[xmail] Re: Spammers - How to block them.
Henri, that will be exactly your problem. Investigate your DNS setup, even do that Ethereal thing between your DNS forwarder and the RBL. Then you can see if the RBL didn't respond, or your DNS 'lost it'. DNS timeouts are a killer ! Rob :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henri van Riel Sent: Thursday, February 16, 2006 6:03 AM To: Rob Arends Subject: [xmail] Re: Spammers - How to block them. Hello Rob, You're probably right, it might be a DNS problem... I run dnsmasq (http://thekelleys.org.uk/dnsmasq/doc.html) on my server as a forwarding DNS server. It supports caching though that's useless when querying blacklist services. It seems to be quite fast but I did notice something funny with it. Taken from syslog: (1) query[type=1910] 122.132.43.200.dnsbl.sorbs.net from 127.0.0.1 forwarded 122.132.43.200.dnsbl.sorbs.net to 194.109.104.104 (2) query[A] 1.140.26.83.dnsbl.sorbs.net from 127.0.0.1 forwarded 1.140.26.83.dnsbl.sorbs.net to 194.109.104.104 reply 1.140.26.83.dnsbl.sorbs.net is 127.0.0.10 As you can see, there never came a reply to the first query because that ip address is not listed. It should reply 127.0.0.1 though! The second query did receive a reply, stating that the ip is listed. Maybe that's the problem? I have no idea why dnsmasq won't reply 127.0.0.1 though. Any ideas? -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hello Rob, Tuesday, February 14, 2006, 2:19:14 PM, you wrote: > Try > "SMTP-MaxErrors""1" > In server.tab > If there is ONE erroneous RCPT TO, then dump the connection. I've tried it and it works really well! The only problem is... even a legitimate server can cause an smtp error every once in a while... > Once you kill off all the repeat connections, then you might > increase to 2, and combine with your script to cover other issues. I > have mine set to 3. I'll set it to 3 and watch the log for errors. > GLST - I have Windows, so it was all built into glst.exe. I don't > know for Linux. Thanks for the hint anyway! -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
To reduce CustMapsList processing time, you can, with most of 'big blacklist' mainteners (spamcop, rbl, ..) do local a mirror for the zones in a local dns server, so you could reduce dns traffic dramaticaly and custmaplist response time by saying xmail to use the local dns server. Note that I never used this setup for local custmaslists, as we have enought bandwidth et power for our current usage. So don't ask me how to do (or at last ressort ;-) ). First check the list maintener web site for instructions ;-) Francis >-Message d'origine- >De : [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] la part de Rob Arends >Envoyé : mercredi 15 février 2006 15:07 >À : xmail@xmailserver.org >Objet : [xmail] Re: Spammers - How to block them. > > > >The email response below reminds me of the real causes of your >slow-to-drop >connections. > >> XMail slows down considerably when I use CustMapsList in server.tab. > >The process as I understand it for an email that is to be dropped. > >1. Remote server starts SMTP connection to xMail. >2. xMail looks up IP in CustMapsList. (if found then goto 5) >3. xMail accepts the [Mail from] and [rcpt to] info. >4. xMail looks up the SMTP-MaxErrors, the local users and aliases, and >rejects as needed. (maybe even a predata filter) >5. xMail drops the connection. > >Ok. >Points 1,3,4,5 are all very easy to understand and configure. >After all, >this is what we have been discussing over the last few days. > >Point 2 >The longer the CustMapsList the longer the delay before xMail >can determine >that the IP was black listed. >xMail will ask each of the RBLs if they have the IP listed, (I >think this >synchronously, but could be in asynchronously). If >synchronously, then the >longer the list of RBLS, the longer before xMail can continue. >Even asynchronously xMail would have to wait for the last one to reply. >Obviously if one of the RBLs returns true, then the process stops >immediately. > >Now even if you don't have a long list of RBLs, the issue >could still be in >this area. >How fast is your DNS server response? >If it times out often or just can't cope, that will lengthen >the time for >the RBL responses to xMail. > >You can see that one SMTP connection starts a dozen other >connections before >the user [rcpt to] is even sent to xMail. Now multiply that by all the >connections you have, and.. You get the picture. > >I can't remember the number of times xMail connection faults have been >reported on this list and they boiled down to DNS issues. > >Please check your DNS response time and potentially reduce the >RBL list, or >put the most likely match as the first RBL listed. > >Get Ethereal and watch your SMTP traffic, you will be amazed >at the amount >of traffic one connection spawns. >It will also give you an idea of your DNS traffic. Remember >to use a hub >(or a switch with a monitor port) to capture the traffic, >unless you run >Ethereal on the xMail server. > >Rob :-) > >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On >Behalf Of Henri van Riel >Sent: Wednesday, February 15, 2006 6:19 AM >To: Jeff Buehler >Cc: xmail@xmailserver.org >Subject: [xmail] Re: Spammers - How to block them. > > >Hi Jeff, > >> I suspect this makes little difference, but just in case you aren't >> aware of this, you can run ASSP on a different computer - it doesn't >> have to be the same system, and so Perl also does not need to be on >> your XMail system. I'm not certain why you have feelings about >> running something in front of XMail if it will simply reduce the >> burden on your server (significantly) but we all have our reasons, I >> suppose! > >The main reason for not wanting anything installed before >XMail is mainly >because I've been having bad experiences with AVmailGate but >also because >I'd much rather have XMail solve my problem. There must be a >way without >having to install (and maintain) several tools. > >> If you aren't processing much email, then I can't understand why you >> are getting the "server too busy" errors you mentioned in your first >> email. Something doesn't sound quite right. Frankly, even before I >> was running ASSP, I was processing quite a bit of email (thousands a >> day, sometimes more, and thousands more a day of SPAM) and I never >> received an error like that on send. > >That's odd. How many smtp threads were you running? I've set >the maximum to >16 now where 4 should be enough to handle all incoming mail (ea
[xmail] Re: Spammers - How to block them.
