--On Samstag, 30. August 2003 15:17 -0700 Ricardo Kleemann
<[EMAIL PROTECTED]> wrote:
[reject trojan by helo]
> Yes, the perlfilter does parse the control file... as far as
> the helo string, what should I do with that? What should I
> check for?
the helo should contain a dot and look like a fqdn:
/^[-a-z0-9.]{3,32}\.[a-z]{2,4}$/i
and disallow those helo'ing with your hostname or the domain of the
victim. Disallowing 'yahoo.com' and similar may be effective too.
Additionally check the header and body for
/^Content-Disposition: attachment;
.*name=.+\.(scr|pif|exe|dll|reg|cmd|com|bat|sh|vxd|rm|chm|vb|ini|hta|reg|lnk|js|ms|wsh)/
which kills most of the malware, also possible via maildrop.
If you limit MAXPERIP in etc/esmtpd you also could insert a delay of
at least 10..20 seconds before rejection, this limits the hammering
of broken implementations somewhat.
Most spamware will disconnect after 20 seconds anyway if no response
received, some implementations make use of that and delay the initial
greeting and other smtp-dialogs.
But that's not available in perlfilter which runs after DATA, only in
maildropfilter, also known as the whitelist-api, which unfortunately
has no access to the helostring.
[reject trojan by dnsbl]
> Great... any pointers on how to set that up efficiently? As
> for the DNSBL, can someone provide a good, updated list of
> DNSBL servers? I used to have one but it's outdated.
(probably better handled in nanae/nanab since not related to courier)
Each of those trojans has an individual list of victims; the hosts
usually don't show up in the proxy-lists but originate from cable/
adsl ranges.
The most comprehensive and best maintained list for such ranges is
available at dynablock.easynet.nl, you probably also want to add
blackholes.easynet.nl which blocks lots of proxies and opt-out scum.
Both are also available via rsync.
The negative point may be the branding by easynet.nl which could cause
some confusion at the sender's end. Easynet.nl (the former Wirehub.nl)
only takes manual remove-requests, but I am not sure if this really
is a negative point or not ;)
dnsbl.sorbs.net lists mostly proxies, but also includes dialup-ranges
and spammers.
The problem with sorbs could be the constant ddos for months now; sorbs
maybe will be available only for subscribers soon. And the spamtrap-
listings may be a bit too aggressive for some companies, a French isp
for example will have problems with blocking their 'national' rogue
wanadoo.fr, but the rest of the world is better off doing so.
dnsbl.njabl.org has similar policies as the two above, and it's also
available via rsync.
The problem with njabl could be the not-so-wide userbase, it may take
longer until somebody reports a closed relay than the two above.
All three lists are well maintained by friendly and responsive people ;)
Using all of the above would be a waste of bandwidth since they share
about 70..90% of the listings. For a detailed comparison see the weekly
updated <http://mirror.bliab.com/stats/0308/0308.compare>
Roland
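The two checks described in the message above (HELO shape plus own-domain/forged-name rejection, and the attachment-extension scan), as an added example that is not part of the original post or of Courier's perlfilter; Python is used instead of Perl, and the hostnames and sample messages are constructed for illustration:

```python
import re

# FQDN-shaped HELO, the pattern from the message above
HELO_RE = re.compile(r'^[-a-z0-9.]{3,32}\.[a-z]{2,4}$', re.IGNORECASE)

# Attachment names with the extensions listed above. The \s* after "attachment;"
# also matches a folded (continuation-line) header, which the original pattern
# covered with a literal line break.
BAD_ATTACHMENT_RE = re.compile(
    r'^Content-Disposition:\s*attachment;\s*.*?name=.+\.'
    r'(scr|pif|exe|dll|reg|cmd|com|bat|sh|vxd|rm|chm|vb|ini|hta|lnk|js|ms|wsh)\b',
    re.IGNORECASE | re.MULTILINE)


def check_helo(helo, blocked_names):
    """Return None if the HELO is acceptable, otherwise a rejection reason.

    blocked_names: your own hostname/domain plus names nobody but their owner
    should HELO with (e.g. 'yahoo.com'); subdomains of them are blocked too.
    """
    h = helo.strip().lower()
    if not HELO_RE.match(h):
        return 'HELO is not a fully qualified hostname'
    for name in blocked_names:
        name = name.lower()
        if h == name or h.endswith('.' + name):
            return 'HELO uses a name this client cannot legitimately claim'
    return None


def find_bad_attachment(message_text):
    """Return the offending extension (lowercase) or None if nothing matched."""
    m = BAD_ATTACHMENT_RE.search(message_text)
    return m.group(1).lower() if m else None


# Constructed sample messages (not real mail); the first one has a folded header
INFECTED = ("From: sender@example.invalid\r\n"
            "Content-Type: multipart/mixed; boundary=\"b\"\r\n\r\n--b\r\n"
            "Content-Type: application/octet-stream\r\n"
            "Content-Disposition: attachment;\r\n"
            "\tfilename=\"your_document.PIF\"\r\n\r\n...\r\n--b--\r\n")
CLEAN = ("From: sender@example.invalid\r\n"
         "Content-Disposition: attachment; filename=\"report.txt\"\r\n\r\nhi\r\n")

if __name__ == '__main__':
    for helo in ('mail.example.net', 'localhost', 'mx.example.org'):
        print(helo, '->', check_helo(helo, ['example.org', 'yahoo.com']) or 'ok')
    print('infected ->', find_bad_attachment(INFECTED))  # pif
    print('clean ->', find_bad_attachment(CLEAN))        # None
```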