From: cpghost <cpghost@cordula.ws>
To: Jack Stone
Cc: freebsd-questions@freebsd.org
Date: Wed, 25 Oct 2006 10:31:23 -0600
Message-ID: <20061025163123.GA61917@epia2.farid-hajji.net>
Subject: Re: Shell question
List-Id: User questions <freebsd-questions@freebsd.org>

On Wed, Oct 25, 2006 at 09:53:47AM -0500, Jack Stone wrote:
> I have managed to piece together a shell script that is able to retrieve
> the domains from the spams of the day and summarize those in a special file
> that can then be added to the sendmail's rejects in the access.db. But,
> first I have to eyeball the list and remove any obvious good-guy domains.

The domains from the spams? That's almost always pretty useless:

1. The only reliable information is what's in the SMTP envelope. Headers
   like From: etc... are always spoofed and almost always pointing to
   either nonexistent or innocent victim domains (which then get flooded
   by bounces).

2. The IP addresses from the senders (from the SMTP envelope or at most
   the last Received: header, if you don't operate your own MTA), will
   almost always point to PTRs of some big broadband ISPs hosting some
   infected Windows spam drones. Blocking the *domain* name of the ISP
   (esp. the big ones) would be silly, because that would lock out a lot
   of legitimate users that send mails through their (ISPs') mailers.

The bottom line: you'll end up banning 99% of innocent domains, and still
get flooded with spams, since spammers can and do fake a HUGE amount of
domain names.

However, blocking IP addresses using RBLs like spamhaus.org, greylisting,
and, to a lesser extent, using SPF (once it gets more widely adopted) can
do wonders, if you operate your own MTA. E.g. the following Postfix
configuration in /usr/local/etc/postfix/main.cf is a bit tight, but very
effective in most setups:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
    #   check_sender_access hash:/usr/local/etc/postfix/sender_access,
    #   check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
    #   check_helo_access hash:/usr/local/etc/postfix/secondary_mx_access,
    #   reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client opm.blitzed.org,
    #   reject_rbl_client dnsbl.sorbs.net,
        check_policy_service unix:private/spfpolicy,
        check_policy_service inet:127.0.0.1:10023,
    # The following are a bit tight, but they won't do any harm
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unknown_hostname,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
    #   check_client_access hash:/usr/local/etc/postfix/client_access,
        reject_unknown_client

One can do even more, but that should be enough for now, considering the
current "state of the art" of the spam engines.

If you prefer sendmail, a sendmail guru will certainly help translating
most directives from this config... ;)

> Jack

Good luck,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
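The following is an added example, not part of the mail above or of Postfix: it shows in code the two points cpghost makes, that the From: domain tells you nothing about who delivered a message, and that the usable datum is the connecting client's IP from the topmost Received: header, which is then checked against a DNSBL by reversing its octets and appending the zone (the mechanism behind Postfix's reject_rbl_client). The sample message, the hostnames and the addresses (documentation range 192.0.2.0/24) are constructed; the zone name sbl-xbl.spamhaus.org is the one quoted in the mail; the function names are my own. No network lookup happens unless you call dnsbl_listed() yourself.

```python
"""Added example: extract the connecting client's IP from a message and build
the DNSBL query name for it. Sample data below is constructed."""
import ipaddress
import re
import socket
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample message: the From: header names an innocent domain, while
# the topmost Received: header (the only one written by *our* MTA) records an
# unrelated dial-up style client. Lower Received: lines come from the sender
# and are as forgeable as From:.
SAMPLE_MESSAGE = """\
Received: from dsl-pool-77.example.net (dsl-pool-77.example.net [192.0.2.77])
\tby mx.example.org (Postfix) with ESMTP id ABC123
\tfor <jack@example.org>; Wed, 25 Oct 2006 10:00:00 -0600
Received: from [10.0.0.5] (helo=mail.innocent-bank.example)
\tby dsl-pool-77.example.net with smtp; Wed, 25 Oct 2006 09:59:00 -0600
From: "Billing" <alerts@innocent-bank.example>
To: jack@example.org
Subject: Account notice

Please verify your account.
"""

# Matches the "[1.2.3.4]" literal an MTA writes after the client hostname.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def client_ip(raw_message: str) -> Optional[str]:
    """IPv4 address from the topmost Received: header, i.e. the hop our own
    MTA recorded; sender-supplied Received: headers below it are ignored."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _IP_RE.search(received[0])
    return m.group(1) if m else None


def header_sender_domain(raw_message: str) -> str:
    """Domain from the From: header, kept only to contrast with client_ip():
    it is whatever the sender chose to write."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dnsbl_query_name(ip: str, zone: str = "sbl-xbl.spamhaus.org") -> str:
    """Reverse the octets and append the DNSBL zone, as reject_rbl_client does.
    ValueError propagates for anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_listed(ip: str, zone: str = "sbl-xbl.spamhaus.org") -> bool:
    """Live lookup (not called by default): a DNSBL returns an A record for a
    listed address and NXDOMAIN for an unlisted one."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    ip = client_ip(SAMPLE_MESSAGE)
    print("From: domain        :", header_sender_domain(SAMPLE_MESSAGE))
    print("connecting client IP:", ip)
    print("DNSBL query name    :", dnsbl_query_name(ip))
```

Run against the sample, the From: domain is innocent-bank.example while the delivering client is 192.0.2.77, whose lookup name is 77.2.0.192.sbl-xbl.spamhaus.org; a block list built from From: domains would have hit the bank, not the drone.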