Re: Spam protection for larger networks (Was Re: Spammer Bust)

[Peter Marelas <maral () phase-one com au>]

You should also take a look at smtpd from Obtuse (ftp://ftp.obtuse.com/pub/smtpd/beta)
It allows you to block relaying in many different ways some of which you dont
see in sendmail filters. For instance, you can refuse relaying for
IP X because ip X's authorative name servers dont include Y.

Its also flexible in deploying a single file across all your mail servers
which takes care of relaying and spam.

On Fri, 5 Sep 1997, Rod Nayfield wrote:

> At 04:35 PM 9/5/97 -0400, Jeremy Elson wrote:
> > The answer, of course, is that the mail really originated from a PSInet
> > dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
> > utter forgery, presuambly added by the spam-mailing software.  In fact,
> > it's not even a very good forgery, because the supposed IP address of
> > alt2.bethere.net is invalid (the 2nd octet is 756).
>
>
> Yes, it seems that once a spammer finds your site (fs.iconnet.net, mine)
> they share it with others.  What was a trickle (in April, when you got
> spammed) became a flood as the "disposable dial-ppp / third-party relay"
> technique became widespread.  At the time we had approximately 15 "open"
> mail servers - but only one was ever abused - they either share with each
> other or have common sources/techniques of scanning for "open" servers.
>
> X-Disclaimer: if you're not interested in sendmail techniques to keep spam
> off your network, delete now.
>
> Anyway, we were able to dig up with a nice simple solution that solves some
> problems that ISPs have.  The reason I'm posting is because it took a long
> time to find the solution and most sources of information (spam.abuse.net,
> etc) are aimed at small sites, not ISPs who provide mail-relay and MX
> backup for their customers.  The solution is located at
>
> http://www.informatik.uni-kiel.de/%7Eca/email/check.html
> http://www.informatik.uni-kiel.de/%7Eca/email/rules/check.tar
>
> what we do now, with most help from Claus Aßmann's site:
>
> =
> We now have four files that control our anti-abuse sendmail (in order):
>
> 1. Spammer            These user addresses can't send mail
> 2. SpamDomains        These domains can't send mail
> 3. LocalIP            These IP addresses can relay mail
> 4. RelayTo            Mail destined to these domain names can go through
>
> Thus, our customers can use our mail servers to relay (#3), and anyone else
> must be sending to our customers (#4) or they get rejected.  Plus we can
> block any spammer, customer or non-customer (#1,2).  Now we only have to
> worry about our downstreams spamming, where we actually have leverage.
>
> Things that need work:
>  script to dynamically create localip file
>   (point a program at your cisco and let it "sh ip bgp filter x" to get
>    your list, which you can then edit)
> . merge spammer and spamdomains into one file with wildcards
>   (*@*.b.com , user@*.c.com , *@port15.dial.d.net)
> . cidr and substring matching are not the same
>   (you can take 10.1.0.0/17 and make 128 /24 entries, or one /16 entry and
> allow
>    the other /17 through)
>
>
> I'm thinking of building on this and sharing my results with Claus and any
> other interested parties.  Suggestions / Comments / Ideas please e-mail me.
>  Thanks for your time.
>
> -Rod

Regards
Peter Marelas
--
Phase One Interactive - Sun Solaris/Unix/Networking Consultant
P.O Box 549, Templestowe 3106 Melbourne, Australia
URL: http://www.phase-one.com.au/