Re: [Mimedefang] (was Re: Blocking Dictionary Attacks)

2009-06-09 Thread Matt Garretson
- wrote:
> --- On Tue, 6/9/09, Matt Garretson wrote:
>> $SendmailMacros{'nbadrcpts'} in every filter function, but it 
>> never has a value.
> 
> Did you tell Sendmail to provide the value?  The default setting is:

Yup, in sendmail.mc :

define(`confMILTER_MACROS_ENVRCPT', confMILTER_MACROS_ENVRCPT``, {nbadrcpts}'')dnl
define(`confMILTER_MACROS_EOM', confMILTER_MACROS_EOM``, {nbadrcpts}'')dnl

But it never is accessible to MD.


>> I recall from a couple of years ago that this was a known MD 
>> limitation, but was wondering if it had been overcome since then.
> 
> Not with Sendmail 8.14.3 (the current version).

Okay, thanks, that would explain it.


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] (was Re: Blocking Dictionary Attacks)

2009-06-09 Thread David F. Skoll
Matt Garretson wrote:

> BTW, this reminds me, is MIMEdefang yet able to access sendmail
> macros defined after the MAIL FROM stage?

No, this was never implemented.

Regards,

David.


[Mimedefang] Your mail to the MIMEDefang list was not delivered

2009-06-09 Thread -

--- On Tue, 6/9/09, MIMEDefang Mail Daemon wrote:
> The message you sent about 'Re: [Mimedefang] Blocking Dictionary Attacks' was
> not delivered to the MIMEDefang mailing list, because it appeared to contain
> too much quoted material.  Messages are rejected if they contain more than ...

Please have your robot also return the MESSAGE-ID of the rejected message.  
When the list is busy, a person may reply more than once to the same topic (to 
different posts under that topic).  The message ID is needed to tell these 
posts apart as the subject does not uniquely identify and separate them.


Re: [Mimedefang] (was Re: Blocking Dictionary Attacks)

2009-06-09 Thread -

--- On Tue, 6/9/09, Matt Garretson  wrote:
> Les Mikesell wrote:
> > a large number of invalid recipients that makes it obvious spam but it 
> > will still be accepted for a small number of valid addresses.  You might 
> > be able to figure that out with some work in filter_recipient - or just 
>  
> BTW, this reminds me, is MIMEdefang yet able to access sendmail
> macros defined after the MAIL FROM stage?  I've tried to access 
> $SendmailMacros{'nbadrcpts'} in every filter function, but it 
> never has a value.

Did you tell Sendmail to provide the value?  The default setting is:

O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}

"nbadrcpts" isn't among the values passed by default.  You must add it if you 
want to use it.

> I recall from a couple of years ago that this was a known MD 
> limitation, but was wondering if it had been overcome since then.

Not with Sendmail 8.14.3 (the current version).


[Mimedefang] Multiline Responses revisited

2009-06-09 Thread Michiel Brandenburg

Howdie all,

Attached there is a patch against mimedefang.c to enable multiline 
responses.  This was mentioned in the mailing list some time back and 
was a todo on my private mimedefang list.


Can someone take a look at it, and implement it within mimedefang if you 
like it.  Now my c is kinda rusty so there might be some errors 
somewhere, hey at least it compiles without errors :)


Guess I found Jan's extra second in 2005, better late than never.

Keep up the good work all,
--
Michiel

--- mimedefang.c.original   2009-06-09 00:20:53.0 +0200
+++ mimedefang.c2009-06-09 21:57:06.0 +0200
@@ -216,6 +216,13 @@ static int set_reply(SMFICTX *ctx, char 
 /* Number of file descriptors to close when forking */
 #define CLOSEFDS 256
 
+/* Amount of new lines in a response we want to handle (milters max is 32 do 
not raise above that) 
+   As it HAS to be NULL terminated the list is realy one smaller 
+*/
+#define REPLY_MAX_BUFF_SIZE 32-1
+/* max string length of a reply to milter (max is 970 chars including \0 ) */
+#define REPLY_MAX_STR_LENGTH 970
+
 /* Mutex to protect mkdir() calls */
 static pthread_mutex_t MkdirMutex = PTHREAD_MUTEX_INITIALIZER;
 
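Review bot: `#define REPLY_MAX_BUFF_SIZE 32-1` is an unparenthesised expression, so any later use next to `*`, `/` or a unary operator would expand to something other than 31; write it as `(32-1)` or simply `31`. The comment suggests the value is tunable, but the later `smfi_setmlreply` call lists `replyBuff[0]` through `replyBuff[30]` by hand, so changing the macro alone would leave the call and the array out of step; say so in the comment or derive both from one place.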
@@ -336,6 +343,8 @@ set_reply(SMFICTX *ctx,
  char const *reply)
 {
 char *safe_reply;
+int retcode;
+
 if (!reply || !*reply) {
if (*first == '4') {
reply = "Please try again later";
@@ -351,10 +360,8 @@ set_reply(SMFICTX *ctx,
if (*first == '4') dsn  = "4.3.0";
else   dsn  = "5.7.1";
 }
-
 /* We need to double any "%" chars in reply */
 if (strchr(reply, '%')) {
-   int retcode;
char const *s;
char *t;
/* Worst-case, we'll double our length */
@@ -371,13 +378,73 @@ set_reply(SMFICTX *ctx,
*t++ = *s++;
}
*t = 0;
-   retcode = smfi_setreply(ctx, (char *) code, (char *) dsn, safe_reply);
-   free(safe_reply);
-   return retcode;
 }
-
+else {
+  /* copy over the rely to safe_reply */
+  safe_reply = malloc(strlen(reply) + 1);
+  strncpy(safe_reply, reply, strlen(reply));
+ safe_reply[strlen(reply)]='\0';
+}
+#ifdef MILTER_BUILDLIB_HAS_SETMLREPLY
+// if we encounter a \n enter nasty milter phase
+   char *token = strtok(safe_reply, "\n");
+if ( token != NULL ) {
+  int size = 0;
+  char *replyBuff[REPLY_MAX_BUFF_SIZE];
+  int i = -1;
+ while( token != NULL && ++i < REPLY_MAX_BUFF_SIZE ) {
+   // each reply cannot be large than MAX_REPLY_SIZE
+   size = (strlen(token) > REPLY_MAX_STR_LENGTH - 1 ? 
REPLY_MAX_STR_LENGTH - 1 : strlen(token) );
+if ( strlen(token) > size ) {
+  syslog(LOG_ERR, "Trunkating reply element [%d] too long", i);
+}
+
+if ( !(replyBuff[i] = malloc(size + 1)) ) {
+  syslog(LOG_ERR, "Out of memory splitting reply [%s]",token);
+  return smfi_setreply(ctx, (char *) code, (char *) dsn,
+"Out of memory");
+}
+strncpy(replyBuff[i], token, size+1);
+   replyBuff[i][size+1]='\0';
+   token = strtok(NULL, "\n");
+ }
+ // notify someone if there are more enters in the safe_reply
+ // as we will not send them (specs u know).
+  if ( strtok(NULL, "\n") != NULL ) {
+syslog(LOG_ERR, "Dropping extra reply elements");
+  }
+  // initialize all left over buffers
+  while( ++i < REPLY_MAX_BUFF_SIZE ) {
+replyBuff[i] = NULL;
+  }
+  // send off the reply code (yes I know nasty, tell the milter ppl)
+  retcode = smfi_setmlreply(ctx, (char *) code, (char *) dsn,
+   replyBuff[0], replyBuff[1], replyBuff[2], replyBuff[3], 
replyBuff[4],
+   replyBuff[5], replyBuff[6], replyBuff[7], replyBuff[8], 
replyBuff[9],
+   
replyBuff[10],replyBuff[11],replyBuff[12],replyBuff[13],replyBuff[14],
+   
replyBuff[15],replyBuff[16],replyBuff[17],replyBuff[18],replyBuff[19],
+   
replyBuff[20],replyBuff[21],replyBuff[22],replyBuff[23],replyBuff[24],
+   
replyBuff[25],replyBuff[26],replyBuff[27],replyBuff[28],replyBuff[29],
+  replyBuff[30], NULL);
+ // prevent leaks and free
+  i = -1;
+  while( i++ > REPLY_MAX_BUFF_SIZE && replyBuff[i] != NULL ) {
+free(replyBuff[i]);
+  }
+ free(safe_reply);
+  return retcode;
+}
+#else 
+   // no smfi_setmlreply support replace all \n with space
+   char *token = NULL;
+while( (token = strchr(safe_reply, '\n')) != NULL) {
+   *token = ' ';
+   }
+#endif
 /* smfi_setreply is not const-correct, hence the (char *) casts */
-return smfi_setreply(ctx, (char *) code, (char *) dsn, (char *) reply);
+retcode = smfi_setreply(ctx, (char *) code, (char *) dsn, safe_reply);
+free(safe_reply);
+return retcode;
 }
 
 /*
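
Review bot: In the token loop, `replyBuff[i][size+1]='\0';` writes one byte past the `malloc(size + 1)` allocation (valid indices are 0..size), a heap overflow on every reply line; copy `size` bytes with `strncpy` and terminate at `replyBuff[i][size]`. The cleanup loop `while( i++ > REPLY_MAX_BUFF_SIZE && replyBuff[i] != NULL )` starts with i = -1, so the comparison is false on the first test and nothing in `replyBuff` is ever freed; it should walk from 0 while `i < REPLY_MAX_BUFF_SIZE`. The out-of-memory return inside the loop also leaks `safe_reply` and the elements already allocated, the `malloc` for `safe_reply` in the new `else` branch is not checked before `strncpy`, and `strtok` keeps static state, which is unsafe in a file that is clearly threaded (`MkdirMutex`); `strtok_r` avoids that.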

[Mimedefang] (was Re: Blocking Dictionary Attacks)

2009-06-09 Thread Matt Garretson
Les Mikesell wrote:
> a large number of invalid recipients that makes it obvious spam but it 
> will still be accepted for a small number of valid addresses.  You might 
> be able to figure that out with some work in filter_recipient - or just 
 


BTW, this reminds me, is MIMEdefang yet able to access sendmail
macros defined after the MAIL FROM stage?  I've tried to access 
$SendmailMacros{'nbadrcpts'} in every filter function, but it 
never has a value.

I recall from a couple of years ago that this was a known MD 
limitation, but was wondering if it had been overcome since then.

Thanks,
-Matt



Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread Paul Murphy


>>> Les Mikesell  09/06/2009 18:59 >>>
> Spammers are a lot smarter than that these days.  If you watch your logs 
> during a dictionary attack you are likely to see the messages come in 
> from dozens of different IP addresses that are obviously coordinating 
> the address space and timing so you don't see a big number of addresses 
> come in from any single source, or on any single message, or fast enough 
> to overwhelm a reasonable server.

Agreed, some are smarter - but there's enough of the old sort to make it 
worthwhile.

Recipient throttling, limits on the max number of recipients, etc are all worth 
doing - but for the specific case of a single server which tries a dictionary 
attack, MD is the place to trap for it.

Best Wishes,

Paul.


___
Argenta Discovery Ltd, 8-9 Spire Green Centre, Harlow, Essex, CM19 5TR
Registered in England No. 3671653
___ 



Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread Ben Kamen

That reminds me,

I lost my sendmail blackhole script when my server crashed last year...

I think some people asked me for it -- if you still have a copy you could email 
me,

I'd really appreciate it.

Thanks,

-Ben


Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread David F. Skoll
Les Mikesell wrote:

> Spammers are a lot smarter than that these days.  If you watch your logs
> during a dictionary attack you are likely to see the messages come in
> from dozens of different IP addresses that are obviously coordinating
> the address space and timing so you don't see a big number of addresses
> come in from any single source, or on any single message, or fast enough
> to overwhelm a reasonable server.

This is true.  Nevertheless, we implement this policy:  If a single relay
sends to 4 or more invalid recipients in a 15-minute time window, we
firewall it off for an hour.  Our ban list at any given time contains
between 3 and 50 IP addresses.

Regards,

David.
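
The policy David describes (4 or more invalid recipients from one relay within 15 minutes, blocked for an hour) written out as a sliding-window counter in Perl. This is an added example, not part of the original post and not Roaring Penguin's code; `note_recipient`, the in-memory hashes and the sample events are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Thresholds taken from the policy quoted above.
my $WINDOW   = 15 * 60;   # look-back window for invalid recipients (s)
my $MAX_BAD  = 4;         # invalid recipients in the window that trigger a ban
my $BAN_TIME = 60 * 60;   # how long the relay stays blocked (s)

# Assumption: state lives in these in-process hashes.  MIMEDefang runs a
# pool of Perl worker processes, so a real filter needs shared storage
# (file, database, daemon) instead.
my (%bad_seen, %banned_until);

# Record the outcome of one RCPT TO from $relay at epoch time $now.
# Returns 'BAN' when this event trips the threshold, 'BANNED' while a
# ban is active, and 'OK' otherwise.
sub note_recipient {
    my ($relay, $is_valid, $now) = @_;

    if (exists $banned_until{$relay}) {
        return 'BANNED' if $now < $banned_until{$relay};
        delete $banned_until{$relay};          # ban has expired
    }
    return 'OK' if $is_valid;                  # only failures are counted

    # Forget failures older than the window, then add this one.
    my $events = $bad_seen{$relay} ||= [];
    @$events = grep { $now - $_ < $WINDOW } @$events;
    push @$events, $now;

    if (@$events >= $MAX_BAD) {
        $banned_until{$relay} = $now + $BAN_TIME;
        delete $bad_seen{$relay};              # start clean after the ban
        return 'BAN';                          # caller adds the firewall rule
    }
    return 'OK';
}

# Constructed sample events: [relay IP, recipient valid?, seconds]
my @sample = (
    ['192.0.2.10',   0,    0], ['192.0.2.10',   0,  100],
    ['192.0.2.10',   0,  200], ['192.0.2.10',   1,  300],
    ['192.0.2.10',   0,  400],   # 4th failure inside 15 minutes
    ['192.0.2.10',   1,  500],   # still inside the one-hour ban
    ['192.0.2.10',   1, 4100],   # ban expired
    ['198.51.100.7', 0,    0], ['198.51.100.7', 0,  300],
    ['198.51.100.7', 0,  600],
    ['198.51.100.7', 0, 1000],   # failure at t=0 has aged out
);

for my $e (@sample) {
    my ($relay, $valid, $t) = @$e;
    printf "%-13s t=%-5d %-7s => %s\n",
        $relay, $t, ($valid ? 'valid' : 'invalid'),
        note_recipient($relay, $valid, $t);
}
```

Failures spaced wider than the window, as for the second relay in the sample, never trip the counter, which is the limitation Les Mikesell raises in the quoted text.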


Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread Les Mikesell

Paul Murphy wrote:
> afo cliff  09/06/2009 17:18 >>>
>> Ok, then it looks like it's better to stick with access/virtusertable
>> rejection.
>
> No, it is infinitely better to do it in filter_recipient, and terminate
> the connection after a number of invalid recipients.
>
> Consider the case where a spammer connects and tries a list of 2000
> common accounts (root, postmaster, admin, daemon, staff, info, etc...).
> Rejecting via the access DB will reject all of the ones which are
> invalid, and will do so quickly.  However, all of the valid ones will
> get the spam, and the spammer will also get a 2xx OK code to that
> recipient, so they can tune their mailing lists to remove known bad
> addresses, and sell on the ones which they now know to be working.

Spammers are a lot smarter than that these days.  If you watch your logs 
during a dictionary attack you are likely to see the messages come in 
from dozens of different IP addresses that are obviously coordinating 
the address space and timing so you don't see a big number of addresses 
come in from any single source, or on any single message, or fast enough 
to overwhelm a reasonable server.

> Doing it via filter_recipient, the spammer sends RCPT_TO with the first
> address, which might be valid.  However, long before they have gone
> through the 2000 in their list, you've seen 3 bad addresses, and have
> rejected the whole message.

Sendmail can do this directly as well:

define(`confBAD_RCPT_THROTTLE',`3')dnl

And unless you expect messages with a large number of recipients you can 
refuse to accept them without running any perl code:

define(`confMAX_RCPTS_PER_MESSAGE',`5')dnl

'Real' senders are supposed to figure this out and resend but I don't 
know how it works out in practice.


--
  Les Mikesell
   lesmikes...@gmail.com



Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread Paul Murphy
>>> afo cliff  09/06/2009 17:18 >>>
> Ok, then it looks like it's better to stick with access/virtusertable
> rejection.


No, it is infinitely better to do it in filter_recipient, and terminate
the connection after a number of invalid recipients.

Consider the case where a spammer connects and tries a list of 2000
common accounts (root, postmaster, admin, daemon, staff, info, etc...). 
Rejecting via the access DB will reject all of the ones which are
invalid, and will do so quickly.  However, all of the valid ones will
get the spam, and the spammer will also get a 2xx OK code to that
recipient, so they can tune their mailing lists to remove known bad
addresses, and sell on the ones which they now know to be working.

Doing it via filter_recipient, the spammer sends RCPT_TO with the first
address, which might be valid.  However, long before they have gone
through the 2000 in their list, you've seen 3 bad addresses, and have
rejected the whole message.  If you have coded it, you may also then
firewall the sending server, so you never hear from them again, and
they've still got no idea which addresses are valid apart from any which
were flagged as OK before they got 3 bad recipients.  To date, we've
never had a valid user who gets 3 addresses wrong in our domain - one is
common, two is rare, three has never happened.  YMMV.

I count recipients in filter_recipient:

—
# check if we've seen any previous recipients
open(DATA,"./recips");
$scores=<DATA>;
@lines=split / /,$scores;
if (defined $lines[0] )
  {
  $badrcpt=$lines[0];
  }
else
  {
  $badrcpt=0;
  $goodrcpt=0;
  }
if (defined $lines[1] )
  {
  $goodrcpt=$lines[1];
  }
else
  {
  $goodrcpt=0;
  }
close(DATA);

# How many recipients so far?  History plus this current one...
$count=$badrcpt+$goodrcpt+1;

# if there have been more than 3 bad recipients, drop the connection now
if ( $badrcpt > 3) 
  {
  md_syslog('info',
"MDLOG,$MsgID,bad_recipients,0,$ip,$sender,$recipient,?");
  # CALLS TO MY ADDITIONAL CODE -  firewall_block($ip,$hostname,"Too many bad recipients");
  # open(PROG,">>./Progress");
  # print PROG " BOUNCE - too many invalid recipients\n";
  # close(PROG);
  # md_dbrcptlog($MsgID,$recipient,DB_MANYBADRECIPS);
  return("REJECT","Too many bad recipients");
  }

# now check the recipient address against our database of valid users

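# recipient_is_known() is a hypothetical placeholder for your own lookup
if ( !recipient_is_known($recipient) )   # recipient is not recognised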
{
$badrcpt++;
open(DATA,">recips");
print DATA "$badrcpt $goodrcpt\n";
close(DATA);
return("BOUNCE","Invalid user address - not known here.");
}
else
   {
$goodrcpt++;
open(DATA,">recips");
print DATA "$badrcpt $goodrcpt\n";
close(DATA);
}
—

My code to firewall offending servers makes a socket connection to a
Perl-based daemon which accepts the request, adds it to the firewall
config (IPTables in my case), and then adds it to a persistent database
table which is scanned on restarts to put the history back in place.  I
also have a cleanup script to limit the firewall table to around 1000
entries - most offenders are transient, and change IP addresses
regularly, so there's no point in blocking an IP for weeks/months/years.
 I also log progress to a file, and I have custom logging to a database,
all of which you can ignore.

Since my firewall code runs with a delay, the spammer gets the SMTP
error, and then we firewall them, despite the code looking like we
firewall them and then try to send them a reject message...

Best Wishes,

Paul.




Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread afo cliff
Ok, then it looks like it's better to stick with access/virtusertable rejection.

> But, if you have defined everyone in virtusertable with default rejects,
> sendmail will process invalid recipients faster than mimedefang can. You
> might still get a few instances where a message comes in with a large
> number of invalid recipients that makes it obvious spam but it will still be
> accepted for a small number of valid addresses.  You might be able to figure
> that out with some work in filter_recipient - or just hope that your other
> checks catch it.


Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread Les Mikesell

Matt Garretson wrote:
> afo cliff wrote:
>> Thanks for the info.  It mentions using the -t flag ... however, I
>> start mimedefang with "service mimedefang start" so I don't have any
>> control over the flags that are being used.
>
> It sounds like you have Fedora or a Redhat variant?  There should
> be /etc/sysconfig/mimedefang which you can edit as you like.

But, if you have defined everyone in virtusertable with default rejects, 
sendmail will process invalid recipients faster than mimedefang can. 
You might still get a few instances where a message comes in with 
a large number of invalid recipients that makes it obvious spam but it 
will still be accepted for a small number of valid addresses.  You might 
be able to figure that out with some work in filter_recipient - or just 
hope that your other checks catch it.


--
  Les Mikesell
lesmikes...@gmail.com


Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread Matt Garretson
afo cliff wrote:
> Thanks for the info.  It mentions using the -t flag ... however, I
> start mimedefang with "service mimedefang start" so I don't have any
> control over the flags that are being used.  


It sounds like you have Fedora or a Redhat variant?  There should
be /etc/sysconfig/mimedefang which you can edit as you like.




Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread afo cliff
Ok, I'm convinced.  I'll send the failure responses.


Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread afo cliff
Renaud,

>FILTERING BY RECIPIENT
> You can define a function called filter_recipient in your filter.  This
>  lets  you  reject  messages  to certain recipients, rather than waiting
>  until the whole message has been sent.  Note that  for  this  check  to
>  take place, you must use the -t flag with mimedefang.

Thanks for the info.  It mentions using the -t flag ... however, I
start mimedefang with "service mimedefang start" so I don't have any
control over the flags that are being used.  How would I do that?  A
"ps ax" shows it's being started like this, so no "t" option :(

 2294 ?Sl 0:00 /usr/bin/mimedefang -P
/var/spool/MIMEDefang/mimedefang.pid -m
/var/spool/MIMEDefang/mimedefang-multiplexor.sock -R -1 -U defang -q
-p /var/spool/MIMEDefang/mimedefang.sock


Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread Les Mikesell

afo cliff wrote:
> Matt Garretson wrote:
>> afo cliff wrote:
>>> @mydomain.com bitbucket
>>
>> You can also do something like this in your virtusertable:
>>
>> @mydomain.com  error:5.1.1:550 User unknown
>>
>> Then, you won't need the bitbucket alias.
>> See http://www.sendmail.org/m4/features.html
>
> Yes thanks, I tried that, the down side for me is that it sends a
> "User Unknown" reject notification, which I'm trying to avoid.  I
> don't want my server to waste time sending 10,000 rejects to a zombie
> somewhere.

You have that backwards - it's much, much faster to send a '5xx' failure 
response in the SMTP conversation before accepting any data.   Also, by 
accepting, you'll convince the sender that the addresses are legitimate 
and they'll end up on lists that are re-used for years - but it is 
probably already too late for that.


--
  Les Mikesell
   lesmikes...@gmail.com


Re: [Mimedefang] SELinux labeling

2009-06-09 Thread Stephen L Johnson
On Tue, 2009-06-09 at 00:35 -0500, Kenneth Porter wrote:
> Has anyone come up with a good scheme/policy for labeling files in the MD 
> directory so that both MD and ClamAV (and perhaps spamd and other AVs) have 
> access to them?

If I understand your question, you can run the clamd process as the
'defang' user. It's easy enough for me because I maintain my own
customized (for my site) ClamAV rpm package. Another option is to add
the users the processes (clamd, spamd, etc) run under to the 'defang'
group and change permissions on the MD directory to allow the proper
access.

-- 
Stephen L Johnson  
Unix Systems Administrator / DNS Hostmaster
Department of Information Systems
State of Arkansas
501-682-4339




Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread afo cliff
Matt Garretson wrote:
> afo cliff wrote:
>> @mydomain.com bitbucket
>
> You can also do something like this in your virtusertable:
>
> @mydomain.com  error:5.1.1:550 User unknown
>
> Then, you won't need the bitbucket alias.
> See http://www.sendmail.org/m4/features.html

Yes thanks, I tried that, the down side for me is that it sends a
"User Unknown" reject notification, which I'm trying to avoid.  I
don't want my server to waste time sending 10,000 rejects to a zombie
somewhere.


Re: [Mimedefang] Blocking Dictionary Attacks

2009-06-09 Thread David F. Skoll

afo cliff wrote:

> Yes thanks, I tried that, the down side for me is that it sends a
> "User Unknown" reject notification, which I'm trying to avoid.  I
> don't want my server to waste time sending 10,000 rejects to a zombie
> somewhere.


???

It doesn't send a notification.  All it does is reply with a 5xx SMTP
reply code.

It's very rude to bit-bucket mail to nonexistent recipients; valid senders
might never know that their mail has bounced.

Regards,

David.