Date: Tue, 2 Jun 1998 11:28:57 +0200 (CEST)
From: chrw <shredder@hack.babel.dk>
To: freebsd-isp@FreeBSD.ORG
Subject: spammer utilizing fake msgID bypassing my filter
Message-ID: <Pine.BSF.3.95.980602110716.20579A-100000@hack.babel.dk>
I'm under spam attack, and implemented the "Refuse Mail From Selected
Relays" from sendmail.org. It doesn't block relaying at all, but blocks
access from sites stored in /etc/mail/DeniedNames.
Refuse Mail From Selected Relays
Problem: Spam -- persistent, offensive mail from various sites.
Solution: Refuse connections from the spamming sites. This involves
keeping a database of those sites; the key will be the host name
of the site and the value will be what you want to say to them.
Code:
Kspammers hash /etc/spammers
Scheck_relay
R$+ $| $+		$: $(spammers $1 $: OK $)
ROK			$@ OK
R$+			$#error $: 521 $1
It works fine, and filters most of the spammers. However, one spammer
continues to spam via my server, bypassing the filter.
Jun 1 23:32:04 6C:dns sendmail[18136]: XAA18136:
from=<sirei9@earthlink.net>, size=634, class=0, pri=450634, nrcpts=15,
msgid=<199806011887KAA40415@uunet.com.MY.DOMAINNAMEB>, proto=SMTP,
relay=1Cust160.tnt19.atl2.da.uu.net [153.36.120.160]
Look at the msgid: can this be why he successfully bypasses the filter???
Both uunet.com and earthlink.net have been included in the DeniedNames
filter, and the message should therefore be rejected, but it isn't! It
works well with a lot of other spammers; I can see in the log that the
filter traps the mail and throws it away, but not with the spammer
earthlink.net using this false msgID, which carries my domain name
appended at the end of the msgID. I have inserted MY.DOMAINNAME instead
of my real domain.
Do any anti-spam or sendmail experts have a comment or some advice?
I'd rather NOT implement the other anti-spam scheme where relaying is
disabled for everyone except hosts listed in some access file. I have a lot
of customers relaying and would rather avoid maintaining a list of
authorized relayers. I'd rather maintain a blacklist of offending
spammers, but I haven't found any implementation of this approach anywhere.
I run sendmail-8.8.7.
Can someone help? This is obviously (as I see it) someone faking msgIDs so
they look like they originate from my own domain, and it is therefore
not captured by the filter.
Regards,
Christoffer Walther
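Added example (not part of the post, and not sendmail's own code): a small Python model of what the quoted check_relay ruleset actually sees. check_relay is invoked with "relayhost $| relayip", and the lookup "$(spammers $1 $: OK $)" uses the connecting relay's host name as an exact map key. The Message-ID and the envelope sender are never inputs to that rule, so a forged msgid cannot bypass it, but a relay whose name is not an exact key in the map (here a dial-up host under uu.net) is also never matched. The map contents and the second log line below are constructed for illustration; the first log line mirrors the one quoted above with the same placeholder domain.

```python
import re

# Constructed deny map, keyed the way the ruleset's lookup keys it:
# on the relay host name as handed to check_relay. The value is the
# text placed after "521" by "R$+ $#error $: 521 $1".
# Illustrative contents, not the poster's real /etc/spammers file.
SPAMMERS_MAP = {
    "uunet.com": "We do not accept mail from uunet.com",
    "earthlink.net": "We do not accept mail from earthlink.net",
}

# Constructed log lines. The first is modelled on the one in the post
# (msgid domain is a placeholder, as in the post); the second is a
# made-up relay that sits directly under a denied domain.
LOG_FROM_POST = (
    "Jun  1 23:32:04 dns sendmail[18136]: XAA18136: "
    "from=<sirei9@earthlink.net>, size=634, class=0, pri=450634, nrcpts=15, "
    "msgid=<199806011887KAA40415@uunet.com.MY.DOMAINNAME>, proto=SMTP, "
    "relay=1Cust160.tnt19.atl2.da.uu.net [153.36.120.160]"
)
LOG_SUBDOMAIN = (
    "Jun  1 23:40:10 dns sendmail[18200]: XAA18200: "
    "from=<someone@example.org>, size=512, class=0, pri=30512, nrcpts=1, "
    "msgid=<constructed-id@example.org>, proto=SMTP, "
    "relay=smtp.uunet.com [192.0.2.10]"
)

LOG_RE = re.compile(
    r"from=<(?P<sender>[^>]*)>.*?msgid=<(?P<msgid>[^>]*)>.*?"
    r"relay=(?P<relay>\S+) \[(?P<ip>[0-9.]+)\]"
)


def parse_from_line(line):
    """Extract envelope sender, Message-ID, relay host and relay IP from a
    sendmail 'from=' log line. Returns None for any other line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def check_relay_exact(relay_host, spammers):
    """Mirror the quoted ruleset: the relay host name is looked up as an
    exact map key (sendmail folds keys to lower case by default).
    Returns 'OK' or the 521 error text. Nothing else about the message
    is available at this point of the SMTP dialogue."""
    hit = spammers.get(relay_host.lower())
    return "OK" if hit is None else "521 " + hit


def check_relay_suffix(relay_host, spammers):
    """Assumed variant (not in the post): also match parent domains by
    stripping leading labels, which is what a domain-wide deny intends."""
    labels = relay_host.lower().split(".")
    for i in range(len(labels)):
        hit = spammers.get(".".join(labels[i:]))
        if hit is not None:
            return "521 " + hit
    return "OK"


def explain(line, spammers):
    """Report what the filter consults for a log line, next to the fields
    people tend to assume it consults (sender and msgid domains)."""
    f = parse_from_line(line)
    if f is None:
        return None
    return {
        "relay": f["relay"],
        "exact": check_relay_exact(f["relay"], spammers),
        "suffix": check_relay_suffix(f["relay"], spammers),
        # The next two are never an input to check_relay.
        "sender_domain": f["sender"].rsplit("@", 1)[-1],
        "msgid_domain": f["msgid"].rsplit("@", 1)[-1],
    }


if __name__ == "__main__":
    for line in (LOG_FROM_POST, LOG_SUBDOMAIN):
        for key, value in explain(line, SPAMMERS_MAP).items():
            print(f"{key:14} {value}")
        print()
```

Running it shows that the relay from the post's log line (1Cust160.tnt19.atl2.da.uu.net) is neither uunet.com nor earthlink.net and passes both the exact and the suffix lookup, while the constructed smtp.uunet.com relay passes the exact lookup but is refused by the suffix variant. When a blacklist is meant to cover a whole domain, the check has to be written to match parent domains of the relay name; the msgid is the wrong place to look.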