Re: Exim and HELO

2003-09-11 Thread Lusercop
On Wed, Sep 10, 2003 at 07:00:49PM +0100, Nicholas Clark wrote:
 On Wed, Sep 10, 2003 at 06:44:09PM +0100, Jason Clifford wrote:
 eg 195.92.249.255 (zeniiib.linux.theplanet.co.uk)

Ok, how many people are sitting on a subnet with a /22 prefix or
shorter (the smallest that that can be in order not to be a broadcast
address by my back-of-the-envelope calculation)? I'm genuinely curious
here, because I thought it was where I work that had insanely short
prefixes for ethernets.

-- 
Lusercop.net - LARTing Lusers everywhere since 2002



Re: Exim and HELO

2003-09-10 Thread Paul Makepeace
On 2003-09-08 10:18:58 +0100, Peter Sergeant wrote:
 http://blackhairy.demon.co.uk/notes/exim-helo-block.html

Thanks for this! I implemented the rejecting plain IP and non-FQDN
suggestions rejecting rfc-breaching [EH]LO strings, and now it's cheaply
550'ing hundreds every day here.

I wonder what the long-term falsepos rate is... I've had one definite
falsepos from a server announcing itself with an IP address so you
really need a whitelist to go with it and occasional scans of logs and/or
some reporting mechanism.

  accept  condition= ${lookup {$sender_helo_name} lsearch{/etc/mail/whitelist_helo}{yes}{no}}

before the deny's.

Paul

-- 
Paul Makepeace ... http://paulm.com/

If nobody cared, then jennifer Aniston.
   -- http://paulm.com/toys/surrealism/



Re: Exim and HELO

2003-09-10 Thread Jason Clifford
On Wed, 10 Sep 2003, Paul Makepeace wrote:

 Thanks for this! I implemented the rejecting plain IP and non-FQDN
 suggestions rejecting rfc-breaching [EH]LO strings, and now it's cheaply
 550'ing hundreds every day here.
 
 I wonder what the long-term falsepos rate is... I've had one definite
 falsepos from a server announcing itself with an IP address so you
 really need a whitelist to go with it and occasional scans of logs and/or
 some reporting mechanism.

I'd strongly recommend against blocking sites because they announce with 
an IP unless they are offering an IP other than the one they connect from.

Lots of servers are poorly configured and a fascist configuration will 
prevent genuine email as well as spam.

A whitelist is only going to help you after you've already permanently 
rejected a message. Maybe you can modify the rule so that you check 
$sender_helo_name against the client IP.

Jason Clifford
-- 
UKFSN.ORG   Finance Free Software while you surf the 'net
http://www.ukfsn.org/   ADSL Broadband available now





Re: Exim and HELO

2003-09-10 Thread Nicholas Clark
On Wed, Sep 10, 2003 at 06:44:09PM +0100, Jason Clifford wrote:

 Lots of servers are poorly configured and a fascist configuration will 
 prevent genuine email as well as spam.

On the other hand, if you really want to prevent lots of poorly written
OSes contacting you, find an IP address that corresponds to a network
broadcast address prior to classless addressing :-)

eg 195.92.249.255 (zeniiib.linux.theplanet.co.uk)

I believe that no-one on windows will be able to reach that host.
Even on versions of windows written after classless addressing came in.

Nicholas Clark
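A quick check of the two claims in this sub-thread, as an added example that is not part of the original mails: Nicholas's point that 195.92.249.255 is the broadcast address of its pre-CIDR (class C, /24) network, and Lusercop's back-of-the-envelope figure that a host can only legitimately carry that address on a /22 or shorter prefix. The address is the one named in the thread; the class boundaries are the historical classful ones, and nothing else is assumed.

```python
import ipaddress


def classful_prefix(addr):
    """Prefix length the pre-CIDR address classes imply for addr
    (A = /8, B = /16, C = /24). Returns None for class D/E, which have
    no host/broadcast split."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return None


def is_classful_broadcast(addr):
    """True if a classful-only IP stack would treat addr as the directed
    broadcast address of its network (and so refuse it as a unicast host)."""
    plen = classful_prefix(addr)
    if plen is None:
        return False
    net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return net.broadcast_address == ipaddress.IPv4Address(addr)


def longest_prefix_as_host(addr):
    """Longest (most specific) prefix length at which addr is an ordinary
    host address rather than the last address of its subnet. Walks from /32
    down to /0; the first prefix whose broadcast address differs from addr
    is the answer. For 195.92.249.255 this is 22, matching the /22 figure
    in the thread."""
    ip = ipaddress.IPv4Address(addr)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if net.broadcast_address != ip:
            return plen
    return None


if __name__ == "__main__":
    host = "195.92.249.255"  # the address named in the thread
    print(host, "classful /%d" % classful_prefix(host),
          "broadcast" if is_classful_broadcast(host) else "host",
          "needs prefix <= /%d" % longest_prefix_as_host(host))
```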



Re: Exim and HELO

2003-09-09 Thread Piers Cawley
Rafael Garcia-Suarez [EMAIL PROTECTED] writes:

 Nicholas Clark wrote:
 On Mon, Sep 08, 2003 at 11:58:57AM +, Dominic Mitchell wrote:
  Jonathan Stowe [EMAIL PROTECTED] wrote:
 
   MTA Advocacy  Zzzz
  
  What, you'd rather we talked about *cars* or something like that?
 
 I thought traditional london.pm advocacy was whether Willow or Buffy was
 on top.

 It's Willow.

 And she writes sendmail.cf files by hand. (due to her high level of
 wizardry ;-)

I once wrote a sendmail.cf file from scratch (with the serious aid of
the Humungous Bat Book). What a pointless exercise that was. I think
I reached the point where I knew *how* to implement a Turing Machine
in sendmail.cf and I was planning to do it 'one day', but somebody
else did it instead.



Re: Exim and HELO

2003-09-08 Thread Shevek
Since mail15 always use exactly the same subject line, I use spamassassin 
to make sure that it's a real mail15 line, and then procmail to ditch any 
mails tagged as spam having that subject line.

To be honest, you could probably just ditch by subject line alone.

S.

On Mon, 8 Sep 2003, Peter Sergeant wrote:

 I've recently been getting hammered by mail15.com performing a
 dictionary attack on my mail server - my server accepts email to anyone
 @clueball.com, and so I've been receiving several thousand pieces of spam
 a day advertising mail15.com.
 
 This is obviously somewhat upsetting - it may get marked as spam, but
 I'm still taking a fairly major bandwidth hit, and it's clogging up my
 spam folder, making it very very difficult to spot if I get any false
 positives.
 
 The emails come from a variety of different broadband and dialup
 machines - I'm not especially keen to start dropping emails from large
 chunks of the internet at the SMTP level. However, the spamming software
 they're using always identifies the IP as being from compuserve.com,
 which I believe is done at the HELO time.
 
 Were I using exim4, Google would have returned a great snippet I could
 add to my config file that would allow me to easily refuse all mail
 where the connection started off with a 'HELO compuserve.com'. I'm not,
 I'm using Exim 3.6(?) that came with Debian, and I'm unable to work out
 a nice solution.
 
 Can anyone suggest how one might convince Exim 3 to do this?
 
 Thanks!
 
 +Pete
 
 

-- 
Shevekhttp://www.anarres.org/
I am the Borg. http://www.gothnicity.org/



Re: Exim and HELO

2003-09-08 Thread Nicholas Clark
On Mon, Sep 08, 2003 at 10:05:39AM +0100, Shevek wrote:
 Since mail15 always use exactly the same subject line, I use spamassassin 
 to make sure that it's a real mail15 line, and then procmail to ditch any 
 mails tagged as spam having that subject line.
 
 To be honest, you could probably just ditch by subject line alone.

I think that this doesn't answer one of the important parts of his question:

  This is obviously somewhat upsetting - it may get marked as spam, but
  I'm still taking a fairly major bandwidth hit, and it's clogging up my
   ^^
  spam folder, making it very very difficult to spot if I get any false
  positives.

  Can anyone suggest how one might convince Exim 3 to do this?

How would one do the ditching at SMTP time?

Nicholas Clark



Re: Exim and HELO

2003-09-08 Thread Peter Sergeant
 How would one do the ditching at SMTP time?

It would appear that any email from this company starts its transaction
with my mail-server with 'HELO compuserve.com'. I've seen an exim4
config-file snippet to block at this point[1] - I'm looking to do the same
with exim3...

+Pete

[1] http://blackhairy.demon.co.uk/notes/exim-helo-block.html

-- 
If you have built castles in the air, your work need not be lost; that
is where they should be. Now put the foundations under them.
 -- Henry David Thoreau



Re: Exim and HELO

2003-09-08 Thread Lusercop
On Mon, Sep 08, 2003 at 10:18:58AM +0100, Peter Sergeant wrote:
  How would one do the ditching at SMTP time?
 It would appear that any email from this company starts its transaction
 with my mail-server with 'HELO compuserve.com'. I've seen an exim4
 config-file snippet to block at this point[1] - I'm looking to do the same
 with exim3...

Ha ha ha ha ha. Watch the whining debian exim users go "I want to do this with
Exim3?" and watch while Phil Hazel replies with "well, I really can't
remember much about exim3 as it's been about a year since I stopped
supporting it", at which point the debian user will say "but it's in Debian,
how can it now be unsupported?". Just upgrade. It will make your life *so*
much easier. (there are actually .debs of exim4 around if you want it to sit
nicely with your package management).

-- 
Lusercop.net - LARTing Lusers everywhere since 2002



Re: Exim and HELO

2003-09-08 Thread Sam Vilain
On Mon, 08 Sep 2003 10:58, Lusercop wrote;

   how can it now be unsupported?. Just upgrade. It will make your
   life *so* much easier. (there are actually .debs of exim4 around
   if you want it to sit nicely with your package management).

Yes.  Upgrade.  To postfix.
-- 
Sam Vilain, [EMAIL PROTECTED]

Real software engineers eat quiche.




Re: Exim and HELO

2003-09-08 Thread Jonathan Stowe
On Mon, 8 Sep 2003, Sam Vilain wrote:

 On Mon, 08 Sep 2003 10:58, Lusercop wrote;

how can it now be unsupported?. Just upgrade. It will make your
life *so* much easier. (there are actually .debs of exim4 around
if you want it to sit nicely with your package management).

 Yes.  Upgrade.  To postfix.


MTA Advocacy  Zzzz

/J\




Re: Exim and HELO

2003-09-08 Thread Dominic Mitchell
Jonathan Stowe [EMAIL PROTECTED] wrote:
 On Mon, 8 Sep 2003, Sam Vilain wrote:
 
 On Mon, 08 Sep 2003 10:58, Lusercop wrote;

how can it now be unsupported?. Just upgrade. It will make your
life *so* much easier. (there are actually .debs of exim4 around
if you want it to sit nicely with your package management).

 Yes.  Upgrade.  To postfix.

 
 MTA Advocacy  Zzzz

What, you'd rather we talked about *cars* or something like that?

-Dom

-- 
| Semantico: creators of major online resources  |
|   URL: http://www.semantico.com/   |
|   Tel: +44 (1273) 72   |
|   Address: 33 Bond St., Brighton, Sussex, BN1 1RD, UK. |



Re: Exim and HELO

2003-09-08 Thread Nicholas Clark
On Mon, Sep 08, 2003 at 11:58:57AM +, Dominic Mitchell wrote:
 Jonathan Stowe [EMAIL PROTECTED] wrote:

  MTA Advocacy  Zzzz
 
 What, you'd rather we talked about *cars* or something like that?

I thought traditional london.pm advocacy was whether Willow or Buffy was
on top.

All other potential advocacy issues seem to have been covered
(TT2 or not, emacs or vi or something else, OSes, databases, [OT] versus
other languages, to beer or not to beer etc)
and often descend into flame wars.

Nicholas Clark



Re: Exim and HELO

2003-09-08 Thread Robin Berjon
Rafael Garcia-Suarez wrote:
Nicholas Clark wrote:
I thought traditional london.pm advocacy was whether Willow or Buffy was
on top.
It's Willow.
My oh my. To say I had been putting such an absurd notion on the back of the 
fact that they were rosbifs. You're making me doubt if building that tunnel was 
a good idea, maybe it was better off as an island.

Faith Faith Faith Faith Faith.

--
Robin Berjon [EMAIL PROTECTED]
Research Scientist, Expway  http://expway.com/
7FC0 6F5F D864 EFB8 08CE  8E74 58E6 D5DB 4889 2488



Re: Exim and HELO

2003-09-08 Thread Jason Clifford
On Mon, 8 Sep 2003, Robin Berjon wrote:

  It's Willow.
 
 My oh my. To say I had been putting such an absurd notion on the back of the 
 fact that they were rosbifs. You're making me doubt if building that tunnel was 
 a good idea, maybe it was better off as an island.
 
 Faith Faith Faith Faith Faith.

No, it's definitely Willow - particularly in leather. 

Jason Clifford
-- 
UKFSN.ORG   Finance Free Software while you surf the 'net
http://www.ukfsn.org/   ADSL Broadband available now




Re: Exim and HELO

2003-09-08 Thread Tony Kennick

On Mon, 8 Sep 2003 13:14:40 +0100
Nicholas Clark [EMAIL PROTECTED] wrote:

 On Mon, Sep 08, 2003 at 11:58:57AM +, Dominic Mitchell wrote:
  Jonathan Stowe [EMAIL PROTECTED] wrote:
 
   MTA Advocacy  Zzzz
  
  What, you'd rather we talked about *cars* or something like that?
 
 I thought traditional london.pm advocacy was whether Willow or Buffy was
 on top.

Willow and Faith custard wrestling.

On the note of advocacy, it is part of life, the problem with the mail
wasn't that it was the one liner nature of it :-)

Anyway I'm going to go back to baiting the office mac user and thinking
about the first line of my mail, MMmm.

-- 
Tony Kennick
TechnoPhobia Limited.
Phone: +44 (0)114 2212123  Fax: +44 (0)114 2212124
Email: [EMAIL PROTECTED]
WWW: http://www.technophobia.com
Registered in England and Wales Company No. 3063669
VAT registration No. 598 7858 42

The contents of this e-mail are confidential to the addressee and are
intended solely for the recipients use. If you are not the addressee, you
have received this e-mail in error. Any disclosure, copying, distribution or
action taken in reliance on it is prohibited and may be unlawful.

Any opinions expressed in this e-mail are those of the author personally and
not TechnoPhobia Limited who do not accept responsibility for the contents
of the message.

All e-mail communications, in and out of TechnoPhobia, are recorded for
monitoring purposes.




Re: Exim and HELO

2003-09-08 Thread nemesis
Tony Kennick wrote:
On Mon, 8 Sep 2003 13:14:40 +0100
Nicholas Clark [EMAIL PROTECTED] wrote:
I thought traditional london.pm advocacy was whether Willow or Buffy was
on top.
Willow and Faith custard wrestling.

On the note of advocacy, it is part of life, the problem with the mail
wasn't that it was the one liner nature of it :-)
Anyway I'm going to go back to baiting the office mac user and thinking
about the first line of my mail, MMmm.
On Mon, 8 Sep 2003 13:14:40 +0100

you mean?  You sick puppy :-)

w.






Re: Exim and HELO

2003-09-08 Thread Nicholas Clark
On Mon, Sep 08, 2003 at 03:12:18PM +0200, Rafael Garcia-Suarez wrote:
 Jason Clifford wrote:
  On Mon, 8 Sep 2003, Robin Berjon wrote:
  
It's Willow.
   
   My oh my. To say I had been putting such an absurd notion on the back of the 
   fact that they were rosbifs. You're making me doubt if building that tunnel was 
   a good idea, maybe it was better off as an island.

Next you'll be reminding us that the whole tunnel scheme's original inventor
was Corsican, not French, no no no.

   Faith Faith Faith Faith Faith.
  
  No, it's definitely Willow - particularly in leather. 
 
 What do you guys have about this leather thing ?

I think it's something to do with the slap, er, sorry
smack of leather on willow being the traditional sound of English
summer.

Anyway, something's just gone horribly wrong because we[1]'ve just won a
cricket match. That's not supposed to happen.

Nicholas Clark

1: For some value of we that feels some sort of support for the England
   team, not that they really earn it that often.
   (Strict pedants will note that it's technically the England & Wales
team. I'm still surprised that the Dutch don't even notice when their
cricket team is in the world cup)



Re: Exim and HELO

2003-09-08 Thread Jason Clifford
On Mon, 8 Sep 2003, Rafael Garcia-Suarez wrote:

  No, it's definitely Willow - particularly in leather. 
 
 What do you guys have about this leather thing ?

It's the great British passion - leather on willow.

Jason Clifford
-- 
UKFSN.ORG   Finance Free Software while you surf the 'net
http://www.ukfsn.org/   ADSL Broadband available now




Re: Exim and HELO

2003-09-08 Thread Jason Clifford
On Mon, 8 Sep 2003, David Landgren wrote:

 I hope you succeed in doing in your MTA of choice. If you can drop the 
 connection before DATA, you can save a lot of bandwidth.
 
 You may safely reject any SMTP connection that announces itself this 
 way (HELO compuserve.com)

Just be sure you only match on compuserve.com as if you match subdomains 
you'll be blocking email from a lot of people.

  yahoo.com is another one to look for. Their 
 servers announce themselves using FQDNs. Hotmail doesn't, may they 
 roast in hell.

Is that a given?

 If you get this to work there are two other easy ones to block: HELO 
 1.2.3.4 (where 1.2.3.4 is the public IP address of your MTA) and HELO 
 example.com (where example.com is your domain name).

And HELO localhost as well as HELO [ any unqualified hostname ]

Jason Clifford
-- 
UKFSN.ORG   Finance Free Software while you surf the 'net
http://www.ukfsn.org/   ADSL Broadband available now




Re: Exim and HELO

2003-09-08 Thread David Landgren
Jason Clifford wrote:
[...]
You may safely reject any SMTP connection that announces itself this 
way (HELO compuserve.com)


Just be sure you only match on compuserve.com as if you match subdomains 
you'll be blocking email from a lot of people.
Yes, exactly that. In postfix, one would create a regexp (or pcre) 
access map and do something like (note the anchors)

  /^compuserve\.com$/   REJECT haw haw haw, you're not fooling me

As for a blocking a lot of people, I guess it depends on who you talk 
to. In the past three months only one message (in ~300k) has come in 
from a compuserve machine. Funny how things change.


yahoo.com is another one to look for. Their 
servers announce themselves using FQDNs. Hotmail doesn't, may they 
roast in hell.


Is that a given?
I can't quite parse that. What I mean is that legitimate Yahoo! 
servers announce themselves with, e.g., HELO web20701.mail.yahoo.com 
or HELO n31.grp.scd.yahoo.com (and is the same as the reverse lookup 
on the IP address).

Any legitimate hotmail server, however, will announce itself as HELO 
hotmail.com, just like a spammer would. So you can't distinguish them 
at this level. You can usually distinguish legitimate hotmail servers 
with a reverse lookup, but I have rejected mail in the past from them 
because their DNS wasn't set up correctly and it came back nxdomain. 
Maybe a new machine being brought online. I dunno, it's hotmail, I 
wasn't particularly fussed.


If you get this to work there are two other easy ones to block: HELO 
1.2.3.4 (where 1.2.3.4 is the public IP address of your MTA) and HELO 
example.com (where example.com is your domain name).


And HELO localhost as well as HELO [ any unqualified hostname ]
And anything ending in .local .localdomain .internal .isp .test ...

That will block some legitimate mail, because of retards running 
mailservers in dire need of a clue (next, next, next, ok, finish). 
Antivirus MTA front-ends are a good source of garbage HELO strings.

David
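The HELO policy that emerges from the thread, pulled together as one added example (not code from any of the posts, nor from Exim or Postfix): Paul's whitelist is evaluated before any deny, because a rejection is final for that message; Jason's point that an IP-literal HELO is only worth rejecting when it is not the address the client is actually connecting from; David's anchored exact match on the forged name, so that mail.compuserve.com is not caught; and the localhost / unqualified / bogus-suffix rules from the last two mails. The whitelist file format (one name per line, '#' comments), the helper names and the sample addresses are assumptions; Exim's own lsearch file and the 1.2.3.4 / example.com placeholders from the thread are only modelled, not read.

```python
import ipaddress
import re

# Suffixes that never belong to an Internet-reachable MTA (David's list).
BOGUS_SUFFIXES = (".local", ".localdomain", ".internal", ".isp", ".test")

# Syntactic check for a dotted hostname: labels of 1..63 chars, no label
# starting or ending with '-', at least one dot, whole name <= 253 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def load_whitelist(text):
    """Parse a one-HELO-per-line whitelist (assumed format); blank lines and
    '#' comments are ignored, names are compared case-insensitively."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.lower())
    return frozenset(names)


def _ip_literal(helo):
    """Return the address if the HELO is an RFC 2821 literal '[1.2.3.4]' or
    '[IPv6:...]', or (non-compliant but common) a bare '1.2.3.4'; else None."""
    s = helo[1:-1] if helo.startswith("[") and helo.endswith("]") else helo
    if s.lower().startswith("ipv6:"):
        s = s[5:]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def check_helo(helo, client_ip, my_ip, my_domain,
               whitelist=frozenset(), forged_names=frozenset()):
    """Decide at HELO/EHLO time. Returns ('accept', reason) or ('deny', reason).

    client_ip    address the SMTP client connected from
    my_ip        this MTA's public address (the thread's 1.2.3.4)
    my_domain    this MTA's domain (the thread's example.com)
    forged_names exact HELO strings to reject outright, e.g. {'compuserve.com'}
    """
    name = helo.strip().lower()

    # 1. Whitelist first: a 550 here is permanent for the message, so the
    #    exceptions must run before every deny rule (Paul's ACL ordering).
    if name in whitelist:
        return ("accept", "whitelisted")

    # 2. IP literals: deny only when the address is not the connecting host
    #    (Jason), or when it claims to be us (David).
    lit = _ip_literal(name)
    if lit is not None:
        if lit == ipaddress.ip_address(my_ip):
            return ("deny", "HELO names our own address")
        if lit == ipaddress.ip_address(client_ip):
            return ("accept", "IP literal matches connecting host")
        return ("deny", "IP literal does not match connecting host")

    # 3. Exact match on known-forged names, the equivalent of David's
    #    anchored /^compuserve\.com$/; subdomains fall through.
    if name in forged_names:
        return ("deny", f"forged HELO {name}")

    # 4. Nobody outside should greet us with our own domain.
    if name == my_domain.lower():
        return ("deny", "HELO claims to be our own domain")

    # 5. Non-routable, unqualified or malformed names.
    if name == "localhost" or name.endswith(BOGUS_SUFFIXES):
        return ("deny", "non-routable HELO domain")
    if "." not in name:
        return ("deny", "unqualified hostname")
    if not _HOSTNAME_RE.match(name):
        return ("deny", "syntactically invalid hostname")

    # Everything else passes this stage. Note the limit David describes:
    # 'hotmail.com' from a spammer and from a real Hotmail relay are
    # indistinguishable here; that needs a reverse lookup, not the HELO.
    return ("accept", "fully qualified hostname")
```

The order of the rules is the point: swapping steps 1 and 2 is exactly the bug Jason warns about, where the whitelist can only help after the message has already been permanently rejected.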





Re: Exim and HELO

2003-09-08 Thread Andrew Savige
Nicholas Clark wrote:
 Anyway, something's just gone horribly wrong because we[1]'ve just
 won a cricket match. That's not supposed to happen.

 1: For some value of we that feels some sort of support for the
England team, not that they really earn it that often.
 (Strict pedants will note that it's technically the England &
  Wales team. I'm still surprised that the Dutch don't even
  notice when their cricket team is in the world cup)

No, no, no. That's the Canadians. Cricket was probably the most popular
sport in the Netherlands ... ok, so that was in the 1870s.

I have ferreted through my old email archives from the last Cricket World
Cup; the quotes from the Dutchman are marked D: and from the Canuck C:

Wearing fluro Leon-Orange uniforms ripped straight from the set of
Charlie's Angels, the Dutch performed admirably against Australia this
morning, losing by only 75 runs:
http://www.smh.com.au/articles/2003/02/20/1045638426218.html
http://www.cricketworldcup.com/wallpapers/icc/img70.htm

D: I have to say I like their uniforms! Exactly the right colour.
D: Too bad I didn't understand a word of that article...

C: Isn't using uniform colors to incinerate the retinas of the opposing
C: team against the rules?

D: According to the Volkskrant (a national newspaper) the match against
D: Australia was almost a draw! Unfortunately, the rain stopped a bit
D: too early and the match could still be played...
D: Volkskrant: Australia needs only one more victory to qualify for the
D: champion's round of the WC. For the Netherlands the next defeat is on
D: February the 25th against Pakistan.

Led by a brilliant bowling performance from a 28-year-old dread-locked
plumber, Canada won its first match ever in the Cricket's World Cup.

C: Aye. One of my co-workers, a charming Indian fellow going by the name
C: of Ram, informed me of the accomplishment. My spontaneous reaction was,
C: and I quote verbatim: "We have a cricket team?". Cricket, alas, is not
C: really popular in Canada. We are more obsessed over hockey and curling
C: and moose-wrestling...

C: In related news, after Canada's first victory ever (was it against
C: Zimbabwe?), not only did we get creamed by Sri Lanka, but we actually
C: achieved the lowest score possible in such a match.

D: I've read that! But I don't think it's the lowest _possible_ score,
D: just the lowest actually achieved. It wouldn't surprise me if the
D: Dutch eleven(?) can beat your score.

Another record for Canada! The fastest century in World Cup history!
http://www.cricketworldcup.com/lion/lion2302200302.htm

C: Ooh!
C: Er. It is something good, or bad?

As noted in a prominent article (Lawyer sets precedent as dashing Dutch
end campaign in style) in this morning's SMH newspaper, Holland finished
on a high note, with their first ever World Cup century. Actually two
Dutch batsmen scored centuries against Namibia; the first by lawyer Jan
Feiko Kloppenburg (who works in The Hague), the second by Financier
Klaas-Jan van Noortwijk (who was so stiff after his heroic 134 not out
he was unable to field).

D: Oranje boven! There were pictures of the last match against Namibia
D: in the paper, so our first victory ever in the world cup didn't pass
D: unnoticed. Of course, it helped that there was no other sports
D: news today (or was it yesterday).
D: And there was much rejoicing, I presume, about the results of the
D: English team...

/-\


