Spam protection for larger networks (Was Re: Spammer Bust)

Rod Nayfield rod at iconnet.net
Fri Sep 5 23:14:39 UTC 1997


At 04:35 PM 9/5/97 -0400, Jeremy Elson wrote:
>The answer, of course, is that the mail really originated from a PSInet
>dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
>utter forgery, presuambly added by the spam-mailing software.  In fact,
>it's not even a very good forgery, because the supposed IP address of
>alt2.bethere.net is invalid (the 2nd octet is 756).


Yes, it seems that once a spammer finds your site (fs.iconnet.net, mine)
they share it with others.  What was a trickle (in April, when you got
spammed) became a flood as the "disposable dial-ppp / third-party relay"
technique became widespread.  At the time we had approximately 15 "open"
mail servers - but only one was ever abused - they either share with each
other or have common sources/techniques of scanning for "open" servers.

X-Disclaimer: if you're not interested in sendmail techniques to keep spam
off your network, delete now.

Anyway, we were able to dig up with a nice simple solution that solves some
problems that ISPs have.  The reason I'm posting is because it took a long
time to find the solution and most sources of information (spam.abuse.net,
etc) are aimed at small sites, not ISPs who provide mail-relay and MX
backup for their customers.  The solution is located at

http://www.informatik.uni-kiel.de/%7Eca/email/check.html
http://www.informatik.uni-kiel.de/%7Eca/email/rules/check.tar

what we do now, with most help from Claus Aßmann's site:

=
We now have four files that control our anti-abuse sendmail (in order):

1. Spammer		These user addresses can't send mail
2. SpamDomains	These domains can't send mail
3. LocalIP		These IP addresses can relay mail
4. RelayTo		Mail destined to these domain names can go through

Thus, our customers can use our mail servers to relay (#3), and anyone else
must be sending to our customers (#4) or they get rejected.  Plus we can
block any spammer, customer or non-customer (#1,2).  Now we only have to
worry about our downstreams spamming, where we actually have leverage.

Things that need work:
. script to dynamically create localip file
  (point a program at your cisco and let it "sh ip bgp filter x" to get
   your list, which you can then edit)
. merge spammer and spamdomains into one file with wildcards
  (*@*.b.com , [email protected]*.c.com , *@port15.dial.d.net)
. cidr and substring matching are not the same
  (you can take 10.1.0.0/17 and make 128 /24 entries, or one /16 entry and
allow
   the other /17 through)


I'm thinking of building on this and sharing my results with Claus and any
other interested parties.  Suggestions / Comments / Ideas please e-mail me.
 Thanks for your time.

-Rod




More information about the NANOG mailing list