Spammed
Bill Campbell
linux-sxs
Wed Oct 18 22:04:51 PDT 2006
On Wed, Oct 18, 2006, Kurt Wall wrote:
>On Wed, Oct 18, 2006 at 05:48:37PM -0500, David Bandel wrote:
>>
>> This list is subscriber only. How non-subscribers are getting
>> through, I have no idea unless someone is OK'ing them. Note: the BSD
>> list alone has over 500 messages waiting in the queue for approval.
>> They will all be dumped in a minute. The other lists have similar.
>>
>> Will look at implementing more controls, RBLs, etc. So those who stop
>> getting list mail, send me an e-mail.
>
>Their current questionable situation notwithstanding, when I was running
>my own mail server and started using Spamhaus's combined sbl-xbl RBL,
>the amount of spam that made it through to filters fell to a fraction of
>the pre-RBL volume. Spamhaus also seemed responsive and quick to address
>false positives, when/where they could.

We use several DNSRBLs including the Spamhaus sbl-rbl plus some
postfix rules that reject on no rDNS, or rDNS hostnames that don't
return the IP address that's connecting. Here's our
smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
    check_recipient_access pcre:/csoft/etc/postfix/recipientchecks
    permit_mynetworks
    check_client_access hash:/etc/postfix/whitehatlist
    check_client_access hash:/etc/postfix/dialupchecks
    check_client_access whoson:whoson.celestial.com:9876
    check_helo_access pcre:/etc/postfix/helochecks
    check_client_access pcre:/etc/postfix/clientchecks
    reject_rbl_client guardian.celestial.net
    reject_rbl_client dul.dnsbl.sorbs.net
    reject_rbl_client sbl-xbl.spamhaus.org
    reject_rbl_client korea.services.net
    reject_rbl_client combined.njabl.org
    reject_rbl_client ubl.unsubscore.com
    reject_unknown_client
    reject_unknown_sender_domain
    reject_unauth_pipelining
    permit_mx_backup
    reject_unauth_destination

The recipient check is first and accepts all mail to postmaster,
security, and abuse addresses before doing any other checks.

The whitehatlist file contains IP addresses that we accept.
Mostly this consists of IP addresses that fail rDNS checks, but
are sites we need to accept.

The dialupchecks file has patterns of abusive dialup and dynamic
hostnames.

The whoson section is a client/server pop/imap before smtp system
that allows any IP address that has connected to one of our imap
or pop servers within the last ten minutes.

The helochecks file rejects on things like the server's hostname,
our domain name, and a variety of other HELO/EHLO patterns.

The clientchecks file is similar to dialup checks (and is
probably redundant).

The guardian.celestial.net DNSRBL is one we maintain containing
IP addresses of systems that have made cracking attempts on our
or our clients' machines, and addresses I manually enter that have
attempted to spam our mailing lists.

The other DNSRBLs are ones I've found useful and well maintained.
Most are fairly well known, but the ubl.unsubscore.com probably
isn't. It's maintained carefully and lists bulk mailers who don't
process unsub requests promptly.

The reject_unknown_client takes care of the rDNS checks.

The reject_unknown_sender_domain ensures that the domain part of
the MAIL FROM smtp command is deliverable (e.g. has an MX or A
record).

Bill
--
INTERNET: bill at Celestial.COM Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
``Never blame a legislative body for not doing something. When they do
nothing, that don't hurt anybody. When they do something is when they
become dangerous.''
Will Rogers
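
Added example (not part of the message above and not Celestial's code): a Python sketch of the client checks the message describes, in the same order: whitelist lookup, DNSRBL lookup, then the forward-confirmed rDNS test behind reject_unknown_client. The zone dnsbl.example, the hostnames, and the addresses are constructed sample data, and the dictionaries stand in for real DNS so the block runs offline.

```python
import ipaddress

# Constructed DNS data (documentation address ranges, hypothetical names).
PTR = {
    "192.0.2.10": ["mail.good.example"],
    "198.51.100.7": ["mail.forged.example"],  # PTR exists, forward lookup disagrees
    "203.0.113.5": ["mx.listed.example"],
}
A = {
    "mail.good.example": ["192.0.2.10"],
    "mail.forged.example": ["198.51.100.99"],
    "mx.listed.example": ["203.0.113.5"],
    "5.113.0.203.dnsbl.example": ["127.0.0.2"],  # listed in the sample DNSRBL
}
WHITELIST = {"192.0.2.77"}  # no rDNS at all, but a site that must be accepted
ZONES = ["dnsbl.example"]   # assumed zone name, stands in for the real lists


def dnsbl_query_name(ip, zone):
    """Name a DNSRBL client looks up: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fcrdns_ok(ip, ptr=PTR.get, a=A.get):
    """True if at least one PTR name for ip resolves back to the same ip."""
    return any(ip in (a(name) or []) for name in (ptr(ip) or []))


def check_client(ip, zones=ZONES, whitelist=WHITELIST, ptr=PTR.get, a=A.get):
    """Apply the checks in order; the first decisive result wins."""
    if ip in whitelist:
        return "permit (whitelisted)"
    for zone in zones:
        if a(dnsbl_query_name(ip, zone)):  # any A record means "listed"
            return "reject (listed in %s)" % zone
    if not fcrdns_ok(ip, ptr, a):
        return "reject (unknown client)"
    return "continue"  # fall through to the remaining restrictions


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5",
               "192.0.2.77", "192.0.2.200"):
        print(ip, "->", check_client(ip))
```

The whitelisted address 192.0.2.77 has no PTR record and would fail the rDNS test, which is why the whitelist lookup has to come before it.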