Date: Fri, 06 Feb 1998 14:23:48 -0600
From: "Darrin R. Woods" <dwoods@netgazer.com>
To: David Babler <dbabler@Rigel.orionsys.com>
Cc: isp@FreeBSD.ORG
Subject: Re: spammer problem - help!
Message-ID: <3.0.32.19980206142216.00694dfc@netgazer.net>
[my problem deleted]

>Easiest block is on the domain 't-1net.com' - they are 100% spam and sell
>spam software and lists. The general place this check is made is in Claus
>Assmann's 'check_mail' rule. However, since they are widely known (and
>blocked - and their domain name is currently 'on hold' from the InterNIC),
>they simply hijack mail servers around the web - as they did here with the
>Stafford Texas UU.net account. Complain to abuse@UU.net (might work, but
>don't hold your breath). Blocking the envelope's claimed domain, not the
>relay's IP or resolved name, might work until they change it (since it is
>forged anyway). The claimed envelope address is what is sent to the
>check_mail rule. How are you using your 'spammer db'?

I have applied the spammer patches found at sendmail.org; they include
disallowing relaying and blocking of hosts. The spammers db file has the
following entry:

mail.t-1net.com 550 Access Denied

realizing that the "550..." is pretty much ignored and not really sent. I
build the db file with the following command:

makemap hash /etc/spammers.db < /etc/spammers

but they still seem to be getting through.

Alex Nash suggested using ipfw, and I already use the equivalent on my
router, a Cisco, by adding an "access-list" command for the various IP
addresses that I'm tired of receiving email from. My access-list statement
is only set "eq smtp", which seems to work well.

But I don't understand (1) why mail.t-1net.com is still getting my server
to take its mail and (2) why/how t-1net is forging the email to come from
my mailer-daemon to my users. They are not using me as a relay, as that
part of sendmail's patch seems to be working just fine.

>If you've applied the normal anti-relaying rules they can only send to
>*your* domain (and that's confirmed by my tests - see
>http://maps.vix.com/ar-test.html for a quick check on relay hijacking
>vulnerability) so they're just spamming you, so at least they aren't
>spamming the whole planet *through* you. If you've picked up the specific
>IP blocking rules (highly recommended), then you could also just block the
>specific dialup, though unless it's dedicated I'd expect to see a
>different IP each time.

I have considered setting up Paul's "black hole" sendmail stuff, but just
haven't taken the time. :-(

Any other suggestions/comments are welcome.

Thanks,

Darrin R. Woods
dwoods@netgazer.com
Director Operations Emeritus
Netgazer Solutions, Inc.
"UNiX IS user friendly. It's just particular about who its friends are"
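As an added example (not code from this thread, from sendmail, or from the check_mail rules it mentions), the Python below models the two lookups the reply distinguishes: check_mail only ever sees the claimed envelope sender, while a relay-side check sees the connecting host, so a map entry for mail.t-1net.com cannot fire on a forged MAILER-DAEMON envelope delivered through a hijacked relay. It assumes a parent-domain walk for the map lookup, and the spammers file, relay hostname and 192.0.2.x addresses are constructed placeholders.

```python
# Added example, not from the thread: a small model of a sendmail-style access
# map consulted by check_mail (claimed envelope sender) versus a relay-side
# check (connecting host). The parent-domain walk in lookup() is an assumption.

SPAMMERS_SRC = """\
# constructed copy of the /etc/spammers source file from the thread
mail.t-1net.com 550 Access Denied
"""

def load_map(text):
    """Parse makemap-style input: key, whitespace, value; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value
    return table

def lookup(table, name):
    """Try the name, then each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def check_mail(table, envelope_from):
    """Verdict from the claimed MAIL FROM domain only (sender-controlled)."""
    return lookup(table, envelope_from.rpartition("@")[2])

def check_relay(table, client_host, client_ip):
    """Verdict from the connecting relay's name or IP (not forgeable)."""
    return lookup(table, client_host) or table.get(client_ip)

def decide(table, envelope_from, client_host, client_ip):
    """Return (check_mail verdict, relay verdict); None means accepted."""
    return (check_mail(table, envelope_from),
            check_relay(table, client_host, client_ip))

# Constructed sessions: FORGED mirrors the thread (envelope forged as the
# victim's own mailer-daemon, delivered by a hijacked third-party relay).
FORGED = ("MAILER-DAEMON@netgazer.com", "relay.hijacked.example", "192.0.2.10")
DIRECT = ("offers@mail.t-1net.com", "mail.t-1net.com", "192.0.2.20")
if __name__ == "__main__":
    table = load_map(SPAMMERS_SRC)
    print("forged via relay:", decide(table, *FORGED))     # (None, None)
    table["192.0.2.10"] = "550 Access Denied"  # block the relay's IP instead
    print("after IP entry:", decide(table, *FORGED))       # (None, '550 Access Denied')
```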