Dave,

Use the following sendmail options with /etc/mail/mailhost containing your valid user email accounts. I create mailhost from an export of an LDAP database, if available.

    LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap_domains')dnl
    FEATURE(`ldap_routing', `hash /etc/mail/mailhost', `null', `bounce')dnl

Regards,
Damian Mendoza
http://www.spamgate.us

-----Original Message-----
From: Dave Duffner - NWCWEB.com [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 26, 2004 8:57 AM
To: 'Eric W. Bates'; 'Pierre Thomson'
Cc: users@spamassassin.apache.org
Subject: RE: slightly OT: sudden rise in Rumplestiltskin attacks?

We've had these, especially from some of the sources listed below, for quite some time. But we've also seen that same spike lately and a couple of worthless attempts to hack into our servers and gain more IDs. When that doesn't work, it's dictionary time and they spew tons at us. If that fails, their next tactic is to do dictionary hits to other destinations, but use our domains and IPs to forge us as the source.

We've firewalled and sendmail-rejected most of the domains listed and all the APNIC, RIPE and other IP ranges from overseas. If we get complaints, then we investigate the source to determine it's genuine and open that smaller range back up. Sad, but it's reduced the workload by 75%.

Is there a way, possibly with SpamAssassin, to simply reject anything not going to a valid user account? I know you can /dev/null everything but then you miss what's being spewed at you and the problem is never really solved. They get their payloads to valid accounts and the spam just continues. What I'm asking for is some routing in SA or some other program that could use some format to kill dictionary-style attacks but let the normal name-based stuff pass to be dealt with. Bob (even if there isn't one) would pass, but [EMAIL PROTECTED] would instantly be tossed. Any options like that?

David J. Duffner
VP Operations
NWC Corporation
NWCWEB.com
============================================
NWCWEB.com - Your Design & Hosting Solution!
Featuring Ensim Pro/Linux Servers, Hosted Accounts, Web Design and e-Commerce services
NWC Corporation - Global e-Pay Solutions
============================================

> -----Original Message-----
> From: Eric W. Bates [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 26, 2004 11:39 AM
> To: Pierre Thomson
> Cc: users@spamassassin.apache.org
> Subject: Re: slightly OT: sudden rise in Rumplestiltskin attacks?
>
> We got slammed with a whole series of dictionary attacks in June (as
> many as 500k per day against a variety of domains). And, yes, it
> brought SA to its knees. Prior to the flood, we had always configured
> our customer's domains such that [EMAIL PROTECTED] was delivered to
> the customer's default address. This worked very well for the past 9
> years; but we had to stop.
>
> Pierre Thomson wrote:
> > One of our relays got 8500 name-guessing spams yesterday, up from an
> > average of 2500 per day last week. So far today we have seen 6600,
> > and the day isn't half over. If our MTA weren't checking recipients
> > against our userlist, SA would be struggling to process these sudden
> > "blasts" of spam.
> >
> > The sending relays seem to be predominantly in Europe, and often make
> > about a dozen tries in rapid succession.
> > Here are the relays that sent name-guessing spams in a 2-minute period
> > in the last hour:
> >
> > [list of relay hostnames and IP addresses omitted]
> >
> > Are others seeing this? Any plausible explanation?
> >
> > Pierre Thomson
> > BIC
>
> --
> Message scanned by MailScanner, and is believed to be clean.
> CONFIDENTIALITY NOTICE: This transmission is intended for the specified
> destination and person. If this is not you, this e-mail must be deleted
> immediately. www.nwcweb.com
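An added example, not code from any poster in this thread: it derives the address-to-mailhost pairs that Damian's /etc/mail/mailhost map is built from out of an LDAP export, then uses that valid-recipient set to pick out relays showing the rapid-succession name-guessing pattern Pierre describes. The LDIF entries, the log lines and the 192.0.2.0/24 relays are constructed, and the check_rcpt log layout is an approximation of sendmail's rather than a copy of it.

```python
import re
from datetime import datetime

# Constructed sample data: an LDIF export carrying the attributes sendmail's ldap_routing
# reads, and check_rcpt-style log lines (192.0.2.0/24 is documentation address space).
LDIF_EXPORT = """\
dn: uid=bob,ou=people,dc=example,dc=com
mailLocalAddress: bob@example.com
mailHost: mx1.example.com

dn: uid=alice,ou=people,dc=example,dc=com
mailLocalAddress: alice@example.com
mailLocalAddress: alice.smith@example.com
mailHost: mx1.example.com
"""
LOG_LINES = """\
Oct 26 11:39:01 mx1 sendmail[500]: ruleset=check_rcpt, arg1=<bob@example.com>, relay=mail.partner.invalid [192.0.2.10]
Oct 26 11:39:02 mx1 sendmail[501]: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=[192.0.2.99]
Oct 26 11:39:03 mx1 sendmail[502]: ruleset=check_rcpt, arg1=<abbey@example.com>, relay=[192.0.2.99]
Oct 26 11:39:04 mx1 sendmail[503]: ruleset=check_rcpt, arg1=<abe@example.com>, relay=[192.0.2.99]
Oct 26 11:40:30 mx1 sendmail[504]: ruleset=check_rcpt, arg1=<abel@example.com>, relay=[192.0.2.99]
Oct 26 11:50:00 mx1 sendmail[505]: ruleset=check_rcpt, arg1=<nobody@example.com>, relay=mail.partner.invalid [192.0.2.10]
"""
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*arg1=<([^>]+)>, relay=([^,]+)")

def ldif_to_mailhost(ldif):
    """address -> mailHost; written one 'address<TAB>host' per line, this is the input to makemap hash."""
    entries = {}
    for block in ldif.strip().split("\n\n"):
        host = re.search(r"^mailHost: (.+)$", block, re.M)
        if host:
            for addr in re.findall(r"^mailLocalAddress: (.+)$", block, re.M):
                entries[addr.lower()] = host.group(1)
    return entries

def name_guessing_relays(log, valid, window=120, threshold=3):
    """Relays that hit >= threshold unknown recipients within any window-second span."""
    hits = {}
    for line in log.splitlines():
        if (m := LOG_RE.match(line)) and m.group(2).lower() not in valid:
            hits.setdefault(m.group(3), []).append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    flagged = {}
    for relay, times in hits.items():
        times.sort()
        for end, t in enumerate(times):
            # index of the earliest attempt still inside the window that ends at t
            start = next(i for i, s in enumerate(times) if (t - s).total_seconds() <= window)
            if end - start + 1 >= threshold:
                flagged[relay] = max(flagged.get(relay, 0), end - start + 1)
    return flagged
```

Pipe the ldif_to_mailhost output through makemap as Damian's FEATURE line expects; the relay report is what you would feed a firewall or access map decision rather than leaving the load to SpamAssassin.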