Mailinglist Archive: opensuse (3337 mails)

Re: [SLE] Stopping spam to postmaster@ account?
  • From: Sandy Drobic <suse-linux-e@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 04 Apr 2006 17:34:15 +0200
  • Message-id: <443291F7.9070803@xxxxxxxxxxxxxxxxxxxxxxx>
david rankin wrote:

Stopping Spam for valid and needed accounts is one of the more difficult challenges of spam fighting.

First you have to analyse what kind of spam you are afflicted with.

Is it spam from zombies with dynamic addresses?
-> Use the appropriate blacklists and greylisting.
Is it spam sent from free accounts on webmailers (Yahoo, MSN, etc.)?
Much more difficult; that would have to be handled with care.
Is it spam sent in great numbers from a few clients?
-> Use anvil, policy restrictions on mail flow.


Uhh. Ok, Sandy, how do I do that? Do you have any good links that I can look at to try and classify where the spam is coming from? Here are the headers of 2 received overnight:


Received: from PC01 (unknown [219.142.253.248])
by bonza.rbpllc.com (Postfix) with ESMTP id 08D6C6BF90
for <postmaster@xxxxxxxxxxxxxxxxx>; Tue, 4 Apr 2006 03:13:52 -0500 (CDT)

That is the only header line you can trust: it has been added by your Postfix server. And that is telling you that your server has accepted the mail from a client that announced itself in HELO as "PC01" with the IP 219.142.253.248. Furthermore, that IP has no reverse DNS, so Postfix regards the hostname as "unknown".

dig -x 219.142.253.248 +short

gives an empty result, which means it has no reverse DNS entry.

Received: from unknown (HELO alt1.gmail-smtp-in.l.google.com) (64.233.167.27)
by PC01 with SMTP; Tue, 4 Apr 2006 16:13:59 -0800

Here PC01 claims that it received the mail from Google. The IP and HELO are indeed from Google, and it is true that that IP has no reverse DNS, shame on Google!
However, I do not believe that it received the mail from Google. That is a line the spammer falsified. There is no reason why Google would route their mail via that server with the IP 219.142.253.248.


Return-Path: <sims.gilboyt19h@xxxxxxxxx>
X-Original-To: postmaster@xxxxxxxxxxxxxxxxx
Delivered-To: david@xxxxxxxxxx
Received: from CHINESE-3483D2B.yiya4.com (unknown [220.180.234.95])
by bonza.rbpllc.com (Postfix) with ESMTP id A603F6BF90;
Tue, 4 Apr 2006 03:14:00 -0500 (CDT)

The same for this client: no reverse dns -> unknown
IP address of client: 220.180.234.95
HELO of client: CHINESE-3483D2B.yiya4.com

dig CHINESE-3483D2B.yiya4.com +short
Empty result -> invalid domain.


Received: from unknown (HELO gsmtp163.google.com) (64.233.163.27)
by CHINESE-3483D2B.yiya4.com with SMTP; Tue, 4 Apr 2006 16:14:00 -0800

Again, a falsified header line. No reason why Google would route their mail via that client.

From: "Rob Hollis" <sims.gilboyt19h@xxxxxxxxx>
To: <info@xxxxxxxxxxxxxxxxx>
Subject: Have you ever tried pheromones?
Date: Tue, 4 Apr 2006 16:14:00 -0800
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: T2EkBj7smbvzsTxIZz8XCB1K7yo5nJwgbsFv
Content-Type: text/html;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Message-Id: <20060404081400.A603F6BF90@xxxxxxxxxxxxxxxx>

Looks like the from line is spoofed and that the mail originated from the Chinese site yiya4.com (I'm not an expert at deciphering headers). So how do I approach stopping this stuff? As always, thank you in advance for your insight.

You are lucky: that kind of spam is typical for zombies with dynamic addresses. There are several ways to get rid of that pest.

1. Greylisting. Most spam clients do not queue their spam, and thus you will never see most of it. Regular servers will retry and have no problem with greylisting. You should still be prepared to whitelist some morons with broken servers.

This requires third party software, a policy server or a greylisting daemon.

2. Reject clients with invalid HELO and unknown HELO domains.
This is also very effective. Also be prepared to whitelist some morons.

3. Reject based on IP address with an RBL that blocks those IPs. Be prepared to whitelist some clients that are wrongly listed in these RBLs. That is the reason why such RBLs are chancy.

Use something like pflogsumm for a daily report on what kind of mail was delivered or rejected, and the reason it was rejected.

Sandy
--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
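The header analysis Sandy walks through above, as an added example (not code from the original post or from the Postfix project): it unfolds the Received: chain, treats only the hop written "by" our own server as trustworthy, reads the client IP, HELO name and the "unknown" reverse-DNS marker from that hop, and flags the conditions that the Postfix restrictions reject_non_fqdn_helo_hostname, reject_unknown_client_hostname and reject_unknown_helo_hostname (Postfix 2.3 and later names) act on. The two sample messages are constructed from the headers quoted in the thread with placeholder mailbox domains, and the resolver is a constructed stand-in for "dig NAME +short" that returns the empty results the thread reports, so it runs offline.

```python
"""Pick apart a message's Received: chain the way the thread does.

Only the hop added by our own Postfix server can be trusted; from it we read
the client IP, the HELO name and whether reverse DNS existed.  Every hop
below it was written by the client and may be forged.
Added example, not code from the original post or from Postfix.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

OUR_HOST = "bonza.rbpllc.com"  # the receiving server named in the thread

# Constructed sample: the two messages quoted in the thread, mailbox domains
# replaced by example.com/example.net placeholders, folded lines re-indented.
SAMPLE_MESSAGES = [
    "Received: from PC01 (unknown [219.142.253.248])\n"
    "    by bonza.rbpllc.com (Postfix) with ESMTP id 08D6C6BF90\n"
    "    for <postmaster@example.com>; Tue, 4 Apr 2006 03:13:52 -0500 (CDT)\n"
    "Received: from unknown (HELO alt1.gmail-smtp-in.l.google.com) (64.233.167.27)\n"
    "    by PC01 with SMTP; Tue, 4 Apr 2006 16:13:59 -0800\n"
    "Subject: constructed sample one\n",
    "Return-Path: <sims.gilboyt19h@example.net>\n"
    "X-Original-To: postmaster@example.com\n"
    "Received: from CHINESE-3483D2B.yiya4.com (unknown [220.180.234.95])\n"
    "    by bonza.rbpllc.com (Postfix) with ESMTP id A603F6BF90;\n"
    "    Tue, 4 Apr 2006 03:14:00 -0500 (CDT)\n"
    "Received: from unknown (HELO gsmtp163.google.com) (64.233.163.27)\n"
    "    by CHINESE-3483D2B.yiya4.com with SMTP; Tue, 4 Apr 2006 16:14:00 -0800\n"
    "Subject: constructed sample two\n",
]

# Matches both Received: styles seen in the thread:
#   Postfix: from HELO (rdns-or-unknown [ip]) by host
#   qmail:   from rdns-or-unknown (HELO name) (ip) by host
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r"(?:\s+\((?P<ip2>[\d.]+)\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

Resolver = Callable[[str], Optional[str]]


@dataclass
class Hop:
    helo: str            # name the client announced in HELO
    ip: Optional[str]    # client IP as recorded by the receiving server
    rdns_unknown: bool   # receiving server could not reverse-resolve the IP
    by: str              # server that wrote this Received: line
    trusted: bool = False
    findings: List[str] = field(default_factory=list)


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) into one header each."""
    headers: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[:1] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def parse_received(headers: List[str]) -> List[Hop]:
    """Extract one Hop per Received: header, top (newest) first."""
    hops: List[Hop] = []
    for h in headers:
        if not h.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(h[len("received:"):])
        if not m:
            continue
        helo = m.group("helo") or m.group("name")
        # qmail style puts the rDNS result ("unknown") before the (HELO ...) part
        rdns = m.group("rdns") or (m.group("name") if m.group("helo") else "")
        hops.append(Hop(helo=helo, ip=m.group("ip") or m.group("ip2"),
                        rdns_unknown=rdns.lower() == "unknown", by=m.group("by")))
    return hops


def analyse(raw: str, resolve: Resolver, our_host: str = OUR_HOST) -> List[Hop]:
    """Mark the hop our server wrote as trusted and record what it tells us."""
    hops = parse_received(unfold_headers(raw))
    boundary_seen = False
    for hop in hops:
        if boundary_seen:
            hop.findings.append("below the trust boundary: written by the client, may be forged")
        elif hop.by.lower() == our_host.lower():
            hop.trusted = boundary_seen = True
            if "." not in hop.helo:
                hop.findings.append("HELO is not a fully qualified name (reject_non_fqdn_helo_hostname)")
            if hop.rdns_unknown:
                hop.findings.append("client IP has no reverse DNS (reject_unknown_client_hostname)")
            if resolve(hop.helo) is None:
                hop.findings.append("HELO name does not resolve (reject_unknown_helo_hostname)")
        else:
            hop.findings.append("added by a later relay we do not control; not examined")
    return hops


# Constructed stand-in for "dig NAME +short": the empty results the thread
# reports for the two HELO names; names not listed are treated as unresolvable.
FAKE_DNS: Dict[str, Optional[str]] = {
    "PC01": None,
    "CHINESE-3483D2B.yiya4.com": None,
    "bonza.rbpllc.com": "192.0.2.25",  # TEST-NET placeholder, constructed
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def report(raw: str, resolve: Resolver = fake_resolve) -> List[str]:
    """One human-readable line per hop, the trusted one marked."""
    return [f"{'TRUSTED' if h.trusted else 'hearsay'} from {h.helo} [{h.ip}] by {h.by}: "
            + "; ".join(h.findings) for h in analyse(raw, resolve)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("\n".join(report(msg)), end="\n\n")
```

Swap fake_resolve for a real lookup (socket.gethostbyname wrapped to return None on failure) to run it against live mail; the trust-boundary logic does not change. Note that the forged Google hops are not evaluated at all: whatever they say about HELO or IP is the client's claim, exactly as Sandy explains above.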