I've cleaned up and zipped the filter I made. You can grab it at http://brynmosher.com/bouncer.zip. The instructions are commented within the PHP file itself. Good luck!

Bryn

----- Original Message -----
From: "Rob Arends" <[EMAIL PROTECTED]>
To: "'postmaster - networkoftheapes.net'" <[EMAIL PROTECTED]>
Date: Sun, 23 Apr 2006 21:05:48 +1000
Subject: RE: [xmail] Re: "friend" client domain

> Yes please Bryn,
>
> Can you send me directly the PHP filter.
>
> Thanks, Rob
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of postmaster - networkoftheapes.net
> Sent: Sunday, 23 April 2006 8:59 PM
> To: [email protected]
> Subject: [xmail] Re: "friend" client domain
>
> Thanks. I think I've figured it out, but here's an explanation:
>
> While I was writing a pre-data filter to ban the folks who were populating
> client domain with "friend", I noticed the ones claiming to be from
> mail.networkoftheapes.net, my own server. This led me to wonder whether the
> client domain was generated by XMail or the sender. After more Googling,
> testing and looking at logs, I realized the sender was giving client domain
> its value.
>
> I now have a little code that will look for my server as the client domain
> and check it against valid domains that could be sending from my server.
> Here's a filtered event from my SMTP log:
>
> "networkoftheapes.net" "networkoftheapes.net" "210.213.227.124"
> "2006-04-23 00:06:18" "mail.networkoftheapes.net"
> "networkoftheapes.net" "[EMAIL PROTECTED]"
> "[EMAIL PROTECTED]" "S1A663" "DATA=EFILTER" "" "0"
> ""
>
> Some user ([EMAIL PROTECTED]) is trying to claim
> mail.networkoftheapes.net as its client domain. Since I know they can't be,
> I exit with a 19, failing the message and stopping filter processing. I also
> give them a "550" invalid user formatted message with the .rej file.
> So far, it's blocked a bunch of these and all seem to be from junk hotmail
> addresses. One of my spam honeypot accounts dropped its mail load per hour
> by about half with this and 'friend' filtered out.
>
> I suspect that some widely used spam software out there just mimics the mail
> server's domain and supplies a randomly generated hotmail address for the
> from field. I sent some mail from a valid hotmail account and it reported
> "hotmail.com" as the client domain, so I think the false-positive count will
> be nil.
>
> The filter code blocks this and the previously mentioned 'friend' entries
> and writes a log file of its actions. I wrote it in PHP of all things. If
> anyone is interested, I can post the code and a quick readme.
>
> Bryn
>
> ----- Original Message -----
> From: Sönke_Ruempler <[EMAIL PROTECTED]>
> To: [email protected]
> Date: Sun, 23 Apr 2006 11:56:08 +0200
> Subject: [xmail] Re: "friend" client domain
>
> > On 23.04.2006 03:31, postmaster - networkoftheapes.net wrote:
> >
> > > Now that I've made my filter, I have a question: How is the client
> > > domain generated? Is it something reported by the sending client
> > > software? For example, most entries in my SMTP logs from
> > > "@hotmail.com" report my server (mail.networkoftheapes.net) in the
> > > client domain field. Should it be doing this?
> >
> > All SMTP envelope headers are fakable - and so the only information
> > you can trust is the sender IP address.
> >
> > Maybe you want to send us sample headers and messages so we can
> > discuss specific questions. :)
> >
> > -
> > To unsubscribe from this list: send the line "unsubscribe xmail" in
> > the body of a message to [EMAIL PROTECTED] For general help:
> > send the line "help" in the body of a message to
> > [EMAIL PROTECTED]
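
The check described in this thread (reject a client domain of "friend", or one that names the receiving server while the connection comes from somewhere else), run over log lines in the layout of the entry quoted above. This is an added Python sketch, not the PHP filter from bouncer.zip; the trusted networks, the reject strings and the field positions (read off the quoted log line) are assumptions.

```python
import ipaddress
import re

# Assumed values for this sketch; none come from XMail or the posted filter.
OWN_HELO_NAMES = {"mail.networkoftheapes.net", "networkoftheapes.net"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
BANNED_HELO = {"friend"}
REJECT, ACCEPT = 19, 0  # 19: the exit code the post uses to fail the message
F_REMOTE_IP, F_CLIENT_DOMAIN = 2, 4  # 0-based, read off the post's log line

def parse_log_line(line):
    """Return the double-quoted fields of one SMTP log line."""
    return re.findall(r'"([^"]*)"', line)

def check_helo(client_domain, remote_ip):
    """Judge the HELO claim against the connecting IP, the only trusted value."""
    helo = client_domain.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return REJECT, "550 Invalid remote address"
    if helo in BANNED_HELO:
        return REJECT, "550 Invalid client domain"
    if helo in OWN_HELO_NAMES and not any(ip in net for net in TRUSTED_NETS):
        return REJECT, "550 Client domain claims to be this server"
    return ACCEPT, ""

def audit(lines):
    """Return (remote_ip, client_domain, reason) for each rejected log line."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if len(f) <= F_CLIENT_DOMAIN:
            continue  # short or malformed line
        code, reason = check_helo(f[F_CLIENT_DOMAIN], f[F_REMOTE_IP])
        if code == REJECT:
            hits.append((f[F_REMOTE_IP], f[F_CLIENT_DOMAIN], reason))
    return hits

# Constructed lines in the post's log layout; the first reuses its IP and HELO.
LINE = ('"networkoftheapes.net" "networkoftheapes.net" "%s" '
        '"2006-04-23 00:06:18" "%s" "networkoftheapes.net"')
SAMPLE = [LINE % pair for pair in (
    ("210.213.227.124", "mail.networkoftheapes.net"),
    ("203.0.113.9", "friend"),
    ("198.51.100.7", "hotmail.com"),
    ("192.0.2.10", "MAIL.networkoftheapes.net."),
)]
```

Calling `audit(SAMPLE)` returns the first two entries; the last one passes because its address falls inside the assumed trusted network, which is the case a real deployment has to get right for its own relays and webmail hosts.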
