Date:      Mon, 20 Oct 2008 11:16:31 -0500
From:      Paul Schmehl <pauls@utdallas.edu>
To:        "Michael K. Smith - Adhost" <mksmith@adhost.com>, Jeremy Chadwick <koitsu@FreeBSD.org>, eculp@casasponti.net
Cc:        freebsd-questions@freebsd.org
Subject:   RE: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID:  <72F12B8A0320E2A18685A679@utd65257.utdallas.edu>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604D8C7BA@ad-exh01.adhost.lan>
References:  <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <20081016145255.GA12638@icarus.home.lan> <17838240D9A5544AAA5FF95F8D52031604D8C7BA@ad-exh01.adhost.lan>


--On Monday, October 20, 2008 10:24:28 -0500 "Michael K. Smith - Adhost"
<mksmith@adhost.com> wrote:

>>
>> Let me know if you do find a reliable, decent solution that does not
>> involve SPF or postfix header_checks or body_checks.
>>
>
> The following doesn't fix the problem but it does help mitigate the deluge.
> We use a PERL script to tail our maillogs looking for any source IP that
> tries to send mail to more than 4 invalid addresses.  When flagged, that IP
> is then added to a PF table that blocks the address and issues RST's for 12
> hours.  Of course, we also have a whitelist for "valid" SMTP servers.  Like I
> said, it doesn't catch it all, but it catches *a lot* and generates almost no
> complaints.  This does help obfuscate the valid/invalid addresses because all
> mail is accepted as far as the sender is concerned until the IP is blocked at
> the network layer.
>
> The usual complaint is from a remote office that has 12 real estate agents
> behind a single IP, all with Outlook set to check mail "sooner than now."  :-)
>

The best solution *by far* that I have found for spam (using Postfix) is
mail/postfix-policyd-weight.  It routinely rejects 50 to 70% of incoming mail
with no false positives.  It took *very* little tweaking to get it to this
point, and it rejects the mail before postfix even deals with it.  I use
spamassassin as well, but policyd-weight does the heavy lifting.

Here's one example of a rejected email:

Oct 20 11:11:16 mail postfix/policyd-weight[77973]: weighted check: IN_DYN_PBL_SPAMHAUS=3.25 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=4.75 REV_IP_EQ_HELO=-1.25 NOK_HELO_SEEMS_DIALUP=5 (check from: .hinet. - helo: .dsl.dynamic8121373125.ttnet. - helo-domain: .ttnet.) FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=4.85 CLIENT_NOT_MX/A_FROM_DOMAIN=4.75 CLIENT/24_NOT_MX/A_FROM_DOMAIN=4.75; <client=81.213.73.125> <helo=dsl.dynamic8121373125.ttnet.net.tr> <from=alan0730@ms35.hinet.net> <to=abeinlets@stovebolt.com>; rate: 21.6
Oct 20 11:11:16 mail postfix/policyd-weight[77973]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (ms35.hinet.net); Please use DynDNS; <client=81.213.73.125> <helo=dsl.dynamic8121373125.ttnet.net.tr> <from=alan0730@ms35.hinet.net> <to=abeinlets@stovebolt.com>; delay: 8s

Anything above 1 is rejected.  This email scored 21.6, which is off the charts.

It even does greylisting.

Oct 20 10:45:47 mail postfix/policyd-weight[28339]: decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; <client=189.141.58.189> <helo=dsl-189-141-58-189.prod-infinitum.com.mx> <from=ii7jam@hotmail.com> <to=milliman@stovebolt.com>; delay: 0s
Oct 20 10:46:51 mail postfix/policyd-weight[28339]: decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; <client=65.110.50.188> <helo=boomfm.dnsalias.com> <from=aw-confirm@ebay.com> <to=tsp@stovebolt.com>; delay: 0s

It does let some spam through, which spamassassin catches, but it rejects all
the bogus stuff (fake hostnames, bogus MTAs, forged from addresses, etc., etc.)

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
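Reading the "weighted check" record above mechanically, as an added example (my code, not policyd-weight's own and not from the message): it splits the line into per-test weights and envelope fields, confirms that the logged rate is the sum of the individual weights (3.25 - 1.5 - 1.5 - 1.5 + 4.75 - 1.25 + 5 + 4.85 + 4.75 + 4.75 = 21.6), and applies the "anything above 1 is rejected" rule from the post. The sample line is a constructed copy of the record quoted above.

```python
import re
from dataclasses import dataclass

# Constructed copy of the "weighted check" record quoted in the message above.
SAMPLE = (
    "Oct 20 11:11:16 mail postfix/policyd-weight[77973]: weighted check: "
    "IN_DYN_PBL_SPAMHAUS=3.25 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 "
    "NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=4.75 REV_IP_EQ_HELO=-1.25 "
    "NOK_HELO_SEEMS_DIALUP=5 (check from: .hinet. - helo: "
    ".dsl.dynamic8121373125.ttnet. - helo-domain: .ttnet.) "
    "FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=4.85 CLIENT_NOT_MX/A_FROM_DOMAIN=4.75 "
    "CLIENT/24_NOT_MX/A_FROM_DOMAIN=4.75; <client=81.213.73.125> "
    "<helo=dsl.dynamic8121373125.ttnet.net.tr> <from=alan0730@ms35.hinet.net> "
    "<to=abeinlets@stovebolt.com>; rate: 21.6"
)

REJECT_THRESHOLD = 1.0  # the post's local rule: anything above 1 is rejected

CHECK_RE = re.compile(r"([A-Z0-9_/()]+)=(-?\d+(?:\.\d+)?)")  # TEST_NAME=weight
FIELD_RE = re.compile(r"<(client|helo|from|to)=([^>]*)>")      # envelope fields
RATE_RE = re.compile(r"rate:\s*(-?\d+(?:\.\d+)?)")             # logged total


@dataclass
class WeightedCheck:
    checks: dict   # per-test weight, e.g. {"IN_DYN_PBL_SPAMHAUS": 3.25, ...}
    fields: dict   # client / helo / from / to as logged
    rate: float    # total reported by policyd-weight

    def computed_rate(self) -> float:
        return round(sum(self.checks.values()), 3)

    def consistent(self) -> bool:
        # the logged rate should equal the sum of the individual weights
        return abs(self.computed_rate() - self.rate) < 0.005

    def rejected(self) -> bool:
        return self.rate > REJECT_THRESHOLD


def parse_weighted_check(line: str):
    """Parse one 'weighted check:' syslog line; None for any other record."""
    _, marker, rest = line.partition("weighted check: ")
    if not marker:
        return None
    # weights come first, then '; <client=...> ... ; rate: N'
    head, _, tail = rest.partition("; <")
    checks = {name: float(w) for name, w in CHECK_RE.findall(head)}
    fields = dict(FIELD_RE.findall("<" + tail))
    m = RATE_RE.search(tail)
    if not checks or m is None:
        return None
    return WeightedCheck(checks, fields, float(m.group(1)))
```

A record whose weights do not sum to the logged rate, or a "weighted check" line with no rate, is worth flagging when you feed these logs into a SIEM, since it usually means a wrapped or truncated syslog line rather than a scoring change.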
