Spam protection for larger networks (Was Re: Spammer Bust)

Peter Marelas maral at
Sun Sep 7 04:07:07 UTC 1997

You should also take a look at smtpd from Obtuse (
It allows you to block relaying in many different ways, some of which you don't
see in sendmail filters. For instance, you can refuse relaying for
IP X because IP X's authoritative name servers don't include Y.

It's also flexible in deploying a single file across all your mail servers,
which takes care of relaying and spam.

On Fri, 5 Sep 1997, Rod Nayfield wrote:

> At 04:35 PM 9/5/97 -0400, Jeremy Elson wrote:
> >The answer, of course, is that the mail really originated from a PSInet
> >dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> >utter forgery, presumably added by the spam-mailing software.  In fact,
> >it's not even a very good forgery, because the supposed IP address of
> > is invalid (the 2nd octet is 756).
> Yes, it seems that once a spammer finds your site (, mine)
> they share it with others.  What was a trickle (in April, when you got
> spammed) became a flood as the "disposable dial-ppp / third-party relay"
> technique became widespread.  At the time we had approximately 15 "open"
> mail servers - but only one was ever abused - they either share with each
> other or have common sources/techniques of scanning for "open" servers.
> X-Disclaimer: if you're not interested in sendmail techniques to keep spam
> off your network, delete now.
> Anyway, we were able to dig up a nice simple solution that solves some
> problems that ISPs have.  The reason I'm posting is because it took a long
> time to find the solution and most sources of information (,
> etc) are aimed at small sites, not ISPs who provide mail-relay and MX
> backup for their customers.  The solution is located at
> what we do now, with most help from Claus Aßmann's site:
> We now have four files that control our anti-abuse sendmail (in order):
> 1. Spammer		These user addresses can't send mail
> 2. SpamDomains	These domains can't send mail
> 3. LocalIP		These IP addresses can relay mail
> 4. RelayTo		Mail destined to these domain names can go through
> Thus, our customers can use our mail servers to relay (#3), and anyone else
> must be sending to our customers (#4) or they get rejected.  Plus we can
> block any spammer, customer or non-customer (#1,2).  Now we only have to
> worry about our downstreams spamming, where we actually have leverage.
> Things that need work:
> . script to dynamically create localip file
>   (point a program at your cisco and let it "sh ip bgp filter x" to get
>    your list, which you can then edit)
> . merge spammer and spamdomains into one file with wildcards
>   (*@* , [email protected]* , *
> . cidr and substring matching are not the same
>   (you can take and make 128 /24 entries, or one /16 entry and allow
>    the other /17 through)
> I'm thinking of building on this and sharing my results with Claus and any
> other interested parties.  Suggestions / Comments / Ideas please e-mail me.
>  Thanks for your time.
> -Rod

Peter Marelas
Phase One Interactive - Sun Solaris/Unix/Networking Consultant
P.O Box 549, Templestowe 3106 Melbourne, Australia
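As an added illustration (not code from this thread, from sendmail, or from Obtuse smtpd), the four-file policy Rod describes written as a Python decision function, with a true CIDR check for LocalIP beside the substring match he notes cannot express one /17 without over-matching. All addresses, domains and prefixes below are constructed sample values.

```python
import ipaddress

# Constructed sample tables standing in for the four files in the post.
SPAMMER = {"junk@example.net"}                       # 1. Spammer: addresses that can't send
SPAM_DOMAINS = {"spam.example"}                      # 2. SpamDomains: domains that can't send
LOCAL_IP = [ipaddress.ip_network("192.0.2.0/25")]    # 3. LocalIP: customer prefixes that may relay
RELAY_TO = {"customer.example"}                      # 4. RelayTo: destinations accepted from anyone


def _domain(addr):
    """Return the domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def in_local_ip(client_ip, networks=LOCAL_IP):
    """Real CIDR containment: 192.0.2.200 is outside 192.0.2.0/25."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def substring_in_local_ip(client_ip, prefixes=("192.0.2.",)):
    """The substring style the post warns about: a dotted prefix can only
    express whole octets, so a /25 (or a /17) written this way also lets
    the other half of the block relay."""
    return any(client_ip.startswith(p) for p in prefixes)


def relay_decision(sender, client_ip, recipient):
    """Apply the four checks in the order listed in the post.
    Returns (accepted, rule) so callers can log which table fired."""
    if sender.lower() in SPAMMER:
        return (False, "Spammer")
    if _domain(sender) in SPAM_DOMAINS:
        return (False, "SpamDomains")
    if in_local_ip(client_ip):          # our customers may relay anywhere
        return (True, "LocalIP")
    if _domain(recipient) in RELAY_TO:  # everyone else must be sending to a customer
        return (True, "RelayTo")
    return (False, "relay denied")


if __name__ == "__main__":
    print(relay_decision("alice@customer.example", "192.0.2.10", "bob@elsewhere.example"))
    print(relay_decision("bob@elsewhere.example", "192.0.2.200", "carol@other.example"))
    print(in_local_ip("192.0.2.200"), substring_in_local_ip("192.0.2.200"))
```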
