>>> afo cliff <afocl...@gmail.com> 09/06/2009 17:18 >>> > Ok, then it looks like it's better to stick with access/virtusertable rejection.
No, it is infinitely better to do it in filter_recipient, and terminate the connection after a number of invalid recipients. Consider the case where a spammer connects and tries a list of 2000 common accounts (root, postmaster, admin, daemon, staff, info, etc...). Rejecting via the access DB will reject all of the ones which are invalid, and will do so quickly. However, all of the valid ones will get the spam, and the spammer will also get a 2xx OK code to that recipient, so they can tune their mailing lists to remove known bad addresses, and sell on the ones which they now know to be working. Doing it via filter_recipient, the spammer sends RCPT_TO with the first address, which might be valid. However, long before they have gone through the 2000 in their list, you've seen 3 bad addresses, and have rejected the whole message. If you have coded it, you may also then firewall the sending server, so you never hear from them again, and they've still got no idea which addresses are valid apart from any which were flagged as OK before they got 3 bad recipients. To date, we've never had a valid user who gets 3 addresses wrong in our domain - one is common, two is rare, three has never happened. YMMV. I count recipients in filter_recipient: —-------------------------------------------------------------------- # check if we've seen any previous recipients open(DATA,"./recips"); $scores=<DATA>; @lines=split / /,$scores; if (defined $lines[0] ) { $badrcpt=$lines[0]; } else { $badrcpt=0; $goodrcpt=0; } if (defined $lines[1] ) { $goodrcpt=$lines[1]; } else { $goodrcpt=0; } close(DATA); # How many recipients so far? History plus this current one... $count=$badrcpt+$goodrcpt+1; # if there have been more than 3 bad recipients, drop the connection now if ( $badrcpt > 3) { md_syslog('info', "MDLOG,$MsgID,bad_recipients,0,$ip,$sender,$recipient,?"); # CALLS TO MY ADDITIONAL CODE - firewall_block($ip,$hostname,"Too many bad recipients"); # open(PROG,">>./Progress"); # print PROG " BOUNCE - too many invalid recipients\n"; # close(PROG); # md_dbrcptlog($MsgID,$recipient,DB_MANYBADRECIPS); return("REJECT","Too many bad recipients"); } # now check the recipient address against our database of valid users if ( # recipient is not recognised # ) { $badrcpt++; open(DATA,">recips"); print DATA "$badrcpt $goodrcpt\n"; close(DATA); return("BOUNCE","Invalid user address - not known here."); } else { $goodrcpt++; open(DATA,">recips"); print DATA "$badrcpt $goodrcpt\n"; close(DATA); } —-------------------------------------------------------------------- My code to firewall offending servers makes a socket connection to a Perl-based daemon which accepts the request, adds it to the firewall config (IPTables in my case), and then adds it to a persistent database table which is scanned on restarts to put the history back in place. I also have a cleanup script to limit the firewall table to around 1000 entries - most offenders are transient, and change IP addresses regularly, so there's no point in blocking an IP for weeks/months/years. I also log progress to a file, and I have custom logging to a database, all of which you can ignore. Since my firewall code runs with a delay, the spammer gets the SMTP error, and then we firewall them, despite the code looking like we firewall them and then try to send them a reject message... Best Wishes, Paul. _______________________________________________________________________ Argenta Discovery Ltd, 8-9 Spire Green Centre, Harlow, Essex, CM19 5TR Registered in England No. 3671653 _______________________________________________________________________ _______________________________________________ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang