On Fri, Feb 08, 2008 at 10:08:19PM +1100, Rod Whitworth wrote:
> On Fri, 8 Feb 2008 11:07:15 +0100, Raimo Niskanen wrote:
>
> > To make the greylist heuristics validate the hosts
> > by reverse DNS PTR lookup and then forward A lookup
> > is apparently a debatable issue according to the
> > current thread "running mail server at home".
> > But if it is (fairly) common practice it would
> > be a simple thing to do, and certainly decrease
> > spam volume. But would it be too narrow?
>
> Every so often we see a flood of connections trying to deliver bounce
> messages to nonexisting mailboxes here where there are two domains
> sharing a postfix/OpenBSD box running spamd in greylisting/trapping
> mode.
>
> Mostly:
> The sender domains are real and the mail is from valid MTAs for those
> domains.
> The admins of those senders are incompetent wankers who run MTAs that
> accept mail for any address and later bounce it to the purported
> sender.
> but not 100%.
>
> My solution was to run a script from cron every four minutes that looks
> like:
> =========================
> #!/bin/sh
> spamdb|grep GREY|cut -d "|" -f2|tr -d "<"|tr -d ">"|tr "|" " " >>/var/db/slices
> while read villain; do
> /usr/local/sbin/postmap -q $targ /etc/postfix/vmailbox >/dev/null

Where did the $targ variable come from? I do not run postfix.
What do you search for in what database?

> if [ $? -ne 0 ] ; then
> spamdb -ta $villain
> fi
> done < /var/db/slices
> rm /var/db/slices
> ==========================
>
> Caveat: This script will tarpit otherwise innocent senders who have
> clients who use a mailbox name with a typo in it because it traps ALL
> messages addressed to invalid mailboxes. Using another grep to select
> on a match of <> will eliminate all but bounces to invalid addresses

Does a sender (spamdb field 5 (starting at 1)) == <> indicate a bounce?
And you say it is OK to tarpit hosts that bounce to invalid addresses?

> from the null sender. They would not have reached a mailbox anyway.
>
> I figure that maybe, just maybe, some admins will see the log message
> repeating during all the tarpitting and get a clue. It is easier than
> sending an email complaining about their cluelessness.
>
> As to load: The box is a Celeron 1.3GHz with 256 MB RAM. It handles
> lots of mail with reasonably large PDF and graphics attached and runs a
> POP3 daemon as well that is polled regularly by about 70 "always on"
> accounts. I cannot see any degradation of performance when these storms
> are peaking. spamd rocks!

What does "lsof -ni:spamd | wc -l" say during the peaks?
On my machine spamd ran out of sockets (about 670).

> Rod/
> (CC not needed, thanx.)
>
> Rod/
>
> From the land "down under": Australia.
> Do we look <umop apisdn> from up over?

-- 
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
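The trap decision from Rod's cron script, with the `<>` null-sender filter he mentions in the caveat and a dry run in place of `spamdb -ta`, as an example added here (not the script from the thread). It assumes spamdb(8) prints GREY rows as type|ip|helo|from|to|first|pass|expire|block|pass, and a valid-mailbox file with one address at the start of each line; the sample spamdb output and mailbox list are constructed.

```sh
#!/bin/sh
# Added example, not the script from the thread: pick the greylisted
# hosts worth trapping. Input on stdin is spamdb(8) output, assumed to be
# laid out as type|ip|helo|from|to|first|pass|expire|block|pass for GREY
# rows. $1 names a file listing valid mailboxes, one address at the start
# of each line (a postfix "address value" map source works as-is).
# Prints one source IP per line for every GREY entry that is a bounce
# (null sender <>) addressed to a mailbox that does not exist.
backscatter_traps() {
    awk -F'|' -v mbox="$1" '
        BEGIN {
            while ((getline line < mbox) > 0) {
                split(line, f, /[ \t]+/)
                if (f[1] != "") valid[tolower(f[1])] = 1
            }
        }
        $1 == "GREY" {
            from = $4; to = $5
            gsub(/[<>]/, "", from); gsub(/[<>]/, "", to)
            # Real senders with a typo in the recipient are left alone;
            # only backscatter to an unknown mailbox marks the host.
            if (from == "" && !(tolower(to) in valid)) trap[$2] = 1
        }
        END { for (ip in trap) print ip }
    ' | sort -u
}

# Constructed sample data standing in for "spamdb" and /etc/postfix/vmailbox.
SAMPLE_SPAMDB='GREY|192.0.2.10|mx.example.net|<>|<nosuch@example.org>|1202464000|1202467600|1202479200|3|0
GREY|192.0.2.20|mx.example.com|<alice@example.com>|<nosuch@example.org>|1202464000|1202467600|1202479200|1|0
GREY|192.0.2.30|mx.example.net|<>|<bob@example.org>|1202464000|1202467600|1202479200|1|0
WHITE|192.0.2.40|||1202464000|1202467600|1202479200|0|5'
SAMPLE_MAILBOXES=$(mktemp)
printf 'alice@example.org alice/\nbob@example.org bob/\n' > "$SAMPLE_MAILBOXES"

# Dry run: list the hosts instead of handing them to "spamdb -ta".
# Only 192.0.2.10 qualifies: .20 is a real sender with a typo, .30 is a
# bounce to an existing mailbox, and the WHITE row is not greylisted.
backscatter_dry_run() {
    printf '%s\n' "$SAMPLE_SPAMDB" | backscatter_traps "$SAMPLE_MAILBOXES"
}
```

On the real box the cron pipeline becomes `spamdb | backscatter_traps /etc/postfix/vmailbox | while read ip; do spamdb -ta "$ip"; done`, so the temporary slices file is no longer needed.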

