Re: More spammer questions


Subject: Re: More spammer questions
From: Mike Tibor (tibor@lib.uaa.alaska.edu)
Date: Wed Feb 13 2002 - 14:42:19 AKST


On Wed, 13 Feb 2002, Mike Barsalou wrote:

>
> I found a feature in sendmail called blacklist_recipients that I believe
> will work for my needs.
>
> Has anyone successfully used this feature?
>
> Would you please share your experiences with us?

Sendmail's blacklist_recipients feature isn't bad, but the problem is that
you have to enter into a text file each domain that you want to reject
mail from. This means you have to have prior knowledge that the domain is
a spam source. In my experience this is only effective against persistent
spammers who relay from the same hosts, and useless against the garbage
that gets relayed through unsecured third-party open relays. Granted it's
a good tool for the toolbox, but there are bigger wrenches available.

I'm using Postfix, but the basic concept works fine for Sendmail as
well--although I don't know the exact translation into sendmail.cf, so
hopefully others will help with that.

Here's what I've got in /etc/postfix/main.cf:

maps_rbl_domains = blackholes.mail-abuse.org
                        dialups.mail-abuse.org
                        relays.mail-abuse.org
                        inputs.orbz.org

(the following should be all on one line, but I've wrapped it hoping it'll
be a little more readable)

smtpd_client_restrictions = hash:/etc/postfix/reject,
        permit_mynetworks, reject_maps_rbl

The first one (maps_rbl_domains) defines all the blackhole databases that
should be checked.

The second, (smtpd_client_restrictions) lists all the checks that should
be done against the source IP address anytime an smtp connection is
initiated:

1. check the source IP against my locally maintained file
    (this part would be equivalent to blacklist_domains)
2. if the source IP is a local one, let it pass
3. lookup the IP in all the blackhole databases listed in
    $maps_rbl_domains

In my opinion, the importance of checking the source IP of the connecting
host is overlooked by most mail sysadmins, and is downplayed in all the
docs I've seen available on the 'net. Most docs seem to emphasize
checking other aspects of the session (whether the From: header uses a
resolvable domain name, or has a username consisting entirely of numbers,
whether the connecting IP resolves back to anything, etc.) which are of
limited usefulness these days. In the old days before MAPS, ORBS, ORBZ,
SpamCop, etc. these were important things to check, simply because there
were no actively maintained centralized databases of spam sources. Of
course now that we have these databases, I *do* still make use of the
other methods.

The blackhole databases work very well, and I would say that probably 49
out of 50 rejected smtp sessions are via inputs.orbz.org. ORBS is
shutdown now, and may have been the predecessor to ORBZ, or may not have
been related in any way, I'm not sure. MAPS also appears to be
effectively down, but at one time they were very good. There was talk
that MAPS was moving to a completely fee-based subscription service, so it
may be that I would have to feed them money before my mail-abuse.org
lookups would return any hits. I will probably just remove them from my
$maps_rbl_domains list.

Hopefully all that rambling made sense--I'm awake right now only because
of my coffee, having taken some people to the airport very early this
morning.

Mike

-- 
Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
Network Technician     Consortium Library         (907) 786-6050 fax
tibor@lib.uaa.alaska.edu       http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
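Added example, not part of Mike's post or of Postfix itself: a small Python model of the three-step smtpd_client_restrictions list above (local reject map, permit_mynetworks, then reject_maps_rbl over the zones in maps_rbl_domains). DNS is replaced by a constructed lookup table, and the reject-map values, network list and listed IP are constructed sample data; the prefix walk (full address, then shorter network prefixes) mirrors how Postfix looks up client addresses in an access map.

```python
import ipaddress

# Constructed stand-in for hash:/etc/postfix/reject (full IP or leading-octet prefix).
REJECT_MAP = {"192.0.2.77": "REJECT", "203.0.113": "REJECT"}
# Constructed stand-in for $mynetworks.
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]
# The zones from the post's maps_rbl_domains, checked in listed order.
RBL_DOMAINS = ["blackholes.mail-abuse.org", "dialups.mail-abuse.org",
               "relays.mail-abuse.org", "inputs.orbz.org"]
# Constructed fake DNS: a DNSBL returns an A record (127.0.0.x) for listed IPs.
FAKE_DNS = {"5.4.3.198.inputs.orbz.org": "127.0.0.2"}


def rbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 198.3.4.5 -> 5.4.3.198.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_client(ip, resolve=FAKE_DNS.get):
    """Evaluate the restriction list for one connecting IP, first match wins."""
    # 1. hash:/etc/postfix/reject: try 198.3.4.5, then 198.3.4, 198.3, 198
    parts = ip.split(".")
    for n in range(4, 0, -1):
        key = ".".join(parts[:n])
        if key in REJECT_MAP:
            return ("REJECT", "local map entry " + key)
    # 2. permit_mynetworks: local clients bypass the RBL lookups
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in MYNETWORKS):
        return ("PERMIT", "mynetworks")
    # 3. reject_maps_rbl: any answer from a zone means the IP is listed
    for zone in RBL_DOMAINS:
        if resolve(rbl_query_name(ip, zone)) is not None:
            return ("REJECT", "listed in " + zone)
    return ("DUNNO", "no restriction matched")
```

Because the list is evaluated in order, an address in the local reject map is refused even if it also falls inside $mynetworks; swapping the first two entries would change that.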



This archive was generated by hypermail 2a23 : Wed Feb 13 2002 - 14:42:22 AKST