Hi All... Managed to get back on the list. Please excuse the from address, one of my more cynical moments... :)
Davide: Seems like your server somehow didn't close the FIN_WAIT_2 state on my server, due to IPFW firewalling. (Known FreeBSD problem...) I have subsequently set the firewalling to limitless connections from "troublesome" servers like this (Currently 2...), then it manages to close them, as this seems to happen in the IPFW throttling stage on simultaneous connections.

To the subject: I had a similar issue with various mail packages and funny helo submissions... I then ended up writing a SPF filter, based on some of the samples found from the xmailserver and related web-sites. I then used this same script (Perl), to check on certain HELO bits and pieces. (Convenient hook, should be separate filter, but as I change some softfail SPF to hardfail...)

Before the filter exits, it checks:

  - HELO = 127.0.0.1
  - HELO = MY IP
  - HELO = ANY IP
  - HELO = Negative Number
  - HELO != *.* (Check for any dot... Simple and moronic host checking.)
  - HELO = [mail.]destination.domain

(Here you have to ensure that:

  - SPF Softfail and domain = hotmail.com -> Hard Fail.
  - SPF Softfail and domain = msn.com -> Hard Fail.
  - SPF Softfail and domain = *.ru -> Hard Fail.
  - SPF Softfail and Various domains -> Hard Fail.

Easily extended to whatever and so forth...)

This gets rid of an average of about 1-5% of email, including some viruses. (Haven't seen a virus for more than a month yet...) As this happens on the pre-data filters, it never gets to the data transfer stage. This script also logs, so I can see what it's doing, and each segment of HELO checking has its own denial section (Not very clean coding) enabling you to use a 451 initially, until you're happy with it and can change to 551...

Logging as follows:

Deny on own IP:

  DENIAL-OIP R: none D: mon, 24 apr 2006 06:55:21 +0200 F: [EMAIL PROTECTED] T: [EMAIL PROTECTED] I: 124.60.92.60 H: x.x.x.x M: S1F940 S:

Deny on SPF:

  DENIAL-SPF R: fail D: sat, 22 apr 2006 20:35:51 +0200 F: [EMAIL PROTECTED] T: [EMAIL PROTECTED] I: 209.31.8.50 H: mta3.goodhollywoodstuff.com M: S1F424 S: v=spf1 mx ptr -all

Deny on Unqualified host (used "abc" as helo):

  DENIAL-UQH R: neutral D: sat, 22 apr 2006 09:13:02 +0200 F: [EMAIL PROTECTED] T: [EMAIL PROTECTED] I: 221.197.209.54 H: abc M: S1F186 S: v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all

Softfail SPF to hardfail on *.ru:

  DENIAL-DMN R: softfail D: mon, 17 apr 2006 08:52:36 +0200 F: [EMAIL PROTECTED] T: [EMAIL PROTECTED] I: 193.140.211.248 H: std14.1uawibqw.org M: S1D5E4 S: v=spf1 ip4:194.67.57.0/24 ip4:194.67.23.0/24 ip4:194.67.45.0/24 ~all

Currently I do not use "friend" as failure, but that would be caught as unqualified host... Which just made me realize that my "localhost" check is in the wrong place, after the unqualified host, so it will never be triggered... :)

If anyone wants to have a look at it, to test drive, I can see if I can clean up the code slightly, and get it workable for someone else to test drive it... No warranties... :) Seeing as this is a sideline for me, I have not spent much time cleaning up/streamlining. (Fast server, lowish volume, no issue... :)

Requirements: SPF Daemon, and Perl Mail::SPF::Query (See Perl Module documentation for info... I think this installs the spf daemon too.)

I also have a Perl-ified Spamassassin script, that can copy spam into a SpamFolder before rejecting, allowing you to actually review caught spam to identify false positives. As we are running at a low (6.99) spam setting, this was needed, as some people feared false positives... (Only 1 in about 3 months, which was a mailing list with spam-like characteristics...)

The spam still gets rejected with 550, but just before passing control back to XMail, a copy is made... It also logs nicely: (Anonymized...)

  SPAM:     "2006-04-24 06:05:54" "SPAM" 47.8 "S: [EMAIL PROTECTED]" "R: [EMAIL PROTECTED]"
  NON-SPAM: "2006-04-24 09:58:52" "HAM"   1.1 "S: [EMAIL PROTECTED]" "R: [EMAIL PROTECTED]"

This will not scan messages bigger than 2M (configurable), so that's a potential problem... Let me know if you want to test drive this as well...

All in all, I would advise to run Greylisting, as that stops about 85% of all accesses to the server, as opposed to SPF/Helo 1-5%, Spam Assassin 1-5% and ClamAV < 1%...

-- 
Best regards,
Jorn mailto:[EMAIL PROTECTED]
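The HELO checks and the softfail-to-hardfail policy Jorn describes, written out as a small offline policy function. This is an added illustration, not Jorn's Perl filter and not XMail code: the SPF lookup (Mail::SPF::Query in the post) is replaced by a caller-supplied result so it runs without DNS, and the domain list, the sample sessions, the server's own IP/domain, and every denial code other than the post's DENIAL-OIP, DENIAL-SPF, DENIAL-UQH and DENIAL-DMN are constructed for the example. The softfail escalation is keyed on the MAIL FROM domain, which is what the post's DENIAL-DMN log line (a .org HELO, denied on *.ru) implies. The check order also shows the ordering point from the post: the localhost test has to run before the "no dot" test or it can never fire.

```python
"""HELO sanity checks plus an SPF softfail-to-hardfail policy for selected
sender domains, modelled on the checks listed in the post above.

Added illustration: not Jorn's Perl filter and not XMail code. The SPF
lookup is replaced by a caller-supplied result ("pass", "fail", "softfail",
"neutral", "none") so the example runs offline; the domain lists, the
sample sessions and the denial codes other than DENIAL-OIP/-SPF/-UQH/-DMN
are constructed for the example.
"""
import ipaddress
import re

# Sender domains whose SPF softfail is treated as a hard failure (constructed).
SOFTFAIL_AS_FAIL_DOMAINS = {"hotmail.com", "msn.com"}
SOFTFAIL_AS_FAIL_SUFFIXES = (".ru",)


def _as_ip(text):
    """Parse an address literal; HELO may carry it as [192.0.2.1]."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _sender_domain(sender):
    """Domain part of a MAIL FROM address ('' for the null sender)."""
    return sender.rpartition("@")[2].lower()


def softfail_is_fail(sender):
    """True when policy says a softfail for this sender domain is a fail."""
    d = _sender_domain(sender)
    return d in SOFTFAIL_AS_FAIL_DOMAINS or d.endswith(SOFTFAIL_AS_FAIL_SUFFIXES)


def check_session(helo, sender, own_ips, own_domains, spf_result):
    """Return a denial code, or None to let the session continue.

    Order matters: the literal-address and localhost tests run before the
    no-dot test; otherwise "localhost" is already caught as an unqualified
    host and the dedicated check never fires.
    """
    h = helo.strip().lower()
    ip = _as_ip(h)
    if h == "localhost" or (ip is not None and ip.is_loopback):
        return "DENIAL-LHS"                     # HELO = 127.0.0.1 / localhost
    if ip is not None and ip in {ipaddress.ip_address(x) for x in own_ips}:
        return "DENIAL-OIP"                     # HELO = my IP
    if ip is not None:
        return "DENIAL-AIP"                     # HELO = any bare IP literal
    if re.fullmatch(r"-\d+", h):
        return "DENIAL-NEG"                     # HELO = negative number
    if "." not in h:
        return "DENIAL-UQH"                     # HELO != *.* ("abc", "friend")
    own = {d.lower() for d in own_domains}
    if h in own or any(h == "mail." + d for d in own):
        return "DENIAL-OWN"                     # client claims to be us
    if spf_result == "fail":
        return "DENIAL-SPF"                     # published -all, hard fail
    if spf_result == "softfail" and softfail_is_fail(sender):
        return "DENIAL-DMN"                     # softfail escalated to fail
    return None


def smtp_reply(code, enforce):
    """451 while test-driving a rule, a permanent 5xx once it is trusted."""
    if code is None:
        return 250
    return 550 if enforce else 451


# Constructed sessions: (HELO, MAIL FROM, SPF result) against a fake server.
OWN_IPS = ["192.0.2.25"]
OWN_DOMAINS = ["example.net"]
SAMPLE = [
    ("abc", "user@example.org", "neutral"),
    ("192.0.2.25", "user@example.org", "none"),
    ("std14.example-host.org", "user@example.ru", "softfail"),
    ("std14.example-host.org", "user@example.org", "softfail"),
    ("mta3.example.com", "user@example.com", "fail"),
    ("localhost", "user@example.org", "none"),
    ("mail.example.net", "user@example.org", "pass"),
    ("mx.example.org", "user@example.org", "pass"),
]


def run_sample():
    """Evaluate every constructed session; returns the list of denial codes."""
    return [check_session(h, s, OWN_IPS, OWN_DOMAINS, r) for h, s, r in SAMPLE]


if __name__ == "__main__":
    for (h, s, r), code in zip(SAMPLE, run_sample()):
        print(f"{smtp_reply(code, enforce=False)} {code or 'accept':11} "
              f"H: {h} F: {s} R: {r}")
```

Running the block prints one line per constructed session with the 451 reply that a test-drive stage would give; flip `enforce=True` for the permanent reply once the rule's false-positive rate is known from the log, which is the staging the post describes.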
