On Wed, 15 Sep 2004, Matt Kettler wrote:

At 07:13 PM 9/15/2004, Dan Mahoney, System Admin wrote:
For example, my father's wife peggy has the domain peggytaggart.com, she ONLY gives out the peggy@ email address for this.

For some unknown reason, the whole domain is popular with spammers. I've added a global rule in my virtusertable to just drop anything not-destined for peggy:

Sep 15 04:07:37 prime sm-mta[42929]: i8F87Mn1042929: <[EMAIL PROTECTED]>...

Not just spammers, but viruses now do this kind of thing, purely automated, common as dirt.


(What's really annoying is that sendmail doesn't log the ip of the remote connection until it's done (if you're blocking them) -- I'd love to be able to create an RBL on this and nip it in the bud).

Yeah, but it's not really that hard to parse it.. Find an "unknown user" message, grab the SMTP ID find the relay line with the same SMTP id.

Yes, I know this. I actually wrote something to create an RBL based on virus senders. I'd just like to be able to drop (or maybe teergrube) the connection in the BEGINNING instead of after the hangup.


Simple example using grep:

# grep "User unknown" /var/log/maillog
Sep 14 09:10:03 xanadu sendmail[14940]: i8EDA3Cw014940: <[EMAIL PROTECTED]>... User unknown
<snip>


# grep "i8EDA3Cw014940" /var/log/maillog

Sep 14 09:10:03 xanadu milter-greylist: i8EDA3Cw014940: testmode: skipping greylist for recipient "<[EMAIL PROTECTED]>"
Sep 14 09:10:03 xanadu sendmail[14940]: i8EDA3Cw014940: <[EMAIL PROTECTED]>... User unknown
Sep 14 09:10:04 xanadu sendmail[14940]: i8EDA3Cw014940: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=66.49.69.146.nw.nuvox.net [66.49.69.146]



Also, wouldn't it be a good idea for SpamAssassin to start going off on multiple emails to the same domain from the same address/ip?

IMO, not really.. this is so much better handled by properly configuring your MTA layer tools so you don't accept mail for unknown users.

Viruses, I handle for them, I am sure they don't want them. Email, I don't know about. I don't know at a given moment which email addresses (on a server hosting ~450 domains) are "good" or not. I leave it to my users to take procmail by the horns and handle this themselves. Still, something other than BLACK or WHITE is a good thing. A list of actually EXPECTED email addresses for spamassassin is what I'm looking for.


Beyond that, a quick procmail rule to check for the x-spam-report that this rule hits on could be used to submit the ip to a checking program and a further blacklist.

I'm pretty forgiving about blocking IP ranges (I let spamassassin

Peggy was a unique case because she was able to tell me "YES I ONLY USE peggy@" with complete certainty. None of my other users can tell me that, and I'm not quite in the mood to edit /etc/mail/virtusertable every time each of 400 users decides to change it.

I'm running with local_procmail, so there's no real ability to have sendmail do an unknown bit.

Although I'm sure I could write a settings file that culled this on an hourly basis or something -- the idea is that the email address is already created. Users are filling out a web-form on (say) survey.org, and it wants their email address. Fine. [EMAIL PROTECTED] If spam starts coming in, they can shut it off.

A milter which auto-detects dictionary attacks by watching the unknown user errors and greylists the offending IP for 24 hours would be a great tool.

Having spamassassin track this kind of thing and add points based on it is a bit of a stretch..

Possibly not adding points, but definitely reporting it somewhere centrally is a good thing. Unfortunately, this would take an interesting amount of code that I'm not ready to write yet.


It could be effective, but only for domains that don't have proper tables set up so they only accept email for valid users (ie: secondary MX servers without a call-ahead or ldap check milter). However, on my primary MX it would be useless, as any unknown users instantly bounce with a 500 user unknown and SA will never see it.

Heh. Almost makes me want to set up a bogus secondary MX for the purpose of trapping all this shit. Maybe we can make spammers give us the secondary MXes back. Eh, I won't hold my breath.


--

"...Somebody fed you sugar.  Shit!"

--Tracy, after noticing Gatorade on my desk.

Ezzi Computers, October 18th 2003
Approx 11PM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
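The two-step grep Matt describes (find the "User unknown" line, take its queue ID, find the from=/relay= line with the same ID) and the dictionary-attack detector Dan wishes for can be done in one pass over the log. Below is an added example, not code from either poster: it parses sendmail-style maillog lines, joins the rejection to the relay IP by queue ID, and lists IPs that probed several nonexistent recipients, which is the input a greylisting or blocking tool would consume. The sample log lines are constructed (queue IDs, hostnames and 192.0.2.x/198.51.100.x/203.0.113.x addresses are made up); the regexes assume the log format quoted in the thread, including the case where sendmail logs `relay=[ip]` with no hostname and the case where the "User unknown" line is present but the connection's relay line has not been logged yet.

```python
import re
from collections import defaultdict

# Constructed sample maillog in the format quoted in the thread. The last entry
# has no matching relay= line yet (connection still open), which is the case
# Dan complains about: sendmail logs the remote IP only when the session ends.
SAMPLE_MAILLOG = """\
Sep 14 09:10:03 xanadu sendmail[14940]: i8EDA3Cw014940: <bob@example.com>... User unknown
Sep 14 09:10:04 xanadu sendmail[14940]: i8EDA3Cw014940: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Sep 14 09:10:05 xanadu sendmail[14941]: i8EDA5Cw014941: <carol@example.com>... User unknown
Sep 14 09:10:05 xanadu sendmail[14941]: i8EDA5Cw014941: from=<y@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Sep 14 09:10:06 xanadu sendmail[14942]: i8EDA6Cw014942: <dave@example.com>... User unknown
Sep 14 09:10:06 xanadu sendmail[14942]: i8EDA6Cw014942: from=<z@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Sep 14 09:11:00 xanadu sendmail[14950]: i8EDB0Cw014950: <peggie@example.org>... User unknown
Sep 14 09:11:00 xanadu sendmail[14950]: i8EDB0Cw014950: from=<friend@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=host.example.org [198.51.100.7]
Sep 14 09:13:00 xanadu sendmail[14970]: i8EDD0Cw014970: <eve@example.com>... User unknown
Sep 14 09:13:00 xanadu sendmail[14970]: i8EDD0Cw014970: from=<w@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[203.0.113.5]
Sep 14 09:14:00 xanadu sendmail[14980]: i8EDE0Cw014980: <frank@example.com>... User unknown
"""

# "<rcpt>... User unknown" rejection line, keyed by the sendmail queue ID.
UNKNOWN_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): <(?P<rcpt>[^>]*)>\.\.\. User unknown")
# The from= line carries relay=host [ip]; the hostname is absent when there is
# no reverse DNS, so it is optional here.
RELAY_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*"
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]")


def parse_maillog(text):
    """Return a list of (queue_id, rejected_rcpt, relay_ip) tuples.

    The rejection is logged before the from=/relay= line of the same queue ID,
    so collect the relay IPs first, then join on the queue ID. relay_ip is None
    when the relay line has not been logged (yet).
    """
    relay_by_qid = {}
    for line in text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            relay_by_qid[m.group("qid")] = m.group("ip")
    records = []
    for line in text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            qid = m.group("qid")
            records.append((qid, m.group("rcpt"), relay_by_qid.get(qid)))
    return records


def unknown_rcpts_by_ip(records):
    """Map relay IP -> set of distinct nonexistent addresses it tried."""
    by_ip = defaultdict(set)
    for _qid, rcpt, ip in records:
        if ip is not None:  # no relay line yet: cannot attribute it to an IP
            by_ip[ip].add(rcpt)
    return by_ip


def suspect_ips(records, threshold=3):
    """IPs that probed at least `threshold` distinct unknown recipients.

    Counting distinct recipients rather than raw rejections keeps a single
    mistyped address retried by a legitimate sender below the threshold.
    """
    by_ip = unknown_rcpts_by_ip(records)
    return sorted(ip for ip, rcpts in by_ip.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    recs = parse_maillog(SAMPLE_MAILLOG)
    for ip, rcpts in sorted(unknown_rcpts_by_ip(recs).items()):
        print(f"{ip}: {len(rcpts)} unknown recipient(s): {', '.join(sorted(rcpts))}")
    print("candidates for greylisting:", suspect_ips(recs))
```

Run against a real /var/log/maillog the threshold should be tuned per site, and the output is a candidate list for a temporary greylist or block of the kind the thread discusses, not an automatic permanent blacklist; a secondary MX that cannot check recipients will never produce these rejection lines, which is the limitation Matt points out.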