The email response below reminds me of the real causes of your slow-to-drop connections. > XMail slows down considerably when I use CustMapsList in server.tab. The process as I understand it for an email that is to be dropped. 1. Remote server starts SMTP connection to xMail. 2. xMail looks up IP in CustMapsList. (if found then goto 5) 3. xMail accepts the [Mail from] and [rcpt to] info. 4. xMail looks up the SMTP-MaxErrors, the local users and aliases, and rejects as needed. (maybe even a predata filter) 5. xMail drops the connection. Ok. Points 1,3,4,5 are all very easy to understand and configure. After all, this is what we have been discussing over the last few days. Point 2 The longer the CustMapsList the longer the delay before xMail can determine that the IP was black listed. xMail will ask each of the RBLs if they have the IP listed, (I think this synchronously, but could be in asynchronously). If synchronously, then the longer the list of RBLS, the longer before xMail can continue. Even asynchronously xMail would have to wait for the last one to reply. Obviously if one of the RBLs returns true, then the process stops immediately. Now even if you don't have a long list of RBLs, the issue could still be in this area. How fast is your DNS server response? If it times out often or just can't cope, that will lengthen the time for the RBL responses to xMail. You can see that one SMTP connection starts a dozen other connections before the user [rcpt to] is even sent to xMail. Now multiply that by all the connections you have, and.. You get the picture. I can't remember the number of times xMail connection faults have been reported on this list and they boiled down to DNS issues. Please check your DNS response time and potentially reduce the RBL list, or put the most likely match as the first RBL listed. Get Ethereal and watch your SMTP traffic, you will be amazed at the amount of traffic one connection spawns. It will also give you an idea of your DNS traffic. Remember to use a hub (or a switch with a monitor port) to capture the traffic, unless you run Ethereal on the xMail server. Rob :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henri van Riel Sent: Wednesday, February 15, 2006 6:19 AM To: Jeff Buehler Cc: xmail@xmailserver.org Subject: [xmail] Re: Spammers - How to block them. Hi Jeff, > I suspect this makes little difference, but just in case you aren't > aware of this, you can run ASSP on a different computer - it doesn't > have to be the same system, and so Perl also does not need to be on > your XMail system. I'm not certain why you have feelings about > running something in front of XMail if it will simply reduce the > burden on your server (significantly) but we all have our reasons, I > suppose! The main reason for not wanting anything installed before XMail is mainly because I've been having bad experiences with AVmailGate but also because I'd much rather have XMail solve my problem. There must be a way without having to install (and maintain) several tools. > If you aren't processing much email, then I can't understand why you > are getting the "server too busy" errors you mentioned in your first > email. Something doesn't sound quite right. Frankly, even before I > was running ASSP, I was processing quite a bit of email (thousands a > day, sometimes more, and thousands more a day of SPAM) and I never > received an error like that on send. That's odd. How many smtp threads were you running? I've set the maximum to 16 now where 4 should be enough to handle all incoming mail (easily!). > I understood you to say that you were getting SMTP connect errors > because XMail was taking too long to refuse invalid users. > Logically, if you are receiving server too busy errors simply from > refusing emails to non-valid users (as I read your first email to be > saying), which would require an incredible volume of invalid email (or > a very, very slow server), then the only way to prevent server > overload would be to put something in front of XMail, since XMail is > already refusing those emails that are causing the problem. But I > must have misunderstood given the direction the rest of this thread > has taken. The server won't break any speed records, that's true. Still, it should be more than good enough for my purposes. XMail slows down considerably when I use CustMapsList in server.tab. My guess is that these services are very slow and XMail has to check 4 or 5 for each and every email it receives. I guess all my smtp threads are busy waiting for a reply from these anti-spam services and are unable to allow other connections. Setting SMTP-RDNSCheck to "1" in my server.tab also slows down mail processing in XMail. >
[xmail] Re: Spammers - How to block them.
