From: "Darrin R. Woods"
To: David Babler
Cc: isp@FreeBSD.ORG
Date: Fri, 06 Feb 1998 14:23:48 -0600
Subject: Re: spammer problem - help!
Message-Id: <3.0.32.19980206142216.00694dfc@netgazer.net>

[my problem deleted]

> Easiest block is on the domain 't-1net.com' - they are 100% spam and sell
> spam software and lists. The general place this check is made is in Claus
> Assmann's 'check_mail' rule. However, since they are widely known (and
> blocked - and their domain name is currently 'on hold' from the InterNIC),
> they simply hijack mail servers around the web - as they did here with the
> Stafford Texas UU.net account. Complain to abuse@UU.net (might work, but
> don't hold your breath). Blocking the envelope's claimed domain, not the
> relay's IP or resolved name, might work until they change it (since it is
> forged anyway). The claimed envelope address is what is sent to the
> check_mail rule. How are you using your 'spammer db'?

I have applied the spammer patches found at sendmail.org; they include disallowing relaying and blocking of hosts.

The spammers db file has the following entry:

    mail.t-1net.com 550 Access Denied

realizing that the "550..." is pretty much ignored and not really sent. I build the db file with the following command:

    makemap hash /etc/spammers.db < /etc/spammers

but they still seem to be getting through.

Alex Nash suggested using ipfw, and I already use the equivalent on my router, a Cisco, by adding an "access-list" command for the various IP addresses that I'm tired of receiving email from. My access-list statement is only set "eq smtp", which seems to work well.

But I don't understand (1) why mail.t-1net.com is still getting my server to take its mail and (2) why/how t-1net is forging the email to come from my mailer-daemon to my users. They are not using me as a relay, as that part of sendmail's patch seems to be working just fine.

> If you've applied the normal anti-relaying rules they can only send to
> *your* domain (and that's confirmed by my tests - see
> http://maps.vix.com/ar-test.html for a quick check on relay hijacking
> vulnerability) so they're just spamming you, so at least they aren't
> spamming the whole planet *through* you. If you've picked up the specific
> IP blocking rules (highly recommended), then you could also just block the
> specific dialup, though unless it's dedicated I'd expect to see a
> different IP each time.

I have considered setting up Paul's "black hole" sendmail stuff, but just haven't taken the time. :-(

Any other suggestions/comments are welcome.

Thanks,

Darrin R. Woods
dwoods@netgazer.com
Director Operations Emeritus
Netgazer Solutions, Inc.
"UNiX IS user friendly. It's just particular about who its friends are"
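As an added illustration of the lookup question raised in this message (example code, not from the thread or from sendmail): a simplified model of matching the envelope sender against an access-style map, assuming the lookup tries the full address, then the sender's domain, then each parent domain. It shows why an entry keyed on the host mail.t-1net.com matches nothing claiming the bare domain, and why a sender forged as the site's own mailer-daemon never hits the map at all.

```python
# Added example, not code from the thread or from sendmail: a simplified
# model of matching an envelope sender against an access-style map.
# Assumed lookup order: full address, then the sender's domain, then each
# parent domain (so "mail.t-1net.com" also covers hosts beneath it, but
# not the bare "t-1net.com").

# Constructed sample in the shape of the /etc/spammers file from the post.
SPAMMERS_TEXT = """
# key              action
mail.t-1net.com    550 Access Denied
"""


def load_spammers(text):
    """Parse the whitespace-separated key/value lines that makemap reads."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def candidate_keys(sender):
    """Keys tried, in order, for an envelope sender such as user@host.example."""
    sender = sender.strip("<>").lower()
    keys = [sender]
    if "@" in sender:
        domain = sender.rsplit("@", 1)[1]
        labels = domain.split(".")
        # host.sub.example, sub.example, example (the TLD alone is not tried)
        for i in range(len(labels) - 1):
            keys.append(".".join(labels[i:]))
    return keys


def check_mail(sender, spammers):
    """Return (matched_key, action) for a blocked sender, or None if allowed."""
    for key in candidate_keys(sender):
        if key in spammers:
            return key, spammers[key]
    return None
```

Running check_mail over "spam@mail.t-1net.com", "spam@t-1net.com" and "MAILER-DAEMON@netgazer.com" with the sample table blocks only the first; an entry keyed on "t-1net.com" would catch the second as well.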