[Mimedefang] Faked relay?

Mike Grau mike.spam at kcc.state.ks.us
Fri Jan 2 12:03:06 EST 2004


Hello.

In filter_relay I've blocked an entire netblock
owned by Atriks, LLC - 216.204.150.0/24 and
216.204.151.0/24.

Now, however, a ton of mail is getting through because
the relay host.domain resolves to an IP that is not within
the Atriks netblock even though the domain does. They
use a jillion different domain names.

Errors-To: LM18509767-10365176-125291818486396 at hst.vanityemailserver.com
From: "Optimum Deals"<125291818486396 at 6z2h8n7px459ufze3.4mails.com>
Reply-To: "Optimum Deals"<125291818486396 at 6z2h8n7px459ufze3.emailserver14.com>

These all resolve to 216.204.150.230 or another IP within the netblock
I block, but the Received header does not:

Received: by hostdafpqkpadf01r.faxmailserver.com (hostdafpqkpadf01r.faxmailserver.com
[61.50.230.156]) with Will Mail (version 9.0) Thu, 1 Jan 2004 01:45:27 -0500

Depending on the message, the host.domain resolves to a variety
of addresses outside Atriks' netblock, yet the domain itself
(faxmailserver.com) resolves to an Atriks address (216.204.151.247
in this case).

All the mail has a sender address in a similar manner.
All headers resolve to an Atriks IP, except the
relay, which resolves to a different netblock, yet the
domain of the relay resolves to the Atriks netblock.
These don't appear to be open relays.

I've blocked many in sendmail's access.db, but they send mail
with an endless supply of domain names. SpamAssassin stops them,
but why feed something to SA if I know it's SPAM anyway?

Can someone explain to me what Atriks is doing and how?

-- Mike G
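One way to express the check Mike describes in a MIMEDefang filter, as an added example that is not part of the original post or of the MIMEDefang project: besides matching the connecting IP against the two netblocks from the post, the filter also resolves the parent domain of the relay's reverse-DNS name and rejects when any of its A records falls inside a blocked netblock. The `parent_domain` helper, the `@BLOCKED_CIDRS` list and the short DNS timeouts are assumptions made for the example; the `filter_relay` signature and its `REJECT`/`CONTINUE` return values are MIMEDefang's.

```perl
# Added example (not from the original post or the MIMEDefang project):
# a filter_relay that rejects a connection when either the relay's IP or
# an A record of the relay's parent domain lies inside a blocked netblock.
use strict;
use warnings;
use Socket qw(inet_aton);
use Net::DNS;

# The two netblocks named in the post; extend as required.
my @BLOCKED_CIDRS = ('216.204.150.0/24', '216.204.151.0/24');

# Convert a dotted-quad IPv4 address to a 32-bit integer (undef if malformed).
sub ip2int {
    my ($ip) = @_;
    my $packed = inet_aton($ip);
    return undef unless defined $packed;
    return unpack('N', $packed);
}

# True when $ip lies inside $cidr written as "a.b.c.d/n".
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $ipn  = ip2int($ip);
    my $netn = ip2int($net);
    return 0 unless defined $ipn && defined $netn;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ipn & $mask) == ($netn & $mask)) ? 1 : 0;
}

# True when $ip is inside any entry of @BLOCKED_CIDRS.
sub ip_blocked {
    my ($ip) = @_;
    for my $cidr (@BLOCKED_CIDRS) {
        return 1 if ip_in_cidr($ip, $cidr);
    }
    return 0;
}

# Reduce "hostdafpqkpadf01r.faxmailserver.com" to "faxmailserver.com".
# Assumption: a two-label registrable domain. Names under ccTLDs such as
# .co.uk need a public-suffix list (e.g. Domain::PublicSuffix) instead.
sub parent_domain {
    my ($host) = @_;
    $host =~ s/\.$//;                     # strip a trailing dot, if any
    my @labels = split /\./, $host;
    return undef if @labels < 2;
    return join('.', @labels[-2, -1]);
}

# A records of $name as a list of dotted quads (empty on failure/timeout).
sub resolve_a {
    my ($name) = @_;
    my $res = Net::DNS::Resolver->new(udp_timeout => 3, tcp_timeout => 3, retry => 1);
    my $pkt = $res->search($name, 'A') or return ();
    return map { $_->address } grep { $_->type eq 'A' } $pkt->answer;
}

sub filter_relay {
    my ($hostip, $hostname, $helo) = @_;

    # 1. Direct check on the connecting IP (what the post's filter already did).
    if (ip_blocked($hostip)) {
        return ('REJECT', "Relay $hostip is in a blocked netblock");
    }

    # 2. Check the A record(s) of the relay's parent domain. MIMEDefang passes
    #    "[1.2.3.4]" as $hostname when the client has no reverse DNS; there is
    #    no domain to check in that case.
    if ($hostname !~ /^\[/) {
        my $dom = parent_domain($hostname);
        if (defined $dom) {
            for my $addr (resolve_a($dom)) {
                if (ip_blocked($addr)) {
                    return ('REJECT', "Relay domain $dom resolves to blocked address $addr");
                }
            }
        }
    }
    return ('CONTINUE', 'ok');
}
```

Two caveats a practitioner would weigh before deploying this. First, the lookup runs once per inbound connection, so the resolver timeouts are deliberately short; a slow DNS server otherwise delays every SMTP session. Second, `$hostname` in `filter_relay` comes from sendmail's reverse lookup of the connecting IP, not from the `Received:` line quoted in the post, which was written by the sender's own software; a domain that appears only in sender-supplied headers (`From:`, `Reply-To:`, `Errors-To:`) can only be examined later, in `filter_begin` or `filter`, once the headers have been parsed.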


