Dear David,

> I'm just trying to understand why you got ALLOWED status for that
> spammer and I think that comes from the scenario with that
> inter-server, I think that's why the RDNS resolves don't fail, right?

For receiving Internet e-mails via SMTP my special scenario with the SMTP perimeter server for incoming Internet e-mails doesn't matter. The perimeter server just does connection filtering via SPAMDYKE and then relays the message to our main mail server running Lotus Domino. SPAMDYKE runs only on the Linux qmail server.

I will explain the reason why spammers who use a sender and recipient with the same address won't be stopped, and I will explain the solution for it. In my case the origin RDNS is correct, so SPAMDYKE wouldn't intercept it in any case. I know this mail is SPAM because I'm human; I know that sender and recipient can't be the same when the origin IP is not the mail server where the domain @example.com is defined. But SPAMDYKE has no option to block it by default.

I had a lot of messages like you mention and I stopped them by adding @example.com into sender-blacklist-file. That way I solved all SPAM where sender and recipient were the same. I have the domains @intertech.cz and @dantin.cz. I was getting a lot of e-mails like From: [email protected] To: [email protected] coming from IPs which have regular RDNS, and these messages were not denied by SPAMDYKE no matter what I did, until I simply put these two domains in sender-blacklist-file.

I just tried to explain to Ulrich that it will not stop regular e-mails from @intertech.cz or @dantin.cz from users of my domains sending their mail to the Internet, because if they send e-mail they do it via an authorized SMTP connection, and in that case SPAMDYKE doesn't do any check against the blacklist files. Also Ulrich said he hosts many virtual domains, so adding all these domains to the blacklist file could lead to a lot of work. He is asking for an option to deny any e-mail (where sender and recipient are the same) to any domain.
Just check once more these log lines:

May 6 06:53:05 fw spamdyke[23725]: ALLOWED from: [email protected] to:[email protected] origin_ip: 82.144.185.107 origin_rdns: adsl-185-107.globonet.hu auth: (unknown)
May 6 06:19:47 fw spamdyke[23487]: ALLOWED from: @intertech.cz to: @intertech.cz origin_ip: 124.109.52.214 origin_rdns: mbl-109-52-214.dsl.net.pk auth: (unknown)
May 6 07:29:49 fw spamdyke[24011]: ALLOWED from: [email protected] to: [email protected] origin_ip: 88.100.218.39 origin_rdns: 39.218.broadband5.iol.cz auth: (unknown)

As you see, the IP is resolved into a regular RDNS and the IP address in the RDNS doesn't contain the complete IP. The RDNS check will not recognize it as wrong. The result is ALLOWED. At the start it was DENIED_GRAYLISTED, but it became ALLOWED because new zombies send e-mail more than once, after 15 or 30 minutes, with the same sender and recipient, so it goes through graylisting.

In sum, adding my domains into sender-blacklist-file solved that problem forever. Even messages passing through the RDNS check will be stopped with DENIED_SENDER_BLACKLISTED, and that's correct.

Cheers
Eduard

David Stiller <[email protected]> wrote on 07.05.2009 16:42:43:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yes, I saw that and searched my servers for something similar. I
> found several of these:
>
> DENIED_RDNS_RESOLVE
> from: [email protected]
> to: [email protected]
> origin_ip: 189.120.10.40
> origin_rdns: bd780a28.virtua.com.br
> auth: (unknown)
>
> I'm just trying to understand why you got ALLOWED status for that
> spammer and I think that comes from the scenario with that
> inter-server, I think that's why the RDNS resolves don't fail, right?
>
> I didn't want to say one of you and Ulrich were wrong, no, not in any way.
> I just wanted to learn. :)
>
>
> Eduard Svarc wrote:
> >
> > Hi David,
> >
> >> isn't it a quite usual method to send mails to yourself, to keep a copy
> >> or something? If you really want to do this, check also if the sending
> >
> > I think it is not usual. Why would someone send from their own mailbox to the
> > same mailbox the same mail which they already have in their inbox? Yes, I do
> > send e-mails to myself, but with a different sender address, usually from
> > another e-mail to my main e-mail address. Even in this case sender and
> > recipient aren't the same. With 99.9% probability, when sender and recipient
> > are the same then it is SPAM. And I did say we have a perimeter SMTP inbound
> > relay, so only e-mails from foreign servers are received by that server.
> > In this case it is always SPAM, because a sender from a foreign server can't
> > have the same e-mail as our local user.
> >
> > In the rare case that a user from our server sends e-mail directly to self,
> > it will never hit the SPAMDYKE check because it will be local delivery.
> > The SMTP where SPAMDYKE intercepts messages is only for inter-server mail
> > transfer (i.e. it is responsible for handling inter-domain mails). Internal
> > mails are handled by the server without using the SMTP where SPAMDYKE does its check.
> >
> > In your scenario I guess there can't be a case when it would hit the SPAMDYKE
> > check. I believe you don't allow open SMTP relay from client computers
> > (making an open relay). You always want user authentication from e-mail
> > clients using your mail server. In that case, when the SMTP transfer is
> > authorized, SPAMDYKE doesn't do any check.
> >
> > Cheers
> > Eduard
> >
> > [email protected] wrote on 07.05.2009 11:11:44:
> >
> >> Yes, but in this case I am authenticated.
> >>
> >> From: David Stiller <[email protected]>
> >> Reply to: spamdyke users <[email protected]>
> >> Date: Thu, 7 May 2009 11:03:49 +0200
> >> To: spamdyke users <[email protected]>
> >> Subject: Re: [spamdyke-users] Possibility to blacklist messages where
> >> sender and recipient are exactly same
> >>
> > Ulrich C. Manns wrote:
> >> @Sam Clippinger
> >
> >> Hi Sam,
> >
> >> my wishes:
> >
> >> 1. A new parameter to reject emails if sender=recipient (because
> >> we're hosting many domains and Eduard's method won't work for us)
> >
> > Hi Ulrich,
> >
> > isn't it a quite usual method to send mails to yourself, to keep a copy
> > or something? If you really want to do this, check also if the sending
> > MX is not a local domain; regarding this I would think that spamdyke
> > might deny such a mail anyway with the reverse DNS lookup checks.
> >
> >> 2. SPF .... (DENIED_SPF)
> >> 3. MySQL extension from haggybear.de
> >
> >
> >> Regards,
> >> Ulrich
> >
> >> ------------------------------------------------------------------------
> >> *From: *Eduard Svarc <[email protected]>
> >> *Reply to: *<[email protected]>, spamdyke users
> >> <[email protected]>
> >> *Date: *Wed, 6 May 2009 10:29:11 +0200
> >> *To: *spamdyke users <[email protected]>
> >> *Subject: *Re: [spamdyke-users] Possibility to blacklist messages where
> >> sender and recipient are exactly same
> >
> >
> >> Hi Ulrich,
> >
> >> thanks for the idea, and it works. I did add into
> >> /etc/spamdyke.d/sender-blacklist-file all our local domains in the form:
> >
> >> @intertech.cz
> >
> >> and now SPAMDYKE works as I expect:
> >
> >> May 6 10:23:29 fw spamdyke[27819]: DENIED_SENDER_BLACKLISTED from:
> >> [email protected] to: [email protected] origin_ip: 89.189.3.74
> >> origin_rdns: lissant.kis.ru auth: (unknown)
> >
> >> Heureka! I hope it will help someone else than me. But it is perfectly
> >> what I expect to happen.
> >
> >> Eduard
> >
> >> [email protected] wrote on 06.05.2009 09:51:17:
> >
> >
> >>> Dear Ulrich,
> >
> >>> I guess it couldn't be denied by DENIED_IP_IN_RDNS because
> >> s0106000625a2b407
> >>> is not a hexadecimal representation of an IP address. I may have picked a wrong
> >>> example; there are partially regular reverse DNS too where sender and
> >>> recipient are the same, like:
> >
> >>> May 6 09:35:03 fw spamdyke[27053]: ALLOWED from: @domain.cz to:
> >>> @domain.cz origin_ip: 95.48.168.162 origin_rdns: jum162.internetdsl.
> >>> tpnet.pl auth: (unknown)
> >
> >>> Thanks to your answer to another thread I got an idea how to block
> >>> these messages. I could put our domain in sender-blacklist-file and
> >>> it will definitely stop all messages containing SPAM with a fake
> >>> sender from our domain. Users use another mail server for outgoing
> >>> mail, and that mail will never reach the perimeter SMTP server where
> >>> SPAMDYKE runs.
> >
> >>> Thank you!
> >>> Eduard
> >
> >>> "Ulrich C. Manns" <[email protected]> wrote on 06.05.2009
> >> 08:59:15:
> >
> >>> > I think this should be a new parameter in the config for the next
> >> version?
> >>> >
> >>> > But this should be rejected with DENIED_IP_IN_RDNS with .net in
> >> the file
> >>> > ip-in-rdns-keyword-blacklist-file?
> >>> >
> >>> > From: Eduard Svarc <[email protected]>
> >>> > Reply to: <[email protected]>, spamdyke users <spamdyke-
> >>> > [email protected]>
> >>> > Date: Wed, 6 May 2009 08:32:10 +0200
> >>> > To: spamdyke users <[email protected]>
> >>> > Subject: [spamdyke-users] Possibility to blacklist messages where
> >>> > sender and recipient are exactly same
> >>> >
> >>> >
> >>> > Dears,
> >>> >
> >>> > I'm looking for the right place where I could reject messages containing
> >>> > with 100% probability SPAM. These messages I could easily identify
> >>> > as SPAM because sender and recipient are exactly the same. My server is
> >>> > a perimeter SMTP relay only. In this case it is simply not possible that
> >>> > it could deliver this kind of messages. In case a user of a local
> >>> > domain accidentally sends a message to self, it would be handled by the
> >>> > main mail server, not by the perimeter SMTP server.
> >>> >
> >>> > I would like simply to DENY all messages like these:
> >>> >
> >>> > May 6 06:57:48 fw spamdyke[23773]: ALLOWED from: [email protected] to:
> >>> > [email protected] origin_ip: 24.84.53.252 origin_rdns:
> >>> > s0106000625a2b407.vc.shawcable.net auth: (unknown)
> >>> >
> >>> > TIA
> >>> > Eduard
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkoC82IACgkQWFnhIgg1RRrHmwCggui9Ck5ygIPd7O2I0voTzy1/
> LG0AoIxGHYDNP4NLBLfANU2mqDHZ8QnS
> =ckLu
> -----END PGP SIGNATURE-----
_______________________________________________ spamdyke-users mailing list [email protected] http://www.spamdyke.org/mailman/listinfo/spamdyke-users
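The two checks the thread converges on, as an added example that is not part of the mailing-list thread and not spamdyke's own code: a small Python script that parses spamdyke log lines of the format quoted above and reports (a) which senders the `@domain` entries in sender-blacklist-file would have caught, and (b) which unauthenticated sessions have sender equal to recipient, the rule Ulrich asked for as a new parameter. The sample log is constructed (placeholder local parts, an invented authenticated session; the domains, IPs and rDNS names follow the thread's examples). The matching semantics of sender-blacklist-file (`@domain` matches every sender in that domain, anything else matches a full address) and the rule that authenticated sessions skip the blacklist checks are assumptions taken from the thread's description, not from spamdyke's source.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the spamdyke log format quoted in the
# thread. Local parts are placeholders; the last line is an invented
# authenticated session to show the auth exemption.
SAMPLE_LOG = """\
May 6 06:53:05 fw spamdyke[23725]: ALLOWED from: someone@intertech.cz to: someone@intertech.cz origin_ip: 82.144.185.107 origin_rdns: adsl-185-107.globonet.hu auth: (unknown)
May 6 06:19:47 fw spamdyke[23487]: ALLOWED from: @intertech.cz to: @intertech.cz origin_ip: 124.109.52.214 origin_rdns: mbl-109-52-214.dsl.net.pk auth: (unknown)
May 6 07:10:00 fw spamdyke[24000]: ALLOWED from: partner@example.org to: someone@dantin.cz origin_ip: 203.0.113.5 origin_rdns: mx1.example.org auth: (unknown)
May 6 07:12:00 fw spamdyke[24001]: ALLOWED from: someone@intertech.cz to: someone@intertech.cz origin_ip: 198.51.100.7 origin_rdns: laptop.example.net auth: someone
"""

# The entries Eduard reports adding to /etc/spamdyke.d/sender-blacklist-file.
LOCAL_DOMAIN_BLACKLIST = ["@intertech.cz", "@dantin.cz"]

# One regex for the "from/to/origin_ip/origin_rdns/auth" line layout seen in the thread.
LOG_RE = re.compile(
    r"spamdyke\[(?P<pid>\d+)\]: (?P<result>\S+) "
    r"from: (?P<sender>\S+) to: (?P<recipient>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+)"
)


@dataclass
class LogEntry:
    result: str
    sender: str
    recipient: str
    origin_ip: str
    origin_rdns: str
    auth: str


def parse_log(text: str) -> List[LogEntry]:
    """Parse every spamdyke line in `text`; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append(LogEntry(m["result"], m["sender"], m["recipient"],
                                    m["ip"], m["rdns"], m["auth"]))
    return entries


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; handles the bare '@domain' form in the logs."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_blacklisted(sender: str, blacklist: List[str]) -> bool:
    """Assumed sender-blacklist-file semantics: '@domain' matches any sender in that
    domain (including a bare '@domain' sender); any other entry matches the full address."""
    s = sender.lower()
    for entry in blacklist:
        e = entry.strip().lower()
        if not e:
            continue
        if e.startswith("@"):
            if domain_of(s) == e[1:]:
                return True
        elif s == e:
            return True
    return False


def classify(entry: LogEntry, blacklist: List[str]) -> Optional[str]:
    """Return the reason this session would be rejected, or None if it passes."""
    if entry.auth != "(unknown)":
        return None  # authenticated session: per the thread, no blacklist checks apply
    if sender_blacklisted(entry.sender, blacklist):
        return "DENIED_SENDER_BLACKLISTED"
    if entry.sender.lower() == entry.recipient.lower():
        # Ulrich's proposed rule; this label is ours, not a spamdyke status.
        return "SENDER_EQUALS_RECIPIENT"
    return None


def audit(text: str, blacklist: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(sender, recipient, reason) for every parsed line, so the effect of a
    blacklist can be compared against the same log without it."""
    return [(e.sender, e.recipient, classify(e, blacklist)) for e in parse_log(text)]


if __name__ == "__main__":
    for sender, recipient, reason in audit(SAMPLE_LOG, LOCAL_DOMAIN_BLACKLIST):
        print(f"{sender:>22} -> {recipient:<22} {reason or 'passes'}")
```

Running the audit once with the domain blacklist and once with an empty list shows the trade-off discussed in the thread: the `@domain` entries catch the forged self-addressed mail from foreign IPs, while the sender=recipient rule catches the same lines without having to list every hosted domain; the authenticated self-addressed session is untouched by both.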
