Re: [spamdyke-users] spamdyke configuration finetuneing

[Ulrich C. Manns]

Just add your domain to the senders blacklist with a . as wildchard. Example: 
u...@spam.com -> .spam.com

Your Users should use authentification. So they can send e-mail through 
spamdyke.

Regards,
Ulrich

Am 15.12.2009 um 21:54 schrieb Magnus Ringdahl:

> Hi.
> I have been using spamdyke for quite some time now, and it reduces my
> spammails alot.
> But it have a hell of a problem with spammers (often viagra) the spoof
> the localdomains.
> I often get spammails where the sending address is the same as my
> receiving address.
> And i dint know how to block them.
> 
> I have pasted my configurationfiles so you coould see if there is some
> issues. Using Debian and Plesk 9.2.
> 
> spamdyke.conf
> ------------------------------------
> log-level=verbose
> filter-level=normal
> local-domains-file=/var/qmail/control/rcpthosts
> max-recipients=20
> idle-timeout-secs=60
> graylist-level=only
> graylist-dir=/var/qmail/spamdyke/greylist
> graylist-min-secs=300
> graylist-max-secs=1814400
> 
> sender-whitelist-file=/var/qmail/spamdyke/whitelisted_senders
> rdns-whitelist-file=/var/qmail/spamdyke/whitelisted_rdns
> ip-whitelist-file=/var/qmail/spamdyke/whitelisted_ip
> 
> sender-blacklist-file=/var/qmail/spamdyke/blacklisted_senders
> recipient-blacklist-file=/var/qmail/spamdyke/blacklisted_recipients
> ip-blacklist-file=/var/qmail/spamdyke/blacklisted_ip
> dns-blacklist-entry=zen.spamhaus.org
> 
> reject-empty-rdns
> reject-unresolvable-rdns
> greeting-delay-secs=5
> reject-missing-sender-mx
> 
> policy-url=http://www.your-domain-here.com/spam_policy
> --------------------------------------------------------------------
> 
> smtp_psa
> --------------------------------------------------
> service smtp
> {
>        socket_type     = stream
>        protocol        = tcp
>        wait            = no
>        disable         = no
>        user            = root
>        instances       = UNLIMITED
>        env             = SMTPAUTH=1
>        server          = /var/qmail/bin/tcp-env
>        server_args     = -Rt0 /usr/local/bin/spamdyke -f
> /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
> /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
> /var/qmail/bin/true
> }
> ---------------------------------------------------------
> 
> The whitelisted_ip file contains the mailservers ip-addresses.
> The blacklisted_senders file contains the localdomains (@domain.tld).
> The blacklisted_words contains alot of words like .t-dialin.net,
> .t-ipconnect.de, .in-addr.arpa, .dhcp, .net, in-addr.arpa, dhcp,
> dynamic, and so on.
> 
> I understand the spamdyke filters that they work something like this. If
> the sending server is listed in whitelisted_ip the mail passes the
> filter. If its not listed in whitelisted_ip it then checks the
> blabklisted_senders if the sending address is listed it drops the mail.
> Is that correct?
> 
> Here is a sample of the mail.log of a spammail that in my opinion should
> have been dropped but passes all filters.
> 
> Dec 15 17:52:55 web01 spamdyke[24928]: TLS_ENCRYPTED from: (unknown) to:
> (unknown) origin_ip: 80.179.197.221 origin_rdns:
> 80.179.197.221.cable.012.net.il auth: (unknown)
> Dec 15 17:52:56 web01 qmail-queue-handlers[24946]: Handlers Filter
> before-queue for qmail started ...
> Dec 15 17:52:56 web01 qmail-queue-handlers[24946]:
> from=vioirecyf8...@012.net.il
> Dec 15 17:52:56 web01 qmail-queue-handlers[24946]: to=i...@domain.tld
> Dec 15 17:52:56 web01 spf filter[24947]: Starting spf filter...
> Dec 15 17:52:56 web01 spf filter[24947]: SPF result: neutral
> Dec 15 17:52:56 web01 spf filter[24947]: SPF status: PASS
> Dec 15 17:52:56 web01 qmail: 1260895976.491935 new msg 4252544
