You should also take a look at smtpd from Obtuse (ftp://ftp.obtuse.com/pub/smtpd/beta). It allows you to block relaying in many different ways, some of which you don't see in sendmail filters. For instance, you can refuse relaying for IP X because IP X's authoritative name servers don't include Y. It's also flexible in deploying a single file across all your mail servers which takes care of relaying and spam.

On Fri, 5 Sep 1997, Rod Nayfield wrote:
At 04:35 PM 9/5/97 -0400, Jeremy Elson wrote:
The answer, of course, is that the mail really originated from a PSInet dialup, using IConNet.NET as a spam relay; the bottom Received: line is an utter forgery, presumably added by the spam-mailing software. In fact, it's not even a very good forgery, because the supposed IP address of alt2.bethere.net is invalid (the 2nd octet is 756).
Yes, it seems that once a spammer finds your site (fs.iconnet.net, mine) they share it with others. What was a trickle (in April, when you got spammed) became a flood as the "disposable dial-ppp / third-party relay" technique became widespread. At the time we had approximately 15 "open" mail servers - but only one was ever abused - they either share with each other or have common sources/techniques of scanning for "open" servers.
X-Disclaimer: if you're not interested in sendmail techniques to keep spam off your network, delete now.
Anyway, we were able to dig up with a nice simple solution that solves some problems that ISPs have. The reason I'm posting is because it took a long time to find the solution and most sources of information (spam.abuse.net, etc) are aimed at small sites, not ISPs who provide mail-relay and MX backup for their customers. The solution is located at
http://www.informatik.uni-kiel.de/%7Eca/email/check.html
http://www.informatik.uni-kiel.de/%7Eca/email/rules/check.tar
What we do now, with most help from Claus Aßmann's site:

We now have four files that control our anti-abuse sendmail (in order):

1. Spammer: these user addresses can't send mail
2. SpamDomains: these domains can't send mail
3. LocalIP: these IP addresses can relay mail
4. RelayTo: mail destined to these domain names can go through
Thus, our customers can use our mail servers to relay (#3), and anyone else must be sending to our customers (#4) or they get rejected. Plus we can block any spammer, customer or non-customer (#1,2). Now we only have to worry about our downstreams spamming, where we actually have leverage.
Things that need work:

- script to dynamically create localip file (point a program at your cisco and let it "sh ip bgp filter x" to get your list, which you can then edit)
- merge spammer and spamdomains into one file with wildcards (*@*.b.com, user@*.c.com, *@port15.dial.d.net)
- cidr and substring matching are not the same (you can take 10.1.0.0/17 and make 128 /24 entries, or one /16 entry and allow the other /17 through)
I'm thinking of building on this and sharing my results with Claus and any other interested parties. Suggestions / Comments / Ideas please e-mail me. Thanks for your time.
-Rod
Regards
Peter Marelas
--
Phase One Interactive - Sun Solaris/Unix/Networking Consultant
P.O Box 549, Templestowe 3106 Melbourne, Australia
URL: http://www.phase-one.com.au/
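The four-file relay policy Rod describes (Spammer, SpamDomains, LocalIP, RelayTo), checked in the order he gives, plus the two items from his "things that need work" list (a merged wildcard block list and real CIDR matching instead of substring matching), as an added Python example; it is not code from this thread or from the check.tar rules, and all addresses, networks and domains in the tables are constructed.

```python
import fnmatch
import ipaddress

# Constructed sample tables mirroring the four files in the post.
SPAMMER = {"spammer@example.net"}              # full addresses that may not send
SPAM_DOMAINS = {"bulkmail.example"}            # sender domains that may not send
LOCAL_IP = [ipaddress.ip_network(n)            # customer networks allowed to relay
            for n in ("192.0.2.0/24", "198.51.100.0/23")]
RELAY_TO = {"customer.example", "mx.example"}  # domains we provide MX/relay for

# Merged Spammer/SpamDomains list with wildcards, as proposed in the post.
BLOCKED_PATTERNS = ["*@*.dial.example", "user@*.spamco.example"]


def _domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def _in_domain(host, domains):
    """Label-wise match: host equals or is a subdomain of an entry.
    A plain substring test would wrongly match notcustomer.example."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def relay_decision(client_ip, mail_from, rcpt_to):
    """Return (accept, reason) for one envelope, files applied in order."""
    sender = mail_from.lower()
    if sender in SPAMMER:
        return False, "sender blocked (Spammer)"
    if _in_domain(_domain(sender), SPAM_DOMAINS):
        return False, "sender domain blocked (SpamDomains)"
    if any(fnmatch.fnmatchcase(sender, p) for p in BLOCKED_PATTERNS):
        return False, "sender matches wildcard block pattern"
    # CIDR containment, so 10.1.0.0/17 really is only the lower half.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in LOCAL_IP):
        return True, "client is a customer IP (LocalIP)"
    if _in_domain(_domain(rcpt_to), RELAY_TO):
        return True, "recipient is a domain we relay for (RelayTo)"
    return False, "relaying denied"
```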