nanog mailing list archives
Re: New mail blocks result of Ralsky's latest attacks?
From: Steven Champeon <schampeo () hesketh com>
Date: Fri, 10 Oct 2003 11:42:56 -0400
on Fri, Oct 10, 2003 at 08:47:51PM +0530, Suresh Ramasubramanian wrote:
Set up header checks in sendmail / postfix to block all mail with Received: headers showing Ralsky IPs. PCRE header checks in postfix would be like -
<snip>

Sendmail rulesets to block Ralsky:

KRalsky1 regex -a@SPAM ^.*(\[|\(|\s)211\.158\.[3456789]
KRalsky2 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.1[345]
KRalsky3 regex -a@SPAM ^.*(\[|\(|\s)219\.153\.1[45]
KRalsky4 regex -a@SPAM ^.*(\[|\(|\s)218\.10\.57
KRalsky5 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.1[01]
KRalsky6 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.[89]
KReceivedChecks sequence Ralsky1 Ralsky2 Ralsky3 Ralsky4 Ralsky5 Ralsky6

HReceived: $>check_header_Received

Scheck_header_Received
R$*	$: $1 $| $(ReceivedChecks $&{currHeader} $)
R$* $| @SPAM	$#error $@ 5.7.1 $: "550 Message rejected; suspected spam signature."
R$* $| $*	$: $1

This will not help to block direct SMTP AUTH attacks; but they should block mail from other compromised servers, provided they don't munge the headers.

I've been running these rules for several weeks without incident.

HTH,
Steve

--
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com
Book publishing is second only to furniture delivery in slowness. -b. schneier
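An added example, not part of the original post: a small Python harness that replays the six patterns from the message against constructed Received: values and enumerates which third octets each pattern actually covers. It assumes Python's `re` as a stand-in for sendmail's regex map (handling of `\s` may differ between regex libraries); hostnames and sample headers are constructed.

```python
import re

# Patterns copied verbatim from the K lines in the message above.
PATTERNS = {
    "Ralsky1": r"^.*(\[|\(|\s)211\.158\.[3456789]",
    "Ralsky2": r"^.*(\[|\(|\s)218\.70\.1[345]",
    "Ralsky3": r"^.*(\[|\(|\s)219\.153\.1[45]",
    "Ralsky4": r"^.*(\[|\(|\s)218\.10\.57",
    "Ralsky5": r"^.*(\[|\(|\s)218\.70\.1[01]",
    "Ralsky6": r"^.*(\[|\(|\s)218\.70\.[89]",
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}


def first_match(received):
    """Name of the first pattern that fires, in ReceivedChecks sequence order."""
    for name, rx in COMPILED.items():
        if rx.search(received):
            return name
    return None


def third_octets(name, prefix):
    """Third-octet values (0-255) under 'a.b' that the named pattern rejects."""
    probe = "from x (unknown [{}.{}.1]) by mx.example.org"
    return [n for n in range(256) if COMPILED[name].search(probe.format(prefix, n))]


# Constructed Received: values (hostnames are placeholders).
SAMPLES = [
    "from mail.example.net (unknown [211.158.45.10]) by mx.example.org with ESMTP",
    "from host.example.net (218.70.9.3) by mx.example.org with SMTP",
    "from relay.example.com ([218.70.130.5]) by mx.example.org with ESMTP",
    "from relay.example.com ([192.0.2.25]) by mx.example.org with ESMTP",
    "from relay.example.com ([10.211.158.3]) by mx.example.org with ESMTP",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(first_match(s) or "pass", "<-", s)
    for name, prefix in [("Ralsky1", "211.158"), ("Ralsky2", "218.70"), ("Ralsky4", "218.10")]:
        print(name, "covers third octets", third_octets(name, prefix))
```

Because the patterns do not anchor the end of the third octet, Ralsky1 covers 211.158.3-9 and 211.158.30-99, and Ralsky2 covers 218.70.13-15 as well as 218.70.130-159; the leading `(\[|\(|\s)` group keeps an address such as 10.211.158.3 from matching.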