On Mon, 11 Aug 1997, Bruce Perens wrote:

> I'm building a spam blocking package for Debian. While that is going on,
i notice that the latest sendmail package includes Claus Aßmann's anti-spam
stuff. I've been using them for several months now, and they're quite good.
not perfect, but they do work.

> then you already have "tcpd" filtering your mail connections. If that's
> not the case, read the man page on "tcpd". Once "tcpd" is set up, you can
> add the following text to the beginning of /etc/hosts.allow . This blocks
> connections from AGIS, a haven for spammers. I'd be interested in hearing
> about other IP addresses that should be blocked.

I have ip firewalling enabled in the kernel and just packet filter them - it's
easier to maintain a list of spam nets for distribution to several machines
(around 6 major gateways and moderately large mail relays at the moment) than
it is to distribute /etc/hosts.deny.

here are the addresses that I block. i'm seriously considering blocking all
AGIS-related networks.

208.9.64.0/24        # Cyber Promotions (Sprint)
207.14.212.0/24      # Financial Connections, Inc
208.1.117.0/24       # I can't remember (somewhere in Sprint)
205.199.212.0/24     # Cyber Promotions (AGIS)
205.199.2.0/24       # Cyber Promotions (AGIS)
208.12.112.0/23      # MakeItSo, Inc
205.199.4.0/24       # nancynet - added 970529

the sprint cyberpromo network is probably long obsolete - they got booted from
there ages ago.

> My final version will not simply deny the connections, but will output
> an SMTP error to them which will cause an immediate mail bounce at their
> end.

firewalling them holds the mail in their queue for a few days and then bounces
it - slowing down their mail delivery systems at the minor price of having
their system attempt a connection every so often. firewalling is also much
less work for my system to do than forking tcpd and checking the hosts_access
rules. there are advantages and disadvantages to both ways of doing it.

> # The following net blocks are denied e-mail access because they belong to
> # sites that have not yet established an effective anti-spam policy.
>
> # AGIS provides net connectivity to most of the well-known spammers.
> tcp-env qmail-smtpd in.smtpd in-smtpd smtpd sendmail smail exim: \

I'd convert this to an /etc/mail/SpamNets file like so:

# /etc/mail/SpamNets
# can be network/netmask (eg 1.2.3.4/255.255.255.0) or
# network/bits (eg 1.2.3.4/24)
205.254.160.0/255.255.224.0    # optional comment - who, why, when, etc
206.82.252.0/255.255.255.0     #
207.142.0.0/255.255.0.0        #
207.15.68.0/255.255.252.0      #
208.18.18.0/255.255.255.0      #
208.18.4.0/255.255.252.0       #
209.14.0.0/255.255.0.0         #
204.68.252.0/255.255.255.0     #
204.137.128.0/255.255.128.0    #
205.164.0.0/255.255.0.0        #
206.62.0.0/255.255.0.0         #
205.198.0.0/255.254.0.0        #
206.42.0.0/255.254.0.0         #
206.148.0.0/255.254.0.0        #
206.185.0.0/255.255.0.0        #
206.248.0.0/255.252.0.0        #
206.84.0.0/255.254.0.0         #
204.157.0.0/255.255.0.0        #
208.9.64.0/24                  # Cyber Promotions (Sprint)
207.14.212.0/24                # Financial Connections, Inc
208.1.117.0/24                 # I can't remember (somewhere in Sprint)
205.199.212.0/24               # Cyber Promotions (AGIS)
205.199.2.0/24                 # Cyber Promotions (AGIS)
208.12.112.0/23                # MakeItSo, Inc
205.199.4.0/24                 # nancynet - added 970529

(thanks for these network addresses, btw. i'll check out who they belong to
and add them to my spamnets file)

This could be processed at boot time with a script like the following:

#! /bin/sh

ANYWHERE=0.0.0.0/0
PORTS=25

# uncomment the following if you want blocked spam packets logged
# (requires ip firewall logging enabled in the kernel)
#
#LOG="-o"

# read in /etc/mail/SpamNets for host/network addresses to firewall,
# ignoring comments.
JUNKMAIL=`sed -e '/^#/d' -e '/^$/d' -e 's/#.*$//' /etc/mail/SpamNets`

# block out junkmailing scumbags
for i in $JUNKMAIL ; do
    /sbin/ipfwadm -I -a reject $LOG -P tcp -S $i -D $ANYWHERE $PORTS
done

I use this on several mail machines/gateways.
One of the systems using this is a FreeBSD system - the ipfw utility is
similar to but significantly different from the Linux ipfwadm utility....no
problem, i just use a slightly different wrapper script. it should also be
easy enough to produce firewalling commands for Ciscos and other routers.

It would also be easy to put a web or gui front-end onto the script for "easy"
(hah! nothing's easier than vi :-) maintenance of the list.

craig

--
craig sanders
networking consultant              Available for casual or contract
temporary autonomous zone          system administration tasks.
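The message above describes a SpamNets file that accepts both network/netmask and network/bits entries, a boot script that feeds it to ipfwadm, and a "slightly different wrapper script" for FreeBSD's ipfw. The script below is an added example, not Craig's or Debian's code: it parses that file format, validates each entry (rejecting a malformed address or a non-contiguous netmask instead of handing it to the firewall), normalises everything to network/bits, and prints the rules for either backend. The ipfwadm line reproduces the one in the message; the ipfw line uses ipfw's "add deny tcp from NET to any 25" form. The sample file contents and the 10.0.0.0 entry are constructed for the demonstration. Nothing is executed: review the output, then pipe it into sh.

```shell
#!/bin/sh
# Added example (not from the original message): parse an /etc/mail/SpamNets
# file in the format described above (network/netmask or network/bits, '#'
# comments) and emit one firewall command per entry, in either the Linux
# ipfwadm syntax used above or FreeBSD ipfw syntax. Nothing is executed; the
# output is meant to be reviewed and then piped to sh.

# Split a dotted quad into $a $b $c $d; fail unless it is exactly four
# decimal octets in 0..255. Leading zeros are rejected because "010" is
# read as octal by some tools and as decimal by others.
valid_quad() {
    oldifs=$IFS; IFS=.; set -f
    set -- $1
    set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    a=$1 b=$2 c=$3 d=$4
}

# Convert a dotted-quad netmask to a prefix length (255.255.224.0 -> 19).
# A non-contiguous mask such as 255.0.255.0 is rejected rather than being
# silently truncated to a shorter prefix.
mask_to_bits() {
    valid_quad "$1" || return 1
    m=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    bits=0
    while [ "$bits" -lt 32 ] && [ $(( (m >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$((bits + 1))
    done
    # everything after the leading run of ones must be zero
    [ $(( m & ((1 << (32 - bits)) - 1) )) -eq 0 ] || return 1
    echo "$bits"
}

# Normalise one SpamNets entry to network/bits; a bare address becomes /32.
normalize_net() {
    net=${1%%/*}
    mask=${1#*/}
    if [ "$mask" = "$1" ]; then mask=32; fi
    valid_quad "$net" || return 1
    case $mask in
        *.*)         mask=$(mask_to_bits "$mask") || return 1 ;;
        ''|*[!0-9]*) return 1 ;;
        *)           [ "$mask" -le 32 ] || return 1 ;;
    esac
    echo "$net/$mask"
}

# Print one rule per entry of SpamNets file $1 for backend $2 (ipfwadm|ipfw).
# Malformed entries are reported on stderr and skipped, so a typo cannot turn
# into a rule that blocks nothing or far too much.
spamnets_rules() {
    file=$1; backend=${2:-ipfwadm}
    case $backend in
        ipfwadm|ipfw) ;;
        *) echo "unknown backend: $backend" >&2; return 1 ;;
    esac
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$file" | while read -r entry _; do
        if cidr=$(normalize_net "$entry"); then
            case $backend in
                ipfwadm) echo "/sbin/ipfwadm -I -a reject -P tcp -S $cidr -D 0.0.0.0/0 25" ;;
                ipfw)    echo "ipfw add deny tcp from $cidr to any 25" ;;
            esac
        else
            echo "skipping malformed SpamNets entry: $entry" >&2
        fi
    done
}

# Constructed sample in the SpamNets format: three entries from the list
# above and one deliberately bad mask to show the validation.
SAMPLE_SPAMNETS=$(mktemp)
cat > "$SAMPLE_SPAMNETS" <<'EOF'
# /etc/mail/SpamNets (constructed sample)
205.254.160.0/255.255.224.0   # netmask form
208.12.112.0/23               # bits form, MakeItSo, Inc
205.199.4.0/24                # nancynet - added 970529
10.0.0.0/255.0.255.0          # non-contiguous mask: skipped
EOF

# Usage: sh spamnets-rules.sh [ipfwadm|ipfw]; review the output, then pipe into sh.
spamnets_rules "$SAMPLE_SPAMNETS" "${1:-ipfwadm}"
```

Run as written it prints three rules and one "skipping malformed" line on stderr for the 10.0.0.0 entry. Adding a third backend (a Cisco access-list line, say) is one more case in spamnets_rules; the parsing and validation stay shared, which is the point of keeping the list in one file.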