Matus UHLAR - fantomas wrote:
... and I thought I explained it in the sentence before. Since DNS lookup is
not made by MTA and SA expects it to be, the case where the RDNS is not in Received:
is taken as there is not rdns. Since there is verison's HELO but not RDNS,
it's
Matus UHLAR - fantomas wrote:
[snip]
IIRC there was already case provided when MTA didn't dns lookup so it was
made to be done via SA (and afaik SA did it before). If my memory is
correct, this would be just another case
(sorry, no time to search archives/bugs/google by now)
yes, it is
Hi All,
My server CentOS 4, Sendmail, MailScanner (SA ClamAV) is being buried by
spoofed emails that are bounced back to my domain by the recipient's
servers. Virtually all these emails are being sent from a zombie at a single
IP.
i.e.: All the messages contain the following line somewhere
In postfix I have /etc/postfix/header_checks
/x.x.x.x/ DROP
I'm sure sendmail has something similar?
thadcoco wrote:
Hi All,
My server CentOS 4, Sendmail, MailScanner (SA ClamAV) is being buried by
spoofed emails that are bounced back to my domain by the recipient's
servers. Virtually
On Sun, 29 Jun 2008 07:07:58 -0700 (PDT), thadcoco
[EMAIL PROTECTED] wrote:
Hi All,
My server CentOS 4, Sendmail, MailScanner (SA ClamAV) is being buried by
spoofed emails that are bounced back to my domain by the recipient's
servers. Virtually all these emails are being sent from a zombie at
On Sun, 29 Jun 2008 07:07:58 -0700 (PDT), thadcoco
[EMAIL PROTECTED] wrote:
Can you not block them at your router or firewall? Then
they are not taking up threads either. It's how I deal
with heavy hitters.
Nigel
I understood that the d04m-89-83-98-193.d4.club-internet.fr was the
--On Sunday, June 29, 2008 7:07 AM -0700 thadcoco [EMAIL PROTECTED]
wrote:
i.e.: All the messages contain the following line somewhere within:
Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
I can't figure out how to mark any messages that originally sourced from
Hello,
on our private mail server we now have quite some forwards from freemail
providers like yahoo, gmx and such. This wasn't a big problem previously
but there is quite some spam arriving now over those forwards that isn't
tagged as such (mainly I think because RBLs can't strike on
Nigel Frankcom-2 wrote:
Can you not block them at your router or firewall? Then they are not
taking up threads either. It's how I deal with heavy hitters.
Nigel
No, I wish I could, but these bounced emails are not coming To Me from a
single IP. It goes like this:
1. Some doofus'
Hi!
i.e.: All the messages contain the following line somewhere within:
Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
I can't figure out how to mark any messages that originally sourced from
that IP so that that can be dropped by Procmail (that approach would appear
to
Joseph Brennan wrote:
Why not just tell procmail to drop them?
:0
* ^Received: .* 89.83.98.193
/dev/null
Joseph Brennan
Columbia University Information Technology
I just tried, but it doesn't work either. Recall that the nasty IP is
wrapped as part of an attachment. I need to
Matus UHLAR - fantomas wrote:
IIRC there was already case provided when MTA didn't dns lookup so it was
made to be done via SA (and afaik SA did it before). If my memory is
correct, this would be just another case
(sorry, no time to search archives/bugs/google by now)
On 29.06.08 16:04, mouss
Raymond Dijkxhoorn wrote:
Hi!
And exactly why don't you block those on your MTA? Bit waste on CPU cycles
like this... first process then, and then trash it anyway.
Bye,
Raymond.
Well, mostly because I don't have any idea how to do so at the MTA level and
also I would think it would
Hi!
And exactly why don't you block those on your MTA? Bit waste on CPU cycles
like this... first process then, and then trash it anyway.
Well, mostly because I don't have any idea how to do so at the MTA level
and also I would think it would be harder to add other offending IPs in
the
thadcoco wrote:
Hi All,
My server CentOS 4, Sendmail, MailScanner (SA ClamAV) is being buried by
spoofed emails that are bounced back to my domain by the recipient's
servers. Virtually all these emails are being sent from a zombie at a single
IP.
i.e.: All the messages contain the following
On Sun, 2008-06-29 at 10:55 -0700, thadcoco wrote:
While if I can make this work at the procmail level, I would think it would
be better to use SA, because rules can be tested more easily using --lint.
Thoughts?
Where you do it depends on what tool chain you're using. Since you want
to
On Sun, 2008-06-29 at 20:44 +0200, Raymond Dijkxhoorn wrote:
And exactly why don't you block those on your MTA? Bit waste on CPU cycles
like this... first process then, and then trash it anyway.
Well, mostly because I don't have any idea how to do so at the MTA level
and also I would
Hi!
You can even drop the IP with a route command.
Do: route add -host ip reject
Not if the IP address you want to block is several MTA relay hops
removed from you.
Ok. I think i missed that ;)
Bye,
Raymond.
decoder wrote:
Hello,
on our private mail server we now have quite some forwards from
freemail providers like yahoo, gmx and such. This wasn't a big problem
previously but there is quite some spam arriving now over those
forwards that isn't tagged as such (mainly I think because RBLs can't
Matt Kettler wrote:
Nearly all positive-score RBLs will check all untrusted hosts in
Received: headers, except the DUL RBLs and XBL which only check the
first untrusted because they are designed to be used in that manner.
ie: SBL will be tested against *ALL* untrusted hosts, including the IP
decoder wrote:
Matt Kettler wrote:
Nearly all positive-score RBLs will check all untrusted hosts in
Received: headers, except the DUL RBLs and XBL which only check the
first untrusted because they are designed to be used in that manner.
ie: SBL will be tested against *ALL* untrusted hosts,
John Hardin wrote:
Another alternative if you're using sendmail is to use milter-regex to
look for that IP in a Received: header and reject the message with a 550
at SMTP time.
--
That would certainly appear to be the best solution so far. However, I can't
get milter-regex to make on
body TEMP_BLOCKADE /Received: from d04m-89-83-98-193\.d4\.club-internet\.fr \(\[89\.83\.98\.193\]\)/
describe TEMP_BLOCKADE Temporary blockade of club-internet.fr joe job
score TEMP_BLOCKADE 15
This might be enough to be unambiguous.
body TEMP_BLOCKADE /Received: from