[qmailtoaster] Re: help with some spam

2010-07-13 Thread Eric Shubert

David Milholen wrote:


The blacklist_rdns would be the place to list my domain?
--Dave



No, that wouldn't be effective, as the spammers aren't using your rdns.
Put
@mydomain.com
in the /etc/spamdyke/blacklist_senders file.

If you want to avoid any problems with this, I think whitelisting your 
IP address blocks (whitelist_ip file) would eliminate the need to 
authenticate:

63.147.8.0/23
etc.

--
-Eric 'shubes'


-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
   Vickers Consulting Group offers Qmailtoaster support and installations.
 If you need professional help with your setup, contact them today!
-
Please visit qmailtoaster.com for the latest news, updates, and packages.

 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




[qmailtoaster] Re: help with some spam

2010-07-12 Thread Eric Shubert
If all of your submissions come from authenticated connections (which 
they should), you can blacklist your own domain. I know this sounds 
counter-intuitive, but since all of your domains authenticate, the only 
rejections will be those who claim to come from your domain but fail to 
authenticate, since authenticated connections pass all filters. It works 
well to block all spam that forges your domain in the sender's address.


Note, if you use squirrelmail, you should modify your SM configuration 
to authenticate smtp submissions, and probably use port 587 as well 
(instead of the default port 25). The stock squirrelmail configuration 
does not authenticate by default.


In case all of your submissions aren't authenticated (perhaps you have a 
web app that doesn't authenticate), the new version of spamdyke (v4.1.0, 
just released a week or so ago) contains a new option that will reject 
emails where the sender and recipient addresses are the same. This is often 
the case with such spam, and is the next best thing to blacklisting your 
own domain.


FWIW, when you use qtp-install-spamdyke to upgrade to the latest 
spamdyke version, it will now also install qtp-prune-graylist so your 
graylist stays pruned optimally. You should be sure to have the latest 
qmailtoaster-plus package installed before upgrading spamdyke:

# yum update qmailtoaster-plus
# qtp-install-spamdyke

You can also use badmailto for restricting some of these spam messages 
that contain numbers. See 
http://wiki.qmailtoaster.com/index.php/Account_verification_using_badmailto 
but I expect this would not be necessary if you're blacklisting your 
domain(s).


--
-Eric 'shubes'


David Milholen wrote:

I have these in my logs. I found them when I was trimming some entries in 
my domain greylist. This is not an account I have in my domain: 44b2a950.4000106
My domain is wletc.com.

It looks like multiple IPs with multiple rDNS names.
I am just going to add this one to the senders blacklist file.
Is there another method for blocking these types of numerical senders?
Also, what steps can I take to avoid false positives from listing my 
domain, for mail from my domain to itself like some of these entries?



@40004c3b4f4d10acf19c spamdyke[11976]: TIMEOUT from: 
44b2a950.4000...@wletc.com to: 44b2a950.4000...@wletc.com origin_ip: 
213.190.211.147 origin_rdns: (unknown) auth: (unknown) reason: TIMEOUT
@40004c3b56d128b184c4 CHKUSER accepted sender: from 
44b2a950.4000...@wletc.com:: remote 
[94.65.155.4]:unknown:94.65.155.4 rcpt  : sender accepted
@40004c3b56d13709d9f4 spamdyke[18424]: DENIED_IP_IN_CC_RDNS from: 
44b2a950.4000...@wletc.com to: 44b2a950.4000...@wletc.com origin_ip: 
94.65.155.4 origin_rdns: ppp-94-65-155-4.home.otenet.gr auth: (unknown)
@40004c3b570f0a02a51c spamdyke[18424]: TIMEOUT from: 
44b2a950.4000...@wletc.com to: 44b2a950.4000...@wletc.com origin_ip: 
94.65.155.4 origin_rdns: ppp-94-65-155-4.home.otenet.gr auth: (unknown) 
reason: TIMEOUT
@40004c3b5e45242165b4 CHKUSER accepted sender: from 
44b2a950.4000...@wletc.com:: remote 
[89.123.30.150]:unknown:89.123.30.150 rcpt  : sender accepted
@40004c3b5e45314303ec spamdyke[25343]: DENIED_RBL_MATCH from: 
44b2a950.4000...@wletc.com to: 44b2a950.4000...@wletc.com origin_ip: 
89.123.30.150 origin_rdns: (unknown) auth: (unknown)
@40004c3b5e8302297974 spamdyke[25343]: TIMEOUT from: 
44b2a950.4000...@wletc.com to: 44b2a950.4000...@wletc.com origin_ip: 
89.123.30.150 origin_rdns: (unknown) auth: (unknown) reason: TIMEOUT
@40004c3b6b742cb00294 CHKUSER accepted sender: from 
44b2a950.4000...@wletc.com:: remote 
[12.29.111.249]:unknown:12.29.111.133 rcpt  : sender accepted
@40004c3b6b74336cc98c spamdyke[4241]: DENIED_GRAYLISTED from: 
44b2a950.4000...@wletc.com to: 44b2a950.4000...@wletc.com origin_ip: 
12.29.111.133 origin_rdns: (unknown) auth: (unknown)
@40004c3b786a36a2bb84 spamdyke[15651]: DENIED_BLACKLIST_IP from: 
oqocegogel1...@satlynx.net to: 44b2a950.4000...@wletc.com origin_ip: 
217.159.121.90 origin_rdns: host-217-159-121-90.satlynx.net auth: (unknown)
@40004c3b78a914e6bb1c spamdyke[15651]: TIMEOUT from: 
oqocegogel1...@satlynx.net to: 44b2a950.4000...@wletc.com origin_ip: 
217.159.121.90 origin_rdns: host-217-159-121-90.satlynx.net auth: 
(unknown) reason: TIMEOUT


Thanks,
--
David Milholen
Project Engineer
501-318-1300
Wireless Etc
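The following is an added example, not code from the thread, spamdyke or qmailtoaster. It performs the check a practitioner would want before following Eric's advice in both of his replies above (list your own domain in blacklist_senders, list your own address blocks in whitelist_ip, and optionally reject mail whose sender and recipient are identical): it parses spamdyke log lines in the format David posted and reports which connections the new rules would refuse that spamdyke currently allows, so that customers who still send unauthenticated from outside the whitelisted blocks show up before they are cut off. The decision order is a simplified model of what Eric describes, the sample lines, addresses and rule names are constructed or mine, and David's networks from his reply are used as the whitelist, with 208.44.160.xxx/24 taken as 208.44.160.0/24.

```python
"""What-if triage of spamdyke log lines against the policy discussed in this
thread.  Added example with a simplified model of the decision order
(authenticated and whitelisted connections bypass everything, then the
sender blacklist, then the identical-address check).  Not spamdyke's code;
rule names are mine.  Sample log lines are constructed, modelled on the
lines quoted in the thread."""
import ipaddress
import re
from collections import Counter

# Field layout of the spamdyke decision lines quoted in the thread.  Lines in
# other formats (e.g. the CHKUSER lines) do not match and are skipped.
LOG_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<result>\S+) from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)"
)

# Constructed sample.  The first six lines follow the thread's entries, unwrapped
# (the elided satlynx sender is replaced by a documentation address); the last
# four are invented: an outside customer with "authentication required" unchecked,
# a customer inside one of David's blocks, an authenticated submission, and a
# stranger's mail whose sender equals its recipient.
SAMPLE_LOG = """\
@40004c3b4f4d10acf19c spamdyke[11976]: TIMEOUT from: 44b2a950.4000106@wletc.com to: 44b2a950.4000106@wletc.com origin_ip: 213.190.211.147 origin_rdns: (unknown) auth: (unknown) reason: TIMEOUT
@40004c3b56d128b184c4 CHKUSER accepted sender: from 44b2a950.4000106@wletc.com:: remote [94.65.155.4]:unknown:94.65.155.4 rcpt  : sender accepted
@40004c3b56d13709d9f4 spamdyke[18424]: DENIED_IP_IN_CC_RDNS from: 44b2a950.4000106@wletc.com to: 44b2a950.4000106@wletc.com origin_ip: 94.65.155.4 origin_rdns: ppp-94-65-155-4.home.otenet.gr auth: (unknown)
@40004c3b5e45314303ec spamdyke[25343]: DENIED_RBL_MATCH from: 44b2a950.4000106@wletc.com to: 44b2a950.4000106@wletc.com origin_ip: 89.123.30.150 origin_rdns: (unknown) auth: (unknown)
@40004c3b6b74336cc98c spamdyke[4241]: DENIED_GRAYLISTED from: 44b2a950.4000106@wletc.com to: 44b2a950.4000106@wletc.com origin_ip: 12.29.111.133 origin_rdns: (unknown) auth: (unknown)
@40004c3b786a36a2bb84 spamdyke[15651]: DENIED_BLACKLIST_IP from: forged@example.net to: 44b2a950.4000106@wletc.com origin_ip: 217.159.121.90 origin_rdns: host-217-159-121-90.satlynx.net auth: (unknown)
@40004c3b7900000000a1 spamdyke[15700]: ALLOWED from: customer@wletc.com to: friend@example.org origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: (unknown)
@40004c3b7900000000a2 spamdyke[15700]: ALLOWED from: customer@wletc.com to: friend@example.org origin_ip: 63.147.8.25 origin_rdns: (unknown) auth: (unknown)
@40004c3b7900000000a3 spamdyke[15700]: ALLOWED from: customer@wletc.com to: friend@example.org origin_ip: 203.0.113.9 origin_rdns: (unknown) auth: customer@wletc.com
@40004c3b7900000000a4 spamdyke[15700]: ALLOWED from: bob@example.org to: bob@example.org origin_ip: 192.0.2.44 origin_rdns: (unknown) auth: (unknown)
"""


def parse_spamdyke_log(text):
    """One dict per spamdyke decision line; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def sender_domain(addr):
    return addr.rpartition("@")[2].lower()


def proposed_decision(entry, own_domains, whitelisted_nets, reject_identical=True):
    """Apply the proposed rules to one parsed entry.

    Returns (verdict, rule): "REJECT" when one of the new rules would refuse
    the message, "PASS" when they add nothing (existing filters such as RBL
    and graylist still run in that case)."""
    if entry["auth"] != "(unknown)":  # assumption: any other value is an SMTP AUTH user
        return "PASS", "authenticated"
    try:
        ip = ipaddress.ip_address(entry["ip"])
    except ValueError:
        ip = None
    if ip is not None and any(ip in net for net in whitelisted_nets):
        return "PASS", "whitelist_ip"
    if sender_domain(entry["sender"]) in own_domains:
        return "REJECT", "blacklist_senders"
    if reject_identical and entry["sender"].lower() == entry["rcpt"].lower():
        return "REJECT", "identical_sender_recipient"
    return "PASS", "no_new_rule"


def triage(text, own_domains, whitelisted_cidrs, reject_identical=True):
    """Summarise what the proposed policy would change.

    newly_rejected: connections spamdyke currently ALLOWS that the new rules
    would refuse; review these before enabling the rules, since real customers
    here (unauthenticated, outside your blocks) are the false positives.
    own_domain_forgeries: connections already denied or timing out that would
    now be refused at the sender blacklist instead."""
    nets = [ipaddress.ip_network(c, strict=False) for c in whitelisted_cidrs]
    own = {d.lower().lstrip("@") for d in own_domains}  # accepts "@wletc.com" file syntax
    report = {"counts": Counter(), "newly_rejected": [], "own_domain_forgeries": 0}
    for e in parse_spamdyke_log(text):
        verdict, rule = proposed_decision(e, own, nets, reject_identical)
        report["counts"][verdict] += 1
        if verdict != "REJECT":
            continue
        if e["result"] == "ALLOWED":
            report["newly_rejected"].append((e["sender"], e["ip"], rule))
        elif rule == "blacklist_senders":
            report["own_domain_forgeries"] += 1
    return report


if __name__ == "__main__":
    # David's address blocks from the thread; 208.44.160.xxx/24 read as 208.44.160.0/24.
    blocks = ["208.44.160.0/24", "63.147.8.0/23", "65.44.158.0/23", "63.144.48.0/24"]
    r = triage(SAMPLE_LOG, ["@wletc.com"], blocks)
    print(dict(r["counts"]), "forgeries caught at blacklist:", r["own_domain_forgeries"])
    for sender, ip, rule in r["newly_rejected"]:
        print(f"would now reject {sender} from {ip} via {rule}")
```

Run the same triage over the real spamdyke log and read newly_rejected: every blacklist_senders entry there is a customer who still has authentication unchecked and is connecting from outside the whitelisted blocks, which is exactly the case David raises, and an identical_sender_recipient entry is the pattern Eric's new spamdyke option targets.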






Re: [qmailtoaster] Re: help with some spam

2010-07-12 Thread David Milholen



On 7/12/2010 8:28 PM, Eric Shubert wrote:
If all of your submissions come from authenticated connections (which 
they should), you can blacklist your own domain. I know this sounds 
counter-intuitive, but since all of your domains authenticate, the 
only rejections will be those who claim to come from your domain but 
fail to authenticate, since authenticated connections pass all 
filters. It works well to block all spam that forges your domain in 
the sender's address.


There may be a small problem with this, but it should not be a major issue. 
Most, but not all, of my customers have the "authentication required" box 
in their mail client unchecked if they are INSIDE my network, but if they 
are outside of my network they must have this checked. For example, I own 
the 208.44.160.xxx/24, 63.147.8.0/23, 65.44.158.0/23 and 63.144.48.0/24 
networks, and they are all on my wireless topology. If my customers are 
home on these networks then the only path out is through my data center, 
which has the main DNS and MX services.
If they are not home, say on vacation, then they must set this box for 
authentication. Two years ago we started setting this by default, so 
there may be a few still out there with this not checked.
I am not scared to list my nets, because I do welcome an attack from 
outside. I do love my iptables and the Unix scripting in ImageStream :)


Note, if you use squirrelmail, you should modify your SM configuration 
to authenticate smtp submissions, and probably use port 587 as well 
(instead of the default port 25). The stock squirrelmail configuration 
does not authenticate by default.



Already configured this and works great:)

In case all of your submissions aren't authenticated (perhaps you have a 
web app that doesn't authenticate), the new version of spamdyke (v4.1.0, 
just released a week or so ago) contains a new option that will reject 
emails where the sender and recipient addresses are the same. This is often 
the case with such spam, and is the next best thing to blacklisting your 
own domain.


FWIW, when you use qtp-install-spamdyke to upgrade to the latest 
spamdyke version, it will now also install qtp-prune-graylist so your 
graylist stays pruned optimally. You should be sure to have the latest 
qmailtoaster-plus package installed before upgrading spamdyke:

# yum update qmailtoaster-plus
# qtp-install-spamdyke

You can also use badmailto for restricting some of these spam messages 
that contain numbers. See 
http://wiki.qmailtoaster.com/index.php/Account_verification_using_badmailto 
but I expect this would not be necessary if you're blacklisting your 
domain(s).



The blacklist_rdns would be the place to list my domain?
--Dave






Re: [qmailtoaster] Re: help with some spam

2010-07-12 Thread Martin Waschbuesch
I was able to get rid of that sort of spam by signing all outgoing mail with 
DomainKeys and setting the DomainKeys policy record to signify: this server 
signs ALL outgoing mail.

Incoming policy can be adjusted to reject mail where there is no signature in 
such a case.

Martin


--
Corporation. An ingenious device for obtaining individual profit without 
individual responsibility.

Bierce, Ambrose
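An added example (not code from the thread, qmailtoaster or any DomainKeys/DKIM library) of the policy logic Martin describes: a domain publishes a record asserting that all its mail is signed, and the receiving side rejects mail that claims that domain unless it carries a verified signature from the domain itself. Cryptographic verification of the signature is assumed to have been done elsewhere and its result is passed in; this code only decides what the published policy says about that result. The DNS records, header values and domains are constructed. Record syntax follows RFC 4870 (DomainKeys policy at _domainkey.<domain>, o=- meaning all mail is signed, o=~ meaning only some) and RFC 5617 (DKIM ADSP at _adsp._domainkey.<domain>, dkim=all or dkim=discardable).

```python
"""Policy side of "this server signs ALL outgoing mail": decide whether an
inbound message that claims a domain must be rejected for lacking a valid
author-domain signature.  Added example; not qmailtoaster or library code.
Signature verification itself is assumed done elsewhere (the `verified`
argument).  DNS data and messages are constructed."""
import re

# Constructed TXT records.  DomainKeys (RFC 4870): o=- all mail signed, o=~ some.
# DKIM ADSP (RFC 5617): dkim=all / dkim=discardable make the same assertion.
CONSTRUCTED_DNS = {
    "_domainkey.example.com": "t=n; o=-; n=all outgoing mail is signed",
    "_adsp._domainkey.example.com": "dkim=all",
    "_domainkey.example.org": "o=~",
}


def parse_tags(record):
    """'tag=value; tag=value' into a dict; used for policy records and signature headers."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def signs_all_mail(domain, dns):
    """Does the domain assert that every message it sends is signed?  Missing records: no."""
    dk = parse_tags(dns.get(f"_domainkey.{domain}", ""))
    adsp = parse_tags(dns.get(f"_adsp._domainkey.{domain}", ""))
    return dk.get("o") == "-" or adsp.get("dkim") in ("all", "discardable")


def from_domain(headers):
    """Domain of the From: address, lowercased; '' if none is found."""
    m = re.search(r"@([A-Za-z0-9.-]+)", headers.get("From", ""))
    return m.group(1).lower() if m else ""


def policy_verdict(headers, verified, dns=CONSTRUCTED_DNS):
    """'accept' or 'reject' for one inbound message.

    headers: header name -> value.  verified: signature header name -> bool,
    the outcome of cryptographic verification done elsewhere.  A signature
    satisfies the policy only if it verified AND its d= equals the From
    domain (an author-domain signature, as ADSP requires); a valid signature
    from some other domain does not.  Unsigned or mismatched mail is rejected
    only when the From domain says all its mail is signed."""
    domain = from_domain(headers)
    if not domain:
        return "accept"  # no author domain, so no policy to apply
    for name in ("DKIM-Signature", "DomainKey-Signature"):
        signer = parse_tags(headers.get(name, "")).get("d", "").lower()
        if verified.get(name) and signer == domain:
            return "accept"  # verified author-domain signature
    return "reject" if signs_all_mail(domain, dns) else "accept"


def demo():
    """Constructed messages covering the cases that matter; returns the verdicts."""
    dk_sig = "a=rsa-sha1; q=dns; c=nofws; s=sel1; d=example.com"
    cases = [
        # 1. signed by the author domain, verified -> accept
        ({"From": "Alice <alice@example.com>",
          "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to"},
         {"DKIM-Signature": True}),
        # 2. no signature at all from a domain that signs everything -> reject
        ({"From": "alice@example.com"}, {}),
        # 3. valid signature, but from a third party, not the author domain -> reject
        ({"From": "alice@example.com",
          "DKIM-Signature": "v=1; a=rsa-sha256; d=bulk-sender.example.net; s=x"},
         {"DKIM-Signature": True}),
        # 4. author-domain signature present but failed verification -> reject
        ({"From": "alice@example.com", "DomainKey-Signature": dk_sig},
         {"DomainKey-Signature": False}),
        # 5. domain with the default o=~ policy: unsigned mail is still accepted
        ({"From": "bob@example.org"}, {}),
        # 6. DomainKeys signature (the variant Martin deployed), verified -> accept
        ({"From": "alice@example.com", "DomainKey-Signature": dk_sig},
         {"DomainKey-Signature": True}),
    ]
    return [policy_verdict(h, v) for h, v in cases]


if __name__ == "__main__":
    print(demo())
```

Case 3 is the one that matters for forged-sender spam: a spammer can register a domain and sign with it, so the receiving check must compare the signing domain with the From domain rather than only asking whether some signature verified. Case 5 shows why the policy record has to say "all", not the default "some": with o=~ the receiver has no grounds to reject unsigned mail.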

