Re: How to block spammers appearing as local users?
On ons 02 sep 2009 03:28:20 CEST, Sahil Tandon wrote

>>>> ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
>>> Why are you accepting mail from an obvious DHCP address?
>> who says this ip is dynamic, just because the hostname look like it is ?
> Oh please; just use some common sense and basic heuristics.

http://www.robtex.com/ip/124.122.30.5.html#blacklists

rbl listed yes, but where is it dynamic ?

i have seen enough static hostname on dynamic ip to not count on reverse ptr

--
xpoint
Re: How to block spammers appearing as local users?
please don't reply off-list

On 1-Sep-2009, at 02:48, nunatarsuaq wrote:
> 2009/9/1 LuKreme krem...@kreme.com:
>> On 31-Aug-2009, at 08:07, nunatarsuaq wrote:
>>> Aug 30 11:46:28 ghost postfix/smtpd[26223]: connect from ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
>> Why are you accepting mail from an obvious DHCP address?
> How to determine and block all dynamic addresses?

Assuming that the address is not caught by zen (and most all of them are) then there are a number of strategies used that you can find searching the list archives. This is what I use for postfix.

smtpd_recipient_restrictions =
    [ Stuff ]
    check_client_access pcre:$config_directory/check_client_fqdn.pcre,
    check_recipient_access pcre:$config_directory/recipient_checks.pcre,
    check_client_access hash:$config_directory/access,
    reject_rbl_client zen.spamhaus.org,
    permit

check_client_fqdn.pcre:

/\.?(dhcp|dialup|dynamic|ppp|pool)\.?/ REJECT Dynamic addresses must use a real mailserver
/\.(dsl|\d+dsl|dsl\d+)\./ REJECT Dynamic DSL looking address
/([[:digit:]]{1,3}[.-]){3}[[:digit:]]{1,3}/ REJECT Too many numbers in HELO/EHLO

The first line would have caught that zombie, as would the third.

On 1-Sep-2009, at 14:30, Benny Pedersen wrote:
> who says this ip is dynamic, just because the hostname look like it is ?

Erm don't be naive. If they can't be bothered to have a better rDNS then I can't be bothered to get their spam.

--
I said pretend you've got no money, she just laughed and said, 'Eh you're so funny.' I said, 'Yeah? Well I can't see anyone else smiling in here.'
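The three check_client_fqdn.pcre rules from the message above, run against the client from the thread's log and a few constructed lookup strings (an added example, not code from any poster). Postfix looks up both the client hostname and the client IP address in a check_client_access table, so a bare address is included; `[[:digit:]]` is written `\d` for Python, and `TIGHTENED_RULE_1` is a hypothetical alternative, not something proposed in the thread.

```python
import re

# The three rules from check_client_fqdn.pcre in the post above.
# [[:digit:]] is written \d because Python's re has no POSIX classes;
# IGNORECASE mirrors the case-insensitive default of Postfix pcre tables.
POSTED_RULES = [
    (r"\.?(dhcp|dialup|dynamic|ppp|pool)\.?", "REJECT Dynamic addresses must use a real mailserver"),
    (r"\.(dsl|\d+dsl|dsl\d+)\.", "REJECT Dynamic DSL looking address"),
    (r"(\d{1,3}[.-]){3}\d{1,3}", "REJECT Too many numbers in HELO/EHLO"),
]

# Hypothetical tightening of rule 1 (an assumption, not from the thread): the
# keyword must start a label or follow '-', and be followed by '.', '-' or a digit.
TIGHTENED_RULE_1 = r"(^|[.-])(dhcp|dialup|dynamic|ppp|pool)([.-]|\d)"


def first_match(lookup, rules=POSTED_RULES):
    """Return (rule_number, action) for the first matching rule, else None.

    Postfix applies table patterns in order and stops at the first hit.
    """
    for number, (pattern, action) in enumerate(rules, start=1):
        if re.search(pattern, lookup, re.IGNORECASE):
            return number, action
    return None


def all_matches(lookup, rules=POSTED_RULES):
    """Return the numbers of every rule that would match the lookup string."""
    return [n for n, (p, _) in enumerate(rules, start=1)
            if re.search(p, lookup, re.IGNORECASE)]


# The first lookup string is the client from the log; the rest are constructed.
SAMPLES = [
    "ppp-124-122-30-5.revip2.asianet.co.th",  # from the thread's log line
    "host.dsl.example.net",                   # constructed
    "mail.example.com",                       # constructed
    "carpool.example.org",                    # constructed: 'pool' inside a word
    "192.0.2.25",                             # constructed: a bare client address
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} rules={all_matches(s)} first={first_match(s)}")
    tightened = [(TIGHTENED_RULE_1, "REJECT")] + POSTED_RULES[1:2]
    for s in (SAMPLES[0], SAMPLES[3]):
        print(f"{s:40} tightened={first_match(s, tightened)}")
```

Rule 1 has no anchors, so it fires on any hostname that merely contains one of the keywords, and rule 3 fires on any dotted IPv4 address string.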
Re: How to block spammers appearing as local users?
On 2-Sep-2009, at 05:00, Benny Pedersen wrote:
> On ons 02 sep 2009 03:28:20 CEST, Sahil Tandon wrote
>>>>> ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
>>>> Why are you accepting mail from an obvious DHCP address?
>>> who says this ip is dynamic, just because the hostname look like it is ?
>> Oh please; just use some common sense and basic heuristics.
>
> http://www.robtex.com/ip/124.122.30.5.html#blacklists
>
> rbl listed yes, but where is it dynamic ?
>
> i have seen enough static hostname on dynamic ip to not count on reverse ptr

It doesn't matter, does it? If they have a static IP on a ppp-###-###-### sort of PTR, then they can *STILL* piss off, and I will *STILL* consider them to be dynamic until the end of days.

--
Can I borrow your underpants for 10 minutes?
Re: How to block spammers appearing as local users?
On ons 02 sep 2009 18:07:27 CEST, LuKreme wrote

>> who says this ip is dynamic, just because the hostname look like it is ?
> Erm don't be naive. If they can't be bothered to have a better rDNS then I can't be bothered to get their spam.

who is naive now ?, i have seen dynamic ip with a static looking hostname, should you just accept it ?

--
xpoint
Re: How to block spammers appearing as local users?
On 2-Sep-2009, at 10:22, Benny Pedersen wrote:
> On ons 02 sep 2009 18:07:27 CEST, LuKreme wrote
>>> who says this ip is dynamic, just because the hostname look like it is ?
>> Erm don't be naive. If they can't be bothered to have a better rDNS then I can't be bothered to get their spam.
>
> who is naive now ?, i have seen dynamic ip with a static looking hostname, should you just accept it ?

If they have valid PTR and their rDNS checks out and they aren't in the zen list then chances are very good I will accept it.

--
Anybody who tells me what happens to me after I'm dead is either a liar or a fool because they DON'T KNOW --Stephen Fry
Re: How to block spammers appearing as local users?
On Wed, 2009-09-02 at 18:22 +0200, Benny Pedersen wrote:
> On ons 02 sep 2009 18:07:27 CEST, LuKreme wrote
>>> who says this ip is dynamic, just because the hostname look like it is ?
>> Erm don't be naive. If they can't be bothered to have a better rDNS then I can't be bothered to get their spam.
>
> who is naive now ?, i have seen dynamic ip with a static looking hostname, should you just accept it ?

1. ppp = point to point protocol? Tends to smell a bit of dsl/dialup
2. The IP is in the PBL because it is dynamic.

Forgive Benny, he is just a bit odd.

--
--- C Werclick .Lot Technical incompetent Loyal Order Of The Teapot.

This e-mail and its attachments is intended only to be used as an e-mail and an attachment. Any use of it for other purposes other than as an e-mail and an attachment will not be covered by any warranty that may or may not form part of this e-mail and attachment.
Re: How to block spammers appearing as local users?
On tir 01 sep 2009 02:20:26 CEST, LuKreme wrote

> On 31-Aug-2009, at 08:07, nunatarsuaq wrote:
>> Aug 30 11:46:28 ghost postfix/smtpd[26223]: connect from ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
> Why are you accepting mail from an obvious DHCP address?

who says this ip is dynamic, just because the hostname look like it is ?

it would have been wonderful if it was that easy

--
xpoint
Re: How to block spammers appearing as local users?
On Tue, 01 Sep 2009 22:30:48 +0200 Benny Pedersen m...@junc.org wrote:
> On tir 01 sep 2009 02:20:26 CEST, LuKreme wrote
>> On 31-Aug-2009, at 08:07, nunatarsuaq wrote:
>>> Aug 30 11:46:28 ghost postfix/smtpd[26223]: connect from ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
>> Why are you accepting mail from an obvious DHCP address?
>
> who says this ip is dynamic, just because the hostname look like it is ?
>
> it would have been wonderful if it was that easy

I can tell from looking at it that it's not only a dynamic IP address, but that the hostname was originally configured for dialup, but that's not to say that I would want to try to maintain a regex filter. That's what PBL is for:

http://www.spamhaus.org/pbl/index.lasso

All that's being said here is to use the standard tools first. Breaking protocol isn't clever. We have enough annoyances as mail administrators with the large operations that knowingly do aggravating things without providing tech support for those who try to be clever without the payroll to handle the problems they cause themselves. Do you honestly think that you're the first one to think of this 'solution' to this class of spam?

Chris
Re: How to block spammers appearing as local users?
Benny Pedersen wrote:
> On tir 01 sep 2009 02:20:26 CEST, LuKreme wrote
>> On 31-Aug-2009, at 08:07, nunatarsuaq wrote:
>>> Aug 30 11:46:28 ghost postfix/smtpd[26223]: connect from ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
>> Why are you accepting mail from an obvious DHCP address?
>
> who says this ip is dynamic, just because the hostname look like it is ?

it doesn't matter whether it's dynamic or not. if they want to send mail, they can find a better PTR. if you know about legitimate mail from *.revip2.asianet.co.th, please share.

> it would have been wonderful if it was that easy

in this particular case, it's easy.
Re: How to block spammers appearing as local users?
On Tue, 01 Sep 2009, Benny Pedersen wrote:
> On tir 01 sep 2009 02:20:26 CEST, LuKreme wrote
>> On 31-Aug-2009, at 08:07, nunatarsuaq wrote:
>>> Aug 30 11:46:28 ghost postfix/smtpd[26223]: connect from ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
>> Why are you accepting mail from an obvious DHCP address?
>
> who says this ip is dynamic, just because the hostname look like it is ?

Oh please; just use some common sense and basic heuristics.

--
Sahil Tandon sa...@tandon.net
Re: How to block spammers appearing as local users?
On Mon, 31 Aug 2009 16:07:03 +0200, nunatarsuaq nunatars...@gmail.com wrote:
> I'm getting spam messages appearing to be sent remotely from local users.

and smtpd_sender_login_maps is not a help ?

fight back with openspf.org

or google postfwd equal sender recipient

--
Benny Pedersen
Re: How to block spammers appearing as local users?
nunatarsuaq wrote:
> I'm getting spam messages appearing to be sent remotely from local users. Here's my log:
>
> Aug 30 11:46:28 ghost postfix/smtpd[26223]: connect from ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
> Aug 30 11:46:30 ghost postfix/smtpd[26223]: 42593163773: client=ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]
> Aug 30 11:46:31 ghost postfix/cleanup[26225]: 42593163773: message-id=20090830094630.42593163...@ghost.emg-systems.com
> Aug 30 11:46:31 ghost postfix/qmgr[21028]: 42593163773: from=mylocalu...@emg-systems.com, size=2438, nrcpt=1 (queue active)
> Aug 30 11:46:31 ghost amavis[25393]: (25393-11) ESMTP::10024 /var/spool/amavis/tmp/amavis-20090830T075552-25393: mylocalu...@emg-systems.com - mylocalu...@emg-systems.com SIZE=2438 Received: from ghost.emg-systems.com
> [... here checking by amavis and spam-tagging...]
> Aug 30 11:46:37 ghost postfix/cleanup[26225]: AC044163811: message-id=20090830094630.42593163...@ghost.emg-systems.com
> Aug 30 11:46:37 ghost postfix/qmgr[21028]: AC044163811: from=mylocalu...@emg-systems.com, size=3431, nrcpt=1 (queue active)
> Aug 30 11:46:37 ghost postfix/smtpd[26229]: disconnect from localhost[127.0.0.1]
> Aug 30 11:46:37 ghost amavis[25393]: (25393-11) FWD via SMTP: mylocalu...@emg-systems.com - mylocalu...@emg-systems.com, 250 2.6.0 Ok, id=25393-11, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AC044163811
> [...]
> Aug 30 11:46:38 ghost postfix/lmtp[26232]: AC044163811: to=mylocalu...@emg-systems.com, relay=ghost.emg-systems.com[/var/lib/imap/socket/lmtp], delay=0.43, delays=0.12/0.04/0.02/0.25, dsn=2.1.5, status=sent (250 2.1.5 Ok)
> Aug 30 11:46:38 ghost postfix/qmgr[21028]: AC044163811: removed
>
> How come my server accepts deliveries of this kind?

Instead of focusing on the sender, focus on the client. that client has no business sending mail to anyone.

try this

smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_rbl_client zen.spamhaus.org

[snip]
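A log check in the spirit of "focus on the client", added here as an example and not part of any poster's message: it pairs each queue ID's `client=` line with its `from=` line and reports local-domain senders that came from outside mynetworks without SASL. `LOCAL_DOMAINS`, `MYNETWORKS` and the sample log are assumptions constructed for the illustration; the sample uses the usual Postfix form with the sender in angle brackets.

```python
import ipaddress
import re

# Assumptions for this sketch (not taken from the thread): the local domain
# and the networks that would be listed in mynetworks.
LOCAL_DOMAINS = {"example.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample in Postfix syslog format; not the poster's log.
SAMPLE_LOG = """\
Aug 30 11:46:30 ghost postfix/smtpd[26223]: 1A2B3C4D5E: client=ppp-198-51-100-7.isp.example[198.51.100.7]
Aug 30 11:46:31 ghost postfix/qmgr[21028]: 1A2B3C4D5E: from=<alice@example.com>, size=2438, nrcpt=1 (queue active)
Aug 30 11:46:37 ghost postfix/smtpd[26229]: 2B3C4D5E6F: client=localhost[127.0.0.1]
Aug 30 11:46:37 ghost postfix/qmgr[21028]: 2B3C4D5E6F: from=<alice@example.com>, size=3431, nrcpt=1 (queue active)
Aug 30 12:01:02 ghost postfix/smtpd[26301]: 3C4D5E6F70: client=laptop.isp.example[203.0.113.9], sasl_method=PLAIN, sasl_username=bob
Aug 30 12:01:03 ghost postfix/qmgr[21028]: 3C4D5E6F70: from=<bob@example.com>, size=812, nrcpt=1 (queue active)
Aug 30 12:05:10 ghost postfix/smtpd[26310]: 4D5E6F7081: client=mx.partner.example[192.0.2.44]
Aug 30 12:05:11 ghost postfix/qmgr[21028]: 4D5E6F7081: from=<carol@partner.example>, size=990, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+?)\[([0-9a-fA-F.:]+)\](.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def forged_local_senders(log_text):
    """Return (queue_id, client, sender) for local-domain envelope senders that
    arrived from outside mynetworks without SASL authentication."""
    clients, findings = {}, []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, host, ip, rest = m.groups()
            trusted = any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)
            # Re-injection from the content filter on localhost counts as trusted.
            clients[qid] = (f"{host}[{ip}]", trusted or "sasl_username=" in rest)
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in clients:
            client, allowed = clients[m.group(1)]
            domain = m.group(2).rpartition("@")[2].lower()
            if domain in LOCAL_DOMAINS and not allowed:
                findings.append((m.group(1), client, m.group(2)))
    return findings


if __name__ == "__main__":
    for finding in forged_local_senders(SAMPLE_LOG):
        print(finding)
```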
Re: How to block spammers appearing as local users?
On 31-Aug-2009, at 08:07, nunatarsuaq wrote:
> Aug 30 11:46:28 ghost postfix/smtpd[26223]: connect from ppp-124-122-30-5.revip2.asianet.co.th[124.122.30.5]

Why are you accepting mail from an obvious DHCP address?

--
and I lift my glass to the Awful Truth / which you can't reveal to the Ears of Youth / except to say it isn't worth a dime