On 13 Feb 2006, at 13:23, John Kielkopf wrote: > > Doesn't SMTP-MaxErrors in server.tab help with this? > That's what I use here although currently less than 100/day for two nearly 7yr old domains. SMTP-MaxErrors "2" SMTP-RDNSCheck "-2" Also IP blocks that send me lots of spam get put in spammers.tab with "code=-3" which then gets increased if spam continues. I've noticed some legitimate sites I've tested this with have problems with long delays so longest I've used is 7 seconds. David > > Henri van Riel wrote: > > >Hi all, > > > >I've got a peculiar problem. My domain (a sub-domain of my ISP) > >receives a lot of (spam) email. I'm talking more than 15,000 emails > >per day (about 10mb/hour). All these emails are for recipients *not* > >defined on my domain. Someone has simply generated thousands of fake > >email addresses and put them on a cd and sells that (probably). > > > >I've set up XMail so that it only accepts mail for known users, so I > >don't really receive these emails. The problem is that my smtp > >threads are always *busy*. When I try to send email from outside my > >LAN through my mailserver at home I always get the message `server > >too busy, retry later...` because all my SMTP threads are handling > >mail from these spammers... > > > >What I would like is that XMail *immediately* drops the connection > >with the spammer's mailserver but it doesn't seem to do that. > >Connections stay open for a while because this server has dozens of > >emails to deliver to my server (all for users that don't exist!). > > > >Is there a way to immediately drop the connection with the server > >that tries to deliver mail to an unknown user and also ban this > >particular mail server for at least a day? That would decrease the > >number of random emails significantly and save me a lot on bandwidth. > > > >Any help would be appreciated. > > > >Thanks. > > - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hello Phillip, > Don't block on catchall. I would guess you have blocked yourself > and/or some of the major email ip addresses that you receive from. What I did that was preventing XMail from receiving any mail what so ever was adding the ip address of the spammer.tab with /0 instead of /32... oops! > Make a list of the dictionary addresses they are sending to and only > block those by adding the sending ip's in the spammers.tab. I use a > 255.255.255.255 mask on them in the spammers.tab, only blocking the > one ip. I do that too now! > Do this by logging any email addresses that receive email, and then > copy the dictionary ones to the address file for the filter to use. > I ended up with a list of around 400 email addresses. (This is for a > personal domain). Hmmm... what's the difference really? I've set up a postmaster account with a couple of aliases (info, sales, root, etc) and a `fake` mailbox called `spamtrap` which has the catch-all alias (*). All mail for known users will go to either their mailbox or to the postmaster's mailbox. The rest will go through my filter which could add the sender's ip-address to spammers.tab or the recipients email address (non-existent) to a dictionary and then return an exitcode 3 to XMail so it will disconnect without receiving the mail data. I've made a script to generate a dictionary and it's been on for 10 minutes now and I already have 349 names in it! > You need to be careful doing this by making sure that there is no > reason for anyone to send to that email address. Don't block things > like info, postmaster, admin, sales, and so on. Those are common > ones that get spammed that you don't want to block at this level. > Remember that you are blocking saying that if a computer (maybe your > isp's email server) sends to this address I never want to receive > email from that ip address again. Very heavy handed. Yeah, you're right about that of course. > Blocking the dictionary names is not the way to stop all spam, but > it will stop that majority of it if you are targeted. It does take a > day or two to get all the email addresses that are to be blocked, > but it is worth it. It will definitely block most spam. The emails that go through because the mailbox exists will be checked by the services listed in CustMapsList, which will reduce spam by another 50-80%. > And then delete the spammers.tab once in a while, I try to do it > once a week or so. I wanted to trim the spammers.tab file so it won't hold more than 200 ip-addresses or so. > The advantage of the spammers.tab (the way I understand it) is that > if the connecting ip is listed then the connection is dropped > without receiving any data. When you have limited bandwidth you > don't want to receive the entire message before deciding to drop it. That's how I understand it too! Connection should be dropped `soon` after a listed ip tries to connect. -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hi Henri - >That's odd. How many smtp threads were you running? I've set the >maximum to 16 now where 4 should be enough to handle all incoming mail >(easily!). > > Whatever the default is (is it MaxMTAOps? - that is set to 16 on my system). Running on FreeBSD on a Athlon XP running at 2 GHz, 1 gig of RAM, fast SCSI hard drive. Nothing too fancy. Right now running ASSP -> clamsmtp -> XMail (in this case on the same system) this handily processes 4500 (or so) valid emails per day and refuses about the same number of additional SPAMs. Without the CLAMsmtp and ASSP this same system processed almost that much email without me ever seeing the problem you describe. >It's not the spam per se, I know how to get rid of that. It's because >99.5% of all incoming mail is for non-existent recipients. I don't >want to check them all to see if it's spam or not cause I already >*know* it's spam. I don't want to waste server resources and internet >bandwidth for something I already know I don't want. I just want to >get rid of those attempts from spammers to deliver spam to my server >as quickly and as easily as possible. > > > Again, if the problem is email to invalid users, I don't see how any of the other options you mentioned in XMail will necessarily help. Perhaps they will by using a different mechanism, like RBL check, that