RE: [Mimedefang] Anyone noticing...
> I don't know if it's the same place, but I've got a bunch of these going back to Dec 20 (as far back as my logs go).
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> I'm guessing the ret@ e-mail is a particular spam bot signature.

Probably. However, blocking all mail from any ret@ is doomed to generate false positives.

All of mine have been coming from the same netblock (morphed a couple of times). It's currently 216.22.47.0/24.

Back in the middle of 2004, I ended up using a script to block packets in IPTables from selected networks which were persistently sending SPAM which SA scored 15+, but who didn't get the hint when everything got a 5.7.1 error. I was seeing 500+ per day on a site where the daily mail volume was 4000. Worse still, they retried after greylisting.

While the sites they came from were visibly related, it was hard to provide any sort of program logic to match on the host name. Some examples below:

12.129.167.64 mx83b.e-shapeconnection.com.
12.129.167.66 mx83b.i-bewellconnection.com.
12.129.167.67 mx83b.i-playingallnite.com.
12.129.167.68 mx83b.mybewellnetwork.com.
12.129.167.69 mx83b.myshapenet.net.
12.129.167.70 mx83b.myshapestructure.com.
12.129.167.71 mx83b.ourbewellconnection.com.
12.129.167.74 mx83b.ourshapenexus.com.
12.129.167.76 mx83b.playingallnite.com.
12.129.167.80 mx84b.i-bewellhookup.com.
12.129.167.81 mx84b.bewellnet.net.
12.129.167.82 mx84b.yourbewellnet.net.
12.129.167.83 mx84b.ourbewellnet.net.
12.129.167.84 mx84b.i-bewellnet.net.
12.129.167.85 mx84b.bewellnexus.com.
12.129.167.86 mx84b.bewellstructure.com.
64.156.172.10 mx95.mytanningdays.com.
64.156.172.11 mx95.yourtanningdays.com.
64.156.172.12 mx95.myshoptobreathe.com.
64.156.172.13 mx95.yourshoptobreathe.com.
64.156.172.14 mx95.mybeingenergetic.com.
64.156.172.15 mx95.yourbeingenergetic.com.
64.156.172.16 mx96.weekendlifers.com.
64.156.172.17 mx96.myweekendlifers.com.
64.156.172.18 mx96.TanningTime.com.
64.156.172.19 mx96.tanninghour.com.
64.156.172.21 mx96.myshoptobe.com.
64.156.172.22 mx96.beinganimated.com.
64.156.172.23 mx96.mybeinganimated.com.
64.156.172.8 mx95.myweekendtolive.com.
64.156.172.9 mx95.yourweekendtolive.com.
65.216.114.10 mx91.yourfunkingdom.net.
65.216.114.100 out6.mydigitalknowshow.com.
65.216.114.101 out6.ipinpoint.info.
65.216.114.102 out6.myfultondirect.com.
65.216.114.105 out6.myjackpotgamingoffers.com.
65.216.114.107 out6.eusahealthyweb.com.
65.216.114.11 mx91.jackpotgamingoffers.com.
65.216.114.110 out6.myinternetgamingoffers.com.
65.216.114.113 out6.ibargaintimes.com.
65.216.114.114 out6.ivendarefinancial.com.
65.216.114.115 out6.yourclubofferstoday.com.
65.216.114.116 out6.yourusa-wellbeing.com.
65.216.114.117 out6.edealfinders.net.
65.216.114.118 out6.yourdigitalknowshow.com.
65.216.114.119 out6.yourpinpoint.info.
65.216.114.12 mx91.jackpotgamingdeals.com.
65.216.114.120 out6.yourfultondirect.com.
65.216.114.121 out6.yourmemberselect.com.
65.216.114.122 out6.yourblinkpayday.com.
65.216.114.123 out6.ejackpotgamingoffers.com.
65.216.114.124 out6.evacationsforus.com.
65.216.114.13 mx91.jackpotgamingbargains.com.
65.216.114.130 out7.mybargaintimes.com.
65.216.114.131 out7.ecasinoreport.net.
65.216.114.132 out7.mysport-times.com.
65.216.114.133 out7.mydeal-finders.net.
65.216.114.134 out7.mydigitalknowshow.com.
65.216.114.135 out7.ipinpoint.info.
65.216.114.138 out7.myblinkpayday.com.
65.216.114.14 mx91.jackpotcasinodeals.com.
65.216.114.142 out7.my-vacay.com.
65.216.114.143 out7.myclubofferstoday.com.
65.216.114.144 out7.myinternetgamingoffers.com.
65.216.114.146 out7.yourset-for-life.net.
65.216.114.147 out7.ibargaintimes.com.
65.216.114.148 out7.ivendarefinancial.com.
65.216.114.149 out7.yourclubofferstoday.com.
65.216.114.15 mx91.jackpotcasinobargains.com.
65.216.114.151 out7.edealfinders.net.
65.216.114.152 out7.yourdigitalknowshow.com.
65.216.114.153 out7.yourpinpoint.info.
65.216.114.154 out7.yourfultondirect.com.
65.216.114.155 out7.yourmemberselect.com.
65.216.114.156 out7.yourblinkpayday.com.
65.216.114.157 out7.ejackpotgamingoffers.com.
65.216.114.159 out7.yourusawellbeing.com.
65.216.114.16 mx92.jackpotcasinotoday.com.
65.216.114.17 mx92.jackpotcasinonow.com.
65.216.114.19 mx92.myjackpotgamingbargains.com.
65.216.114.20 mx92.yourjackpotgamingbargains.com.
65.216.114.21 mx92.ijackpotgamingbargains.com.
65.216.114.24 mx02.leedirect.net.
65.216.114.25 mx02.greaterfun.com.
65.216.114.26 mx02.gamingplayer.com.
65.216.114.27 mx02.ibargainday.net.
65.216.114.28 mx02.idealpursuit.net.
65.216.114.29 mx02.ijackpotjoy.net.
65.216.114.32 mx8.ivendarefinancial.com.
65.216.114.33 mx8.yourclubofferstoday.com.
65.216.114.34 mx8.yourusa-wellbeing.com.
65.216.114.35 mx8.edealfinders.net.
65.216.114.36 mx8.yourdigitalknowshow.com.
65.216.114.37 mx8.yourpinpoint.info.
65.216.114.42 mx03.mybigaward.com.
65.216.114.43 mx03.mybiggestprizes.com.
65.216.114.44 mx03.memberselects.com.
65.216.114.45 mx03.iwilliamsdirect.info.
65.216.114.46
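The netblock-blocking approach Paul describes (high-scoring senders aggregated per network, then dropped in IPTables) written out as an added example; this is not Paul's Perl script, which was never posted to the list. It reads a constructed log shape of `relay=IP score=N` lines (not real MIMEDefang log output), counts messages that SA scored 15 or more per /24, and renders iptables DROP rules as strings for an operator to review rather than applying them. The line format, the `SCORE_MIN`/`MIN_HITS` constants and the function names are assumptions; the 12.129.167.x, 64.156.172.x and 65.216.114.x addresses come from the list above, and 192.0.2.5 is a constructed TEST-NET address.

```python
import ipaddress
import re
from collections import Counter

SCORE_MIN = 15.0   # SA score at or above which a message counts as persistent spam (figure from the post)
MIN_HITS = 3       # hits a /24 needs before it is proposed for blocking (assumed value)

# Constructed sample lines, not real MIMEDefang log output: relay address and SA score.
SAMPLE_LOG = """\
relay=12.129.167.64 score=18.2
relay=12.129.167.66 score=16.0
relay=12.129.167.70 score=21.5
relay=64.156.172.10 score=17.1
relay=64.156.172.11 score=3.4
relay=192.0.2.5 score=2.1
relay=65.216.114.100 score=15.0
relay=65.216.114.131 score=19.9
relay=65.216.114.152 score=17.3
relay=65.216.114.153 score=16.8
"""

LINE_RE = re.compile(
    r"relay=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) score=(?P<score>-?\d+(?:\.\d+)?)"
)


def parse_log(text):
    """Return a list of (ip_address, score) for every line in the constructed format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # malformed octet, e.g. 999.1.1.1
            continue
        records.append((ip, float(m.group("score"))))
    return records


def netblocks_to_block(records, score_min=SCORE_MIN, min_hits=MIN_HITS, prefix=24):
    """Count messages scoring >= score_min per /prefix and return the networks
    that reached min_hits, as sorted CIDR strings."""
    hits = Counter()
    for ip, score in records:
        if score >= score_min:
            hits[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return sorted(str(net) for net, n in hits.items() if n >= min_hits)


def iptables_rules(networks, chain="INPUT", port=25):
    """Render DROP rules as strings for review; nothing here executes them."""
    return [f"iptables -A {chain} -p tcp --dport {port} -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    blocks = netblocks_to_block(parse_log(SAMPLE_LOG))
    for rule in iptables_rules(blocks):
        print(rule)
```

Rendering the rules instead of running them keeps a human in the loop: a /24 can hold unrelated hosts, and an aggregate-per-network block is exactly the kind of rule that produces the false positives the thread warns about, so the candidate list deserves a look before it goes into the firewall.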
RE: [Mimedefang] Anyone noticing...
On Tue, 2006-01-17 at 17:30 +, Paul Murphy wrote:
> For more background, search the mailing list archives for "Blocking spam senders using IPTables?".

Before I spend a lot of time searching... Did you post the script, or just notes on the idea?

Thanks,
Richard

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Anyone noticing...
Richard Laager wrote:
> On Tue, 2006-01-17 at 17:30 +, Paul Murphy wrote:
>> For more background, search the mailing list archives for "Blocking spam senders using IPTables?".
>
> Before I spend a lot of time searching... Did you post the script, or just notes on the idea?
>
> Thanks,
> Richard

I did something similar to this to reduce the spam (and load). Whenever I get a message I put the remote smtp server IP address in a sql table along with a timestamp, SA score, and counter. This lets me know what the SA average is for any host connecting.

Now that I know what the averages are, I query this information during the filter_recipient function and bounce messages where we have at least 5 messages to average on, and where that average is higher than the spam threshold that is read out of our ldap directory for that user.

So let's say that a user has the spam sensitivity set to high (5) and we have a zombie connect and pass 5 messages that average 7 points. On the 6th message the zombie will pass the mail from and rcpt to, then mimedefang finds that the average is higher than the user's threshold and bounces the message.

To keep the database cleaned up I delete all records that have not been updated for 24 hours every hour.

This change basically limits zombies to 5 messages before they are rejected, which saves the system from running SA on messages that are almost certainly spam. I don't have exact numbers but the mail load on the system dropped significantly. I need to update my graphdefang config so that I know the exact statistics, but haven't got to it yet.

The only drawback that I have found to this solution is users that forward all of their mail to our mail system. After the change several called and complained that the forwarding broke because the forwarded mail was mostly spam which caused the remote mta to get rejected. I told the users that the forwarded mail is mostly spam and that the provider forwarding the mail was indeed relaying spam. Every user had their issues resolved by either asking us to remove spam filtering from their account or asking the forwarding provider to filter messages for spam before they forward.

The reason why I did it this way instead of iptables was because we need to be able to adjust the spam filtering on a per-user basis. This is why we don't make any decisions on the message until after the rcpt to and ldap lookup. I also wanted to make sure that the support address always works because all of our bounce messages say to email support for help. This has worked very well for us since someone will run into a problem, then email support, which has spam filtering disabled (100 point threshold). When the helpdesk gets the message they simply look at the header which tells them exactly why the message was rejected and allows them to walk the user through how to fix it.

If we had gone with iptables we wouldn't be able to leave our abuse, postmaster, and support addresses open, and users would be rejected without an error message explaining exactly what happened. Since rejected email only costs us one ldap and one sql lookup we will live with that since those things are really cheap compared to mimedefang and SA.

Hope this helps someone.

schu
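The per-host SA average that schu describes, as an added example in Python with sqlite3. It is not his code; in MIMEDefang the same logic would be Perl inside filter_recipient in mimedefang-filter, with the threshold coming from an LDAP lookup per recipient. The table name, the column layout (a running sum plus a counter instead of one row per message), the `MIN_SAMPLES`/`STALE_AFTER` constants, the function names and the 192.0.2.10 sample address are assumptions; the 5-message minimum, 24-hour expiry, hourly cleanup, 5-point user threshold, 7-point zombie average and 100-point support threshold are the figures from his message.

```python
import sqlite3
import time

MIN_SAMPLES = 5             # messages a host must have before its average is acted on
STALE_AFTER = 24 * 3600     # records not updated for 24 hours are dropped by the hourly cleanup
SUPPORT_THRESHOLD = 100.0   # effectively disables filtering for support/abuse/postmaster

# Assumed schema: one row per remote SMTP host, a running score sum and a counter.
SCHEMA = """
CREATE TABLE IF NOT EXISTS host_stats (
    ip          TEXT PRIMARY KEY,
    last_seen   INTEGER NOT NULL,
    total_score REAL    NOT NULL,
    msg_count   INTEGER NOT NULL
)
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record_score(conn, ip, sa_score, now=None):
    """Called once a message has been scored by SA: update the sender's row."""
    now = int(now if now is not None else time.time())
    row = conn.execute("SELECT msg_count FROM host_stats WHERE ip = ?", (ip,)).fetchone()
    if row is None:
        conn.execute(
            "INSERT INTO host_stats (ip, last_seen, total_score, msg_count) VALUES (?, ?, ?, 1)",
            (ip, now, float(sa_score)),
        )
    else:
        conn.execute(
            "UPDATE host_stats SET last_seen = ?, total_score = total_score + ?, "
            "msg_count = msg_count + 1 WHERE ip = ?",
            (now, float(sa_score), ip),
        )
    conn.commit()


def host_average(conn, ip):
    """Return (msg_count, average_score) for ip, or (0, None) for an unseen host."""
    row = conn.execute(
        "SELECT msg_count, total_score / msg_count FROM host_stats WHERE ip = ?", (ip,)
    ).fetchone()
    return (row[0], row[1]) if row else (0, None)


def recipient_decision(conn, ip, user_threshold):
    """The filter_recipient-time check: reject only with enough samples and an
    average above this recipient's own threshold; otherwise let SA see the mail."""
    count, avg = host_average(conn, ip)
    if count < MIN_SAMPLES or avg is None:
        return ("CONTINUE", None)
    if avg > user_threshold:
        reason = (f"host {ip} averages {avg:.1f} SA points over {count} messages, "
                  f"above this recipient's threshold of {user_threshold:g}")
        return ("REJECT", reason)
    return ("CONTINUE", None)


def expire_stale(conn, now=None):
    """The hourly cleanup: drop hosts not seen for STALE_AFTER seconds; returns rows removed."""
    now = int(now if now is not None else time.time())
    cur = conn.execute("DELETE FROM host_stats WHERE last_seen < ?", (now - STALE_AFTER,))
    conn.commit()
    return cur.rowcount


def demo():
    """Walk through the post's scenario; returns (user verdict, support verdict, rows expired)."""
    conn = open_db()
    t0 = 1_000_000
    zombie = "192.0.2.10"  # constructed sample address (TEST-NET-1)
    for i, score in enumerate([6.0, 7.0, 8.0, 6.0, 8.0]):   # five messages averaging 7 points
        record_score(conn, zombie, score, now=t0 + i)
    sixth_for_user = recipient_decision(conn, zombie, user_threshold=5.0)
    sixth_for_support = recipient_decision(conn, zombie, user_threshold=SUPPORT_THRESHOLD)
    removed = expire_stale(conn, now=t0 + STALE_AFTER + 10)
    return sixth_for_user[0], sixth_for_support[0], removed


if __name__ == "__main__":
    print(demo())
```

The decision is deliberately made per recipient rather than per connection: the same zombie is rejected for a user at threshold 5 and accepted for support at threshold 100, which is the property that lets the helpdesk still receive the mail explaining why a sender was refused. The rejection text returned here would be the SMTP response, so the remote MTA (and a forwarding provider) gets an explanation instead of a silent firewall drop.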
RE: [Mimedefang] Anyone noticing...
Richard,

> Before I spend a lot of time searching... Did you post the script, or just notes on the idea?

Notes on the idea - I have a working Perl script to do the iptables changes, and a couple of useful shell scripts to lookup addresses and match names, but having seen the post by Matthew, I'd be tempted to give this a try instead...

Paul.
Re: [Mimedefang] Anyone noticing...
Matthew Schumacher wrote:
> If we had gone with iptables we wouldn't be able to leave our abuse, postmaster, and support addresses open, and users would be rejected without an error message explaining exactly what happened. Since rejected email only costs us one ldap and one sql lookup we will live with that since those things are really cheap compared to mimedefang and SA.

iptables blocks in this context (or whatever kernel-level firewall system is available) are for the persistent host that simply WILL NOT STOP whatever rude activity it's doing.

I've only ever had to use this once, against a freenet server that was opening SMTP connections ~5 times a second, starting the SMTP conversation (up to the sender IIRC)... and then stalling. Repeated, increasingly unhappy emails to the system's postmaster were accepted with no apparent effect. My final mail noted that I was dropping their server in my firewall due to persistent abuse (and included a short log extract - if I'd really been feeling annoyed that day I might have mailed the whole monster log), and that if and when they fixed their problem and contacted me (through an address handled by a different server) I would remove the entry. I removed it during a cleanup at one point about six months later and it hasn't happened again.

-kgd
[Mimedefang] Anyone noticing...
...spam e-mails coming from an e-mail [EMAIL PROTECTED] where the domain name generally has the word 'deluxe', 'luxury', or some form thereof in it? Over the past few days I've gotten hundreds upon hundreds of hits from:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

And there are other domains this is coming from as well. Now granted, Mimedefang does a wonderful job of blocking them all, still... It's a pain to see the resources of your MX get taken up by this crap.

--
W | It's not a bug - it's an undocumented feature.
+ Ashley M. Kirchner  mailto:[EMAIL PROTECTED]  .  303.442.6410 x130
  IT Director / SysAdmin / Websmith               .  800.441.3873 x130
  Photo Craft Laboratories, Inc.                  .  3550 Arapahoe Ave. #6
  http://www.pcraft.com                           .  Boulder, CO 80303, U.S.A.