> Dec 15 17:52:56 web01 qmail: 1260895976.491935 info msg 4252544: bytes
> 2246 from <vioirecyf8...@012.net.il> qp 24948 uid 2020
> Dec 15 17:52:56 web01 qmail-local-handlers[24949]: Handlers Filter
> before-local for qmail started ...
> Dec 15 17:52:56 web01 qmail-local-handlers[24949]:
> from=vioirecyf8...@012.net.il
> Dec 15 17:52:56 web01 qmail-local-handlers[24949]: to=i...@domain.tld
> Dec 15 17:52:56 web01 qmail-local-handlers[24949]: mailbox:
> /var/qmail/mailnames/domain.tld/info
> Dec 15 17:52:56 web01 qmail: 1260895976.515935 starting delivery 2744:
> msg 4252544 to local 9-i...@domain.tld
> Dec 15 17:52:56 web01 qmail: 1260895976.515935 status: local 1/10 remote
> 0/20
> Dec 15 17:52:56 web01 qmail: 1260895976.523935 delivery 2744: success:
> did_0+0+2/
> Dec 15 17:52:56 web01 qmail: 1260895976.523935 status: local 0/10 remote
> 0/20
> Dec 15 17:52:56 web01 qmail: 1260895976.523935 end msg 4252544
> 
> Dec 15 21:22:57 web01 /var/qmail/bin/relaylock[6350]:
> /var/qmail/bin/relaylock: mail from 125.25.15.31:52521
> (125.25.15.31.adsl.dynamic.totbb.net)
> Dec 15 21:22:59 web01 spamdyke[6349]: TLS_ENCRYPTED from: (unknown) to:
> (unknown) origin_ip: 125.25.15.31 origin_rdns:
> 125.25.15.31.adsl.dynamic.totbb.net auth: (unknown)
> Dec 15 21:23:01 web01 qmail-queue-handlers[6354]: Handlers Filter
> before-queue for qmail started ...
> Dec 15 21:23:02 web01 qmail-queue-handlers[6354]: from=kundtja...@domain.tld
> Dec 15 21:23:02 web01 qmail-queue-handlers[6354]: to=kundtja...@domain.tld
> Dec 15 21:23:02 web01 spf filter[6355]: Starting spf filter...
> Dec 15 21:23:02 web01 spf filter[6355]: Error code: (2) Could not find a
> valid SPF record
> Dec 15 21:23:02 web01 spf filter[6355]: Failed to query MAIL-FROM: No
> DNS data for 'domain.tld'.
> Dec 15 21:23:02 web01 spf filter[6355]: SPF result: none
> Dec 15 21:23:02 web01 spf filter[6355]: SPF status: PASS
> Dec 15 21:23:02 web01 qmail-queue[6356]: scan: the
> message(drweb.tmp.Wu6OR3) sent by kundtja...@domain.tld to
> kundtja...@domain.tld is passed
> Dec 15 21:23:02 web01 qmail: 1260908582.819935 new msg 4253887
> Dec 15 21:23:02 web01 qmail: 1260908582.819935 info msg 4253887: bytes
> 2469 from <kundtja...@domain.tld> qp 6357 uid 2020
> Dec 15 21:23:02 web01 qmail-local-handlers[6358]: Handlers Filter
> before-local for qmail started ...
> Dec 15 21:23:02 web01 qmail-local-handlers[6358]: from=kundtja...@domain.tld
> Dec 15 21:23:02 web01 qmail-local-handlers[6358]: to=kundtja...@domain.tld
> Dec 15 21:23:02 web01 qmail-local-handlers[6358]: mailbox:
> /var/qmail/mailnames/domain.tld/kundtjanst
> Dec 15 21:23:02 web01 qmail: 1260908582.855935 starting delivery 2998:
> msg 4253887 to local 98-kundtja...@domain.tld
> Dec 15 21:23:02 web01 qmail: 1260908582.855935 status: local 1/10 remote
> 0/20
> Dec 15 21:23:02 web01 qmail: 1260908582.859935 delivery 2998: success:
> did_0+0+2/
> Dec 15 21:23:02 web01 qmail: 1260908582.859935 status: local 0/10 remote
> 0/20
> Dec 15 21:23:02 web01 qmail: 1260908582.859935 end msg 4253887
> 
> How can i check that smtp_auth is working? Im starting to wonder that
> it's not.
> I hope someone have the time to answer. I have been struggling with this
> for a long time withput getting rid of those annoying mails.
> 
> Kind Regards
> M
> 
> 
> Eduard Svarc skrev:
>> 
>> Hello,
>> 
>> these keywords .net and .com are used just for testing if IP is in
>> reverse DNS listed. Is not done against normal reverse DNS records for
>> servers like mail.somedomain.net. So in combination with keyword
>> reject-ip-in-cc-rdns and .net in file
>> /etc/spamdyke/ip-in-rdns-keyword-blacklist-file it will reject mail
>> from 242-29-179-94.pool.ukrtel.net because that sender will be
>> positively tested as not valid reverse DNS.
>> 
>> use just net without that '.' is not suficient because SPAMDYKE use
