Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Kevin A. McGrail
I had too many issues with +'s not working with websites and some of my email addresses being handled by a mixture of Linux and Exchange that I gave up and abandoned it. > Is that looking for custom recipient names that you've registered with? If > so, have you tried plussed addresses? A lot of we

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Jan Pieter Cornet
On Fri, Dec 16, 2005 at 04:11:52PM -0500, David F. Skoll wrote: > > Can the "socket map" feature be put to work here? > > Unfortunately, a filter_map call is called "outside" the context > of a message -- in other words, there's no way to associate a filter_map > call with a milter session. Well,

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread David F. Skoll
Gary Funck wrote: > Can the "socket map" feature be put to work here? Unfortunately, a filter_map call is called "outside" the context of a message -- in other words, there's no way to associate a filter_map call with a milter session. The SOCKETMAP support was added so our commercial CanIt prod

RE: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Gary Funck
> From: David F. Skoll > Sent: Thursday, December 15, 2005 1:53 PM > > Unfortunately, MIMEDefang only sees exactly what was in the > RCPT TO: command. It doesn't know the results of virtusertable > changes. > > (Though it occurs to me that it can see the mailer, so if you > map invalid addresse

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Kenneth Porter
--On Friday, December 16, 2005 10:55 AM -0500 "Kevin A. McGrail" <[EMAIL PROTECTED]> wrote: Also, for my own personal setup since I use virtusertables as well, I have set a very hard-coded check in filter_recipient like this: Is that looking for custom recipient names that you've registered w

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Ben Kamen
Steffen Kaiser wrote: Actually, there was a patch for sendmail posted to comp.mail.sendmail for a feature "drop connection if number of bad recipients exceeds n". http://groups.google.com/group/comp.mail.sendmail/browse_thread/thread/5203bd02a5d9f8f3 Problem is, I've seen a lot of attacks th

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Kevin A. McGrail
The script runs from a cron job and checks the mail logs for excessive "User unknown" hits from an IP address. The original version uses IP routing commands to ignore all incoming connections, but it's easy enough to adapt it to other actions (we have it add the IP to our local blacklist, for

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread David F. Skoll
Steffen Kaiser wrote: > After reading these two paragraphs some worrying struck me: > As opposed to SSH connections you cannot assume that the attacker sits > on "the other side" of an SMTP communication. Maybe the server just > relays the mail or is a huge mail hoster (say, hotmail, gmail, aol

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Alex Moore
On Fri, 16 Dec 2005 09:33:13 +0100 (CET) Steffen Kaiser <[EMAIL PROTECTED]> wrote: > Actually, there was a patch for sendmail posted to comp.mail.sendmail > for a feature "drop connection if number of bad recipients exceeds > n". > http://groups.google.com/group/comp.mail.sendmail/browse_thread/th

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-16 Thread Steffen Kaiser
On Thu, 15 Dec 2005, David F. Skoll wrote: Jan Pieter Cornet wrote: An easier solution might be to have a process tail(1) your logfile and take action on the information there. I think I've even seen something like that: more than x invalid recipients, and you're firewalled away. That's much

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread David F. Skoll
Paul Whittney wrote: > I've been thinking about that, but it was more for a realtime iptables, > or realtime email monitoring for stats that doesn't involve "tail the > whole log", or "open log every 5 minutes". "tail -F" works well, and is close enough to real-time that the delay is irrelevant.

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Paul Whittney
Little off the topic here.. On Thu, Dec 15, 2005 at 10:49:20PM +0100, Jan Pieter Cornet wrote: > An easier solution might be to have a process tail(1) your logfile and > take action on the information there. I think I've even seen something > like that: more than x invalid recipients, and you're f

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread David F. Skoll
Ian Mitchell wrote: > 1. Tail maillog > 2. grep "user unknown" > 3. sed relay server > 4. insert into database "relay server" (which just happens to be spoofed > to include a "; drop database mysql" encoded in some obscure form) Any time you use outside data, you have to sanitize it. You'd use n

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Kelsey Cummings
On Thu, Dec 15, 2005 at 10:49:20PM +0100, Jan Pieter Cornet wrote: > An easier solution might be to have a process tail(1) your logfile and > take action on the information there. I think I've even seen something > like that: more than x invalid recipients, and you're firewalled away. This works q

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Jan Pieter Cornet
On Thu, Dec 15, 2005 at 04:53:13PM -0500, David F. Skoll wrote: > > It's tricky. I haven't done this yet but I'm sort of planning to. One > > possibility is to make sure all valid addresses are in virtusertable, > > and all invalid addresses map to some magic token that sendmail believes > > is valid,

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Ian Mitchell
> From: Jan Pieter Cornet <[EMAIL PROTECTED]> > Subject: Re: [Mimedefang] dictionary attacks looking for a valid user > > An easier solution might be to have a process tail(1) your logfile and > take action on the information there. I think I've even seen something > l

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Ben Kamen
Jan Pieter Cornet wrote: On Thu, Dec 15, 2005 at 03:05:45PM -0600, Alex Moore wrote: A spammer tries many times to find a user with something like a dictionary attack or a list of commonly used user names. How can I set up a rule in MIMEDefang to define those transactions? Say when an SMTP serv

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Alex Moore
On Thu, 15 Dec 2005 22:49:20 +0100 Jan Pieter Cornet <[EMAIL PROTECTED]> wrote: > It's tricky. I haven't done this yet but I'm sort of planning to. One > possibility is to make sure all valid addresses are in virtusertable, > and all invalid addresses map to some magic token that sendmail > believes

RE: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Mack
Without giving too much away about how I've implemented this. Basically -- Greylisting (triplet based) Throttling -- User based against triplet scoring Remote IP -- Against tries/retries E.g. the last virus to do the rounds, that .Y or .Z depending on your AV, basically tried to send x million v

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Kelson
Alex Moore wrote: How can I set up a rule in MIMEDefang to define those transactions? Say when an SMTP server tries 10 times within a short time period and is sent a 550 code each time. I think that it would be appropriate to have MD just blacklist that address. Is that possible? I want to ignore th

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread David F. Skoll
Jan Pieter Cornet wrote: > It's tricky. I haven't done this yet but I'm sort of planning to. One > possibility is to make sure all valid addresses are in virtusertable, > and all invalid addresses map to some magic token that sendmail believes > is valid, but really isn't. You could catch the magic t

Re: [Mimedefang] dictionary attacks looking for a valid user

2005-12-15 Thread Jan Pieter Cornet
On Thu, Dec 15, 2005 at 03:05:45PM -0600, Alex Moore wrote: > A spammer tries many times to find a user with something like a > dictionary attack or a list of commonly used user names. > > How can I set up a rule in MIMEDefang to define those transactions? Say > when an SMTP server tries 10 times w