Daniel Lorch wrote:
>
> hi,
>
> | If you don't have enough capacity to do the 5xx errors on the main
> | mail servers then setup another (small) machine and redirect (instead
> | of blocking) all connections to that box and let it emit 5xx errors.
> | That can be a very small and fast daemon. It can reject maaaany
> | connections per second. Even if it is too slow it doesn't matter
> | much. Important is that sometime soon there will be a 5xx error
> | and the sending mail server stops trying. We could write such a
> | small 5xx error daemon if you need one. It's not a big thing.
>
> Too much effort. And writing a proxy always gets you into the
> same trouble again: From the smtpd's point of view the connections
> come from localhost (or from wherever you installed that proxy).

I wasn't talking about a proxy.

> Do it like this instead:
>
> 1. Add this line to /etc/inetd.conf
>
>    1025 stream tcp nowait nobody /bin/cat cat /etc/smtp-block-message
>
>    (spammers will be redirected to this service)

This won't work as inetd normally has rate limiting features built in.
Better use something like tcpserver or so.

> 2. Put your message into this file:
>
>    echo '451 No Access Today' > /etc/smtp-block-message

This will not bounce but just defer the message. No information will be
provided to the sender. However there is some information if someone
connects via telnet to smtp and wants to know what is going on.

> 3. Instead of just dropping connections, we will divert traffic
>    from sources, that are believed to be spammers, to the service
>    above. This is done using DNAT from iptables/netfilter.
>
>    iptables -A PREROUTING --table nat --protocol tcp \
>        --source 1.2.3.4/32 --dport 25 -j DNAT --to 127.0.0.1:1025

You don't have to use NAT for that. There are far more clever ways of
redirecting.

--
Andre

----------------------------------------------
[EMAIL PROTECTED]
Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/
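An added example, not code from the thread or from either poster: a small stdin/stdout responder that can be started from tcpserver (or inetd) in place of the `cat` service above, but speaks enough SMTP to reject permanently. It sends a 554 greeting, which RFC 5321 defines as "no service", so a compliant sender drops the message instead of queueing it as it would after the 451 in step 2; it answers everything but QUIT with 503 and closes after a bounded number of commands. The hostname in the banner is a placeholder.

```python
#!/usr/bin/env python3
"""SMTP 'no service here' responder for use under tcpserver/inetd.

The client socket is stdin/stdout. A 554 greeting tells the sending MTA
that no transaction is possible on this connection; per RFC 5321 it should
QUIT and treat the mail as permanently failed. A 451 greeting only defers.
"""
import sys

HOSTNAME = "mx.example.invalid"  # assumption: placeholder host name for the banner
GREETING = f"554 {HOSTNAME} No Access Today"


def reply_for(line: str) -> tuple[str, bool]:
    """Map one client command line to (reply, close_after_reply)."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb == "QUIT":
        return f"221 {HOSTNAME} closing connection", True
    if verb == "":
        return "500 Syntax error", False
    # After a 554 greeting every command except QUIT gets 503 (RFC 5321 3.1).
    return "503 Bad sequence of commands", False


def serve(inp, out, max_commands: int = 5) -> list[str]:
    """Run one session over text streams and return the replies sent.

    max_commands bounds how long a client that ignores the 554 can hold the
    slot; after that the session is simply closed.
    """
    sent = [GREETING]
    out.write(GREETING + "\r\n")
    out.flush()
    for _ in range(max_commands):
        line = inp.readline()
        if not line:  # client hung up
            break
        reply, close = reply_for(line)
        sent.append(reply)
        out.write(reply + "\r\n")
        out.flush()
        if close:
            break
    return sent


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Run it as `tcpserver 127.0.0.1 1025 ./smtp-reject.py` and point the netfilter redirect from step 3 at that port; the sender sees the 554 immediately after connecting.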