is faster than XMails own determination of an invalid address, but that seems a stretch to me. ASSP is designed to close the SMTP session immediately if it doesn't like an email for any reason specified by the admin, such as an invalid address, so it directly addresses the problem you are having. However, as also mentioned, it seems very strange to me that XMail would be so slow on refusing invalid connections as to cause connection failures from valid senders if you have a low volume of email - I don't know XMail's mechanism behind this (perhaps someone else can clarify) but I have never run into that problem, or heard of anyone else running into that problem, unless they were getting a HUGE volume of SPAM (and not specifically to invalid users). So it might be worth looking into WHY your installation is behaving this way, since it sounds fishy to me. Maybe 4 threads was too low? Jeff - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hi Jeff, > I suspect this makes little difference, but just in case you aren't > aware of this, you can run ASSP on a different computer - it doesn't > have to be the same system, and so Perl also does not need to be on > your XMail system. I'm not certain why you have feelings about > running something in front of XMail if it will simply reduce the > burden on your server (significantly) but we all have our reasons, I > suppose! The main reason for not wanting anything installed before XMail is mainly because I've been having bad experiences with AVmailGate but also because I'd much rather have XMail solve my problem. There must be a way without having to install (and maintain) several tools. > If you aren't processing much email, then I can't understand why you > are getting the "server too busy" errors you mentioned in your first > email. Something doesn't sound quite right. Frankly, even before I > was running ASSP, I was processing quite a bit of email (thousands a > day, sometimes more, and thousands more a day of SPAM) and I never > received an error like that on send. That's odd. How many smtp threads were you running? I've set the maximum to 16 now where 4 should be enough to handle all incoming mail (easily!). > I understood you to say that you were getting SMTP connect errors > because XMail was taking too long to refuse invalid users. > Logically, if you are receiving server too busy errors simply from > refusing emails to non-valid users (as I read your first email to be > saying), which would require an incredible volume of invalid email > (or a very, very slow server), then the only way to prevent server > overload would be to put something in front of XMail, since XMail is > already refusing those emails that are causing the problem. But I > must have misunderstood given the direction the rest of this thread > has taken. The server won't break any speed records, that's true. Still, it should be more than good enough for my purposes. XMail slows down considerably when I use CustMapsList in server.tab. My guess is that these services are very slow and XMail has to check 4 or 5 for each and every email it receives. I guess all my smtp threads are busy waiting for a reply from these anti-spam services and are unable to allow other connections. Setting SMTP-RDNSCheck to "1" in my server.tab also slows down mail processing in XMail. > If it is simply an issue of SPAM in general, and you need to block > it, and you don't want to use something like ASSP (for reasons of > purity?), then your best bet is greylisting (as Rob Arends covers > well), RBL blocking, and perhaps something like you mention with an > automated addition to the spammers list as a last addition. It's not the spam per se, I know how to get rid of that. It's because 99.5% of all incoming mail is for non-existent recipients. I don't want to check them all to see if it's spam or not cause I already *know* it's spam. I don't want to waste server resources and internet bandwidth for something I already know I don't want. I just want to get rid of those attempts from spammers to deliver spam to my server as quickly and as easily as possible. -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hi Henri - I suspect this makes little difference, but just in case you aren't aware of this, you can run ASSP on a different computer - it doesn't have to be the same system, and so Perl also does not need to be on your XMail system. I'm not certain why you have feelings about running something in front of XMail if it will simply reduce the burden on your server (significantly) but we all have our reasons, I suppose! If you aren't processing much email, then I can't understand why you are getting the "server too busy" errors you mentioned in your first email. Something doesn't sound quite right. Frankly, even before I was running ASSP, I was processing quite a bit of email (thousands a day, sometimes more, and thousands more a day of SPAM) and I never received an error like that on send. I understood you to say that you were getting SMTP connect errors because XMail was taking too long to refuse invalid users. Logically, if you are receiving server too busy errors simply from refusing emails to non-valid users (as I read your first email to be saying), which would require an incredible volume of invalid email (or a very, very slow server), then the only way to prevent server overload would be to put something in front of XMail, since XMail is already refusing those emails that are causing the problem. But I must have misunderstood given the direction the rest of this thread has taken. If it is simply an issue of SPAM in general, and you need to block it, and you don't want to use something like ASSP (for reasons of purity?), then your best bet is greylisting (as Rob Arends covers well), RBL blocking, and perhaps something like you mention with an automated addition to the spammers list as a last addition. Jeff Henri van Riel wrote: >Hi Jeff, > > > >>You can run ASSP on a different server than XMail. Also, you can >>use it simply to verify that the address being sent to is a valid >>one - it does not need to perform Bayesian -filter based SPAM >>blocking unless you want it to (you could open up the ruleset, or >>you