Re: effectiveness of DUL

2000-08-25 Thread Markus Stumpf

On Thu, Aug 24, 2000 at 09:33:49PM -0700, Jon Rust wrote:
> Must be a spam house, or MS software is really just THAT broken. :-)

I have sometimes more than 10 tries a day from one host because of
temp rejects for stray newlines.
I usually place those in my local RBL for a permanent reject.

This is a Microsoft confirmed problem and they have a bug description
and fix.
   http://support.microsoft.com/support/kb/articles/Q224/9/83.ASP

\Maex

P.S. Just found another one ... had
   1592 rejects: unknown:202.106.185.36 stray newlines
 the last few hours.
 220-smtp01.sohu.com Microsoft SMTP MAIL Version: 5.5.1877.197.19

P.P.S. Not accepting stray newlines is IMHO good for SPAM protection *smile*
 Most of the servers that get rejected this way are relay open ;-)
 The above smtp01.sohu.com:202.106.185.36 is relay open, too.
 452 additional rejects within the last 20hs *smile*

-- 
SpaceNet GmbH |   http://www.Space.Net/   | Stress is when you wake
Research & Development| mailto:[EMAIL PROTECTED] | up screaming and you
Joseph-Dollinger-Bogen 14 |  Tel: +49 (89) 32356-0| realize you haven't
D-80807 Muenchen  |  Fax: +49 (89) 32356-299  | fallen asleep yet.



stray newlines (was Re: effectiveness of DUL)

2000-08-25 Thread Aaron L. Meehan

Quoting Markus Stumpf ([EMAIL PROTECTED]):
> On Thu, Aug 24, 2000 at 09:33:49PM -0700, Jon Rust wrote:
> > Must be a spam house, or MS software is really just THAT broken. :-)
>
> I have sometimes more than 10 tries a day from one host because of
> temp rejects for stray newlines.
> I usually place those in my local RBL for a permanent reject.
...
> P.P.S. Not accepting stray newlines is IMHO good for SPAM protection *smile*
>  Most of the servers that get rejected this way are relay open ;-)
>  The above smtp01.sohu.com:202.106.185.36 is relay open, too.
>  452 additional rejects within the last 20hs *smile*

Interesting, yes.  Well, I got tired long ago of that nonsense, so I
changed the error code for the stray newline to 551, in qmail-smtpd.c.
Suggested by someone else (forgot who, sorry), and wondered why I
hadn't thought of it myself sooner!

Aaron



effectiveness of DUL

2000-08-24 Thread M.B.

Occasionally someone will ask how well the DUL or RBL
works and some people throw out:
DUL caught 105 items
RBL caught 33 items

Just how do you determine how many it caught?
Do these denies get logged to tcpserver's log??
(when tcpserver is of course run w/ -v option)

Thanks,
mike.




Re: effectiveness of DUL

2000-08-24 Thread Aaron L. Meehan

Quoting M.B. ([EMAIL PROTECTED]):
> Occasionally someone will ask how well the DUL or RBL
> works and some people throw out:
> DUL caught 105 items
> RBL caught 33 items
>
> Just how do you determine how many it caught?
> Do these denies get logged to tcpserver's log??
> (when tcpserver is of course run w/ -v option)

They get logged like so, wherever you put the stdout of the chain that
starts qmail-smtpd.  Ours is piped to accustamp then cyclog.

965989289.871913 rblsmtpd: 32.101.147.178 pid 12452: 553 See URL:http://mail-abuse.org/dul/
965999356.889116 rblsmtpd: 158.252.97.199 pid 23932: 553 See URL:http://mail-abuse.org/dul/
965999365.185936 rblsmtpd: 158.252.97.199 pid 23937: 553 See URL:http://mail-abuse.org/dul/
966005127.412208 rblsmtpd: 158.252.30.194 pid 3172: 553 See URL:http://mail-abuse.org/dul/
966005221.904910 rblsmtpd: 158.252.30.194 pid 3367: 553 See URL:http://mail-abuse.org/dul/
966005661.426485 rblsmtpd: 194.149.167.138 pid 4353: 553 See URL:http://mail-abuse.org/dul/
966017246.944041 rblsmtpd: 4.4.162.159 pid 7390: 553 See URL:http://mail-abuse.org/dul/
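
An added example, not part of the original posts: one way to turn log lines in the format shown above into the "DUL caught N items" style of count, plus a per-source tally. The sample lines are constructed (documentation addresses), and classifying by the URL in the reject text (`/dul/`, `nph-rss`) is an assumption based on the messages quoted in this thread.

```shell
#!/bin/sh
# Constructed sample: timestamp, then the rblsmtpd line, as in the post above.
sample_log() {
cat <<'EOF'
966000001.000001 rblsmtpd: 192.0.2.10 pid 101: 553 See URL:http://mail-abuse.org/dul/
966000002.000001 tcpserver: status: 1/40
966000003.000001 rblsmtpd: 192.0.2.10 pid 102: 553 See URL:http://mail-abuse.org/dul/
966000004.000001 rblsmtpd: 203.0.113.5 pid 103: 553 Open relay problem - see URL:http://www.mail-abuse.org/cgi-bin/nph-rss?203.0.113.5
966000005.000001 rblsmtpd: 198.51.100.7 pid 104: 553 See URL:http://mail-abuse.org/dul/
966000006.000001 rblsmtpd: 192.0.2.10 pid 105: 553 See URL:http://mail-abuse.org/dul/
966000007.000001 rblsmtpd: 203.0.113.5 pid 106: 553 Open relay problem - see URL:http://www.mail-abuse.org/cgi-bin/nph-rss?203.0.113.5
EOF
}

# Rejects per blocklist, keyed on the URL in the reject text (assumed mapping).
count_by_list() {
  awk '$2 == "rblsmtpd:" {
         list = "other"
         if ($0 ~ /\/dul\//)      list = "DUL"
         else if ($0 ~ /nph-rss/) list = "RSS"
         n[list]++
       }
       END { for (l in n) print l, n[l] }' | sort
}

# Rejects per source address, busiest first; only rblsmtpd lines are counted.
top_sources() {
  awk '$2 == "rblsmtpd:" { print $3 }' |
    sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

echo "rejects per list:";   sample_log | count_by_list
echo "rejects per source:"; sample_log | top_sources
```

On a live system, feed the functions the log files written by the chain that starts qmail-smtpd instead of `sample_log`.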



Re: effectiveness of DUL

2000-08-24 Thread Jon Rust

Oy! This thread made me curious so I was grepping through my smtpd logs.
As they were streaming down the screen, it seemed like there were an
awful lot of a particular address. 195.25.12.67 and 75 seemed to be
showing up every line almost. In fact, in less than 3 days of logs I
show those addresses being rejected... take a deep breath... more than
38,000 times. Yikes. Either they are pushing some major amounts of spam,
or someone there is a blockhead and doesn't understand error messages.

jon





Re: effectiveness of DUL

2000-08-24 Thread Jon Rust

To add some perspective... the total of all messages blocked by RSS and
DUL was ~48,000 over that same period (the last 3 days). Those 2 IPs
accounted for close to 39,000 of those.

OT for the thread... DUL accounted for 350 of the denials.

jon



Re: effectiveness of DUL

2000-08-24 Thread Chris Johnson

On Thu, Aug 24, 2000 at 05:09:50PM -0700, Jon Rust wrote:
> Oy! This thread made me curious so I was grepping through my smtpd logs.
> As they were streaming down the screen, it seemed like there were an
> awful lot of a particular address. 195.25.12.67 and 75 seemed to be
> showing up every line almost. In fact, in less than 3 days of logs I
> show those addresses being rejected... take a deep breath... more than
> 38,000 times. Yikes. Either they are pushing some major amounts of spam,
> or someone there is a blockhead and doesn't understand error messages.

Whenever I see this kind of thing happen, it invariably turns out to be some
moronic Microsoft SMTP MTA on the other end. Your example is a case in point:

[cjohnson@mail cjohnson]$ telnet 195.25.12.67 25
Trying 195.25.12.67...
Connected to s2.gen.oleane.net.
Escape character is '^]'.
220-s2.gen.oleane.net Microsoft SMTP MAIL ready at Fri, 25 Aug 2000 02:21:33 +0200 Version: 5.5.1877.197.19
220 ESMTP spoken here

I suspect that you're not using the -b option to rblsmtpd, which causes
rblsmtpd to send a 553 (permanent) error code to an RBL'ed client rather than
the default 451 (temporary). Microsoft MTAs interpret the 451's "Try again
later" as "Try again as soon as you can, and keep trying over and over and over
as quickly as you possibly can."

If you want to shut this guy up, give rblsmtpd the -b option, or stick
something like the following in your SMTP rules file (assuming you're using
tcpserver):

195.25.12.67:allow,RBLSMTPD="-Buzz off, bonehead. You're bothering me."

The leading '-' makes the error permanent for this particular IP address.

Or, firewall his ass.

Chris
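
An added example, not part of the original post: a sketch that reads rblsmtpd log lines and emits rules-file entries of the form shown above for every source rejected at least a given number of times. The function name, threshold, message text and sample log are constructed; the source field is checked to be a dotted quad before it is written into a rule, so a malformed log line cannot inject rule syntax.

```shell
#!/bin/sh
# Constructed sample log (documentation addresses, one non-address source).
sample_log() {
cat <<'EOF'
966000001.000001 rblsmtpd: 192.0.2.10 pid 101: 553 See URL:http://mail-abuse.org/dul/
966000002.000001 rblsmtpd: 192.0.2.10 pid 102: 553 See URL:http://mail-abuse.org/dul/
966000003.000001 rblsmtpd: 203.0.113.5 pid 103: 553 See URL:http://mail-abuse.org/dul/
966000004.000001 rblsmtpd: unknown pid 104: 553 See URL:http://mail-abuse.org/dul/
966000005.000001 rblsmtpd: unknown pid 105: 553 See URL:http://mail-abuse.org/dul/
966000006.000001 rblsmtpd: 192.0.2.10 pid 106: 553 See URL:http://mail-abuse.org/dul/
EOF
}

# Usage: repeat_offender_rules MIN_REJECTS < logfile
# Prints one tcpserver rule per source with at least MIN_REJECTS rejects.
# The leading '-' in RBLSMTPD makes the reject permanent for that address.
repeat_offender_rules() {
  awk -v min="$1" '
    $2 == "rblsmtpd:" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
    END {
      for (ip in n)
        if (n[ip] >= min)
          printf "%s:allow,RBLSMTPD=\"-Rejected. Stop retrying after a permanent error.\"\n", ip
    }' | sort
}

sample_log | repeat_offender_rules 2
```

Append the output to the SMTP rules file and rebuild the cdb with tcprules for the new entries to take effect.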



Re: effectiveness of DUL

2000-08-24 Thread Jon Rust

Thanks for the advice Chris. I appreciate it. However, I do use the -b
flag, so mail is being blocked:

@400039a208a80b375874.s:@400039a1ba8124896a9c rblsmtpd:
195.25.12.67 pid 30954: 553 Open relay problem - see
URL:http://www.mail-abuse.org/cgi-bin/nph-rss?195.25.12.67

Must be a spam house, or MS software is really just THAT broken. :-)

jon

On Thu, Aug 24, 2000 at 08:32:19PM -0400, Chris Johnson wrote:
>
> Whenever I see this kind of thing happen, it invariably turns out to be some
> moronic Microsoft SMTP MTA on the other end. Your example is a case in point:
>
> [cjohnson@mail cjohnson]$ telnet 195.25.12.67 25
> Trying 195.25.12.67...
> Connected to s2.gen.oleane.net.
> Escape character is '^]'.
> 220-s2.gen.oleane.net Microsoft SMTP MAIL ready at Fri, 25 Aug 2000 02:21:33 +0200 Version: 5.5.1877.197.19
> 220 ESMTP spoken here
>
> I suspect that you're not using the -b option to rblsmtpd, which causes
> rblsmtpd to send a 553 (permanent) error code to an RBL'ed client rather than
> the default 451 (temporary). Microsoft MTAs interpret the 451's "Try again
> later" as "Try again as soon as you can, and keep trying over and over and over
> as quickly as you possibly can."
>
> If you want to shut this guy up, give rblsmtpd the -b option, or stick
> something like the following in your SMTP rules file (assuming you're using
> tcpserver):
>
> 195.25.12.67:allow,RBLSMTPD="-Buzz off, bonehead. You're bothering me."
>
> The leading '-' makes the error permanent for this particular IP address.
>
> Or, firewall his ass.
>
> Chris