>> this '.' as flag for testing end of string only. So listing .com and
>> .net does magic for SPAMDYKE when it testing IP in reverse DNS for
>> country code DNS, like .it,, .uk etc it does same for .com and .net.
>> Personally I did add into that file other ones special domains like
>> .eu, .org, .info, .biz. These should not be used by ISP providers for
>> assigning reverse names, but who knows. Anyway it doesn't hurt my
>> configuration and I'm preparded.
>> 
>> Eduard Švarc
>> 
>> DATA Intertech s.r.o.
>> Kladenská 46
>> 160 00 Praha 6
>> Czech Republic
>> tel. +420-235365267, fax +420-235361446
>> 
>> spamdyke-users-boun...@spamdyke.org wrote on 14.12.2009 09:55:45:
>> 
>>> thanks Eduard Švarc
>>> 
>>> Same query as david stiller raised, .com, .net are valid domain right?
>>> 
>>> also
>>> 
>>> @400000004b25fa572bd181a4 CHKUSER accepted rcpt: from <fx...@bmelaw.
>>> com::> remote <microsof-7b1919:unknown:94.179.29.242> rcpt
>>> <validdomainu...@mydomain.com> : found existing recipient
>>> @400000004b25fa572bd2316c spamdyke[27021]: ALLOWED from:
>>> fx...@bmelaw.com to: validdomainu...@mydomain.com origin_ip: 94.179.
>>> 29.242 origin_rdns: 242-29-179-94.pool.ukrtel.net auth: (unknown)
>>> 
>>> the above ip is listed in rbl ,
>>> 
>>> IP Address Lookup
>> 
>>> 
>>> [image removed]
>>> 
>>> 94.179.29.242 is not listed in the SBL
>>> 94.179.29.242 is listed in the PBL, in the following records:
>>> PBL239543
>>> 94.179.29.242 is not listed in the XBL
>>> 
>>> 
>>> 
>> 
>>> 
>>> this doesnt look like false positive
>>> 
>>> From: Eduard Svarc <esv...@intertech.cz>
>>> To: spamdyke users <spamdyke-users@spamdyke.org>
>>> Sent: Mon, December 14, 2009 12:48:07 PM
>>> Subject: Re: [spamdyke-users] spamdyke configuration finetuneing
>>> 
>>> 
>>> Hello,
>>> 
>>> I see you have two things out. 1st you using RBLS, that could give
>>> you a lot positive false spam. 2nd you completely have commented out
>>> best thing in SPAMDYKE. Is sniffing IPs in reverse DNS. Most of bots
>>> and spams comming from Internet zombies. Here are my advices:
>>> 
>>> 1 - comment out dns-blacklist-entry=zen.spamhaus.org
>>> 2 - uncoment reject-empty-rdns, reject-ip-in-cc-rdns, reject-
>>> missing-sender-mx and reject-unresolvable-rdns
>>> 3- into /etc/spamdyke/blacklist_recipients add your domain in format
>>> @your-domain (it will block all mails like to: n...@your-domain from:
>>> n...@your-domain)
>>> 4- into /etc/spamdyke/ip-in-rdns-keyword-blacklist-file put these
>> words :
>>> 
>>> dsl
>>> .com
>>> .net
>>> broadband
>>> dynamic
>>> 
>>> I could guarantee you will fall bellow 1% of SPAM with nearly zero
>>> false positives. Of course someone who can't follow certain
>>> guidelines for theirs servers will not be able to send you e-mails
>>> at all. But you can easily handle it by adding IP's in
>>> /etc/spamdyke/whitelist_ip or adding senders into
>>> /etc/spamdyke/whitelist_senders
>>> 
>>> I stop using any RBLS services ages ago, they are way unreliable.
>>> 
>>> Good luck,
>>> Eduard Švarc
>>> 
>>> DATA Intertech s.r.o.
>>> Kladenská 46
>>> 160 00 Praha 6
>>> Czech Republic
>>> tel. +420-235365267, fax +420-235361446
>>> 
>>> spamdyke-users-boun...@spamdyke.org wrote on 14.12.2009 07:24:03:
>>> 
>>> New Windows 7: Find the right PC for you. Learn more.
>>> _______________________________________________
>>> spamdyke-users mailing list
>>> spamdyke-users@spamdyke.org
>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>> ------------------------------------------------------------------------
>> 
>> _______________________________________________
>> spamdyke-users mailing list
>> spamdyke-users@spamdyke.org
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>> 
> 
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users