can have it simply tag the email that goes through with >>something if it thinks it's SPAM). If what you need is to be able >>to close sessions to invalid addresses quickly, that is the only way >>I know how to do it. >> >> > >I'll certainly look into it but I don't like the idea of having to run >something in front of XMail... Also, I'd need to install Perl on my >mailserver which is *strictly* a mailserver. > > > >>What you suggest might work, but spammers domains and addresses >>change very rapidly, so I'm not certain you would actually cut down >>the volume much, and you would end up having to process all of that >>email. ASSP will simply terminate the session more or less >>immediately if it doesn't like the email, the sender, or the >>address, or any combination of those things. >> >> > >I don't have to process that much email though. First of all, my new >CustMapsList filters out a lot of spam. If the sender seems ok, XMail >first checks if the recipient is known. If not, it redirects it to my >catch-all account. While it is doing that, the filters.pre-data.tab >filter kicks in *before* the data command, only the headers have >arrived so far. Next, my script will get the ip address from those >headers and exits with code 3 which makes XMail to terminate the >connection. Mail with a valid recipient will still go through the >filter but that's not a problem. > >Sounds to me that it could work! ;) > > > - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Don't block on catchall. I would guess you have blocked yourself and/or some of the major email ip addresses that you receive from. Make a list of the dictionary addresses they are sending to and only block those by adding the sending ip's in the spammers.tab. I use a 255.255.255.255 mask on them in the spammers.tab, only blocking the one ip. Do this by logging any email addresses that receive email, and then copy the dictionary ones to the address file for the filter to use. I ended up with a list of around 400 email addresses. (This is for a personal domain). You need to be careful doing this by making sure that there is no reason for anyone to send to that email address. Don't block things like info, postmaster, admin, sales, and so on. Those are common ones that get spammed that you don't want to block at this level. Remember that you are blocking saying that if a computer (maybe your isp's email server) sends to this address I never want to receive email from that ip address again. Very heavy handed. Blocking the dictionary names is not the way to stop all spam, but it will stop that majority of it if you are targeted. It does take a day or two to get all the email addresses that are to be blocked, but it is worth it. And then delete the spammers.tab once in a while, I try to do it once a week or so. I have a very similar setup. The dictionary attack is probably coming from zombie machines, which come and go very frequently. One of the things I noticed about the attacks is that the mail will start coming in. I would receive several hundred in a matter of a few minutes, but only 3-5 from each ip address. It would be a large number of ip addresses sending the mail. Return addresses and all of that varied throughout the messages. Then it would repeat a short time later, with new ip addresses and email addresses. The problem with dnsbl was that I would get hit with an attack, and then in a day or two the ip's would be listed in the dnsbl. It appeared that someone got together a zombie net, sent the spam, and then gets most of the machines listed. The listings worked great at some point, but if you were in the leading edge of the attack you could get thousands of emails before the ip's are listed. The advantage of the spammers.tab (the way I understand it) is that if the connecting ip is listed then the connection is dropped without receiving any data. When you have limited bandwidth you don't want to receive the entire message before deciding to drop it. Phillip -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henri van Riel Sent: Tuesday, February 14, 2006 6:18 AM To: Rob Arends Cc: xmail@xmailserver.org Subject: [xmail] Re: Spammers - How to block them. Hello Rob, > Henri, that does sound like it would work. Sounds like it but there seems to be a glitch somewhere cause I wasn't receiving *any* mail anymore... Bummer, and that on a day like Valentine's day ;) I need to take a closer look at my script cause outgoing mail goes through that script of mine too... Hadn't thought of that. One of the problems is that CustMapsList checking and my script take a while to complete. Quite a while even which in fact makes the problem worse. At times I have up to 25 servers connected to XMail trying to deliver mail to users who don't even exist! I want to get rid of those connection as quickly as possible to free smtp threads so they can receive valid mails... I was thinking, is setting SMTP-RDNSCheck to "1" in server.tab going to be helpfull? > The only thing to watch with your method, is that you block > legitimate users that happen to key in the wrong address. True. I was thinking of constantly tweaking the list of ip addresses in spammers.tab to a maximum of 100 or so. > I've had great success with greylisting (glst from Davide). > I did have to tweak it a bit to deal with the likes of > hotmail/yahoo/etc because of their many sending MTAs. I'll have a look but it seems I need GDBM and stuff for it... > Rob :-) > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Henri van Riel > Sent: Tuesday, February 14, 2006 9:23 AM > To: Jeff Buehler > Cc: xmail@xmailserver.org > Subject: [xmail] Re: Spammers - How to block them. > Hi Jeff, >> You can run ASSP on a different server than XMail. Also, you can use >> it simply to verify that the address being sent to is a valid one - it >> does not need to perform Bayesian -filter based SPAM blocking unless >> you want it to (you could open up the ruleset, or you can have it >> simply tag the email that goes through with something if it thinks >> it's SPAM). If what you need is to be able to close sessions to >> invalid addresses quickly, that is the only way I know how to do it. &g
[xmail] Re: Spammers - How to block them.
