North American Network Operators Group


Re: Spam protection for larger networks (Was Re: Spammer Bust)

  • From: Peter Marelas
  • Date: Sun Sep 07 00:41:17 1997

You should also take a look at smtpd from Obtuse (ftp://ftp.obtuse.com/pub/smtpd/beta).
It allows you to block relaying in many different ways, some of which you don't
see in sendmail filters. For instance, you can refuse relaying for
IP X because IP X's authoritative name servers don't include Y.

It's also flexible in deploying a single file across all your mail servers
which takes care of relaying and spam.

On Fri, 5 Sep 1997, Rod Nayfield wrote:

> At 04:35 PM 9/5/97 -0400, Jeremy Elson wrote:
> >The answer, of course, is that the mail really originated from a PSInet
> >dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> >utter forgery, presumably added by the spam-mailing software.  In fact,
> >it's not even a very good forgery, because the supposed IP address of
> >alt2.bethere.net is invalid (the 2nd octet is 756).
> 
> 
> Yes, it seems that once a spammer finds your site (fs.iconnet.net, mine)
> they share it with others.  What was a trickle (in April, when you got
> spammed) became a flood as the "disposable dial-ppp / third-party relay"
> technique became widespread.  At the time we had approximately 15 "open"
> mail servers - but only one was ever abused - they either share with each
> other or have common sources/techniques of scanning for "open" servers.
> 
> X-Disclaimer: if you're not interested in sendmail techniques to keep spam
> off your network, delete now.
> 
> Anyway, we were able to dig up a nice simple solution that solves some
> problems that ISPs have.  The reason I'm posting is because it took a long
> time to find the solution and most sources of information (spam.abuse.net,
> etc) are aimed at small sites, not ISPs who provide mail-relay and MX
> backup for their customers.  The solution is located at
> 
> http://www.informatik.uni-kiel.de/%7Eca/email/check.html
> http://www.informatik.uni-kiel.de/%7Eca/email/rules/check.tar
> 
> what we do now, with most help from Claus Aßmann's site:
> 
> =
> We now have four files that control our anti-abuse sendmail (in order):
> 
> 1. Spammer		These user addresses can't send mail
> 2. SpamDomains	These domains can't send mail
> 3. LocalIP		These IP addresses can relay mail
> 4. RelayTo		Mail destined to these domain names can go through
> 
> Thus, our customers can use our mail servers to relay (#3), and anyone else
> must be sending to our customers (#4) or they get rejected.  Plus we can
> block any spammer, customer or non-customer (#1,2).  Now we only have to
> worry about our downstreams spamming, where we actually have leverage.
> 
> Things that need work:
> . script to dynamically create localip file
>   (point a program at your cisco and let it "sh ip bgp filter x" to get
>    your list, which you can then edit)
> . merge spammer and spamdomains into one file with wildcards
>   (*@*.b.com , [email protected]*.c.com , *@port15.dial.d.net)
> . cidr and substring matching are not the same
>   (you can take 10.1.0.0/17 and make 128 /24 entries, or one /16 entry and allow
>    the other /17 through)
> 
> 
> I'm thinking of building on this and sharing my results with Claus and any
> other interested parties.  Suggestions / Comments / Ideas please e-mail me.
>  Thanks for your time.
> 
> -Rod
> 

Regards
Peter Marelas
--
Phase One Interactive - Sun Solaris/Unix/Networking Consultant
P.O Box 549, Templestowe 3106 Melbourne, Australia
URL: http://www.phase-one.com.au/
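The four-file relay policy Rod describes in the quoted message (Spammer, SpamDomains, LocalIP, RelayTo, checked in that order), together with his point that CIDR and substring matching are not the same, as an added illustration that is not code from either poster or from the check.tar rules. All table contents are constructed sample values, and the table names are only borrowed from the message.

```python
import ipaddress

# Constructed sample tables standing in for the four sendmail files.
SPAMMER = {"bulkmail@example.net"}          # 1. these user addresses can't send mail
SPAM_DOMAINS = {"bulk.example"}             # 2. these domains (and subdomains) can't send mail
LOCAL_IP = ["192.0.2.0/24", "10.1.0.0/17"]  # 3. these client networks may relay anywhere
RELAY_TO = {"customer.example"}             # 4. mail to these domains may pass through


def _domain_listed(domain, table):
    """True if domain equals, or is a subdomain of, an entry in table."""
    return any(domain == d or domain.endswith("." + d) for d in table)


def cidr_contains(client_ip, network):
    """Proper CIDR test: 10.1.200.9 is NOT inside 10.1.0.0/17."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(network)


def substring_match(client_ip, prefix):
    """The substring test the message warns about: '10.1.' also admits the other /17."""
    return client_ip.startswith(prefix)


def relay_decision(sender, client_ip, recipient):
    """Apply the four checks in the order the message lists them."""
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]
    rcpt_domain = recipient.lower().rpartition("@")[2]
    # 1. Spammer: individual sender addresses are refused outright.
    if sender in SPAMMER:
        return "reject: sender listed in Spammer"
    # 2. SpamDomains: whole sender domains are refused.
    if _domain_listed(sender_domain, SPAM_DOMAINS):
        return "reject: sender domain listed in SpamDomains"
    # 3. LocalIP: customers (by client network) may relay to anyone.
    if any(cidr_contains(client_ip, n) for n in LOCAL_IP):
        return "accept: client in LocalIP"
    # 4. RelayTo: everyone else must be delivering to a customer domain.
    if _domain_listed(rcpt_domain, RELAY_TO):
        return "accept: recipient in RelayTo"
    return "reject: relaying denied"
```

A client at 10.1.200.9 falls in the upper /17 of 10.1.0.0/16, so the CIDR check denies it relay while a "10.1." substring rule would have let it through.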