Re: against this spam mail...

2005-05-18 Thread turgut kalfaoglu
What I did against this is, first, have a virtusertable that lists all
your users, and at the end has something like

@mydomain.edu.tr    error: sorry no one by that name
(syntax may be off; I am writing this off the top of my head)
so it rejects it outright before the mail has to go through spamassassin, etc.
Second thing I did: hack the sendmail source so that when
BadRcptThrottle is reached, it closes the connection instead.
Life has been peaceful since :)

-t

David B Funk wrote:
> On Wed, 18 May 2005, Jeff Chan wrote:
>
> > On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
> >
> > > Hello, all.
> > >
> > > When I see maillog, I can see lots of logs like below..
> > > Some spammer sends spam mails from [EMAIL PROTECTED] to [EMAIL PROTECTED], I guess.
> > > So mail server load is high to accept this spam and reply with "User
> > > unknown".
> > >
> > > Is there any good way or solution against these series of spam?
> > >
> > > Thanks in advance.
> > >
> > > May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <[EMAIL PROTECTED]>...
> > > User unknown
> > > May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <[EMAIL PROTECTED]>...
> > > User unknown
> > > May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <[EMAIL PROTECTED]>...
> > > User unknown
> >
> > This is called a "dictionary attack".  If you search for that and
> > sendmail, you may find some answers.  It's not specifically a
> > SpamAssassin question.
>
> For sendmail, enable the "BadRcptThrottle" threshold. This feature
> will cause sendmail to rate limit transactions once a specified number
> of bad recipients have been seen.
> sendmail will still have to tell the spammers "No No No" but at a slower
> rate so they don't drive up your server load average.
> (the default is 20, I've got mine set to 3 ;)
>
> Combine this with ConnectionRateThrottle & MaxDaemonChildren to limit
> the total simultaneous sessions to prevent your SpamAssassin from
> being driven into meltdown by these kinds of attacks.
>
> You can also add in dnsbl lists such as xbl.spamhaus.org to block
> connections by infected PCs at the SMTP level.
> Lots of this kind of trash is coming from 'bot nets' and can be
> blocked by good dnsbl lists.




Re: against this spam mail...

2005-05-18 Thread David B Funk
On Wed, 18 May 2005, Jeff Chan wrote:

> On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
> > Hello, all.
>
> > When I see maillog, I can see lots of logs like below..
> > Some spammer sends spam mails from [EMAIL PROTECTED] to [EMAIL PROTECTED], I
> > guess.
> > So mail server load is high to accept this spam and reply with "User
> > unknown".
>
> > Is there any good way or solution against these series of spam?
>
> > Thanks in advance.
>
> > May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <[EMAIL PROTECTED]>...
> > User unknown
> > May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <[EMAIL PROTECTED]>...
> > User unknown
> > May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <[EMAIL PROTECTED]>...
> > User unknown
>
> This is called a "dictionary attack".  If you search for that and
> sendmail, you may find some answers.  It's not specifically a
> SpamAssassin question.
>

For sendmail, enable the "BadRcptThrottle" threshold. This feature
will cause sendmail to rate limit transactions once a specified number
of bad recipients have been seen.
sendmail will still have to tell the spammers "No No No" but at a slower
rate so they don't drive up your server load average.
(the default is 20, I've got mine set to 3 ;)

Combine this with ConnectionRateThrottle & MaxDaemonChildren to limit
the total simultaneous sessions to prevent your SpamAssassin from
being driven into meltdown by these kinds of attacks.

You can also add in dnsbl lists such as xbl.spamhaus.org to block
connections by infected PCs at the SMTP level.
Lots of this kind of trash is coming from 'bot nets' and can be
blocked by good dnsbl lists.


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: against this spam mail...

2005-05-18 Thread hamann . w
>> Jeff Chan wrote:
>> > On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
>> > 
>> >>Hello, all.
>> > 
>> > 
>> >>When I see maillog, I can see lots of logs like below..
>> >>Some spammer sends spam mails from [EMAIL PROTECTED] to [EMAIL PROTECTED],
>> >>I guess.
>> >>So mail server load is high to accept this spam and reply with "User
>> >>unknown".
>> >
>> >
>> >>Is there any good way or solution against these series of spam?
>> > 
>> > 
>> >>Thanks in advance.
>> > 
>> > 
>> >>May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <[EMAIL PROTECTED]>... User unknown
>> >>May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <[EMAIL PROTECTED]>... User unknown
>> >>May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <[EMAIL PROTECTED]>... User unknown
>> >>May 18 15:11:04 mail02 sendmail[22494]: j4I6B4i22494: <[EMAIL PROTECTED]>... User unknown
>> >>May 18 15:11:05 mail02 sendmail[22498]: j4I6B5i22498: <[EMAIL PROTECTED]>... User unknown
>> >>May 18 15:11:05 mail02 sendmail[22515]: j4I6B5i22515: <[EMAIL PROTECTED]>... User unknown
>> >>May 18 15:11:05 mail02 sendmail[22516]: j4I6B5i22516: <[EMAIL PROTECTED]>... User unknown
>> >>May 18 15:11:06 mail02 sendmail[22525]: j4I6B6i22525: <[EMAIL PROTECTED]>... User unknown
>> > 
>> > 
>> > This is called a "dictionary attack".  If you search for that and
>> > sendmail, you may find some answers.  It's not specifically a
>> > SpamAssassin question.
>> > 
>> > Jeff C.
>> 
>> What I do for these kinds of e-mails is just block them at the sendmail 
>> level. If you're using FC2 (paths on other OS's may vary), just add a 
>> line like this in /etc/mail/access:
>> 
>> x.com   REJECT
>> 
>> This file is to allow relay access to domains. If you block out 
>> x.com, these messages will be rejected at the sendmail level.
>> 
>> Saurabh.
>> 

Hi,

I am dreaming of (or actually working on) something so that excessive undeliverables
from the same sender will automatically route further wrong addresses to the bit bucket.

Wolfgang Hamann



Re: against this spam mail...

2005-05-18 Thread Saurabh Barve
Jeff Chan wrote:
> On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
>> Hello, all.
>>
>> When I see maillog, I can see lots of logs like below..
>> Some spammer sends spam mails from [EMAIL PROTECTED] to [EMAIL PROTECTED], I guess.
>> So mail server load is high to accept this spam and reply with "User
>> unknown".
>>
>> Is there any good way or solution against these series of spam?
>>
>> Thanks in advance.
>>
>> May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <[EMAIL PROTECTED]>...
>> User unknown
>> May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <[EMAIL PROTECTED]>...
>> User unknown
>> May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <[EMAIL PROTECTED]>...
>> User unknown
>> May 18 15:11:04 mail02 sendmail[22494]: j4I6B4i22494: <[EMAIL PROTECTED]>...
>> User unknown
>> May 18 15:11:05 mail02 sendmail[22498]: j4I6B5i22498: <[EMAIL PROTECTED]>...
>> User unknown
>> May 18 15:11:05 mail02 sendmail[22515]: j4I6B5i22515: <[EMAIL PROTECTED]>...
>> User unknown
>> May 18 15:11:05 mail02 sendmail[22516]: j4I6B5i22516: <[EMAIL PROTECTED]>...
>> User unknown
>> May 18 15:11:06 mail02 sendmail[22525]: j4I6B6i22525: <[EMAIL PROTECTED]>...
>> User unknown
>
> This is called a "dictionary attack".  If you search for that and
> sendmail, you may find some answers.  It's not specifically a
> SpamAssassin question.
>
> Jeff C.

What I do for these kinds of e-mails is just block them at the sendmail
level. If you're using FC2 (paths on other OS's may vary), just add a
line like this in /etc/mail/access:

x.com   REJECT

This file is to allow relay access to domains. If you block out
x.com, these messages will be rejected at the sendmail level.

Saurabh.
--
--
"Yours is to work. The results will take care of themselves"
-- Swami Vivekanad
--
Saurabh Barve
[EMAIL PROTECTED]
(970)491-7714



Re: against this spam mail...

2005-05-18 Thread Jeff Chan
On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
> Hello, all.

> When I see maillog, I can see lots of logs like below..
> Some spammer sends spam mails from [EMAIL PROTECTED] to [EMAIL PROTECTED], I
> guess.
> So mail server load is high to accept this spam and reply with "User
> unknown".

> Is there any good way or solution against these series of spam?

> Thanks in advance.

> May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <[EMAIL PROTECTED]>... 
> User unknown
> May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <[EMAIL PROTECTED]>... 
> User unknown
> May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <[EMAIL PROTECTED]>... 
> User unknown
> May 18 15:11:04 mail02 sendmail[22494]: j4I6B4i22494: <[EMAIL PROTECTED]>... 
> User unknown
> May 18 15:11:05 mail02 sendmail[22498]: j4I6B5i22498: <[EMAIL PROTECTED]>... 
> User unknown
> May 18 15:11:05 mail02 sendmail[22515]: j4I6B5i22515: <[EMAIL PROTECTED]>... 
> User unknown
> May 18 15:11:05 mail02 sendmail[22516]: j4I6B5i22516: <[EMAIL PROTECTED]>... 
> User unknown
> May 18 15:11:06 mail02 sendmail[22525]: j4I6B6i22525: <[EMAIL PROTECTED]>... 
> User unknown

This is called a "dictionary attack".  If you search for that and
sendmail, you may find some answers.  It's not specifically a
SpamAssassin question.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
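
The "User unknown" burst quoted throughout this thread can be picked out of the maillog per connecting relay. This is an added example, not code from any poster in the thread: it assumes unwrapped sendmail log lines and that each rejected recipient is followed by a `from=... relay=...` entry carrying the same queue ID. The sample log, the function name `bad_rcpt_bursts` and the threshold and window values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (placeholder addresses and relays), one log entry per line.
SAMPLE_LOG = """\
May 18 15:11:04 mail02 sendmail[101]: j4I6B4i00101: <aaa@example.edu>... User unknown
May 18 15:11:04 mail02 sendmail[101]: j4I6B4i00101: from=<s@example.net>, size=0, nrcpts=0, relay=[192.0.2.10]
May 18 15:11:04 mail02 sendmail[102]: j4I6B4i00102: <aab@example.edu>... User unknown
May 18 15:11:04 mail02 sendmail[102]: j4I6B4i00102: from=<s@example.net>, size=0, nrcpts=0, relay=[192.0.2.10]
May 18 15:11:05 mail02 sendmail[103]: j4I6B5i00103: <aac@example.edu>... User unknown
May 18 15:11:05 mail02 sendmail[103]: j4I6B5i00103: from=<s@example.net>, size=0, nrcpts=0, relay=[192.0.2.10]
May 18 15:11:06 mail02 sendmail[104]: j4I6B6i00104: <aad@example.edu>... User unknown
May 18 15:11:06 mail02 sendmail[104]: j4I6B6i00104: from=<s@example.net>, size=0, nrcpts=0, relay=[192.0.2.10]
May 18 15:12:30 mail02 sendmail[105]: j4I6CUi00105: <jon.smiht@example.edu>... User unknown
May 18 15:12:30 mail02 sendmail[105]: j4I6CUi00105: from=<u@example.org>, size=0, nrcpts=0, relay=mx.example.org [198.51.100.7]
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (\w+): (.*)$")

def bad_rcpt_bursts(log_text, threshold=3, window=60, year=2005):
    """Return {relay: peak count} for relays with >= threshold rejects in `window` seconds."""
    rejects, relay_of = defaultdict(list), {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp, qid, rest = m.groups()
        if rest.endswith("User unknown"):
            # syslog omits the year, so the caller supplies it
            rejects[qid].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
        elif "relay=" in rest:
            relay_of[qid] = rest.split("relay=", 1)[1]  # queue ID ties the reject to a relay
    per_relay = defaultdict(list)
    for qid, times in rejects.items():
        per_relay[relay_of.get(qid, "unknown")].extend(times)
    flagged, span = {}, timedelta(seconds=window)
    for relay, times in per_relay.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > span:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[relay] = peak
    return flagged
```

On the constructed sample, the relay that is refused four recipients across four connections in two seconds is flagged, while the single mistyped address from the second relay is not.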