Henri, Try "SMTP-MaxErrors""1" In server.tab If there is ONE erroneous RCPT TO, then dump the connection. Once you kill off all the repeat connections, then you might increase to 2, and combine with your script to cover other issues. I have mine set to 3. GLST - I have Windows, so it was all built into glst.exe. I don't know for Linux. Rob :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henri van Riel Sent: Tuesday, February 14, 2006 11:18 PM To: Rob Arends Cc: xmail@xmailserver.org Subject: [xmail] Re: Spammers - How to block them. Hello Rob, > Henri, that does sound like it would work. Sounds like it but there seems to be a glitch somewhere cause I wasn't receiving *any* mail anymore... Bummer, and that on a day like Valentine's day ;) I need to take a closer look at my script cause outgoing mail goes through that script of mine too... Hadn't thought of that. One of the problems is that CustMapsList checking and my script take a while to complete. Quite a while even which in fact makes the problem worse. At times I have up to 25 servers connected to XMail trying to deliver mail to users who don't even exist! I want to get rid of those connection as quickly as possible to free smtp threads so they can receive valid mails... I was thinking, is setting SMTP-RDNSCheck to "1" in server.tab going to be helpfull? > The only thing to watch with your method, is that you block legitimate > users that happen to key in the wrong address. True. I was thinking of constantly tweaking the list of ip addresses in spammers.tab to a maximum of 100 or so. > I've had great success with greylisting (glst from Davide). > I did have to tweak it a bit to deal with the likes of > hotmail/yahoo/etc because of their many sending MTAs. I'll have a look but it seems I need GDBM and stuff for it... > Rob :-) > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Henri van Riel > Sent: Tuesday, February 14, 2006 9:23 AM > To: Jeff Buehler > Cc: xmail@xmailserver.org > Subject: [xmail] Re: Spammers - How to block them. > Hi Jeff, >> You can run ASSP on a different server than XMail. Also, you can use >> it simply to verify that the address being sent to is a valid one - >> it does not need to perform Bayesian -filter based SPAM blocking >> unless you want it to (you could open up the ruleset, or you can have >> it simply tag the email that goes through with something if it thinks >> it's SPAM). If what you need is to be able to close sessions to >> invalid addresses quickly, that is the only way I know how to do it. > I'll certainly look into it but I don't like the idea of having to run > something in front of XMail... Also, I'd need to install Perl on my > mailserver which is *strictly* a mailserver. >> What you suggest might work, but spammers domains and addresses >> change very rapidly, so I'm not certain you would actually cut down >> the volume much, and you would end up having to process all of that email. >> ASSP will simply terminate the session more or less immediately if it >> doesn't like the email, the sender, or the address, or any >> combination of those things. > I don't have to process that much email though. First of all, my new > CustMapsList filters out a lot of spam. If the sender seems ok, XMail > first checks if the recipient is known. If not, it redirects it to my > catch-all account. While it is doing that, the filters.pre-data.tab > filter kicks in > *before* the data command, only the headers have arrived so far. Next, > my script will get the ip address from those headers and exits with > code 3 which makes XMail to terminate the connection. Mail with a > valid recipient will still go through the filter but that's not a problem. > Sounds to me that it could work! ;) > -- > Henri. > - > To unsubscribe from this list: send the line "unsubscribe xmail" in > the body of a message to [EMAIL PROTECTED] For general help: > send the line "help" in the body of a message to > [EMAIL PROTECTED] > - > To unsubscribe from this list: send the line "unsubscribe xmail" in > the body of a message to [EMAIL PROTECTED] For general help: > send the line "help" in the body of a message to > [EMAIL PROTECTED] -- Best regards, Henrimailto:[EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hello Rob, > Henri, that does sound like it would work. Sounds like it but there seems to be a glitch somewhere cause I wasn't receiving *any* mail anymore... Bummer, and that on a day like Valentine's day ;) I need to take a closer look at my script cause outgoing mail goes through that script of mine too... Hadn't thought of that. One of the problems is that CustMapsList checking and my script take a while to complete. Quite a while even which in fact makes the problem worse. At times I have up to 25 servers connected to XMail trying to deliver mail to users who don't even exist! I want to get rid of those connection as quickly as possible to free smtp threads so they can receive valid mails... I was thinking, is setting SMTP-RDNSCheck to "1" in server.tab going to be helpfull? > The only thing to watch with your method, is that you block > legitimate users that happen to key in the wrong address. True. I was thinking of constantly tweaking the list of ip addresses in spammers.tab to a maximum of 100 or so. > I've had great success with greylisting (glst from Davide). > I did have to tweak it a bit to deal with the likes of > hotmail/yahoo/etc because of their many sending MTAs. I'll have a look but it seems I need GDBM and stuff for it... > Rob :-) > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On > Behalf Of Henri van Riel > Sent: Tuesday, February 14, 2006 9:23 AM > To: Jeff Buehler > Cc: xmail@xmailserver.org > Subject: [xmail] Re: Spammers - How to block them. > Hi Jeff, >> You can run ASSP on a different server than XMail. Also, you can use >> it simply to verify that the address being sent to is a valid one - it >> does not need to perform Bayesian -filter based SPAM blocking unless >> you want it to (you could open up the ruleset, or you can have it >> simply tag the email that goes through with something if it thinks >> it's SPAM). If what you need is to be able to close sessions to >> invalid addresses quickly, that is the only way I know how to do it. > I'll certainly look into it but I don't like the idea of having to run > something in front of XMail... Also, I'd need to install Perl on my > mailserver which is *strictly* a mailserver. >> What you suggest might work, but spammers domains and addresses change >> very rapidly, so I'm not certain you would actually cut down the >> volume much, and you would end up having to process all of that email. >> ASSP will simply terminate the session more or less immediately if it >> doesn't like the email, the sender, or the address, or any combination >> of those things. > I don't have to process that much email though. First of all, my new > CustMapsList filters out a lot