Date:      Wed, 25 Oct 2006 10:31:23 -0600
From:      cpghost <cpghost@cordula.ws>
To:        Jack Stone <antennex@hotmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Shell question
Message-ID:  <20061025163123.GA61917@epia2.farid-hajji.net>
In-Reply-To: <BAY106-F3222330AF276AB9714149FCC060@phx.gbl>
References:  <BAY106-F3222330AF276AB9714149FCC060@phx.gbl>

On Wed, Oct 25, 2006 at 09:53:47AM -0500, Jack Stone wrote:
> I have managed to piece together a shell script that is able to retrieve 
> the domains from the spams of the day and summarize those in a special file 
> that can then be added to the sendmail's rejects in the access.db. But, 
> first I have to eyeball the list and remove any obvious good-guy domains.

The domains from the spams? That's almost always pretty useless:

1. The only reliable information is what's in the SMTP envelope.
Headers like From: etc... are always spoofed and almost always
pointing to either nonexistent or innocent victim domains (which
then get flooded by bounces).

2. The IP addresses from the senders (from the SMTP envelope or
at most the last Received: header, if you don't operate your own
MTA), will almost always point to PTR of some big broadband ISPs
hosting some infected Windows spam drones. Blocking the *domain*
name of the ISP (esp. the big ones) would be silly, because
that would lock out a lot of legitimate users that send mails
through their (ISPs) mailers.

The bottom line: you'll end up banning 99% of innocent domains,
and still get flooded with spams, since spammers can and do fake
a HUGE amount of domain names.

However, blocking IP addresses using RBLs like spamhaus.org,
greylisting, and, to a lesser extent, using SPF (once it gets
more widely adopted) can do wonders, if you operate your own MTA.

E.g. the following Postfix configuration in
/usr/local/etc/postfix/main.cf is a bit tight, but very effective
in most setups:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    # check_sender_access hash:/usr/local/etc/postfix/sender_access,
    # check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
    # check_helo_access hash:/usr/local/etc/postfix/secondary_mx_access,
    # reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    # reject_rbl_client dnsbl.sorbs.net,
    check_policy_service unix:private/spfpolicy,
    check_policy_service inet:127.0.0.1:10023,
    # The following are a bit tight, but they won't do any harm
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    # check_client_access hash:/usr/local/etc/postfix/client_access,
    reject_unknown_client

One can do even more, but that should be enough for now,
considering the current "state of the art" of the spam engines.

If you prefer sendmail, a sendmail guru will certainly help translating
most directives from this config... ;)

> Jack

Good luck,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
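As an added example (not part of cpghost's mail, nor Postfix's own code), the script below illustrates the distinction the reply draws: the From: domain is whatever the spammer typed, while the connecting IP stamped by your own MTA in the topmost Received: header is real and is what a reject_rbl_client lookup reverses and queries under the DNSBL zone. The message, the host name mx.example.org and the addresses are constructed; the zone name is the one from the config above.

```python
import email
import ipaddress
import re
import socket

# Constructed sample message: our MTA (mx.example.org) stamped the top
# Received: header; everything below it, From: included, came from the sender.
SAMPLE = b"""Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.example.org (Postfix) with ESMTP id 4F3A1
\tfor <jack@example.org>; Wed, 25 Oct 2006 09:53:47 -0500
Received: from [10.0.0.7] (unknown [10.0.0.7]) by mail.example.net
From: "Someone" <someone@innocent-victim.example>
To: jack@example.org
Subject: test

body
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def from_domain(raw):
    """The domain in From:, i.e. the value the reply says is worthless."""
    msg = email.message_from_bytes(raw)
    return email.utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]


def connecting_ip(raw, trusted_host="mx.example.org"):
    """IP that actually connected to our MTA: the bracketed address in the
    first Received: header that our own host wrote. Lower headers are forgeable."""
    msg = email.message_from_bytes(raw)
    for hdr in msg.get_all("Received", []):
        if f"by {trusted_host}" not in hdr:
            continue
        m = BRACKETED_IP.search(hdr)
        return m.group(1) if m else None
    return None


def dnsbl_name(ip, zone):
    """Query name used by reject_rbl_client: reversed octets under the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it hits DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True when the DNSBL answers with a 127.x.y.z A record (listed).
    resolve is injectable so the logic can be exercised without network."""
    try:
        return resolve(dnsbl_name(ip, zone)).startswith("127.")
    except OSError:  # NXDOMAIN: not listed
        return False
```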