I've just found a new and interesting spam source - legitimate bounce messages
Paul Schmehl
pauls at utdallas.edu
Mon Oct 20 09:45:33 PDT 2008
--On Monday, October 20, 2008 10:24:28 -0500 "Michael K. Smith - Adhost"
<mksmith at adhost.com> wrote:
>>
>> Let me know if you do find a reliable, decent solution that does not
>> involve SPF or postfix header_checks or body_checks.
>>
>
> The following doesn't fix the problem but it does help mitigate the deluge.
> We use a PERL script to tail our maillogs looking for any source IP that
> tries to send mail to more than 4 invalid addresses. When flagged, that IP
> is then added to a PF table that blocks the address and issues RST's for 12
> hours. Of course, we also have a whitelist for "valid" SMTP servers. Like I
> said, it doesn't catch it all, but it catches *a lot* and generates almost no
> complaints. This does help obfuscate the valid/invalid addresses because all
> mail is accepted as far as the sender is concerned until the IP is blocked at
> the network layer.
>
> The usual complaint is from a remote office that has 12 real estate agents
> behind a single IP, all with Outlook set to check mail "sooner than now." :-)
>
The best solution *by far* that I have found for spam (using Postfix) is
mail/postfix-policyd-weight. It routinely rejects 50 to 70% of incoming mail
with no false positives. It took *very* little tweaking to get it to this
point, and it rejects the mail before postfix even deals with it. I use
spamassassin as well, but policyd-weight does the heavy lifting.
Here's one example of a rejected email:
Oct 20 11:11:16 mail postfix/policyd-weight[77973]: weighted check:
IN_DYN_PBL_SPAMHAUS=3.25 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=4.75 REV_IP_EQ_HELO=-1.25
NOK_HELO_SEEMS_DIALUP=5 (check from: .hinet. - helo:
.dsl.dynamic8121373125.ttnet. - helo-domain: .ttnet.)
FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=4.85 CLIENT_NOT_MX/A_FROM_DOMAIN=4.75
CLIENT/24_NOT_MX/A_FROM_DOMAIN=4.75; <client=81.213.73.125>
<helo=dsl.dynamic8121373125.ttnet.net.tr> <from=alan0730 at ms35.hinet.net>
<to=abeinlets at stovebolt.com>; rate: 21.6
Oct 20 11:11:16 mail postfix/policyd-weight[77973]: decided action=550 Mail
appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO
and DNS MX settings or to get removed from DNSBLs; please relay via your ISP
(ms35.hinet.net); Please use DynDNS; <client=81.213.73.125>
<helo=dsl.dynamic8121373125.ttnet.net.tr> <from=alan0730 at ms35.hinet.net>
<to=abeinlets at stovebolt.com>; delay: 8s
Anything above 1 is rejected. This email scored 21.6, which is off the charts.
It even does greylisting.
Oct 20 10:45:47 mail postfix/policyd-weight[28339]: decided action=550
temporarily blocked because of previous errors - retrying too fast. penalty: 30
seconds x 0 retries.; <client=189.141.58.189>
<helo=dsl-189-141-58-189.prod-infinitum.com.mx> <from=ii7jam at hotmail.com>
<to=milliman at stovebolt.com>; delay: 0s
Oct 20 10:46:51 mail postfix/policyd-weight[28339]: decided action=550
temporarily blocked because of previous errors - retrying too fast. penalty: 30
seconds x 0 retries.; <client=65.110.50.188> <helo=boomfm.dnsalias.com>
<from=aw-confirm at ebay.com> <to=tsp at stovebolt.com>; delay: 0s
It does let some spam through, which spamassassin catches, but it rejects all
the bogus stuff (fake hostnames, bogus MTAs, forged from addresses, etc., etc.)
--
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
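The log-tailing heuristic Michael describes (flag any source IP that hits more than 4 invalid recipients, skip whitelisted MXs, feed the rest to a PF table), written out as an added example in Python rather than his Perl script. The log lines, the whitelist address and the PF table name "spamtrap" are constructed for the example; the PF rule that blocks from that table is assumed to exist already.

```python
import re
from collections import defaultdict

# Matches a Postfix "unknown recipient" reject as smtpd logs it, capturing the
# client IP and the rejected recipient.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*?<(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

THRESHOLD = 4                # more than this many distinct invalid recipients flags an IP
WHITELIST = {"192.0.2.10"}   # constructed: a known-good SMTP server that is never blocked


def invalid_rcpts_by_ip(lines):
    """Map each client IP to the set of distinct invalid recipients it tried."""
    seen = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return seen


def ips_to_block(lines, threshold=THRESHOLD, whitelist=WHITELIST):
    """Sorted list of client IPs over the threshold, minus the whitelist."""
    return sorted(ip for ip, rcpts in invalid_rcpts_by_ip(lines).items()
                  if len(rcpts) > threshold and ip not in whitelist)


def pfctl_commands(ips, table="spamtrap"):
    """Build the pfctl commands that add the IPs to the PF table (not executed here)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


def _reject(ip, rcpt):
    # Constructed sample log line in the shape smtpd writes for an unknown user.
    return (f"Oct 20 11:11:16 mail postfix/smtpd[77973]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<x@example.org> to=<{rcpt}>")


SAMPLE_LOG = (
    [_reject("198.51.100.7", f"user{i}@example.com") for i in range(5)]     # 5 distinct -> flagged
    + [_reject("198.51.100.7", "user0@example.com")]                          # duplicate, counted once
    + [_reject("192.0.2.10", f"old{i}@example.com") for i in range(6)]       # whitelisted MX
    + [_reject("203.0.113.5", f"nobody{i}@example.com") for i in range(4)]   # exactly 4, not flagged
)

if __name__ == "__main__":
    for cmd in pfctl_commands(ips_to_block(SAMPLE_LOG)):
        print(cmd)
```

Counting distinct recipients rather than raw reject lines keeps one misconfigured legitimate sender retrying the same bad address from tripping the threshold.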
More information about the freebsd-questions mailing list