RE: [Mimedefang] Anyone noticing...

2006-01-17 Thread Paul Murphy


 I don't know if it's the same place, but I've got a bunch of these
 going back to Dec 20 (as far back as my logs go).
 
 
 I'm guessing the ret@ e-mail is a particular spam bot signature.

Probably.  However, blocking all mail from any ret@ is doomed to generate
false positives.

 All of mine have been coming from the same netblock (morphed a 
 couple of times).  It's currently 216.22.47.0/24.

Back in the middle of 2004, I ended up using a script to block packets in
IPTables from selected networks which were persistently sending SPAM which SA
scored 15+, but who didn't get the hint when everything got a 5.7.1 error.  I
was seeing 500+ per day on a site where the daily mail volume was 4000.
Worse still, they retried after greylisting.  While the sites they came from
were visibly related, it was hard to provide any sort of program logic to
match on the host name.  Some examples below:


RE: [Mimedefang] Anyone noticing...

2006-01-17 Thread Richard Laager
On Tue, 2006-01-17 at 17:30 +, Paul Murphy wrote:
 For more background, search the mailing list archives for Blocking spam
 senders using IPTables?.

Before I spend a lot of time searching... Did you post the script, or
just notes on the idea?

Thanks,
Richard


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] Anyone noticing...

2006-01-17 Thread Matthew Schumacher
Richard Laager wrote:
 On Tue, 2006-01-17 at 17:30 +, Paul Murphy wrote:
 
For more background, search the mailing list archives for Blocking spam
senders using IPTables?.
 
 
 Before I spend a lot of time searching... Did you post the script, or
 just notes on the idea?
 
 Thanks,
 Richard
 

I did something similar to this to reduce the spam (and load).  Whenever
I get a message I put the remote smtp server IP address in a sql table
along with a timestamp, SA score, and counter.  This lets me know what
the SA average is for any host connecting.

Now that I know what the averages are, I query this information during
the filter_recipient function and bounce messages where we have at least
5 messages to average on, and where that average is higher than the spam
threshold that is read out of our ldap directory for that user.

So let's say that a user has the spam sensitivity set to high (5) and we
have a zombie connect and pass 5 messages that average 7 points.  On the
6th message the zombie will pass the mail from and rcpt to, then
mimedefang finds that the average is higher than the user's threshold and
bounces the message.

To keep the database cleaned up I delete all records that have not been
updated for 24 hours every hour.

This change basically limits zombies to 5 messages before they are
rejected, which saves the system from running SA on messages that are
almost certainly spam. I don't have exact numbers but the mail load on
the system dropped significantly.  I need to update my graphdefang
config so that I know the exact statistics, but haven't got to it yet.

The only drawback that I have found to this solution is users that
forward all of their mail to our mail system.  After the change several
called and complained that the forwarding broke because the forwarded
mail was mostly spam which caused the remote mta to get rejected.  I
told the users that the forwarded mail is mostly spam and that the
provider forwarding the mail was indeed relaying spam.  Every user had
their issues resolved by either asking us to remove spam filtering from
their account or asking the forwarding provider to filter messages for
spam before they forward.

The reason why I did it this way instead of iptables was because we need
to be able to adjust the spam filtering on a per-user basis.  This is
why we don't make any decisions on the message until after the rcpt to
and ldap lookup.  I also wanted to make sure that the support address
always works because all of our bounce messages say to email support for
help.  This has worked very well for us since someone will run into a
problem, then email support, which has spam filtering disabled (100
point threshold).  When the helpdesk gets the message they simply look
at the header which tells them exactly why the message was rejected and
allows them to walk the user through how to fix it.

If we had gone with iptables we wouldn't be able to leave our abuse,
postmaster, and support addresses open, and users would be rejected
without an error message explaining exactly what happened.  Since
rejected email only costs us one ldap and one sql lookup we will live
with that since those things are really cheap compared to mimedefang and SA.

Hope this helps someone.
schu
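The per-host reputation scheme Matthew describes, written out as an added example (not his filter, nor any MIMEDefang code): a table keyed on the sending IP accumulates SpamAssassin scores, the RCPT TO stage rejects once at least 5 scored messages average above the recipient's threshold, the support address keeps a 100-point threshold, and hosts idle for 24 hours are expired. The LDAP lookup is stood in for by a constructed dictionary, and the SQL table lives in SQLite.

```python
import sqlite3
import time

# Constructed stand-in for the per-user threshold normally read from LDAP.
USER_THRESHOLDS = {
    "alice@example.com": 5.0,      # sensitivity "high"
    "support@example.com": 100.0,  # effectively never rejected
}
DEFAULT_THRESHOLD = 5.0
MIN_SAMPLES = 5          # need this many scored messages before judging a host
EXPIRE_SECONDS = 86400   # delete hosts not updated for 24 hours

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS hosts (
        ip TEXT PRIMARY KEY, last_seen INTEGER NOT NULL,
        total_score REAL NOT NULL, count INTEGER NOT NULL)""")
    return db

def record_score(db, ip, score, now=None):
    """After SA scores an accepted message: fold its score into the host's row."""
    now = int(now if now is not None else time.time())
    cur = db.execute("UPDATE hosts SET last_seen = ?, total_score = total_score + ?, "
                     "count = count + 1 WHERE ip = ?", (now, score, ip))
    if cur.rowcount == 0:
        db.execute("INSERT INTO hosts VALUES (?, ?, ?, 1)", (ip, now, score))
    db.commit()

def host_average(db, ip):
    """Average SA score for the host, or None while fewer than MIN_SAMPLES exist."""
    row = db.execute("SELECT total_score, count FROM hosts WHERE ip = ?", (ip,)).fetchone()
    if row is None or row[1] < MIN_SAMPLES:
        return None
    return row[0] / row[1]

def recipient_decision(db, ip, recipient):
    """RCPT TO decision: ('REJECT', reason) or ('CONTINUE', None).
    The reason names the support address so a rejected sender knows where to write."""
    threshold = USER_THRESHOLDS.get(recipient, DEFAULT_THRESHOLD)
    avg = host_average(db, ip)
    if avg is not None and avg > threshold:
        return "REJECT", (f"host {ip} averages spam score {avg:.1f}, above recipient "
                          f"threshold {threshold:.1f}; contact support@example.com")
    return "CONTINUE", None

def expire_hosts(db, now=None):
    """Hourly cleanup: drop hosts not seen for EXPIRE_SECONDS; returns rows deleted."""
    now = int(now if now is not None else time.time())
    cur = db.execute("DELETE FROM hosts WHERE last_seen < ?", (now - EXPIRE_SECONDS,))
    db.commit()
    return cur.rowcount
```

A host that sends five messages averaging 7 points is rejected on its sixth RCPT TO for a user at threshold 5, but never for the support address; a host with only four samples is not judged at all.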


RE: [Mimedefang] Anyone noticing...

2006-01-17 Thread Paul Murphy
Richard,
 
 Before I spend a lot of time searching... Did you post the script, or
 just notes on the idea?

Notes on the idea - I have a working Perl script to do the iptables changes,
and a couple of useful shell scripts to lookup addresses and match names, but
having seen the post by Matthew, I'd be tempted to give this a try instead...

Paul.



Re: [Mimedefang] Anyone noticing...

2006-01-17 Thread Kris Deugau

Matthew Schumacher wrote:

If we had gone with iptables we wouldn't be able to leave our abuse,
postmaster, and support addresses open, and users would be rejected
without an error message explaining exactly what happened.  Since
rejected email only costs us one ldap and one sql lookup we will live
with that since those things are really cheap compared to mimedefang and SA.


iptables blocks in this context (or whatever kernel-level firewall
system is available) are for the persistent host that simply WILL NOT
STOP whatever rude activity it's doing.  I've only ever had to use this
once, against a freenet server that was opening SMTP connections ~5
times a second, starting the SMTP conversation (up to the sender
IIRC)... and then stalling.  Repeated, increasingly unhappy emails to
the system's postmaster were accepted with no apparent effect.


My final mail noted that I was dropping their server in my firewall due 
to persistent abuse (and included a short log extract - if I'd really 
been feeling annoyed that day I might have mailed the whole monster 
log), and that if and when they fixed their problem and contacted me 
(through an address handled by a different server) I would remove the 
entry.  I removed it during a cleanup at one point about six months 
later and it hasn't happened again.


-kgd


[Mimedefang] Anyone noticing...

2006-01-16 Thread Ashley M. Kirchner


   ...spam e-mails coming from an e-mail [EMAIL PROTECTED] where the domain
name generally has the word 'deluxe', 'luxury', or some form thereof
in it?  Over the past few days I've gotten hundreds upon hundreds of
hits from:



   And there are other domains this is coming from as well.  Now
granted, Mimedefang does a wonderful job of blocking them all, still...
It's a pain to see the resources of your MX get taken up by this crap.



--
W | It's not a bug - it's an undocumented feature.
 +
 Ashley M. Kirchner mailto:[EMAIL PROTECTED]   .   303.442.6410 x130
 IT Director / SysAdmin / Websmith . 800.441.3873 x130
 Photo Craft Laboratories, Inc.. 3550 Arapahoe Ave. #6
 http://www.pcraft.com . .  ..   Boulder, CO 80303, U.S.A.

