351
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;69.149.150.54. IN ANY

;; AUTHORITY SECTION:
. 10661 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2005062301 1800 900 604800 86400

;; Query time: 137 msec
;; SERVER: 209.244.0.3#53(209.244.0.3)
;; WHEN: Fri Jun 24 00:49:56 2005
;; MSG SIZE rcvd: 106



Tux Donating Member (1000+ posts) Fri Jun-24-05 04:21 AM
Response to Original message
4. Do the following
If running Windows, run anti-spyware/virus. If no go, get an anti-spam app and block that email.

If Linux, do Windows tip #2.

If it still happens, contact the ISP and let them know they are flooding your server.

jayfish Donating Member (1000+ posts) Tue Jul-05-05 01:24 AM
Response to Original message
5. Do You Have A Firewall?
If so the first thing to do is block the suspect IP address, from all traffic, at that firewall. If it is the spam that you are most concerned about you will have fought a losing battle though. Another open relay will take its place and the spam will flow freely again. I recommend a good spam filter. I have had great success with a little program called "open relay filter" by VAMSoft.

http://www.vamsoft.com/orf/

It sits between your IP stack and your SMTP or exchange server so the email is never processed by your mail server. It's very good software.

Jay

FormerDittoHead Donating Member (1000+ posts) Thu Jul-07-05 06:00 PM
Response to Original message
6. More info would be useful.
what kind of servers, etc.

On my "no-name" domain, I've turned off my catch-all account and now return all non-known user mail without having to download the whole msg.

The point is that on only one of my private domains, this week alone I've turned away over *7,000* emails from some "dictionary" spammer...

This is getting ugly, and the government is too busy tracking down teens trading Metallica MP3's and mediocre movies to track down phishing scams, identity theft hackers and this crap.

The attacks are coming from what must be "Zombie" computers, as they are coordinated at times yet come from different ISP's from around the country.

IF you're using sendmail (another poster seems to think you're running Microsoft) I'd installed the realtime blacklist utilities, but I really can't get into it unless I were to know more of what you're running there.

jayfish Donating Member (1000+ posts) Mon Jul-11-05 02:06 PM
Response to Reply #6
7. Agreed.
Either way a blacklist(s) is a must.

Jay