On Mon, 25 Feb 2002 12:51:28 -0500 Randy Kramer <[EMAIL PROTECTED]> wrote:

> Pierre,
> 
> Thanks for this (I'm going to put some of it on a WikiLearn page as a
> reminder to me), but there were some things I didn't understand in
> reading your pages.  Questions embedded below and afterwards.
> 
> http://twiki.org/cgi-bin/view/Wikilearn/FightingSpam
> 
> Pierre Fortin wrote:
> > If you have your own domain/IP, you can use PostFix' anti-spam features to greatly
> > refuse spam before it gets delivered...  Most spam comes through "open relays" and by
> > blocking mail from any known open relay, we can virtually shut down anonymous spam.
> > This will eventually force the spammers to use their own resources and might make
> > prosecution more likely; but that's orthogonal and argumentative...  :^)
> 
> So, I think you're saying that if I'm running my own email server on the
> Internet, I can make sure it's not an open relay, thus minimizing spam
> for others (and myself).

For others only...  Reducing spam for yourself is a separate issue...  if mail is for 
you, your mailer is a "destination", so is not an "open relay" for those messages.  
Warning: if *your* mailer is an open relay and *I* get spam via it, my very first 
reaction is to submit your IP to http://ordb.org/submit/  (no kidding :^)

This will prevent your mailhost (open relay) from delivering any more mail to me or 
anyone else who verifies via relays.ordb.org...  

> However, even if I'm not running my own email server, I can still submit
> apparent open relay sites to ordb for testing and possible
> blacklisting.  (Right?)

Yes, absolutely!  Those of us who use the ORDB will be protected from every new open 
relay you report...  :^)

The important thing to realize here is that the sooner the open relay is reported, the 
sooner the spam is prevented for loads of other users...

> > I've noticed that since I've begun submitting spam relay hosts to
> > http://ordb.org/submit/, spam attempts have dropped off to a trickle.  In fact, the
> > spam *attempts* (blocked by postfix) have dropped from ~50-70/day to a few every
> > couple of days...
> 
> Ok, now I understand -- the number of attempts to use your machine as a
> relay have dropped to a few every couple of days.

Not as a relay (those are stopped by not being an open relay); it's the attempts to 
*deliver* spam that have gone way down...  it seems that as open relays get shut down, 
the spammers are less and less able to deliver their trash.  This is a much better 
solution than trying to report spam to [EMAIL PROTECTED] where it may not be 
addressed at all because the ISPs are likely getting more spam reports than they can 
handle.

> > It's fun to be a spam fighter...  :^)  For more info, see my postfix page at
> > http://pfortin.com/Linux/PostFix -- also, easy to miss but potentially useful for the
> > mail-header-challenged is http://pfortin.com/Linux/PostFix/ORDBing.html
> 
> I've looked at both these pages, and the first one should be useful to
> me as I try to configure postfix for my (local) server.

The pages are not yet polished; I work on my pages as I find time...  I'm open to 
suggestions...

> I've reviewed the second, but I really don't understand what the key
> characteristic is that lets you decide which header represents the open
> relay.  Or, do you more or less "assume" it is one of the first three
> and (worst case) submit the IPs from the first three received headers
> for testing?

This is what needs some polishing; it jumps to the conclusion without benefit of 
analysis...  I usually look at all the "Received" headers and mentally picture the 
path the spam took...  often, the spammer was on a dialup and delivered the mail to an 
open relay which then delivers it directly to my machine.  On average, the machine 
that delivered to my machine is the open relay; but for good measure, I submit 
intermediate mail hosts.

> If that's the case, I understand.  If there is something more to look
> for, how about looking at the headers below and tell me which (if any)
> of the headers represent an open relay, and how you determined that. 
> (Aside, I don't know that this came from an open relay, I just wanted an
> example we could talk about.)

OK...  for this exercise, read the rest of the message from the bottom working up...  
Here is a big picture summary of the path followed by this msg:
1. 209.63.151.3  qvp0002(unconfirmed)  (spammer)
2. email.qves.com who did not put its IP in the header
3. newmx2.fast.net who puts 209.63.151.19 in header; but believes the HELO content 
(email.qves.com) which happens to match #2 -- good; but don't trust names.  This host 
does not provide an envelope-sender to #4.
4. mailstore1.fast.net
5. you pick it up from #4.

#1 is the spammer, #3 is your ISP; only leaves #2 as the *possible* open relay...

HTH,
Pierre

> regards,
> Randy Kramer

============ go to bottom and read up ===========

> Return-Path: <[EMAIL PROTECTED]>
                ^^^^^^^^^^^^^^^^^^^^
Here the spammer claims to be a user in the (remember) *possible* open relay...  [if 
you are reading in the correct order, this is the LAST part of this response :^)]  I 
say "*possible*" because this message unfortunately (gut feel) is one of those from a 
stupid spammer who is using his/her real account...  in this case, ORDB might report 
that the relay "is not open" which leaves you to reporting the spammer to 
[EMAIL PROTECTED] (good luck), or "is open" and you will have blocked 209.63.151.19 from 
future delivery of messages.  If everybody used the open relay check and refused mail 
from this ISP, that ISP would not be well liked by its regular users who could not 
email their friends...  This is why I like ORDB as a long-term solution to spam...  :^)



> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 25565 invoked from network); 1 Feb 2002 20:10:18 -0000
> Received: from newmx2.fast.net ([209.92.1.32])
>           (envelope-sender <>)
                             ^^
This is also not acceptable in my postfix rules...

>           by mailstore1.fast.net (qmail-ldap-1.03) with QMQP
>           for <>; 1 Feb 2002 20:10:18 -0000
> Delivered-To: CLUSTERHOST newmx2.fast.net [EMAIL PROTECTED]
> Received: (qmail 18378 invoked from network); 1 Feb 2002 20:10:16 -0000
Not familiar with qmail; but it provides no useful info...

> Received: from unknown (HELO email.qves.com) ([209.63.151.19])
                                                 ^^^^^^^^^^^^^ report this
                               ^^^^^^^^^^^^^^ possibly bogus
                 ^^^^^^^ Another reason for rejection in my postfix rules.

> (envelope-sender <[EMAIL PROTECTED]>)
>           by newmx2.fast.net (qmail-ldap-1.03) with SMTP
               ^^^^^^^^^^^^^^^ 
rec'd your mailhost, so open relay is in this header, look up..^
>           for <[EMAIL PROTECTED]>; 1 Feb 2002 20:10:16 -0000
> Received: from qvp0002 ([209.63.151.3]) by email.qves.com with Microsoft
                 ^^^^^^^
Non-fully qualified hostname; refused in my postfix config...  my postfix also does a 
reverse DNS lookup; this is why I posted about Mandrake's DNS problems on a couple of 
occasions complaining some expert/cooker msgs were being rejected because Mdk did not 
list all mailhosts in reverse DNS...

> SMTPSVC(5.0.2195.2966);
>          Fri, 1 Feb 2002 13:07:31 -0700
> From: "Become Wealthy!" <[EMAIL PROTECTED]>
                           ^^^^^^^^^^^^^^^^^^^^
Generally bogus, could even be forged as: <[EMAIL PROTECTED]>.

[snipped irrelevant headers]
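The "read from the bottom up" walk Pierre does by eye can be done mechanically. The script below is an added example, not code from Pierre's pages or from this thread: it unfolds the header block, parses each Received: line into (client name, HELO, IP, receiving host, envelope sender), then walks the chain from the top (nearest to the recipient) down to the first header written by one of *your own* MX hosts about an outside client. That client's IP is the only one you verified yourself, because your MTA saw the TCP connection; every hop below it was written by machines you do not control and could have been forged. Assumptions: MY_MX_HOSTS is read off the "by" clauses in the quoted headers (newmx2.fast.net and mailstore1.fast.net), the mailboxes the list archive redacted are replaced with placeholder addresses, and the flag names map the hop's properties onto the Postfix restrictions Pierre alludes to (no reverse DNS, non-FQDN HELO, null envelope sender).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the Received: chain quoted in the thread; mailboxes that
# the list archive redacted are replaced with placeholder addresses.
SAMPLE_HEADERS = """\
Return-Path: <sender@email.qves.com>
Delivered-To: recipient@fast.net
Received: (qmail 25565 invoked from network); 1 Feb 2002 20:10:18 -0000
Received: from newmx2.fast.net ([209.92.1.32])
          (envelope-sender <>)
          by mailstore1.fast.net (qmail-ldap-1.03) with QMQP
          for <>; 1 Feb 2002 20:10:18 -0000
Delivered-To: CLUSTERHOST newmx2.fast.net recipient@fast.net
Received: (qmail 18378 invoked from network); 1 Feb 2002 20:10:16 -0000
Received: from unknown (HELO email.qves.com) ([209.63.151.19])
          (envelope-sender <sender@email.qves.com>)
          by newmx2.fast.net (qmail-ldap-1.03) with SMTP
          for <recipient@fast.net>; 1 Feb 2002 20:10:16 -0000
Received: from qvp0002 ([209.63.151.3]) by email.qves.com with Microsoft
          SMTPSVC(5.0.2195.2966);
          Fri, 1 Feb 2002 13:07:31 -0700
From: "Become Wealthy!" <sender@email.qves.com>
"""

# Assumption: the recipient's own MX hosts, read off the "by" clauses above.
MY_MX_HOSTS = {"newmx2.fast.net", "mailstore1.fast.net"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

@dataclass
class Hop:
    from_name: str                   # name the receiving MTA recorded ("unknown" = no rDNS)
    helo: Optional[str]              # HELO string, when the MTA records it separately
    ip: Optional[str]                # connecting IP the receiving MTA saw, in [brackets]
    by: str                          # the MTA that wrote this header
    envelope_sender: Optional[str]   # None if not recorded, "" for MAIL FROM:<>
    flags: list = field(default_factory=list)

def unfold(raw: str) -> list:
    """Split a header block into (name, value) pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received: value; None for local stamps that carry no from/by clause."""
    from_m = re.match(r"from\s+(\S+)", value)
    by_m = re.search(r"\bby\s+(\S+)", value)
    if not from_m or not by_m:
        return None
    helo_m = re.search(r"\(HELO\s+([^)\s]+)\)", value, re.IGNORECASE)
    ip_m = re.search(r"\[(" + IPV4 + r")\]", value)
    env_m = re.search(r"envelope-sender\s+<([^>]*)>", value)
    hop = Hop(from_m.group(1), helo_m.group(1) if helo_m else None,
              ip_m.group(1) if ip_m else None, by_m.group(1),
              env_m.group(1) if env_m else None)
    claimed = hop.helo or hop.from_name              # what the client said it was
    if hop.from_name.lower() == "unknown":
        hop.flags.append("no-reverse-dns")           # what reject_unknown_client catches
    if "." not in claimed:
        hop.flags.append("helo-not-fqdn")            # what reject_non_fqdn_hostname catches
    if hop.envelope_sender == "":
        hop.flags.append("null-envelope-sender")
    return hop

def received_hops(raw: str) -> list:
    """All parseable hops, nearest-to-recipient first (the order they appear in the header)."""
    hops = []
    for name, value in unfold(raw):
        if name.lower() == "received":
            hop = parse_received(value)
            if hop:
                hops.append(hop)
    return hops

def find_relay(raw: str, my_hosts: set) -> dict:
    """Walk top-down to the first header one of our MXs wrote about an outside client.
    That client's IP is the one we verified ourselves; everything below it is hearsay."""
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        if hop.by in my_hosts and hop.from_name not in my_hosts:
            upstream = hops[i + 1:]
            return {"relay_ip": hop.ip, "relay_claimed_name": hop.helo or hop.from_name,
                    "relay_flags": hop.flags,
                    "upstream": [(h.from_name, h.ip, h.by) for h in upstream],
                    "origin_ip_unverified": upstream[-1].ip if upstream else None}
    return {}   # no header written by one of our hosts: we did not receive this chain
```

On the sample chain find_relay returns 209.63.151.19 (claiming to be email.qves.com, with no reverse DNS) as the host that handed the message to newmx2.fast.net, which is exactly the address Pierre marks "report this"; the hop below it, from qvp0002 at 209.63.151.3, was written by email.qves.com itself and is only as trustworthy as that host. The flag names correspond to the Postfix restrictions of the time, reject_unknown_client and reject_non_fqdn_hostname (renamed reject_unknown_client_hostname and reject_non_fqdn_helo_hostname in Postfix 2.3), and a DNS blocklist is consulted with reject_rbl_client. Two caveats a practitioner would want: the null-envelope-sender flag is informational only, since refusing MAIL FROM:<> at the border also refuses every bounce and delivery-status notification, which SMTP requires a receiving MTA to accept; and relays.ordb.org must not appear in any configuration today, because ORDB shut down at the end of 2006 and in 2008 its zone began answering positively for every query, so MTAs still consulting it rejected all mail.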
