Spammers abusing U of MN OIT email servers

Some spammers have been abusing the University of Minnesota OIT email servers for months, with up to dozens of attempts per day. Abuse@ and postmaster@ were notified with overwhelming evidence months ago, but the spam continues to trickle through.

Some (but not all) attempts are being rejected because the SMTP from domain already has a Spamhaus DBL listing.

Of course, the U of MN OIT email servers in net block 134.84.196.192/27 also deliver a lot of legitimate messages, so it’s difficult to separate the wheat from the chaff simply by using traditional IP/SMTP DNSBLs.

Here are some recent example mail logs. In these cases, the spammer is being blocked with a hard 554 SMTP error code but they keep trying over and over. There are many more duplicate/similar lines.

May 19 X 554 5.7.1 <mta-p17.oit.umn.edu[134.84.196.217]>:X; from=<bounce-X@learnwhat.info>
May 15 X 554 5.7.1 <mta-p12.oit.umn.edu[134.84.196.212]>:X; from=<bounce-X@learnwhat.info>
Apr 17 X 554 5.7.1 <mta-p10.oit.umn.edu[134.84.196.210]>:X; from=<bounce-X@greenglasses.info>
Apr  9 X 554 5.7.1 <mta-p12.oit.umn.edu[134.84.196.212]>:X; from=<msaldivia@panbo.cl>
Mar 30 X 554 5.7.1 <mta-p14.oit.umn.edu[134.84.196.214]>:X; from=<unmorally@xadkq.com>
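
To show why the sender domain is a more useful key than the relay IP here, the following added example (not code from the original post) parses reject lines in the redacted format shown above and tallies them by SMTP from domain and by relay IP inside the net block. The function names and the dictionary layout are illustrative assumptions; the log lines are the ones quoted in the post.

```python
import ipaddress
import re
from collections import Counter

# Net block named in the post.
OIT_NET = ipaddress.ip_network("134.84.196.192/27")

# Log lines copied from the post (already redacted with "X" by its author).
SAMPLE_LOG = """\
May 19 X 554 5.7.1 <mta-p17.oit.umn.edu[134.84.196.217]>:X; from=<bounce-X@learnwhat.info>
May 15 X 554 5.7.1 <mta-p12.oit.umn.edu[134.84.196.212]>:X; from=<bounce-X@learnwhat.info>
Apr 17 X 554 5.7.1 <mta-p10.oit.umn.edu[134.84.196.210]>:X; from=<bounce-X@greenglasses.info>
Apr  9 X 554 5.7.1 <mta-p12.oit.umn.edu[134.84.196.212]>:X; from=<msaldivia@panbo.cl>
Mar 30 X 554 5.7.1 <mta-p14.oit.umn.edu[134.84.196.214]>:X; from=<unmorally@xadkq.com>
"""

# Captures relay host, relay IP and envelope sender from a 554 5.7.1 reject line.
LINE_RE = re.compile(
    r"\b554 5\.7\.1 <(?P<host>[^\[\]<>]+)\[(?P<ip>[0-9.]+)\]>"
    r".*?from=<(?P<sender>[^<>]*)>"
)

def parse_rejects(text):
    """Return one dict per reject line; unparseable lines are skipped."""
    rejects = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 554 5.7.1 reject in the expected format
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed client address
        sender = m["sender"]
        domain = sender.rpartition("@")[2].lower() if "@" in sender else ""
        rejects.append({"host": m["host"], "ip": ip, "domain": domain})
    return rejects

def summarize(rejects, net=OIT_NET):
    """Tally rejects from relays inside `net` by sender domain and relay IP."""
    in_net = [r for r in rejects if r["ip"] in net]
    return {
        "by_domain": Counter(r["domain"] for r in in_net),
        "by_relay": Counter(str(r["ip"]) for r in in_net),
        "outside_net": len(rejects) - len(in_net),
    }

if __name__ == "__main__":
    print(summarize(parse_rejects(SAMPLE_LOG)))
```

On the five quoted lines this yields four distinct sender domains spread across four relay IPs, all inside the /27, which is why a per-IP listing cannot isolate the abuse while a per-domain check can.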

3 Responses to Spammers abusing U of MN OIT email servers

  1. Welcome, Joshua. Good to have you here.

    Would be interesting to see samples of actual traffic. I couldn’t find anything myself in my usual sources.

    • Joshua Peabody

      Thank you.

      The reality is that the U of MN OIT email admins could easily block these spammers by requiring strong SMTP AUTH and also limiting the from addresses to their own controlled domains. I don’t see a good reason for University email servers to be a proxy/forward for a bunch of unrelated spammy domains.

      The evidence so far is very user- and domain-specific; likely the same abused email addresses are passed around by spammers. As I mentioned in the original post, the U of MN abuse handlers have been notified but apparently are not able to stem the tide yet. I am hopeful that this post will encourage them to take a closer look at their MTAs.

  2. Welcome to the newest blogger on the Mainsleaze Spam blog, “Joshua Peabody”!

    Spam sent through cracked accounts, compromised servers, and open relays at universities is a major problem these days. Some of that spam advertises legitimate companies, many of whom are either running their own affiliate programs or signing up for third-party affiliate programs. As B2B and other types of mainsleaze spam adapt to new conditions, the Mainsleaze blog will address the issues that these new methods cause for recipients who did not ask for and do not want the spam.
