Mike Cardwell <[EMAIL PROTECTED]> said, in message [EMAIL PROTECTED]:

> I might be missing the point, or several points, here, but why don't
> you just set up a wildcard MX record for *.aber.ac.uk to point at
> your real MX? I know that's not much use for the rest of your
> tarpitting/portscanning stuff but it should solve your main problem,
> no?

Hi Mike,

The main problem isn't actually the fact that mail gets queued before being bounced when the Aber user has typed an incorrect address. It's the one that affects legit mail, yes, but we've not had any complaints.

For a couple of years I've had a little script tied into our firewall that looks for blocked port 25 connect attempts and adds the source IP to a local blacklist. This works pretty well (you wouldn't believe the number of hits we get on hosts in the A record for aber.ac.uk rather than the MX record, for example) and the blacklist now stands at nearly 300,000 IP addresses. We get very few false positives on matches against this list and it's a fairly lightweight test before we start dropping stuff into SpamAssassin.

The false positives come in those rare cases above, where someone fools a legitimate server into trying to connect to an illegitimate host. To address this we wanted to try to retain tractability (i.e. know what people were trying to connect to) whilst detecting the false positives.

We looked at wildcard MX records, but they appeared to have problems that we didn't want to get into handling. For example, http://www.unix.org.ua/orelly/networking/sendmail/ch21_03.htm says the following:

> One compelling weakness of wildcard MX records is that they match any
> hostname at all, even for machines that don't exist:
>
>     ; domain is sub.dc.gov
>     *.dc.gov.    IN    MX    10    hostB.dc.gov.
>
> Here, mail to foo.dc.gov will be forwarded to hostB.dc.gov, even if
> there is no host foo in that domain.
>
> Wildcard MX records almost never have any appropriate use on the
> Internet. They are often misunderstood and are often used just to
> save the effort of typing hundreds of MX records. They do, however,
> have legitimate uses behind firewall machines and on non-Internet
> networks.

Another alternative is an MX record for every existing machine, but that would double the size of our DNS and I'd have to rewrite a whole pile of code.

Also, bouncing all connects onto the main mail servers could well have increased our scanning load by actively collecting extra spamming attempts we'd never have seen otherwise. Putting a dummy server on our site firewall sounded an elegant answer and gives us a chance at spotting the spammers before they hit our real servers.

The redirect is working fine, and my question was really to be sure that I wasn't missing anything in trying to detect what IP the other end was *trying* to connect to. I mentioned last night that I'd have a bash at wrapping getsockname() with a shared library. This appears to work, so a slightly modified exim startup script will do what I want. I'm going to do some more testing - if that works I'll put it up on the web, just in case it's useful to anyone else.

Cheers,

Alun.
-- 
Alun Jones [EMAIL PROTECTED]
Systems Support, (01970) 62 2494
Information Services, University of Wales, Aberystwyth

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
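The getsockname() wrapper Alun describes, written out as an added example that is neither his code nor Exim's. It assumes a Linux firewall where the port-25 redirect is a netfilter REDIRECT rule, so that conntrack's SO_ORIGINAL_DST socket option can report the address the client originally dialled; the file name origdst.c and the functions original_destination() and real_getsockname() are my own names. The interposed getsockname() hands back the original destination on a redirected IPv4 connection and falls through to the real call on anything else, so the same library is safe in front of a listener that also takes direct connections.

```c
/* origdst.c - LD_PRELOAD shim: make getsockname() report the address the
 * peer was originally trying to reach on a connection that a netfilter
 * REDIRECT rule steered to this dummy listener.  Added example; assumes
 * Linux with nf_conntrack loaded, which is where SO_ORIGINAL_DST exists. */
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>

/* Value from <linux/netfilter_ipv4.h>; spelled out to avoid the
 * netinet/in.h versus linux/in.h header clash on older toolchains. */
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80
#endif

/* Reach libc's real getsockname() through the raw system call.  Looking
 * it up by name would find this file's own definition again; the usual
 * alternative is dlsym(RTLD_NEXT, "getsockname"), which needs libdl. */
static int real_getsockname(int fd, struct sockaddr *addr, socklen_t *len)
{
    return (int)syscall(SYS_getsockname, fd, addr, len);
}

/* Ask conntrack which IPv4 address:port the client originally connected
 * to.  Returns 0 and fills *orig on success; -1 with errno set otherwise
 * (ENOENT for a connection that was never redirected, ENOPROTOOPT when
 * conntrack is not available, ENOTSOCK/EBADF for a non-socket). */
int original_destination(int fd, struct sockaddr_in *orig)
{
    socklen_t olen = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &olen) < 0)
        return -1;
    if (olen != sizeof(*orig) || orig->sin_family != AF_INET) {
        errno = EPROTONOSUPPORT;   /* only the IPv4 form is handled here */
        return -1;
    }
    return 0;
}

/* Interposed getsockname().  A daemon such as Exim records the local end
 * of an accepted connection with this call, so a redirected connection
 * now logs the IP the spammer (or the fooled legitimate server) targeted
 * rather than the firewall's own address.  Any socket that was not
 * redirected, and any buffer too small for a sockaddr_in, takes the
 * normal path unchanged. */
int getsockname(int fd, struct sockaddr *addr, socklen_t *len)
{
    struct sockaddr_in orig;

    if (addr != NULL && len != NULL && *len >= (socklen_t)sizeof(orig)
        && original_destination(fd, &orig) == 0) {
        memcpy(addr, &orig, sizeof(orig));
        *len = sizeof(orig);
        return 0;
    }
    return real_getsockname(fd, addr, len);
}
```

Build it with `cc -shared -fPIC -o origdst.so origdst.c` and start only the dummy listener on the firewall with `LD_PRELOAD=/path/to/origdst.so` in its environment; the real MX hosts must not load it, since they see un-redirected connections and gain nothing from the extra getsockopt() per accept. SO_ORIGINAL_DST is per-connection conntrack state, so the lookup has to happen on the accepted socket, which is exactly where getsockname() is called.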