of spam. If the sender seems ok, XMail first > checks if the recipient is known. If not, it redirects it to my catch-all > account. While it is doing that, the filters.pre-data.tab filter kicks in > *before* the data command, only the headers have arrived so far. Next, my > script will get the ip address from those headers and exits with code 3 > which makes XMail to terminate the connection. Mail with a valid recipient > will still go through the filter but that's not a problem. > Sounds to me that it could work! ;) > -- > Henri. > - > To unsubscribe from this list: send the line "unsubscribe xmail" in > the body of a message to [EMAIL PROTECTED] > For general help: send the line "help" in the body of a message to > [EMAIL PROTECTED] > - > To unsubscribe from this list: send the line "unsubscribe xmail" in > the body of a message to [EMAIL PROTECTED] > For general help: send the line "help" in the body of a message to > [EMAIL PROTECTED] -- Best regards, Henrimailto:[EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Henri, that does sound like it would work. The only thing to watch with your method, is that you block legitimate users that happen to key in the wrong address. I've had great success with greylisting (glst from Davide). I did have to tweak it a bit to deal with the likes of hotmail/yahoo/etc because of their many sending MTAs. Rob :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henri van Riel Sent: Tuesday, February 14, 2006 9:23 AM To: Jeff Buehler Cc: xmail@xmailserver.org Subject: [xmail] Re: Spammers - How to block them. Hi Jeff, > You can run ASSP on a different server than XMail. Also, you can use > it simply to verify that the address being sent to is a valid one - it > does not need to perform Bayesian -filter based SPAM blocking unless > you want it to (you could open up the ruleset, or you can have it > simply tag the email that goes through with something if it thinks > it's SPAM). If what you need is to be able to close sessions to > invalid addresses quickly, that is the only way I know how to do it. I'll certainly look into it but I don't like the idea of having to run something in front of XMail... Also, I'd need to install Perl on my mailserver which is *strictly* a mailserver. > What you suggest might work, but spammers domains and addresses change > very rapidly, so I'm not certain you would actually cut down the > volume much, and you would end up having to process all of that email. > ASSP will simply terminate the session more or less immediately if it > doesn't like the email, the sender, or the address, or any combination > of those things. I don't have to process that much email though. First of all, my new CustMapsList filters out a lot of spam. If the sender seems ok, XMail first checks if the recipient is known. If not, it redirects it to my catch-all account. While it is doing that, the filters.pre-data.tab filter kicks in *before* the data command, only the headers have arrived so far. Next, my script will get the ip address from those headers and exits with code 3 which makes XMail to terminate the connection. Mail with a valid recipient will still go through the filter but that's not a problem. Sounds to me that it could work! ;) -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hi Jeff, > You can run ASSP on a different server than XMail. Also, you can > use it simply to verify that the address being sent to is a valid > one - it does not need to perform Bayesian -filter based SPAM > blocking unless you want it to (you could open up the ruleset, or > you can have it simply tag the email that goes through with > something if it thinks it's SPAM). If what you need is to be able > to close sessions to invalid addresses quickly, that is the only way > I know how to do it. I'll certainly look into it but I don't like the idea of having to run something in front of XMail... Also, I'd need to install Perl on my mailserver which is *strictly* a mailserver. > What you suggest might work, but spammers domains and addresses > change very rapidly, so I'm not certain you would actually cut down > the volume much, and you would end up having to process all of that > email. ASSP will simply terminate the session more or less > immediately if it doesn't like the email, the sender, or the > address, or any combination of those things. I don't have to process that much email though. First of all, my new CustMapsList filters out a lot of spam. If the sender seems ok, XMail first checks if the recipient is known. If not, it redirects it to my catch-all account. While it is doing that, the filters.pre-data.tab filter kicks in *before* the data command, only the headers have arrived so far. Next, my script will get the ip address from those headers and exits with code 3 which makes XMail to terminate the connection. Mail with a valid recipient will still go through the filter but that's not a problem. Sounds to me that it could work! ;) -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Using those RBLs to block the IP address of mail servers in those lists will do a lot to reduce the amount of spam you see. However, it will also block some legitimate email as well. What I would recommend is using the least aggressive RBLs along with something like SpamAssassin or ASSP. For example, you should definitely use relays.ordb.org because that is merely a list of all known open relays. IMHO, you should always block open relays. But some of the other lists are much more subjective about their grounds for listing an email server's IP address in their RBL. I have personally seen SORBS, SpamCop, and NJABL block legitimate email from a number of large ISPs. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henri van Riel Sent: Monday, February 13, 2006 4:00 PM To: Don Drake Cc: xmail@xmailserver.org Subject: [xmail] Re: Spammers - How to block them. Hello Don, Monday, February 13, 2006, 7:59:46 PM, you wrote: > Check into configuring in server.tab [CustMapsList]. > This should help a lot. I've changed the default setting, which is not working very well, to this: dnsbl.sorbs.net.:1,bl.spamcop.net.:1,relays.ordb.org.:1,combined.njabl.org.: 1,psbl.surriel.com,:1,blackholes.mail-abuse.org.:1,dialups.mail-abuse.org..:1 And it *does* help a lot! Maybe this antispam list is helpful to others as well. Thanks! -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hello Don, Monday, February 13, 2006, 7:59:46 PM, you wrote: > Check into configuring in server.tab [CustMapsList]. > This should help a lot. I've changed the default setting, which is not working very well, to this: dnsbl.sorbs.net.:1,bl.spamcop.net.:1,relays.ordb.org.:1,combined.njabl.org.:1,psbl.surriel.com,:1,blackholes.mail-abuse.org.:1,dialups.mail-abuse.org.:1 And it *does* help a lot! Maybe this antispam list is helpful to others as well. Thanks! -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hi Henri - You can