Don't block on catchall. I would guess you have blocked yourself and/or
some of the major email ip addresses that you receive from.

Make a list of the dictionary addresses they are sending to and only
block those by adding the sending ip's in the spammers.tab. I use a
255.255.255.255 mask on them in the spammers.tab, only blocking the one
ip.

Do this by logging any email addresses that receive email, and then copy
the dictionary ones to the address file for the filter to use. I ended
up with a list of around 400 email addresses. (This is for a personal
domain).

You need to be careful doing this by making sure that there is no reason
for anyone to send to that email address. Don't block things like info,
postmaster, admin, sales, and so on. Those are common ones that get
spammed that you don't want to block at this level. Remember that you
are blocking saying that if a computer (maybe your isp's email server)
sends to this address I never want to receive email from that ip address
again. Very heavy handed.

Blocking the dictionary names is not the way to stop all spam, but it
will stop the majority of it if you are targeted. It does take a day or
two to get all the email addresses that are to be blocked, but it is
worth it.

And then delete the spammers.tab once in a while; I try to do it once a
week or so.

I have a very similar setup. The dictionary attack is probably coming
from zombie machines, which come and go very frequently. One of the
things I noticed about the attacks is that the mail will start coming
in. I would receive several hundred in a matter of a few minutes, but
only 3-5 from each ip address. It would be a large number of ip
addresses sending the mail. Return addresses and all of that varied
throughout the messages. Then it would repeat a short time later, with
new ip addresses and email addresses.

The problem with dnsbl was that I would get hit with an attack, and then
in a day or two the ip's would be listed in the dnsbl. It appeared that
someone got together a zombie net, sent the spam, and then got most of
the machines listed. The listings worked great at some point, but if you
were in the leading edge of the attack you could get thousands of emails
before the ip's are listed.

The advantage of the spammers.tab (the way I understand it) is that if
the connecting ip is listed then the connection is dropped without
receiving any data. When you have limited bandwidth you don't want to
receive the entire message before deciding to drop it.


Phillip
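
The procedure described in the message above, as an added example that is not part of the original post or of XMail itself: take the hand-reviewed dictionary addresses, find the IPs that sent to them, and write one-host entries for spammers.tab, while skipping role addresses and your own relays. The log format, addresses, IPs and never-block list are constructed for illustration; the quoted, tab-separated spammers.tab layout is an assumption.

```python
import ipaddress

# Role addresses the post says not to block at this level.
PROTECTED_LOCAL_PARTS = {"info", "postmaster", "admin", "sales"}

# Constructed sample, one "<client ip> <RCPT TO address>" per line.
# This layout is invented for the example; it is not XMail's log format.
SAMPLE_LOG = """\
203.0.113.7 john@example.org
203.0.113.7 mary@example.org
198.51.100.22 sales@example.org
192.0.2.10 john@example.org
203.0.113.9 me@example.org
198.51.100.5 Bob@example.org
not-an-ip bob@example.org
"""

# Hand-reviewed list of addresses nobody has a reason to write to.
# sales@ is included on purpose to show that it gets filtered out.
DICTIONARY_ADDRESSES = {"john@example.org", "mary@example.org",
                        "bob@example.org", "sales@example.org"}

# Hosts that must never be listed (assumed: own server and ISP relay).
NEVER_BLOCK = {"127.0.0.1", "192.0.2.10"}

def usable_traps(addresses):
    """Drop role addresses from the trap list, case-insensitively."""
    return {a.lower() for a in addresses
            if a.lower().partition("@")[0] not in PROTECTED_LOCAL_PARTS}

def ips_to_block(log_text, trap_addresses, never_block):
    """Return sorted IPs that sent to a trap address and may be blocked."""
    traps = usable_traps(trap_addresses)
    blocked = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))
        except ValueError:
            continue  # malformed entry: never write it to the table
        if parts[1].lower() in traps and ip not in never_block:
            blocked.add(ip)
    return sorted(blocked, key=ipaddress.IPv4Address)

def spammers_tab_lines(ips):
    """One host per line with a 255.255.255.255 mask, as in the post."""
    return ['"{}"\t"255.255.255.255"'.format(ip) for ip in ips]
```
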

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Henri van Riel
Sent: Tuesday, February 14, 2006 6:18 AM
To: Rob Arends
Cc: xmail@xmailserver.org
Subject: [xmail] Re: Spammers - How to block them.


Hello Rob,

> Henri, that does sound like it would work.

Sounds like it but there seems to be a glitch somewhere cause I wasn't
receiving *any* mail anymore... Bummer, and that on a day like
Valentine's day ;) I need to take a closer look at my script cause
outgoing mail goes through that script of mine too... Hadn't thought
of that.

One of the problems is that CustMapsList checking and my script take a
while to complete. Quite a while even which in fact makes the problem
worse. At times I have up to 25 servers connected to XMail trying to
deliver mail to users who don't even exist! I want to get rid of those
connections as quickly as possible to free smtp threads so they can
receive valid mails...

I was thinking, is setting SMTP-RDNSCheck to "1" in server.tab going
to be helpful?

> The only thing to watch with your method, is that you block
> legitimate users that happen to key in the wrong address.

True. I was thinking of constantly tweaking the list of ip addresses
in spammers.tab to a maximum of 100 or so.

> I've had great success with greylisting (glst from Davide).
> I did have to tweak it a bit to deal with the likes of
> hotmail/yahoo/etc because of their many sending MTAs.

I'll have a look but it seems I need GDBM and stuff for it...

> Rob :-)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Henri van Riel
> Sent: Tuesday, February 14, 2006 9:23 AM
> To: Jeff Buehler
> Cc: xmail@xmailserver.org
> Subject: [xmail] Re: Spammers - How to block them.


> Hi Jeff,

>> You can run ASSP on a different server than XMail.  Also, you can use
>> it simply to verify that the address being sent to is a valid one - it
>> does not need to perform Bayesian-filter based SPAM blocking unless
>> you want it to (you could open up the ruleset, or you can have it
>> simply tag the email that goes through with something if it thinks
>> it's SPAM).  If what you need is to be able to close sessions to
>> invalid addresses quickly, that is the only way I know how to do it.

> I'll certainly look into it but I don't like the idea of having to run
> something in front of XMail... Also, I'd need to install Perl on my
> mailserver which is *strictly* a mailserver.

>> What you suggest might work, but spammers' domains and addresses change
>> very rapidly, so I'm not certain you would actually cut down the
>> volume much, and you would end up having to process all of that email.
>> ASSP will simply terminate the session more or less immediately if it
>> doesn't like the email, the sender, or the address, or any combination
>> of those things.

> I don't have to process that much email though. First of all, my new
> CustMapsList filters out a lot of spam. If the sender seems ok, XMail first
> checks if the recipient is known. If not, it redirects it to my catch-all
> account. While it is doing that, the filters.pre-data.tab filter kicks in
> *before* the data command, only the headers have arrived so far. Next, my
> script will get the ip address from those headers and exit with code 3
> which makes XMail terminate the connection. Mail with a valid recipient
> will still go through the filter but that's not a problem.

> Sounds to me that it could work! ;)

> --
> Henri.



> -
> To unsubscribe from this list: send the line "unsubscribe xmail" in
> the body of a message to [EMAIL PROTECTED]
> For general help: send the line "help" in the body of a message to
> [EMAIL PROTECTED]





-- 
Best regards,
 Henri                            mailto:[EMAIL PROTECTED]
