Date: Mon, 20 Oct 2008 11:16:31 -0500 From: Paul Schmehl <pauls@utdallas.edu> To: "Michael K. Smith - Adhost" <mksmith@adhost.com>, Jeremy Chadwick <koitsu@FreeBSD.org>, eculp@casasponti.net Cc: freebsd-questions@freebsd.org Subject: RE: I've just found a new and interesting spam source - legitimatebounce messages Message-ID: <72F12B8A0320E2A18685A679@utd65257.utdallas.edu> In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604D8C7BA@ad-exh01.adhost.lan> References: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <20081016145255.GA12638@icarus.home.lan> <17838240D9A5544AAA5FF95F8D52031604D8C7BA@ad-exh01.adhost.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
--On Monday, October 20, 2008 10:24:28 -0500 "Michael K. Smith - Adhost" <mksmith@adhost.com> wrote: >> >> Let me know if you do find a reliable, decent solution that does not >> involve SPF or postfix header_checks or body_checks. >> > > The following doesn't fix the problem but it does help mitigate the deluge. > We use a PERL script to tail our maillogs looking for any source IP that > tries to send mail to more than 4 invalid addresses. When flagged, that IP > is then added to a PF table that blocks the address and issues RST's for 12 > hours. Of course, we also have a whitelist for "valid" SMTP servers. Like I > said, it doesn't catch it all, but it catches *a lot* and generates almost no > complaints. This does help obfuscate the valid/invalid addresses because all > mail is accepted as far as the sender is concerned until the IP is blocked at > the network layer. > > The usual complaint is from an remote office that has 12 real estate agents > behind a single IP, all with Outlook set to check mail "sooner than now." :-) > The best solution *by far* that I have found for spam (using Postfix) is mail/postfix-policyd-weight. It routinely rejects 50 to 70% of incoming mail with no false positives. It took *very* little tweaking to get it to this point, and it rejects the mail before postfix even deals with it. I use spamassassin as well, but policyd-weight does the heavy lifting. Here's one example of a rejected email: Oct 20 11:11:16 mail postfix/policyd-weight[77973]: weighted check: IN_DYN_PBL_SPAMHAUS=3.25 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=4.75 REV_IP_EQ_HELO=-1.25 NOK_HELO_SEEMS_DIALUP=5 (check from: .hinet. - helo: .dsl.dynamic8121373125.ttnet. - helo-domain: .ttnet.) FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=4.85 CLIENT_NOT_MX/A_FROM_DOMAIN=4.75 CLIENT/24_NOT_MX/A_FROM_DOMAIN=4.75; <client=81.213.73.125> <helo=dsl.dynamic8121373125.ttnet.net.tr> <from=alan0730@ms35.hinet.net> <to=abeinlets@stovebolt.com>; rate: 21.6 Oct 20 11:11:16 mail postfix/policyd-weight[77973]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (ms35.hinet.net); Please use DynDNS; <client=81.213.73.125> <helo=dsl.dynamic8121373125.ttnet.net.tr> <from=alan0730@ms35.hinet.net> <to=abeinlets@stovebolt.com>; delay: 8s Anything above 1 is rejected. This email scored 21.6, which is off the charts. It even does greylisting. Oct 20 10:45:47 mail postfix/policyd-weight[28339]: decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; <client=189.141.58.189> <helo=dsl-189-141-58-189.prod-infinitum.com.mx> <from=ii7jam@hotmail.com> <to=milliman@stovebolt.com>; delay: 0s Oct 20 10:46:51 mail postfix/policyd-weight[28339]: decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; <client=65.110.50.188> <helo=boomfm.dnsalias.com> <from=aw-confirm@ebay.com> <to=tsp@stovebolt.com>; delay: 0s It does let some spam through, which spamassassin catches, but it rejects all the bogus stuff (fake hostnames, bogus MTAs, forged from addresses, etc., etc.) -- Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?72F12B8A0320E2A18685A679>