Re: [Mimedefang] Repeated attempts with different sender and IP when greylisting
John Nemeth wrote:
> What anti-spam laws? The CAN-SPAM act is just that. It actually legalises spam. As long as you follow the rules (including opt-out provisions) you're free to spam to your heart's content.

Fortunately, we're free to block them to our hearts' content, too.

--
Kelson Vibber
SpeedGate Communications
___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Repeated attempts with different sender and IP when greylisting
On Jul 10, 4:36am, Ben Kamen wrote:
}
} As I read these emails and look at the measures which we must take to
} prevent/ward-off the chaos inflicted on our systems I think to myself,
}
} "Oh yea.. those anti-spam laws in the US are working just fabulous!"

What anti-spam laws? The CAN-SPAM act is just that. It actually legalises spam. As long as you follow the rules (including opt-out provisions) you're free to spam to your heart's content.

}-- End of excerpt from Ben Kamen
Re: [Mimedefang] Repeated attempts with different sender and IP when greylisting
As I read these emails and look at the measures which we must take to prevent/ward-off the chaos inflicted on our systems I think to myself,

"Oh yea.. those anti-spam laws in the US are working just fabulous!"

(sigh)

My sympathies to all of us out there having to cope with this.

-Ben

--
Ben Kamen - O.D.T, S.P.
--
Email: [EMAIL PROTECTED] http://www.benjammin.net
RE: [Mimedefang] Repeated attempts with different sender and IP when greylisting
Mike,

> I recently started using greylisting within Mimedefang on our relays.
> When TEMPFAIL'ed a spammer resends the same piece of mail every few
> seconds using a different IP and sender address. This continues until a
> permanent error is sent (User unknown). How do others deal with this
> tactic?

I have multiple approaches:

1. Ignore it - greylisting is doing what I intended, and when they do finally come back, I reject at the RCPT TO: stage via filter_recipient which works out that they're trying to send to a non-existent user.

2. Firewall persistent greylist attempts which never retry the message but reconnect using a different sender/recipient pair, or systems which claim to be localhost, or which send to more than one non-existent user in a single message, or which hard fail SPF checks. I scan my logs for new greylist entries, and then also for successful connections from that sender/mailhost pair. If there are no successes within 2 days, I firewall the mailhost. I've seen a rash of systems which try 48-50 sender/recipient pairs (all different), and never come back, plus some incidents where I see 50 different hosts connect and all failing greylisting around the same time. These are fairly clearly spambot networks.

3. I refuse connections from any host which has its IP address in its reverse IP name (e.g. i219-164-64-114.s02.a018.ap.plala.or.jp = 219.164.64.114), or where the name contains a good indication of an end-user host (e.g. it contains one or more of the terms "cable", "dsl", "hsd", "dynamic", "static", "pool", etc). Basically, this is either a badly managed mail host which has a useless reverse IP entry, or a broadband host which probably shouldn't have a mail daemon running on it. This is of course fraught with issues, but since I'm doing it on a home network with 2 users, I'm fairly happy to deal with issues as they arise.

Also, note that if a system is going to retry, it will probably retry immediately and then every 5 minutes for a while. Setting your greylist timeout to 30 minutes is probably too extreme, and will penalise legitimate mail so badly that you're bound to get complaints. I have mine set for 30 seconds, which does the job on mass mailers which never retry, and allows 99.9% of mail through within a minute. I've been tempted to take it down to 2 seconds to see what happens, since legitimate mailers do sometimes retry every second for 10 seconds before they back off.

Best Wishes,
Paul.
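Approaches 2 and 3 in the reply above (firewall candidates are greylisted hosts with no success within 2 days; reverse names that embed the IP or an end-user term are refused), as an added example that is not code from any poster in this thread. The TEMPFAIL line format is the one in the log excerpt in this thread; the ACCEPT line, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# TEMPFAIL format as in the log excerpt in this thread; the ACCEPT verdict is
# an assumed line the filter would log when a retry passes greylisting.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ mimedefang\.pl\[\d+\]: "
                  r"(TEMPFAIL|ACCEPT) (\S+) <([^>]*)> <[^>]*>")
END_USER_TERMS = ("cable", "dsl", "hsd", "dynamic", "static", "pool")

def stale_greylisted_hosts(lines, now, year, grace=timedelta(days=2)):
    """IPs with a greylisted (ip, sender) pair at least `grace` old and no success."""
    first_seen, good_ips = {}, set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, verdict, ip, sender = m.groups()
        if verdict == "ACCEPT":
            good_ips.add(ip)  # any success clears the whole host
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        first_seen.setdefault((ip, sender.lower()), when)
    return sorted({ip for (ip, _), when in first_seen.items()
                   if ip not in good_ips and now - when >= grace})

def looks_like_end_user_host(ptr_name, ip):
    """True if the PTR name embeds the IPv4 address or an end-user term."""
    name = ptr_name.lower()
    octets = [re.escape(o) for o in ip.split(".")]
    for order in (octets, octets[::-1]):  # forward or in-addr.arpa order
        if re.search(r"(?<!\d)" + "[-.]".join(order) + r"(?!\d)", name):
            return True
    return any(term in name for term in END_USER_TERMS)

# Constructed sample log (documentation addresses), not taken from the thread.
SAMPLE = [
    "Feb 14 15:41:15 mx1 mimedefang.pl[100]: TEMPFAIL 192.0.2.10 <a@example.com> <u@example.org>",
    "Feb 14 15:41:48 mx1 mimedefang.pl[100]: TEMPFAIL 198.51.100.7 <l@example.net> <u@example.org>",
    "Feb 14 15:42:20 mx1 mimedefang.pl[100]: ACCEPT 198.51.100.7 <l@example.net> <u@example.org>",
    "Feb 16 15:00:00 mx1 mimedefang.pl[100]: TEMPFAIL 203.0.113.5 <b@example.com> <u@example.org>",
]

if __name__ == "__main__":
    print(stale_greylisted_hosts(SAMPLE, datetime(2006, 2, 16, 16, 0), 2006))
    print(looks_like_end_user_host("i219-164-64-114.s02.a018.ap.plala.or.jp",
                                   "219.164.64.114"))
```

The returned list is a set of candidates for review before any firewall rule is written; the reverse-name check needs the PTR lookup done separately.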
[Mimedefang] Repeated attempts with different sender and IP when greylisting
Hello.

I recently started using greylisting within Mimedefang on our relays. When TEMPFAIL'ed a spammer resends the same piece of mail every few seconds using a different IP and sender address. This continues until a permanent error is sent (User unknown). How do others deal with this tactic? See example below.

Feb 16 15:41:15 a043194 mimedefang.pl[23365]: TEMPFAIL 125.245.81.146 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Feb 16 15:41:15 a043194 sendmail[24281]: k1GLf1ei024281: Milter: to=<[EMAIL PROTECTED]>, reject=451 4.3.0 Greylisted for 30 minutes and 0 seconds.
Feb 16 15:41:48 a043147 mimedefang.pl[19961]: TEMPFAIL 201.6.165.230 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Feb 16 15:41:48 a043147 sendmail[20302]: k1GLfeQ0020302: Milter: to=<[EMAIL PROTECTED]>, reject=451 4.3.0 Greylisted for 30 minutes and 0 seconds.
Feb 16 15:41:51 a043194 mimedefang.pl[23365]: TEMPFAIL 125.242.199.18 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Feb 16 15:41:51 a043194 sendmail[24310]: k1GLfiPb024310: Milter: to=<[EMAIL PROTECTED]>, reject=451 4.3.0 Greylisted for 30 minutes and 0 seconds.
Feb 16 15:42:11 a043194 mimedefang.pl[23383]: TEMPFAIL 200.216.24.6 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Feb 16 15:42:11 a043194 sendmail[24323]: k1GLg14t024323: Milter: to=<[EMAIL PROTECTED]>, reject=451 4.3.0 Greylisted for 30 minutes and 0 seconds.
Feb 16 15:42:53 a043194 mimedefang.pl[23383]: TEMPFAIL 125.250.29.242 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Feb 16 15:42:53 a043194 sendmail[24354]: k1GLgkCb024354: Milter: to=<[EMAIL PROTECTED]>, reject=451 4.3.0 Greylisted for 30 minutes and 0 seconds.
.
many many more ...
.
Feb 16 16:35:06 a043194 mimedefang.pl[24387]: TEMPFAIL 69.88.142.140 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Feb 16 16:35:06 a043194 sendmail[25719]: k1GMZ0i3025719: Milter: to=<[EMAIL PROTECTED]>, reject=451 4.3.0 Greylisted for 30 minutes and 0 seconds.
Feb 16 16:36:13 a043194 mimedefang.pl[24387]: TEMPFAIL 82.129.131.3 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Feb 16 16:36:13 a043194 sendmail[25754]: k1GMZwq4025754: Milter: to=<[EMAIL PROTECTED]>, reject=451 4.3.0 Greylisted for 30 minutes and 0 seconds.
Feb 16 16:38:05 a043194 sendmail[25824]: k1GMbwih025824: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=[125.241.33.67], reject=550 5.1.1 <[EMAIL PROTECTED]>... User unknown