Date: Wed, 25 Oct 2006 10:31:23 -0600
From: cpghost <cpghost@cordula.ws>
To: Jack Stone <antennex@hotmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Shell question
Message-ID: <20061025163123.GA61917@epia2.farid-hajji.net>
In-Reply-To: <BAY106-F3222330AF276AB9714149FCC060@phx.gbl>
References: <BAY106-F3222330AF276AB9714149FCC060@phx.gbl>
On Wed, Oct 25, 2006 at 09:53:47AM -0500, Jack Stone wrote:
> I have managed to piece together a shell script that is able to retrieve
> the domains from the spams of the day and summarize those in a special file
> that can then be added to the sendmail's rejects in the access.db. But,
> first I have to eyeball the list and remove any obvious good-guy domains.

The domains from the spams? That's almost always pretty useless:

1. The only reliable information is what's in the SMTP envelope.
   Headers like From: etc... are always spoofed and almost always
   pointing to either nonexistent or innocent victim domains (which
   then get flooded by bounces).

2. The IP addresses of the senders (from the SMTP envelope or at most
   the last Received: header, if you don't operate your own MTA) will
   almost always point to the PTR of some big broadband ISPs hosting
   some infected Windows spam drones. Blocking the *domain* name of
   the ISP (esp. the big ones) would be silly, because that would lock
   out a lot of legitimate users that send mails through their (ISPs')
   mailers.

The bottom line: you'll end up banning 99% of innocent domains, and
still get flooded with spams, since spammers can and do fake a HUGE
amount of domain names.

However, blocking IP addresses using RBLs like spamhaus.org,
greylisting, and, to a lesser extent, using SPF (once it gets more
widely adopted) can do wonders, if you operate your own MTA. E.g.
the following Postfix configuration in /usr/local/etc/postfix/main.cf
is a bit tight, but very effective in most setups:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
#   check_sender_access hash:/usr/local/etc/postfix/sender_access,
#   check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
#   check_helo_access hash:/usr/local/etc/postfix/secondary_mx_access,
#   reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
#   reject_rbl_client dnsbl.sorbs.net,
    check_policy_service unix:private/spfpolicy,
    check_policy_service inet:127.0.0.1:10023,
#   The following are a bit tight, but they won't do any harm
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
#   check_client_access hash:/usr/local/etc/postfix/client_access,
    reject_unknown_client

One can do even more, but that should be enough for now, considering
the current "state of the art" of the spam engines.

If you prefer sendmail, a sendmail guru will certainly help translating
most directives from this config... ;)

> Jack

Good luck,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
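The "check_policy_service inet:127.0.0.1:10023" line in the config above hands each SMTP transaction to an external policy daemon over Postfix's policy delegation protocol (attribute=value lines ending in a blank line; the daemon answers with one "action=" line and a blank line). The example below is an added illustration, not part of cpghost's mail and not postgrey's or Postfix's own code: a minimal greylisting policy server that keys on the envelope triplet (client /24, MAIL FROM, RCPT TO), never on header data, and defers a triplet it has not seen until a delay has passed. The 300 s delay, the /24 keying, the in-memory table and the listen address are this example's own assumptions; the sample request is constructed.

```python
"""Minimal greylisting policy server for Postfix's check_policy_service.

Added example; not from the original mail and not postgrey's code. The
triplet keying on the client /24, the 300 s delay and the in-memory table
are this example's own choices (a real deployment needs persistent state).
"""
import socketserver
import time
from typing import Dict, Tuple

GREYLIST_DELAY = 300  # seconds a new triplet must wait before it is let through
LISTEN = ("127.0.0.1", 10023)  # matches "check_policy_service inet:127.0.0.1:10023"

Triplet = Tuple[str, str, str]


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one request: 'attribute=value' lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break  # the empty line ends the request
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def make_triplet(attrs: Dict[str, str]) -> Triplet:
    """Key greylist state on (client /24, envelope sender, envelope recipient).

    Only envelope data is used, never the header From:. Keying on the /24
    (an assumption of this example) keeps a sender that retries from another
    host of the same outbound pool from being deferred again on every try.
    """
    ip = attrs.get("client_address", "")
    parts = ip.split(".")
    net = ".".join(parts[:3]) + ".0/24" if len(parts) == 4 else ip
    return (net, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


class Greylist:
    def __init__(self, delay: float = GREYLIST_DELAY) -> None:
        self.delay = delay
        self.first_seen: Dict[Triplet, float] = {}

    def decide(self, attrs: Dict[str, str], now: float) -> str:
        """Return the Postfix action for one request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "dunno"
        # Sender and recipient are only both known at RCPT TO; earlier
        # there is no triplet to key on, so leave the decision to Postfix.
        if attrs.get("protocol_state") != "RCPT":
            return "dunno"
        key = make_triplet(attrs)
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now
        if seen is None or now - seen < self.delay:
            # defer_if_permit: a later reject in the restriction list still wins
            return "defer_if_permit 4.2.0 Greylisted, please try again later"
        return "dunno"


def handle_request(raw: str, greylist: Greylist, now: float) -> str:
    """Full exchange: request text in, 'action=...' reply out."""
    return "action=%s\n\n" % greylist.decide(parse_policy_request(raw), now)


# Constructed sample request, shaped like what smtpd sends at RCPT TO.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=unknown\n"
    "helo_name=mail.example.invalid\n"
    "sender=bulk@example.net\n"
    "recipient=user@example.org\n"
    "\n"
)


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve on LISTEN; Postfix keeps the connection open and sends several requests."""
    greylist = Greylist()

    def handle(self) -> None:
        while True:
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                lines.append(line)
                if line == "":
                    break
            if not lines:
                return  # client closed the connection
            reply = handle_request("\n".join(lines) + "\n", self.greylist, time.time())
            self.wfile.write(reply.encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as srv:
        srv.serve_forever()
```

The reply uses "defer_if_permit" rather than "defer" so that a client which a later restriction would reject anyway is rejected, not merely told to retry; in the config above the reject_rbl_client lines come before check_policy_service, so a blacklisted client never reaches the greylist at all. Legitimate MTAs retry after a temporary failure, most spam drones do not, which is the whole point of greylisting; a production daemon additionally needs a persistent database, expiry of stale triplets and a whitelist for known large senders that retry from many addresses.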
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061025163123.GA61917>