Date: Tue, 2 Jun 1998 03:04:30 -0700 (PDT)
From: "Jonathan M. Bresler" <jmb>
To: shredder@hack.babel.dk (chrw)
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: spammer utilizing fake msgID bypassing my filter
Message-ID: <199806021004.DAA23294@hub.freebsd.org>
In-Reply-To: <Pine.BSF.3.95.980602110716.20579A-100000@hack.babel.dk> from chrw at "Jun 2, 98 11:28:57 am"
chrw wrote:
>
> I'm under spam attack, and implemented the "Refuse Mail From Selected
> Relays" from sendmail.org. It doesn't block relaying at all, but blocks
> access from sites stored in /etc/mail/DeniedNames
>
> Refuse Mail From Selected Relays
>
> Problem: Spam -- persistent, offensive mail from various sites.
>
> Solution: Refuse connections from the spamming sites. This involves
> keeping a database of those sites; the key will be the host name
> of the site and the value will be what you want to say to them.
>
> Code: (Downloadable version)
>
> Kspammers hash /etc/spammers
>
> Scheck_relay
> R$+ $| $+	$: $(spammers $1 $: OK $)
> ROK		$@ OK
> R$+		$#error $: 521 $1

check_relay works on the "hostname.domainname $| ip address" of the host
that connects to your smtp port, in your case

	1Cust160.tnt19.atl2.da.uu.net $| 153.36.120.160

so, unless you have 1Cust160.tnt19.atl2.da.uu.net, not just uu.net, listed
in your spammers database, this will not block the mail. (you have to match
exactly, because you don't try to find the last two components of the
domainname; you might want to try the rule as listed in
/etc/mail/sendmail.cf.additions.)

> It works fine, and filters most of the spammers. However one spammer
> continues to spam via my server, bypassing the filter.
>
> Jun 1 23:32:04 6C:dns sendmail[18136]: XAA18136:
> from=<sirei9@earthlink.net>, size=634, class=0, pri=450634, nrcpts=15,
> msgid=<199806011887KAA40415@uunet.com.MY.DOMAINNAMEB>, proto=SMTP,
> relay=1Cust160.tnt19.atl2.da.uu.net [153.36.120.160]

since this mail is coming from earthlink.net, you can add a new ruleset:
check_mail. check_mail works on the "user@hostname.domainname" provided
with the "mail from: " part of the smtp conversation. so add the
check_mail ruleset from /etc/mail/sendmail.cf.additions. (here is an
excerpt, but read the whole ruleset, don't cut'n'paste, tabs may be
converted to spaces.)

R$+ @$+		$: <$1@$2> $2
R<$*> $+.$+.$+	<$1> $3.$4
R<$*> $*	$: $(spamsites $2 $: OK $)
R$+.REJECT	$#error $: 521 $1
R<$*> $*	$: $1

> look at the msgid: can this be why he successfully bypasses the filter???
> Both uunet.com and earthlink.net have been included in the DeniedNames
> filter, and the message should therefore be rejected, but it doesn't! It
> works well with a lot of other spammers, I can see in the log that the
> filter traps the mail and throws it away, but not with the spammer
> earthlink.net using this false msgID, which carries my domain name
> appended in the end of the msgID. I have inserted MY.DOMAINNAME instead
> of my real domain.

the message-id has nothing to do with it, rather they are being nasty and
trying to sow FUD.

jmb

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
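The two rulesets discussed in this reply, modelled in Python as an added example (it is not code from the thread, from sendmail, or from /etc/mail/sendmail.cf.additions); the map contents, the function names and the ".REJECT" suffix handling are assumptions made for the illustration:

```python
# Added example (not from the thread or sendmail): a Python model of the two
# rulesets jmb describes. check_relay keys on the exact connecting hostname,
# so an entry for uunet.com misses 1Cust160.tnt19.atl2.da.uu.net; check_mail
# reduces the MAIL FROM domain to its last two labels, so earthlink.net hits.
# Assumed: map values are the reject text; a check_mail hit is marked by a
# ".REJECT" suffix (the page's 'R$+.REJECT' rule), a miss returns OK.
# Constructed sample maps (a real sendmail hash map is built with makemap).
SPAMMERS = {"uunet.com": "mail from uunet.com refused",
            "earthlink.net": "mail from earthlink.net refused"}
SPAMSITES = {"earthlink.net": "spam from earthlink.net refused",
             "uunet.com": "spam from uunet.com refused"}


def check_relay(hostname, ip, spammers=SPAMMERS):
    """R$+ $| $+  $: $(spammers $1 $: OK $)  /  ROK $@ OK  /  R$+ $#error $: 521 $1"""
    # Exact lookup on $1; $2 (the IP) is not consulted by this ruleset.
    verdict = spammers.get(hostname.lower(), "OK")
    return "OK" if verdict == "OK" else f"521 {verdict}"


def last_two_labels(domain):
    """R<$*> $+.$+.$+  <$1> $3.$4 loops, dropping the leftmost label until two remain."""
    labels = domain.lower().rstrip(".").split(".")
    while len(labels) > 2:
        labels = labels[1:]
    return ".".join(labels)


def check_mail(sender, spamsites=SPAMSITES):
    """check_mail on the envelope sender: user@host -> last two labels -> lookup."""
    if "@" not in sender:                      # R$+ @$+ needs a domain part
        return "OK"
    _user, domain = sender.strip("<>").rsplit("@", 1)
    key = last_two_labels(domain)
    result = f"{spamsites[key]}.REJECT" if key in spamsites else "OK"
    if result.endswith(".REJECT"):             # R$+.REJECT  $#error $: 521 $1
        return f"521 {result[:-len('.REJECT')]}"
    return "OK"


def smtp_verdict(relay_host, relay_ip, mail_from):
    """Both checks for one connection. The Message-ID lives in the DATA
    headers and is read by neither ruleset, which is jmb's point."""
    verdict = check_relay(relay_host, relay_ip)
    return verdict if verdict != "OK" else check_mail(mail_from)


if __name__ == "__main__":
    print(smtp_verdict("1Cust160.tnt19.atl2.da.uu.net", "153.36.120.160", "sirei9@earthlink.net"))
```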