Spam protection for larger networks (Was Re: Spammer Bust)
Peter Marelas
maral at phase-one.com.au
Sun Sep 7 04:07:07 UTC 1997
You should also take a look at smtpd from Obtuse (ftp://ftp.obtuse.com/pub/smtpd/beta)
It allows you to block relaying in many different ways, some of which you don't
see in sendmail filters. For instance, you can refuse relaying for
IP X because IP X's authoritative name servers don't include Y.
It's also flexible in deploying a single file across all your mail servers
which takes care of relaying and spam.
On Fri, 5 Sep 1997, Rod Nayfield wrote:
> At 04:35 PM 9/5/97 -0400, Jeremy Elson wrote:
> >The answer, of course, is that the mail really originated from a PSInet
> >dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> >utter forgery, presumably added by the spam-mailing software. In fact,
> >it's not even a very good forgery, because the supposed IP address of
> >alt2.bethere.net is invalid (the 2nd octet is 756).
>
>
> Yes, it seems that once a spammer finds your site (fs.iconnet.net, mine)
> they share it with others. What was a trickle (in April, when you got
> spammed) became a flood as the "disposable dial-ppp / third-party relay"
> technique became widespread. At the time we had approximately 15 "open"
> mail servers - but only one was ever abused - they either share with each
> other or have common sources/techniques of scanning for "open" servers.
>
> X-Disclaimer: if you're not interested in sendmail techniques to keep spam
> off your network, delete now.
>
> Anyway, we were able to dig up a nice simple solution that solves some
> problems that ISPs have. The reason I'm posting is because it took a long
> time to find the solution and most sources of information (spam.abuse.net,
> etc) are aimed at small sites, not ISPs who provide mail-relay and MX
> backup for their customers. The solution is located at
>
> http://www.informatik.uni-kiel.de/%7Eca/email/check.html
> http://www.informatik.uni-kiel.de/%7Eca/email/rules/check.tar
>
> what we do now, with most help from Claus Aßmann's site:
>
> We now have four files that control our anti-abuse sendmail (in order):
>
> 1. Spammer These user addresses can't send mail
> 2. SpamDomains These domains can't send mail
> 3. LocalIP These IP addresses can relay mail
> 4. RelayTo Mail destined to these domain names can go through
>
> Thus, our customers can use our mail servers to relay (#3), and anyone else
> must be sending to our customers (#4) or they get rejected. Plus we can
> block any spammer, customer or non-customer (#1,2). Now we only have to
> worry about our downstreams spamming, where we actually have leverage.
>
> Things that need work:
> . script to dynamically create localip file
> (point a program at your cisco and let it "sh ip bgp filter x" to get
> your list, which you can then edit)
> . merge spammer and spamdomains into one file with wildcards
> (*@*.b.com , user@*.c.com , *@port15.dial.d.net)
> . cidr and substring matching are not the same
> (you can take 10.1.0.0/17 and make 128 /24 entries, or one /16 entry and
> allow the other /17 through)
>
>
> I'm thinking of building on this and sharing my results with Claus and any
> other interested parties. Suggestions / Comments / Ideas please e-mail me.
> Thanks for your time.
>
> -Rod
>
Regards
Peter Marelas
--
Phase One Interactive - Sun Solaris/Unix/Networking Consultant
P.O Box 549, Templestowe 3106 Melbourne, Australia
URL: http://www.phase-one.com.au/
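The four-file policy Rod describes (Spammer, SpamDomains, LocalIP, RelayTo, checked in that order), written out as an added example that is not part of the thread or of Claus Aßmann's rules. It uses real CIDR matching so that a 10.1.0.0/17 entry does not let the other /17 through, which is exactly the substring-matching pitfall Rod lists; the list contents are constructed for illustration.

```python
# Added example: evaluate the Spammer / SpamDomains / LocalIP / RelayTo policy
# in order, with CIDR matching for LocalIP and "*@*.b.com"-style wildcards
# for the sender/recipient domain lists. All list contents are constructed.
import ipaddress
from fnmatch import fnmatchcase

SPAMMER = {"junk@example.net"}                      # exact sender addresses
SPAM_DOMAINS = {"spam.example", "*.b.com"}          # sender domains, wildcards allowed
LOCAL_IP = [ipaddress.ip_network("10.1.0.0/17"),    # customers who may relay anywhere
            ipaddress.ip_network("192.0.2.0/24")]
RELAY_TO = {"customer.example", "*.customer.example"}  # domains we MX/relay for


def _domain_matches(domain: str, patterns) -> bool:
    # Case-insensitive glob match; gives the wildcard merge Rod asks for.
    return any(fnmatchcase(domain.lower(), p.lower()) for p in patterns)


def _sender_blocked(sender: str) -> bool:
    sender = sender.lower()
    if sender in SPAMMER:
        return True
    return _domain_matches(sender.rpartition("@")[2], SPAM_DOMAINS)


def relay_decision(client_ip: str, sender: str, recipient: str) -> str:
    """Return 'accept' or a rejection reason, checking the four lists in order."""
    if _sender_blocked(sender):                      # lists 1 and 2
        return "reject: sender listed"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in LOCAL_IP):           # list 3: our customers relay
        return "accept"
    if _domain_matches(recipient.rpartition("@")[2], RELAY_TO):  # list 4
        return "accept"
    return "reject: relaying denied"


def substring_relay_allowed(client_ip: str, prefix: str = "10.1.") -> bool:
    # The naive substring test the post warns about: it matches the whole
    # 10.1.0.0/16, not just the /17 that was meant to be local.
    return client_ip.startswith(prefix)
```

Compare `relay_decision("10.1.200.5", ...)` with `substring_relay_allowed("10.1.200.5")`: the CIDR check rejects the host in the upper /17, the substring check would have let it relay.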