run ASSP on a different server than XMail. Also, you can use it simply to verify that the address being sent to is a valid one - it does not need to perform Bayesian -filter based SPAM blocking unless you want it to (you could open up the ruleset, or you can have it simply tag the email that goes through with something if it thinks it's SPAM). If what you need is to be able to close sessions to invalid addresses quickly, that is the only way I know how to do it. What you suggest might work, but spammers domains and addresses change very rapidly, so I'm not certain you would actually cut down the volume much, and you would end up having to process all of that email. ASSP will simply terminate the session more or less immediately if it doesn't like the email, the sender, or the address, or any combination of those things. Jeff - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Hello Jeff, > ASSP with XMail is an excellent solution for this - it is robust and > reasonably lightweight. ASSP checks the first number of K that you > specify to determine if an email is SPAM, then closes the session if > it is. You can specify valid user accounts in a text file or using > LDAP. If the email is invalid, it simply closes the session. Then > you can forward the email to XMail for final processing. Thanks Jeff and also Don for your suggestions but I can't run anti-spam software on my server... :( Sorry, forgot to mention that. I want to refuse know spammers from even connecting to my mail server. I'm trying something like this now: setup a user account with a `catch-all` alias (*) named `spamtrap`. Run all incoming mail through a filter using the filters.pre-data.tab and parse the mail file to see if it's been redirected to [EMAIL PROTECTED] If so, get the remote address (from @@REMOTEADDR) and add that address to spammers.tab automatically. Would that work? -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Doesn't SMTP-MaxErrors in server.tab help with this? Henri van Riel wrote: >Hi all, > >I've got a peculiar problem. My domain (a sub-domain of my ISP) >receives a lot of (spam) email. I'm talking more than 15,000 emails >per day (about 10mb/hour). All these emails are for recipients *not* >defined on my domain. Someone has simply generated thousands of fake >email addresses and put them on a cd and sells that (probably). > >I've set up XMail so that it only accepts mail for known users, so I >don't really receive these emails. The problem is that my smtp threads >are always *busy*. When I try to send email from outside my LAN >through my mailserver at home I always get the message `server too >busy, retry later...` because all my SMTP threads are handling >mail from these spammers... > >What I would like is that XMail *immediately* drops the connection >with the spammer's mailserver but it doesn't seem to do that. >Connections stay open for a while because this server has dozens of >emails to deliver to my server (all for users that don't exist!). > >Is there a way to immediately drop the connection with the server that >tries to deliver mail to an unknown user and also ban this particular >mail server for at least a day? That would decrease the number of >random emails significantly and save me a lot on bandwidth. > >Any help would be appreciated. > >Thanks. > > > - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
ASSP with XMail is an excellent solution for this - it is robust and reasonably lightweight. ASSP checks the first number of K that you specify to determine if an email is SPAM, then closes the session if it is. You can specify valid user accounts in a text file or using LDAP. If the email is invalid, it simply closes the session. Then you can forward the email to XMail for final processing. Jeff Henri van Riel wrote: >Hi all, > >I've got a peculiar problem. My domain (a sub-domain of my ISP) >receives a lot of (spam) email. I'm talking more than 15,000 emails >per day (about 10mb/hour). All these emails are for recipients *not* >defined on my domain. Someone has simply generated thousands of fake >email addresses and put them on a cd and sells that (probably). > >I've set up XMail so that it only accepts mail for known users, so I >don't really receive these emails. The problem is that my smtp threads >are always *busy*. When I try to send email from outside my LAN >through my mailserver at home I always get the message `server too >busy, retry later...` because all my SMTP threads are handling >mail from these spammers... > >What I would like is that XMail *immediately* drops the connection >with the spammer's mailserver but it doesn't seem to do that. >Connections stay open for a while because this server has dozens of >emails to deliver to my server (all for users that don't exist!). > >Is there a way to immediately drop the connection with the server that >tries to deliver mail to an unknown user and also ban this particular >mail server for at least a day? That would decrease the number of >random emails significantly and save me a lot on bandwidth. > >Any help would be appreciated. > >Thanks. > > > - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
[xmail] Re: Spammers - How to block them.
Check into configuring in server.tab [CustMapsList]. This should help a lot. -Don -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henri van Riel Sent: Monday, February 13, 2006 12:26 PM To: xmail@xmailserver.org Subject: [xmail] Spammers - How to block them. Hi all, I've got a peculiar problem. My domain (a sub-domain of my ISP) receives a lot of (spam) email. I'm talking more than 15,000 emails per day (about 10mb/hour). All these emails are for recipients *not* defined on my domain. Someone has simply generated thousands of fake email addresses and put them on a cd and sells that (probably). I've set up XMail so that it only accepts mail for known users, so I don't really receive these emails. The problem is that my smtp threads are always *busy*. When I try to send email from outside my LAN through my mailserver at home I always get the message `server too busy, retry later...` because all my SMTP threads are handling mail from these spammers... What I would like is that XMail *immediately* drops the connection with the spammer's mailserver but it doesn't seem to do that. Connections stay open for a while because this server has dozens of emails to deliver to my server (all for users that don't exist!). Is there a way to immediately drop the connection with the server that tries to deliver mail to an unknown user and also ban this particular mail server for at least a day? That would decrease the number of random emails significantly and save me a lot on bandwidth. Any help would be appreciated. Thanks. -- Henri. - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED] - To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED] For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
