North American Network Operators Group
Re: Spam protection for larger networks (Was Re: Spammer Bust)
You should also take a look at smtpd from Obtuse (ftp://ftp.obtuse.com/pub/smtpd/beta). It allows you to block relaying in many different ways, some of which you don't see in sendmail filters. For instance, you can refuse relaying for IP X because IP X's authoritative name servers don't include Y. It's also flexible in deploying a single file across all your mail servers which takes care of relaying and spam.

On Fri, 5 Sep 1997, Rod Nayfield wrote:

> At 04:35 PM 9/5/97 -0400, Jeremy Elson wrote:
> >The answer, of course, is that the mail really originated from a PSInet
> >dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> >utter forgery, presumably added by the spam-mailing software. In fact,
> >it's not even a very good forgery, because the supposed IP address of
> >alt2.bethere.net is invalid (the 2nd octet is 756).
>
> Yes, it seems that once a spammer finds your site (fs.iconnet.net, mine)
> they share it with others. What was a trickle (in April, when you got
> spammed) became a flood as the "disposable dial-ppp / third-party relay"
> technique became widespread. At the time we had approximately 15 "open"
> mail servers - but only one was ever abused - they either share with each
> other or have common sources/techniques of scanning for "open" servers.
>
> X-Disclaimer: if you're not interested in sendmail techniques to keep spam
> off your network, delete now.
>
> Anyway, we were able to dig up a nice simple solution that solves some
> problems that ISPs have. The reason I'm posting is because it took a long
> time to find the solution and most sources of information (spam.abuse.net,
> etc) are aimed at small sites, not ISPs who provide mail-relay and MX
> backup for their customers.
>
> The solution is located at
>
> http://www.informatik.uni-kiel.de/%7Eca/email/check.html
> http://www.informatik.uni-kiel.de/%7Eca/email/rules/check.tar
>
> What we do now, with most help from Claus Aßmann's site:
>
> We now have four files that control our anti-abuse sendmail (in order):
>
> 1. Spammer      These user addresses can't send mail
> 2. SpamDomains  These domains can't send mail
> 3. LocalIP      These IP addresses can relay mail
> 4. RelayTo      Mail destined to these domain names can go through
>
> Thus, our customers can use our mail servers to relay (#3), and anyone else
> must be sending to our customers (#4) or they get rejected. Plus we can
> block any spammer, customer or non-customer (#1,2). Now we only have to
> worry about our downstreams spamming, where we actually have leverage.
>
> Things that need work:
> . script to dynamically create localip file
>   (point a program at your cisco and let it "sh ip bgp filter x" to get
>   your list, which you can then edit)
> . merge spammer and spamdomains into one file with wildcards
>   (*@*.b.com , [email protected]*.c.com , *@port15.dial.d.net)
> . cidr and substring matching are not the same
>   (you can take 10.1.0.0/17 and make 128 /24 entries, or one /16 entry and
>   allow the other /17 through)
>
> I'm thinking of building on this and sharing my results with Claus and any
> other interested parties. Suggestions / Comments / Ideas please e-mail me.
> Thanks for your time.
>
> -Rod

Regards
Peter Marelas
--
Phase One Interactive - Sun Solaris/Unix/Networking Consultant
P.O Box 549, Templestowe 3106 Melbourne, Australia
URL: http://www.phase-one.com.au/
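The four-list relay policy Rod describes (Spammer, SpamDomains, LocalIP, RelayTo, evaluated in that order), together with the CIDR-versus-substring problem from his "things that need work" list, as an added illustration. This is not code from the thread, from Claus Aßmann's rule set, or from sendmail; the list contents, the `relay_decision` function and all addresses are constructed for the example (documentation ranges only).

```python
"""Ordered relay-policy check: Spammer, SpamDomains, LocalIP, RelayTo."""
import fnmatch
import ipaddress

# Constructed sample lists standing in for the four policy files described
# in the post (hypothetical entries; documentation/example addresses only).
SPAMMER = ["spammer@example.net", "*@port15.dial.example.org"]  # 1. addresses that can't send
SPAM_DOMAINS = ["spam-example.com"]                              # 2. domains that can't send
LOCAL_IP = ["192.0.2.0/24", "10.1.0.0/17"]                       # 3. client IPs allowed to relay
RELAY_TO = ["example.com", "customer.example"]                   # 4. destination domains we host/MX


def domain_of(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def domain_listed(domain, listed):
    """True when domain equals a listed domain or is a subdomain of it."""
    domain = domain.lower()
    for d in listed:
        d = d.lower()
        if domain == d or domain.endswith("." + d):
            return True
    return False


def ip_in_cidrs(ip, cidrs):
    """True when ip falls inside any CIDR block (proper prefix-length matching)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def ip_matches_substring(ip, prefixes):
    """The naive text-prefix test the post warns about; kept only to show its flaw."""
    return any(ip.startswith(p) for p in prefixes)


def relay_decision(client_ip, sender, recipient):
    """Evaluate the four lists in order and return (verdict, reason)."""
    sender = sender.lower()
    # 1. Spammer: exact addresses or shell-style wildcards such as *@host.
    if any(fnmatch.fnmatchcase(sender, p.lower()) for p in SPAMMER):
        return ("reject", "sender address listed in Spammer")
    # 2. SpamDomains: the sender's domain (or a parent of it) is blocked.
    if domain_listed(domain_of(sender), SPAM_DOMAINS):
        return ("reject", "sender domain listed in SpamDomains")
    # 3. LocalIP: our own customers may relay anywhere.
    if ip_in_cidrs(client_ip, LOCAL_IP):
        return ("accept", "client IP listed in LocalIP; relaying allowed")
    # 4. RelayTo: anyone else must be delivering to a domain we serve.
    if domain_listed(domain_of(recipient), RELAY_TO):
        return ("accept", "recipient domain listed in RelayTo")
    return ("reject", "relaying denied")


if __name__ == "__main__":
    for ip, frm, to in [
        ("10.1.5.5", "user@other.test", "bob@elsewhere.test"),    # inside 10.1.0.0/17
        ("10.1.200.5", "user@other.test", "bob@elsewhere.test"),  # inside the other /17
        ("203.0.113.7", "user@other.test", "alice@example.com"),
        ("203.0.113.7", "spammer@example.net", "alice@example.com"),
    ]:
        print(ip, frm, "->", to, relay_decision(ip, frm, to))
    # Substring matching on "10.1." would let the other /17 relay as well:
    print(ip_matches_substring("10.1.200.5", ["10.1."]), ip_in_cidrs("10.1.200.5", LOCAL_IP))
```

The order matters: a blocked sender is rejected even when it connects from a LocalIP range, which is the "block any spammer, customer or non-customer" property the post relies on. The last print shows the /17 problem concretely: a text prefix of `10.1.` matches `10.1.200.5`, while the CIDR test correctly excludes it from `10.1.0.0/17`.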