Our IMGate server also does SMTP Authenticated outbound relaying for our customers. Do you know if there is a way to tell anvil to ignore SMTP Authenticated connections?
Thanks,
Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Len Conrad
Sent: Saturday, February 07, 2004 11:32 AM
To: [EMAIL PROTECTED]
Subject: [IMGate] anvil results and analysis

Using that script I posted here yesterday, here are the anvil results for 10c/30min through about 9 AM Sat:

12.129.205.44 mail3044.flowgo.com.
12.129.205.45 mail3045.flowgo.com.
12.129.205.47 mail3047.flowgo.com.
12.129.205.49 mail3049.flowgo.com.
12.129.205.50 mail3050.flowgo.com.
12.129.205.51 mail3051.flowgo.com.
12.129.205.52 mail3052.flowgo.com.
12.129.205.54 mail3054.flowgo.com.
12.129.205.58 mail3058.flowgo.com.
12.129.205.62 mail3062.flowgo.com.
12.129.205.63 mail3063.flowgo.com.
12.129.205.68 mail3068.flowgo.com.
12.129.205.73 mail3073.flowgo.com.
12.129.205.74 mail3074.flowgo.com.
12.129.205.75 mail3075.flowgo.com.
12.217.186.17 12-217-186-17.client.mchsi.com.
139.131.194.130 ns1.openbank.com.
155.239.180.229 tbnb-ip-nas-1-p229.telkom-ipnet.co.za.
157.151.53.122 ned3cat.com.
157.22.112.139
157.22.112.141
192.193.226.97 mail0.citigroup.com.
195.92.168.142 tmailb2.svr.pol.co.uk.
198.65.163.25 pacific15.optinmailbox.com.
198.87.25.12 mx02.keen.com.
200.223.214.154 host-200-223-214-154.eunanet.com.br.
200.53.64.99 occmta10a.terra.com.mx.
202.108.203.42
203.162.240.211
203.210.221.112 localhost.
205.251.212.237
206.104.159.5 weather.internetpro.net.
206.239.24.18 list.worldnex.net.
207.111.220.100 s100.ClickVolt.com.
207.182.132.242
207.182.132.243
207.218.65.13 gcb13.lnk2c.com.
209.210.70.56 mail.everton.com.
209.245.91.28 la03mail28.powerfulquotes.com.
209.25.84.66
210.58.77.185 210-58-77-185.cm.apol.com.tw.
211.239.159.153
213.17.252.34 netghost.biz.
213.222.180.202 catv-d5deb4ca.bp13catv.broadband.hu.
213.245.120.159 sal-ubr-01-213245120159.chello.fr.
213.6.70.181 A46b5.a.pppool.de.
216.127.143.138 out2.pirmail.com.
216.42.116.218 lemur.harrispollonline.com.
216.52.164.191 smtp1.ediets.com.
216.52.165.222 z01.zephermedia.net.
217.199.183.24 ns.company-formation-house.co.uk.
217.42.193.89 host217-42-193-89.range217-42.btcentralplus.com.
217.5.49.220 pD90531DC.dip.t-dialin.net.
218.107.188.83
218.107.188.84
218.107.188.85
218.107.188.86
218.107.188.87
218.162.205.3 218-162-205-3.HINET-IP.hinet.net.
218.81.180.49
218.81.185.223
218.87.232.127
218.94.209.74
220.189.21.106
24.175.19.33 cs2417519-33.austin.rr.com.
24.222.85.92 s85n92.syd.eastlink.ca.
24.87.251.75 h24-87-251-75.vc.shawcable.net.
35.11.228.79 user-eee11f.user.msu.edu.
61.17.107.96
61.173.46.86
61.191.231.190
61.191.231.240
62.46.64.153 L0005P25.dipool.highway.telekom.at.
63.237.252.118 118.fdaol.com.
64.123.144.35 adsl-64-123-144-35.dsl.okcyok.swbell.net.
64.156.186.51 host51.sampleclub.net.
64.156.187.122 mailer122.gossipflash.com.
64.156.187.150 mailer150.yourbigvote.com.
64.156.187.151 mailer151.yourbigvote.com.
64.191.35.124 ns1.nuiale9028jka.com.
64.191.35.125 ns2.nuiale9028jka.com.
64.191.83.88
64.191.83.89
64.191.83.90
64.201.103.58
64.201.103.62
64.201.120.247
64.253.207.120
64.253.207.121
64.253.207.122
64.253.207.123
64.28.67.130
64.41.183.130 em1.proffiliates.com.
64.62.133.205
64.70.17.138
64.70.17.141
64.70.17.142
64.70.17.67
64.70.17.68
64.70.17.75
64.70.17.76
64.70.17.77
64.70.17.78
64.70.53.132
64.70.53.140
64.70.53.142
64.88.151.68 close-1.closeout-special.com.
64.95.116.103 mercury.netoes.com.
64.95.116.104 venus.netoes.com.
64.95.116.105 earth.netoes.com.
64.95.116.106 mars.netoes.com.
64.95.116.107 jupiter.netoes.com.
64.95.116.108 saturn.netoes.com.
64.95.116.109 uranus.netoes.com.
64.95.116.110 neptune.netoes.com.
64.95.116.111 pluto.netoes.com.
64.95.116.112 zeus.netoes.com.
64.95.116.113 maia.netoes.com.
64.95.116.114 atlas.netoes.com.
65.161.206.140 adsl-206-140.webshoppe.net.
65.182.136.70
65.182.137.48
65.213.231.49 newsletter1.traderonline.com.
65.248.59.131 m131.eyonkers.com.
65.248.59.132 m132.eyonkers.com.
66.111.231.82 ywndp.your-world-news.com.
66.111.254.7 wti7.warmtimes.com.
66.117.18.153 host153.bigtimebargains.net.
66.117.21.18 host18.try4free.net.
66.117.22.242 host242.winnersdaily.net.
66.117.30.126 host126.samplesdirect.net.
66.12.28.14 bdsl.66.12.28.14.gte.net.
66.151.41.179 consumer-marketplace.com.
66.225.220.5 unknown.servercentral.net.
66.239.204.133 newd3.sm66.com.
66.239.205.115 offd15.cw69.com.
66.239.205.117 offd17.cw69.com.
66.55.165.16
66.55.165.19
66.55.165.20
66.55.165.21
66.55.167.133
66.55.167.134
66.55.167.135
66.55.167.136
66.55.167.137 l4.promdly.com.
66.55.167.152
66.55.167.153
66.55.167.155 o1.fryrinfo.com.
66.55.169.113
66.55.169.73
66.55.169.76
66.55.179.14
66.55.179.15
66.63.163.99 99.gd-aol.com.
67.108.25.121 67-108-25-121.hopebytheorange.com.
67.108.25.122 67-108-25-122.hopebytheorange.com.
67.108.25.123 67-108-25-123.hopebytheorange.com.
67.108.25.124 67-108-25-124.hopebytheorange.com.
67.108.25.126 67-108-25-126.hopebytheorange.com.
67.127.229.43 adsl-67-127-229-43.dsl.irvnca.pacbell.net.
67.127.246.23 adsl-67-127-246-23.dsl.irvnca.pacbell.net.
67.81.81.28 ool-4351511c.dyn.optonline.net.
67.85.33.17 ool-43552111.dyn.optonline.net.
68.122.105.48 adsl-68-122-105-48.dsl.irvnca.pacbell.net.
69.1.232.151
69.1.232.231
69.44.153.103 qyou2.com.
69.56.165.102 102.69-56-165.reverse.theplanet.com.
80.235.55.199 80-235-55-199-dsl.kjj.estpak.ee.
82.44.16.203 82-44-16-203.cable.ubr03.blac.blueyonder.co.uk.

For the apparently legit ones above (e.g., citibank), each was able to send up to 10 msgs before getting anvilled.
In the case of citibank, here is its anvil record:

Feb  7 05:36:22 im1 postfix/smtpd[88596]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 05:36:29 im1 postfix/smtpd[88592]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 06:06:19 im1 postfix/smtpd[88745]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 06:11:25 im1 postfix/smtpd[88667]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 07:40:03 im1 postfix/smtpd[89193]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 07:46:26 im1 postfix/smtpd[89232]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 07:52:13 im1 postfix/smtpd[89222]: warning: Too frequent connections: 13 from 192.193.226.97 for service smtp
Feb  7 08:22:17 im1 postfix/smtpd[89810]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp

You can see the "10" value above, with anvil logging starting only at 11. Noting the timestamps, you can see that citibank seems to have a 1-hour retry value (reasonable), which gets citigroup de-anvilled. Finally, everything from citibank was delivered, on the order of 50 or so messages. And note that citigroup's MTA gives up on IMGate after only 2 or 3 anvil 421's, while other MTAs can run up 100s or 1000s of consecutive retries (bad behavior, deserves to be blocked).

The 10c/30 anvil settings seem to be working for an IMGate with these 9 AM (Saturday) stats:

Grand Totals
------------
messages

   5136   received
   4728   delivered
      0   forwarded
     26   deferred  (134  deferrals)
     72   bounced
  78219   rejected (93%)
   9441   reject warnings
      0   held
    468   discarded (0%)

 64172k   bytes received
 77238k   bytes delivered
   2422   senders
   1164   sending hosts/domains
   2343   recipients
    287   recipient hosts/domains

Obviously, a couple of items to "except from anvil", which is not the same as whitelisting.
A legit IP getting anvilled dynamically doesn't mean it was unable to deliver any messages at all, just that it can't deliver 10+ messages in under 30 minutes. I expect that anvil will produce very few, if any, complaints about blocked mail. Also note that, e.g., flowgo is blacklisted anyway, so even if it got past anvil using low rates, it still would be SMTP rejected.

The anvil report above shows IPs, esp. Class Cs without PTR, that should be blacklisted, if not already, for their connection behavior alone, independent of envelope info or content. I.e., I expect anvil is a very good identifier of Spammers Behaving Badly.

Anvil blocking is dynamic, meaning temporary, because it's a real-time connection rate manager, not a permanent blacklist. With connections = 10, that means an IP that gets anvilled will "421 reject" for back off + retry. If the retry is too short, it stays anvilled. If its retry is longer (but I don't know how long), it will get de-anvilled and be able to send 10 msgs again, or an infinite number of msgs as long as it remains under 10 connects per 30 minutes.

Also note that a single connect (which is what anvil counts) could contain multiple RCPT TO:, so a list server that chunks recipients into, say, 20 recipients/connect would be able to send 10 x 20 = 200 msgs and not get anvilled.

If somebody could come up with that script I asked for yesterday, you could run it on a week or two of your maillogs and identify your set of legit MTAs to be anvil-excepted.

Len
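The maillog summary Len asks for at the end, as an added example; this is not code from the IMGate list, from Len, or from Postfix. It assumes the exact smtpd warning format quoted above ("warning: Too frequent connections: N from IP for service smtp", one line per connection refused with a 421), a syslog year of 2004 (syslog lines carry none), and a 30-minute window matching the thread's 10c/30min setting. The eight 192.193.226.97 lines are the ones from the thread; the 192.0.2.10 client, its log lines, the "connect from" noise line and the hammer threshold of 5 refused retries per window are constructed for the example.

```python
"""Summarise Postfix anvil "Too frequent connections" warnings per client.

Added example for this thread; not code from the IMGate list, from Len, or
from Postfix.  Assumes the smtpd warning format quoted in the thread and a
syslog year of 2004.  The 192.0.2.10 client and its lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# smtpd logs one of these per connection it refuses with 421 on anvil's
# behalf; the number is anvil's connection count for that client in the
# current anvil_rate_time_unit window (11 = first one over a limit of 10).
ANVIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: Too frequent connections: (?P<n>\d+) from (?P<ip>\S+) "
    r"for service (?P<svc>\S+)$"
)


def parse_anvil_warnings(lines, year=2004):
    """Return {(client_ip, service): [(timestamp, count), ...]} in log order.

    Lines that are not anvil warnings (connect/disconnect, queue ids, ...)
    are skipped, so a whole maillog can be fed in.
    """
    events = defaultdict(list)
    for line in lines:
        m = ANVIL_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[(m["ip"], m["svc"])].append((ts, int(m["n"])))
    return dict(events)


def max_in_window(times, window):
    """Largest number of warnings falling inside any one span of `window`."""
    times = sorted(times)
    best = lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify(events, window=timedelta(minutes=30), hammer_threshold=5):
    """Per client IP: how hard it kept retrying after a 421, plus a verdict.

    `window` mirrors the thread's 30-minute anvil time unit.  A client whose
    busiest window holds only a few refused retries (citigroup: 2 or 3)
    backs off sanely; if it is also a legitimate MTA it is a candidate for
    the anvil exception list.  One that piles up dozens of refused connects
    is the "spammer behaving badly" case.  hammer_threshold=5 is an
    assumed cut-off.  This counts connections, as anvil does, not messages:
    one connect may carry many RCPT TO.
    """
    report = {}
    for (ip, svc), evs in events.items():
        times = [t for t, _ in evs]
        worst = max_in_window(times, window)
        report[ip] = {
            "service": svc,
            "refused": len(evs),                    # 421'd connection attempts
            "peak_count": max(n for _, n in evs),   # highest anvil count seen
            "worst_window": worst,                  # refusals in busiest window
            "first": min(times),
            "last": max(times),
            "verdict": "backs-off" if worst <= hammer_threshold else "hammers",
        }
    return report


# The eight lines quoted in the thread (192.193.226.97 = mail0.citigroup.com).
THREAD_LOG = """\
Feb  7 05:36:22 im1 postfix/smtpd[88596]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 05:36:29 im1 postfix/smtpd[88592]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 06:06:19 im1 postfix/smtpd[88745]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 06:11:25 im1 postfix/smtpd[88667]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 07:40:03 im1 postfix/smtpd[89193]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
Feb  7 07:46:26 im1 postfix/smtpd[89232]: warning: Too frequent connections: 12 from 192.193.226.97 for service smtp
Feb  7 07:52:13 im1 postfix/smtpd[89222]: warning: Too frequent connections: 13 from 192.193.226.97 for service smtp
Feb  7 08:22:17 im1 postfix/smtpd[89810]: warning: Too frequent connections: 11 from 192.193.226.97 for service smtp
"""

# Constructed: a client that retries every 5 seconds after being 421'd.
HAMMER_LOG = "".join(
    f"Feb  7 05:00:{5 * i:02d} im1 postfix/smtpd[9{i:04d}]: warning: "
    f"Too frequent connections: {11 + i} from 192.0.2.10 for service smtp\n"
    for i in range(12)
)
# Constructed non-anvil line, to show unrelated maillog lines are ignored.
NOISE = "Feb  7 05:36:20 im1 postfix/smtpd[88596]: connect from mail0.citigroup.com[192.193.226.97]\n"


def main():
    """Run over the embedded sample and print one line per client."""
    lines = (THREAD_LOG + HAMMER_LOG + NOISE).splitlines()
    report = classify(parse_anvil_warnings(lines))
    for ip, r in sorted(report.items(), key=lambda kv: -kv[1]["worst_window"]):
        print(f"{ip:16} {r['service']:5} refused={r['refused']:3} "
              f"peak={r['peak_count']:3} worst30m={r['worst_window']:3} "
              f"{r['first']:%b %d %H:%M}..{r['last']:%H:%M} {r['verdict']}")
    return report


if __name__ == "__main__":
    main()
```

On real data, feed it `open("/var/log/maillog")` and adjust `year` for lines that cross a year boundary; IPs that come out "backs-off" still need a reverse-DNS and reputation check before going onto the exception list (in current Postfix, smtpd_client_event_limit_exceptions, which takes addresses or networks). That address-based exception list is also why anvil cannot exempt Bill's authenticated customers directly: the count is taken at connect time, before AUTH runs. The usual Postfix practice, not stated in the thread, is a separate master.cf service for them (submission on port 587) with `-o smtpd_client_connection_rate_limit=0`, since anvil keeps its counters per service and a limit of 0 disables it.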
