From: Paul Schmehl <pauls@utdallas.edu>
To: "Michael K. Smith - Adhost", Jeremy Chadwick, eculp@casasponti.net
Cc: freebsd-questions@freebsd.org
Date: Mon, 20 Oct 2008 11:16:31 -0500
Subject: RE: I've just found a new and interesting spam source - legitimate bounce messages

--On Monday, October 20, 2008 10:24:28 -0500 "Michael K. Smith - Adhost" wrote:

>> Let me know if you do find a reliable, decent solution that does not
>> involve SPF or postfix header_checks or body_checks.
>>
>
> The following doesn't fix the problem but it does help mitigate the deluge.
> We use a PERL script to tail our maillogs looking for any source IP that
> tries to send mail to more than 4 invalid addresses. When flagged, that IP
> is then added to a PF table that blocks the address and issues RST's for 12
> hours. Of course, we also have a whitelist for "valid" SMTP servers. Like I
> said, it doesn't catch it all, but it catches *a lot* and generates almost no
> complaints. This does help obfuscate the valid/invalid addresses because all
> mail is accepted as far as the sender is concerned until the IP is blocked at
> the network layer.
>
> The usual complaint is from a remote office that has 12 real estate agents
> behind a single IP, all with Outlook set to check mail "sooner than now." :-)

The best solution *by far* that I have found for spam (using Postfix) is
mail/postfix-policyd-weight. It routinely rejects 50 to 70% of incoming mail
with no false positives. It took *very* little tweaking to get it to this
point, and it rejects the mail before postfix even deals with it. I use
spamassassin as well, but policyd-weight does the heavy lifting.

Here's one example of a rejected email:

Oct 20 11:11:16 mail postfix/policyd-weight[77973]: weighted check:
IN_DYN_PBL_SPAMHAUS=3.25 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=4.75 REV_IP_EQ_HELO=-1.25
NOK_HELO_SEEMS_DIALUP=5 (check from: .hinet. - helo:
.dsl.dynamic8121373125.ttnet. - helo-domain: .ttnet.)
FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=4.85 CLIENT_NOT_MX/A_FROM_DOMAIN=4.75
CLIENT/24_NOT_MX/A_FROM_DOMAIN=4.75;   ; rate: 21.6
Oct 20 11:11:16 mail postfix/policyd-weight[77973]: decided action=550 Mail
appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO
and DNS MX settings or to get removed from DNSBLs; please relay via your ISP
(ms35.hinet.net); Please use DynDNS;   ; delay: 8s

Anything above 1 is rejected. This email scored 21.6, which is off the charts.

It even does greylisting.

Oct 20 10:45:47 mail postfix/policyd-weight[28339]: decided action=550
temporarily blocked because of previous errors - retrying too fast. penalty: 30
seconds x 0 retries.;   ; delay: 0s
Oct 20 10:46:51 mail postfix/policyd-weight[28339]: decided action=550
temporarily blocked because of previous errors - retrying too fast. penalty: 30
seconds x 0 retries.;   ; delay: 0s

It does let some spam through, which spamassassin catches, but it rejects all
the bogus stuff (fake hostnames, bogus MTAs, forged from addresses, etc., etc.)

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
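An added illustration of the log-tailing approach Michael describes above (example code written for this thread, in Python rather than his Perl script, and not taken from any poster): it scans Postfix smtpd "User unknown" rejections, flags clients that hit more than four distinct invalid recipients, skips a whitelist of known-good relays, and emits the pfctl commands that would add them to a PF table. The log lines are constructed samples; the table name `spammers`, the `block return` rule and the cron-driven expiry are assumptions.

```python
import re
from collections import defaultdict

# A Postfix smtpd rejection for a nonexistent local recipient; captures the
# connecting client IP and the recipient address that was refused.
USER_UNKNOWN_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: "
    r"550 \S+ <([^>]+)>: Recipient address rejected: User unknown"
)

def _reject_line(ts, ip, rcpt):
    """Constructed sample in the real smtpd log format (not captured traffic)."""
    return (f"Oct 20 {ts} mail postfix/smtpd[4101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: User "
            f"unknown in local recipient table; from=<x@example.net> to=<{rcpt}> "
            f"proto=ESMTP helo=<dsl.example>")

# Constructed log excerpt: one client probing 5 distinct bad addresses (plus one
# retry), one with only 2, one whitelisted relay, and an unrelated connect line.
SAMPLE_LOG = (
    [_reject_line(f"11:10:{i:02d}", "192.0.2.5", f"user{i}@example.org") for i in range(5)]
    + [_reject_line("11:10:09", "192.0.2.5", "USER0@example.org")]   # retry, same address
    + [_reject_line(f"11:11:{i:02d}", "198.51.100.7", f"old{i}@example.org") for i in range(2)]
    + [_reject_line(f"11:12:{i:02d}", "203.0.113.9", f"gone{i}@example.org") for i in range(5)]
    + ["Oct 20 11:13:00 mail postfix/smtpd[4102]: connect from mx.example.net[198.51.100.2]"]
)

def find_offenders(lines, threshold=4, whitelist=frozenset()):
    """Return {ip: n} for clients that targeted more than `threshold` distinct
    invalid recipients; whitelisted relays are never counted."""
    seen = defaultdict(set)
    for line in lines:
        m = USER_UNKNOWN_RE.search(line)
        if m and m.group(1) not in whitelist:
            seen[m.group(1)].add(m.group(2).lower())   # case-fold so retries don't double count
    return {ip: len(rcpts) for ip, rcpts in seen.items() if len(rcpts) > threshold}

def pf_block_commands(offenders, table="spammers"):
    """pfctl commands adding each offender to the PF table; an assumed pf.conf rule
    'block return in quick from <spammers> to any port smtp' turns that into RSTs.
    Running 'pfctl -t spammers -T expire 43200' from cron ages entries out after 12h."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]

if __name__ == "__main__":
    for cmd in pf_block_commands(find_offenders(SAMPLE_LOG, whitelist={"203.0.113.9"})):
        print(cmd)
```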