Larry Weldon | 1 Jun 2006 13:39

Re: OT: opinion on DNSBL

On Wed, 2006-05-31 at 11:26 -0400, Roger Merchberger wrote:
> I'm wondering if anyone's 
> had better luck than me at mapping these rascals.

I have been making a list. It started as just an analysis so I could get
a better understanding of the stuff. I realized if I shut off every
dynamically assigned IP address I would just about get rid of all spam.

I only implemented the tests on all servers last week and in the process
found one server with a lot less spam. It was my first qmail server and
had the tcpserver -p (paranoid) switch set to refuse connections where
there is no reverse dns.

So I set that on all the other servers and it reduced the spam.

But you're right - there are lots of dynamic IPs in IPv4.

Larry

Charles Cazabon | 1 Jun 2006 16:31

Re: OT: opinion on DNSBL

Larry Weldon <lweldon@weldoncomputers.com> wrote:
> On Wed, 2006-05-31 at 11:26 -0400, Roger Merchberger wrote:
> > I'm wondering if anyone's had better luck than me at mapping these
> > rascals.
> 
> I have been making a list. It started as just an analysis so I could get a
> better understanding of the stuff. I realized if I shut off every
> dynamically assigned IP address I would just about get rid of all spam.

Why stop there?  You'll also stop a statistically significant percentage of
spam if you do any of the following:

  -reject all mail where the envelope sender address contains an "e"

  -reject all mail from clients where the third octet of their IP address
  modulo 7 gives no remainder

  -refuse all SMTP connections between 13:58:01 and 16:43:41 UTC each day

Reminder: *every* half-assed, poorly-thought-out "anti-spam" technique out
there that currently reduces the usability and reliability of email started
out with one email admin thinking "this gets rid of a lot of spam".  Don't do
it.

Charles
-- 
--------------------------------------------------------------------------
Charles Cazabon                               <qmail@discworld.dyndns.org>
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
My services include qmail consulting.  See http://pyropus.ca/ for details.

Sergio D. Caplan | 1 Jun 2006 16:38

VRFY

Hello All,

I have a question about qmail, and am not a programmer in the Unix/Linux
arena, but I do know enough to not just cause damage, but waste people's
time by not asking questions the right way.  Let's hope this isn't one of
those times.

I am under the impression that some email gateways (to catch spam) will
verify not just the sending email domain, but also that the sending email
address is valid.

Can I assume that if my email server has qmail, it is qmail that responds to
these verification requests?

Many thanks,

Sergio 

Markus Stumpf | 1 Jun 2006 16:47

Re: OT: opinion on DNSBL

On Thu, Jun 01, 2006 at 07:39:58AM -0400, Larry Weldon wrote:
> On Wed, 2006-05-31 at 11:26 -0400, Roger Merchberger wrote:
> > I'm wondering if anyone's 
> > had better luck than me at mapping these rascals.
> 
> I have been making a list. It started as just an analysis so I could get
> a better understanding of the stuff. I realized if I shut off every
> dynamically assigned IP address I would just about get rid of all spam.

About a year ago I patched qmail-smtpd to send "notifies" via UDP
to a small old server with a mysql and powerdns (solely because it interfaces
MySQL easily and natively). The notifies contain a IP address and a
"detail" information. The UDP receiver on that host took the message
and fed it to the MySQL in a format usable as a DNSBL with the detail
information mapped to 127.0.0.* to make it distinguishable.

The mailserver used for collecting this information is medium sized
(around 100000 messages a day).

The details used were
    badhelo	if the receiving server is mail.example.com [10.0.0.1]
		and the sender uses "HELO mail.example.com" or "HELO
		10.0.0.1" or some other HELOs from a list (localhost,
		localhost.localdomain, friend, BABY, YOUR.HOST.NAME,
		microsoft.com, ...)
    helomatchrcpt	the mailserver has virtualdomains configured.
		If the sending hosts uses "HELO example.com" and a
		RCPT TO: with "@example.com" the "HELO matches the RCPT"
		and we reject the mail (cannot happen legally with our setup)
    permdns	The envelope sender domain used does not have a valid A
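
The rule set above, as an added example rather than Markus Stumpf's actual qmail-smtpd patch: a Python module that applies the badhelo and helomatchrcpt checks to constructed sessions, builds the reversed-octet DNSBL query name, and maps each detail to a 127.0.0.N answer through an in-memory stand-in for the MySQL/PowerDNS zone. The zone name bl.example.net, the code numbers, the host names and the sample addresses are assumptions, not values from the post.

```python
"""DNSBL-style classification of SMTP sessions.

Added example, not Markus Stumpf's qmail-smtpd patch. It re-creates the two
fully described "detail" rules (badhelo, helomatchrcpt), the mapping of a
detail to a 127.0.0.N answer, and an in-memory stand-in for the MySQL/PowerDNS
zone. Zone name, code numbers, host names and addresses are all assumed.
"""
import ipaddress

ZONE = "bl.example.net"                              # assumed DNSBL zone name
DETAIL_CODES = {"badhelo": 2, "helomatchrcpt": 3}    # assumed detail -> 127.0.0.N

# The receiving server's view of itself, constructed for the example.
OUR_HOSTNAME = "mail.example.com"
OUR_IPS = {"10.0.0.1"}
VIRTUAL_DOMAINS = {"example.com", "example.org"}
BOGUS_HELOS = {"localhost", "localhost.localdomain", "friend", "baby",
               "your.host.name", "microsoft.com"}


def classify(helo, rcpt):
    """Return the detail name a session trips, or None if it looks clean."""
    name = helo.strip().strip("[]").lower()
    if name == OUR_HOSTNAME or name in OUR_IPS or name in BOGUS_HELOS:
        return "badhelo"
    rcpt_domain = rcpt.rpartition("@")[2].lower()
    # A host delivering to one of our virtual domains cannot legitimately
    # claim to *be* that domain; only our own MTA could.
    if rcpt_domain in VIRTUAL_DOMAINS and name == rcpt_domain:
        return "helomatchrcpt"
    return None


def dnsbl_query_name(ip, zone=ZONE):
    """Standard DNSBL query: octets reversed, zone appended (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def listing_record(detail):
    """The A record published for a listed address, e.g. 127.0.0.3."""
    return "127.0.0.%d" % DETAIL_CODES[detail]


def decode_listing(answer):
    """Map a 127.0.0.N answer back to the detail name (None if unknown)."""
    n = int(ipaddress.IPv4Address(answer)) - int(ipaddress.IPv4Address("127.0.0.0"))
    for detail, code in DETAIL_CODES.items():
        if code == n:
            return detail
    return None


class Blocklist:
    """In-memory stand-in for the zone the UDP receiver fed into MySQL."""

    def __init__(self):
        self.records = {}

    def notify(self, ip, detail):
        """What a 'notify' datagram (ip, detail) turned into on the DNS side."""
        self.records[dnsbl_query_name(ip)] = listing_record(detail)

    def lookup(self, ip):
        """The answer a DNSBL client would get for ip, or None if not listed."""
        return self.records.get(dnsbl_query_name(ip))


def run_sessions(sessions, bl):
    """Feed (client_ip, helo, rcpt) tuples through the rules; list offenders."""
    results = {}
    for client_ip, helo, rcpt in sessions:
        detail = classify(helo, rcpt)
        if detail:
            bl.notify(client_ip, detail)
        results[client_ip] = detail
    return results


# Constructed sample sessions (not real traffic).
SAMPLE_SESSIONS = [
    ("203.0.113.5", "mail.example.com", "bob@example.com"),   # claims to be us
    ("203.0.113.6", "example.com", "bob@example.com"),        # HELO equals RCPT domain
    ("203.0.113.7", "relay.partner.net", "bob@example.com"),  # looks fine
]

if __name__ == "__main__":
    bl = Blocklist()
    for ip, detail in run_sessions(SAMPLE_SESSIONS, bl).items():
        answer = bl.lookup(ip)
        print(ip, detail, dnsbl_query_name(ip), answer,
              decode_listing(answer) if answer else "-")
```

The helomatchrcpt rule is only safe because the post's setup guarantees that no legitimate client ever HELOs as one of the hosted virtual domains; on a site whose own users relay through the same qmail-smtpd it turns into the kind of rule Charles warns about. Encoding the reason in the 127.0.0.N answer is what lets a consumer (rblsmtpd, or a custom check) treat the details differently instead of seeing one opaque "listed".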

Markus Stumpf | 1 Jun 2006 17:00

Re: VRFY

On Thu, Jun 01, 2006 at 10:38:13AM -0400, Sergio D. Caplan wrote:
> I am under the impression that some email gateways (to catch spam) will
> verify not just the sending email domain, but also that the sending email
> address is valid.

Yes, but they will not use VRFY, but RCPT TO.

> Can I assume that if my email server has qmail, it is qmail that responds to
> these verification requests?

Yes. It even answers to VRFY requests:
    VRFY joe@example.com
    252 send some mail, i'll try my best
Implementing VRFY these days would be a wonderland for spammers to
clear/create lists (from dictionaries) fast and easy.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
         Don't claim that you know everything. Besides not being
             true it is very irritating to those of us who do.

Charles Cazabon | 1 Jun 2006 17:20

Re: VRFY

Sergio D. Caplan <Sergio@WarpTV.com> wrote:
> 
> I have a question about qmail, and am not a programmer in the Unix/Linux
> arena, but I do know enough to not just cause damage, but waste people's
> time by not asking questions the right way.  Let's hope this isn't one of
> those times.

:)

> I am under the impression that some email gateways (to catch spam) will
> verify not just the sending email domain, but also that the sending email
> address is valid.

Well, there are some MTAs and such that claim to do this.  What they do is an
"SMTP callback"; when they receive a connection from a client and receive the
envelope, they connect back and try to reverse the client's request.  If the
RCPT TO: command is accepted, they then quit that connection and accept the
(waiting) client's message.

Needless to say, this is a really, really bad idea.  Picture two such servers
with the same feature turned on...

> Can I assume that if my email server has qmail, it is qmail that responds to
> these verification requests?

Yes.

Charles
-- 
--------------------------------------------------------------------------
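
The callback Charles describes and the VRFY answer Markus quotes, as one added example that is not qmail's code: a Python script runs a small in-process SMTP responder on the loopback interface (standing in for the remote MTA, assumed to answer VRFY exactly as qmail-smtpd does and to accept RCPT TO only for a constructed set of mailboxes) and a client that connects back, probes RCPT TO with the null sender, and QUITs before DATA so nothing is sent. The host names and the mailbox set are constructed.

```python
"""SMTP callback (sender address verification) against an in-process responder.

Added example, not qmail's code. The responder mimics qmail-smtpd's VRFY
reply (252) and accepts RCPT TO only for a constructed mailbox set; that
second part is an assumption, since a stock qmail-smtpd accepts any address
in its local domains and bounces later.
"""
import socket
import threading

KNOWN_MAILBOXES = {"joe@example.com"}   # constructed
SERVER_NAME = "mail.example.com"        # assumed


def _serve(conn):
    """Minimal SMTP dialogue: greeting, then one reply per command line."""
    f = conn.makefile("rwb")

    def reply(text):
        f.write(text.encode() + b"\r\n")
        f.flush()

    reply("220 %s ESMTP" % SERVER_NAME)
    for raw in f:
        verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply("250 " + SERVER_NAME)
        elif verb == "MAIL":
            reply("250 ok")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>").lower()
            reply("250 ok" if addr in KNOWN_MAILBOXES
                  else "550 sorry, no mailbox here by that name")
        elif verb == "VRFY":
            reply("252 send some mail, i'll try my best")   # qmail-smtpd's answer
        elif verb == "QUIT":
            reply("221 " + SERVER_NAME)
            break
        else:
            reply("502 unimplemented")
    conn.close()


def start_server():
    """Listen on an ephemeral loopback port; returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listening socket closed
                return
            threading.Thread(target=_serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def _command(f, line):
    """Send one command and return (code, full reply line)."""
    f.write(line.encode() + b"\r\n")
    f.flush()
    text = f.readline().decode(errors="replace").rstrip("\r\n")
    return int(text[:3]), text


def callback_verify(host, port, address, our_name="gateway.example.org"):
    """Connect back, probe RCPT TO:<address> with the null sender, then QUIT
    before DATA. Returns (accepted, transcript of the server's replies)."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        transcript.append(f.readline().decode(errors="replace").rstrip("\r\n"))
        for cmd in ("HELO " + our_name, "MAIL FROM:<>", "RCPT TO:<%s>" % address):
            code, text = _command(f, cmd)
            transcript.append(text)
            if code >= 400:
                _command(f, "QUIT")
                return False, transcript
        _command(f, "QUIT")
    return True, transcript


def vrfy(host, port, address):
    """Ask VRFY instead; against qmail this is inconclusive (252)."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        f.readline()                      # greeting
        code, text = _command(f, "VRFY " + address)
        _command(f, "QUIT")
    return code, text


if __name__ == "__main__":
    port = start_server().getsockname()[1]
    for addr in ("joe@example.com", "nobody@example.com"):
        print(addr, callback_verify("127.0.0.1", port, addr)[0],
              vrfy("127.0.0.1", port, addr)[0])
```

The probe uses MAIL FROM:<>, the null sender, which is what keeps the remote side from calling back in turn on a real address; a site that also runs callbacks on the null sender is exactly the pair of servers Charles pictures. The responder's 550 is an assumption for the example only: an unmodified qmail-smtpd accepts RCPT TO for any address in its local domains and generates a bounce after the delivery attempt fails, so a callback against it learns nothing about whether the mailbox exists.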

Jason Staudenmayer | 1 Jun 2006 19:28

Is this idea possible?

Hi all,

I was wondering if it would be possible to redirect email that would
normally be dropped by the rblsmtpd setting in my tcp.smtp file to a
"catch all" account either locally or off server to be reviewed. Below
is a sample line from my tcp.smtp file.

58.:allow,RBLSMTPD="-We are currently blocking this net (58.0.0.0) due
to spam"

Would I be able to have some program called by the rblsmtpd var and send
that email somewhere else for review?

Thanks

Jason

Zaid | 1 Jun 2006 19:55

Changing parameters in HELO

Hello, I hope someone can help me with this. My
situation is that I have a PHP application sending
email to qmail via SMTP and qmail delivers it to the
end recipient. What is happening is that the internal
IP is shown in the following line:

Received: from unknown (HELO helo) (192.168.xx.xx)
  by xxx-xxx.com with SMTP; 17 May 2006 16:32:52 -0000

How would I be able to remove the internal IP or even
that entire line since I don't believe it's needed in
the header (I could be wrong though).

When I send email via command line from the qmail
server itself I don't have this problem, just only when
SMTP injects the email.

Any ideas?

Thanks,
Zaid


Jeremy Kitchen | 1 Jun 2006 19:42

Re: Is this idea possible?

On Thursday 01 June 2006 10:28, you wrote:
> Hi all,
>
> I was wondering if it would be possible to redirect email that would
> normally be dropped by the rblsmtpd setting in my tcp.smtp file to a
> "catch all" account either locally or off server to be reviewed. Below
> is a sample line from my tcp.smtp file.
>
> 58.:allow,RBLSMTPD="-We are currently blocking this net (58.0.0.0) due
> to spam"

> Would I be able to have some program called by the rblsmtpd var and send
> that email somewhere else for review?

in that case, what you want to do is possible, but not with rblsmtpd.  instead 
of setting RBLSMTPD=, set QMAILQUEUE= (assuming you have the qmailqueue patch 
installed) to another qmail-queue binary that either does this for you, or hands 
it off to another queue, or whatnot.

as for messages blocked by rblsmtpd via lookups to the rbls listed in the -r 
arguments, no, this is not possible without modifying rblsmtpd's code.

-Jeremy

-- 
Jeremy Kitchen ++ kitchen@scriptkitchen.com

http://ipaction.org/ -- defend your rights to fair use
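
A hypothetical QMAILQUEUE replacement in the direction Jeremy describes, added here and not part of qmail, of the qmailqueue patch, or of the thread: it reads the message and the envelope on the file descriptors qmail-queue(8) specifies and files them into a review Maildir instead of queueing. The tcp.smtp rule in the docstring, the Maildir path and the program name are assumptions. It only helps for clients routed to it by a tcp.smtp rule; as Jeremy says, hosts rejected by rblsmtpd's -r lookups never reach DATA, so there is no message to divert.

```python
#!/usr/bin/env python3
"""Hypothetical qmail-queue replacement that files a message into a review
Maildir instead of queueing it. Added example; not part of qmail or of any
patch mentioned in the thread. Selected per client from tcp.smtp (assumed
path; replaces RBLSMTPD in the original rule):

    58.:allow,QMAILQUEUE="/var/qmail/bin/qmail-queue-review"

qmail-queue(8) interface: the message arrives on fd 0 and the envelope on
fd 1, as "F" sender NUL, then "T" recipient NUL per recipient, then one
more NUL; exit 0 means accepted, other codes are reported to the client.
"""
import os
import socket
import sys
import tempfile
import time

REVIEW_MAILDIR = "/var/qmail/review/Maildir"   # assumed location
EXIT_TEMPFAIL = 71   # qmail-queue(8): "temporary error", the client retries


def parse_envelope(data):
    """Split a qmail-queue envelope into (sender, [recipients])."""
    if not data.startswith(b"F"):
        raise ValueError("envelope does not start with F")
    fields = data[1:].split(b"\0")
    sender = fields[0].decode("utf-8", "replace")
    rcpts = []
    for field in fields[1:]:
        if field == b"":          # the terminating extra NUL
            break
        if not field.startswith(b"T"):
            raise ValueError("recipient field does not start with T")
        rcpts.append(field[1:].decode("utf-8", "replace"))
    return sender, rcpts


def maildir_deliver(maildir, sender, rcpts, message):
    """Write message into maildir/new via tmp, prefixing the envelope as
    headers so the reviewer can see who it was really for. Returns the path."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(maildir, sub), exist_ok=True)
    name = "%d.P%dM%d.%s" % (time.time(), os.getpid(),
                              time.time_ns() % 1000000, socket.gethostname())
    tmp_path = os.path.join(maildir, "tmp", name)
    headers = "Return-Path: <%s>\nX-Envelope-From: <%s>\n" % (sender, sender)
    headers += "".join("X-Envelope-To: <%s>\n" % r for r in rcpts)
    with open(tmp_path, "wb") as fh:
        fh.write(headers.encode("utf-8", "replace") + message)
        fh.flush()
        os.fsync(fh.fileno())        # on disk before we claim success
    final_path = os.path.join(maildir, "new", name)
    os.rename(tmp_path, final_path)  # atomic: readers never see a partial file
    return final_path


def demo_delivery(maildir=None):
    """Run the wrapper logic on a constructed message and envelope, without
    qmail, into a temporary Maildir. Returns (path, stored bytes)."""
    maildir = maildir or tempfile.mkdtemp(prefix="review-")
    envelope = b"Fspammer@example.net\0Tme@example.com\0Tyou@example.com\0\0"  # constructed
    message = b"Subject: test\n\nhello\n"                                        # constructed
    sender, rcpts = parse_envelope(envelope)
    path = maildir_deliver(maildir, sender, rcpts, message)
    with open(path, "rb") as fh:
        return path, fh.read()


def main():
    try:
        with os.fdopen(0, "rb") as msg_fd, os.fdopen(1, "rb") as env_fd:
            message = msg_fd.read()
            envelope = env_fd.read()
        sender, rcpts = parse_envelope(envelope)
        maildir_deliver(REVIEW_MAILDIR, sender, rcpts, message)
    except Exception as exc:   # anything wrong: make qmail-smtpd 4xx the client
        sys.stderr.write("qmail-queue-review: %s\n" % exc)
        return EXIT_TEMPFAIL
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The wrapper has to be executable by the user qmail-smtpd runs as and must exit 0 only after the file is renamed into new/, because that exit status is what becomes the client's 250; any failure returns a temporary code so the sender retries instead of the message vanishing. Accepting and quietly diverting mail means the sender believes it was delivered, which is the trade-off a review queue of this kind makes compared with rblsmtpd's up-front rejection.
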

Charles Cazabon | 1 Jun 2006 20:36

Re: Changing parameters in HELO

Zaid <zaidthegeek@yahoo.com> wrote:
> Hello, I hope someone can help me with this. My situation is that I have a
> PHP application sending email to qmail via SMTP and qmail delivers it to the
> end recipient. What is happening is that the internal IP is shown in the
> following line:
> 
> Received: from unknown (HELO helo) (192.168.xx.xx)
>   by xxx-xxx.com with SMTP; 17 May 2006 16:32:52 -0000
> 
> How would I be able to remove the internal IP or even that entire line since
> I don't believe it's needed in the header (I could be wrong though).

Have your PHP script inject its mail via qmail-inject (or /usr/sbin/sendmail)
instead of SMTP.

Charles
-- 
--------------------------------------------------------------------------
Charles Cazabon                               <qmail@discworld.dyndns.org>
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
My services include qmail consulting.  See http://pyropus.ca/ for details.
--------------------------------------------------------------------------
