By the time the packet hits badmailfrom you've already done a lot of work
to just reject the connection.
Filter it as soon as possible. BEFORE it gets to your SMTP port.... so you
don't have to spawn an ident child, then a qmail-smtpd, then reject the
packet. I'm not sure of exactly how far up the chain you would go to
finally get to the badmailfrom file..... but it has to be slower than
ipfwadm.
Paul Farber
Farber Technology
[EMAIL PROTECTED]
Ph 570-628-5303
Fax 570-628-5545
On Mon, 27 Sep 1999, Abel Lucano wrote:
> On Sun, 26 Sep 1999 [EMAIL PROTECTED] wrote:
>
> > I would not think so. Filtering is based on a simple premise... do not
> > accept packets from a specific IP address or range of IP's. If you don't
> > know what IP's to filter, then you must find a way to get that
> > information. Try netstat -n or grep your mail logs for the IP's in
> > question.... sooner or later you will have a bunch of IP's to filter...
> > that's a good starting point.
> >
>
> Paul
>
> Thanks for your approach.
>
> Finally I had to filter the spammer with ipfwadm to protect my mail server from
> a denial of service.
> But ipfwadm is not a qmail topic.
>
> Under qmail, I was able (until yesterday) to filter undesirable spam
> mostly with /var/qmail/control/badmailfrom
>
> The question here arises with one spammer (206.221.224.187)
> who's spamming aol.com from one ppp session with a bogus domain "ba.net"
> that doesn't belong to him.
> (from ba.net (ppp187.champaign.advancenet.net [206.221.224.187]))
>
> AOL's DNS "resolves" ba.net (badly in my opinion) and AOL's
> relays were sending tons of bounce emails to my mailserver (the
> real ba.net domain).
>
> I'll try at first with @rly-yc04.mx.aol.com in badmailfrom.
> If this interests you, see one of the bounces below.
> AOL's relays rotate, then I tried (one domain per line, obviously)
>
> @[205.188.156.79], [EMAIL PROTECTED], @[205.188.156.78],@rly-bza01.mx.aol.com
> @rly-yb05.mx.aol.com, @rly-yd01.mx.aol.com ,@rly-yc05.mail.aol.com
>
> I've put the line @aol.com in badmailfrom; I couldn't stop the bombing
> with this approach.
>
> Finally I gave up and used ipfwadm (a UNIX tool, not a qmail tool) (as
> you and other kind guys advised me on this list);
>
> that's the whole story; I'm still filtering aol.com today until the
> attack passes. It's not my desire and it's not a 'professional' solution
> but..
>
> Excuse me all for this maybe long email
>
> Regards
>
> Abel Lucano
> email: [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
>
> ---------------------------------------------------------------------------
> Return-Path: <>
> Received: (qmail 19037 invoked from network); 26 Sep 1999 09:50:32 -0000
> Received: from aolmbr03.mx.aol.com (198.81.17.131)
> by ferro.ba.net with SMTP; 26 Sep 1999 09:50:32 -0000
> Received: from rly-yc04.mx.aol.com (rly-yc04.mail.aol.com [172.18.149.36])
> by aolmbr03.mx.aol.com (8.8.8/8.8.5/AOL-2.0.0)
> with ESMTP id IAA15844 for <[EMAIL PROTECTED]>;
> Sun, 26 Sep 1999 08:31:39 -0400 (EDT)
> Received: from localhost (localhost)
> by rly-yc04.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0)
> with internal id IAA16080;
> Sun, 26 Sep 1999 08:40:12 -0400 (EDT)
> Date: Sun, 26 Sep 1999 08:40:12 -0400 (EDT)
> From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
> Message-Id: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=delivery-status;
> boundary="IAA16080.938349612/rly-yc04.mx.aol.com"
> Subject: Returned mail: User unknown
> Auto-Submitted: auto-generated (failure)
>
> This is a MIME-encapsulated message
>
> --IAA16080.938349612/rly-yc04.mx.aol.com
>
> The original message was received at Sun, 26 Sep 1999 08:40:00 -0400 (EDT)
> from ppp187.champaign.advancenet.net [206.221.224.187]
>
> * ATTENTION ***
>
> Your e-mail is being returned to you because there was a problem with its
> delivery. The AOL address which was undeliverable is listed in the
> section
> labeled: "----- The following addresses had permanent fatal errors -----".
>
> The reason your mail is being returned to you is listed in the section
> labeled: "----- Transcript of Session Follows -----".
>
> The line beginning with "<<<" describes the specific reason your e-mail
> could
> not be delivered. The next line contains a second error message which is
> a
> general translation for other e-mail servers.
>
> Please direct further questions regarding this message to your e-mail
> administrator.
>
> --AOL Postmaster
>
> ----- The following addresses had permanent fatal errors -----
> <[EMAIL PROTECTED]>
>
> ----- Transcript of session follows -----
> ... while talking to air-yc02.mail.aol.com.:
> >>> RCPT To:<[EMAIL PROTECTED]>
> <<< 550 MAILBOX NOT FOUND
> 550 <[EMAIL PROTECTED]>... User unknown
>
> --IAA16080.938349612/rly-yc04.mx.aol.com
> Content-Type: message/delivery-status
>
> Reporting-MTA: dns; rly-yc04.mx.aol.com
> Arrival-Date: Sun, 26 Sep 1999 08:40:00 -0400 (EDT)
>
> Final-Recipient: RFC822; [EMAIL PROTECTED]
> Action: failed
> Status: 2.0.0
> Remote-MTA: DNS; air-yc02.mail.aol.com
> Last-Attempt-Date: Sun, 26 Sep 1999 08:40:12 -0400 (EDT)
>
> --IAA16080.938349612/rly-yc04.mx.aol.com
> Content-Type: message/rfc822
>
> Received: from ba.net (ppp187.champaign.advancenet.net [206.221.224.187])
> by
> rly-yc04.mx.aol.com (v61.9) with ESMTP; Sun, 26 Sep 1999 08:39:55 -0400
> From: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Hey man
> Date: Sun, 26 Sep 1999 07:40:03
> Message-Id: <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Mime-Version: 1.0
> Content-Type: text/html; charset="us-ascii"
>
>
> <HEAD>
> <TITLE>(Type a title for your page here)</TITLE>
>
> </HEAD>
>
> <BODY BACKGROUND="" BGCOLOR="#000000" TEXT="white" LINK="red" VLINK=""
> ALINK="#ff0000">
>
> <A HREF="http://3470651298/barney/"><FONT SIZE="+2">Click Here</FONT>>
> <B><A HREF="http://3470651298/barney/"><FONT SIZE="+1" color="cyan">Hi
> There...My names is Amber. My girlfriends Elaine and Louise came over
> this
> past weekend with their new digital camera, and after a little wine, and a
> lot
> of foolin' around, we got a little crazy...Anyways, now that the pictures
> are
> taken, we might as well show them to SOMEONE, so how about
> you?</FONT></a></B><BR>
> <A HREF="http://3470651298/barney/"><FONT SIZE="+2">Click Here</FONT>
>
> </BODY>
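An added example, not part of either message: qmail's badmailfrom is compared against the envelope sender, which is empty (`Return-Path: <>`) in the bounce quoted above, so the connecting IP in the Received line written by the local server is what a packet filter list has to be built from. The sketch below counts those IPs across stored bounces; it assumes one message per file, the function names are hypothetical, and every sample value other than the relay 198.81.17.131 taken from the bounce is constructed.

```shell
#!/bin/sh
# Added example. A bounce carries an empty envelope sender (Return-Path: <>),
# so there is no sender address to match; what identifies the source is the
# connecting IP that the local qmail-smtpd recorded in its own Received line.

# bounce_relay_ip FILE: print that IP if FILE is a null-sender bounce.
bounce_relay_ip() {
    awk '
        /^$/ { exit }                          # headers only; skip the returned copy
        /^Return-Path: <>/ { bounce = 1 }
        /^Received: from / && !seen {          # first "from" hop is our own server
            seen = 1
            if (match($0, /[(][0-9]+[.][0-9]+[.][0-9]+[.][0-9]+[)]/))
                ip = substr($0, RSTART + 1, RLENGTH - 2)
        }
        END { if (bounce && ip != "") print ip }
    ' "$1"
}

# count_relays DIR: "IP COUNT" per relay, busiest first, over the files in DIR.
count_relays() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        bounce_relay_ip "$f"
    done | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# write_msg FILE SENDER HOST IP: constructed sample in the bounce's header layout.
write_msg() {
    {
        printf 'Return-Path: <%s>\n' "$2"
        printf 'Received: (qmail 19037 invoked from network); 26 Sep 1999 09:50:32 -0000\n'
        printf 'Received: from %s (%s)\n  by ferro.ba.net with SMTP;\n' "$3" "$4"
        printf 'Subject: Returned mail: User unknown\n\n'
        printf 'Received: from ba.net (ppp187.champaign.advancenet.net [206.221.224.187])\n'
    } > "$1"
}

make_sample() {   # make_sample DIR: three bounces and one ordinary message
    write_msg "$1/1" ""                 aolmbr03.mx.aol.com 198.81.17.131  # from the page
    write_msg "$1/2" ""                 aolmbr03.mx.aol.com 198.81.17.131
    write_msg "$1/3" ""                 relay.example       192.0.2.7      # constructed
    write_msg "$1/4" "user@example.org" mail.example        192.0.2.10     # not a bounce
}

tmp=$(mktemp -d) && make_sample "$tmp" && count_relays "$tmp"
rm -rf "$tmp"
```

The address inside the returned copy (206.221.224.187) is deliberately not counted: it never connected to this server, so filtering on it would not stop the bounces.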