On Wed, Oct 25, 2006 at 09:53:47AM -0500, Jack Stone wrote:
> I have managed to piece together a shell script that is able to retrieve 
> the domains from the spams of the day and summarize those in a special file 
> that can then be added to the sendmail's rejects in the access.db. But, 
> first I have to eyeball the list and remove any obvious good-guy domains.

The domains from the spams? That's almost always pretty useless:

1. The only reliable information is what's in the SMTP envelope.
Headers like From: etc... are always spoofed and almost always
pointing to either inexistant or innocent victim domains (which
then get flooded by bounces).

2. The IP-Addresses from the senders (from the SMTP envelope or
at most the last Received: header, if you don't operate your own
MTA), will almost always point to PTR of some big broadband ISPs
hosting some infected Windows spam drones. Blocking the *domain*
name of the ISP (esp. the big ones) would be is silly, because
that would lock out a lot of legitimate users that send mails
through their (ISPs) mailers.

The bottom line: you'll end up banning 99% of innocent domains,
and still get flooded with spams, since spammers can and do fake
a HUGE amount of domain names.

However, blocking IP addresses using RBLs like spamhaus.org,
greylisting, and, to a lesser extent, using SPF (once it gets
more widely adopted) can do wonders, if you operate your own MTA.

E.g. the following Postfix configuration in
/usr/local/etc/postfix/main.cf is a bit tight, but very effective
in most setups:

smtpd_recipient_restrictions = 
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    # check_sender_access hash:/usr/local/etc/postfix/sender_access,
    # check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
    # check_helo_access hash:/usr/local/etc/postfix/secondary_mx_access,
    # reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    # reject_rbl_client dnsbl.sorbs.net,
    check_policy_service unix:private/spfpolicy,
    check_policy_service inet:127.0.0.1:10023,
    # The following are a bit tight, but they won't do any harm
    reject_invalid_hostname, 
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    # check_client_access hash:/usr/local/etc/postfix/client_access,
    reject_unknown_client

One can do even more, but that should be enough for now,
considerung the current "state of the art" of the spam engines.

If you prefer sendmail, a sendmail guru will certainly help translating
most directives from this config... ;)

> Jack

Good luck,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to