Death to all spammers and open relays

[DocVijay]

Your list is aggressive alright. I noticed some of the servers are from Road Runnner cable in various cities. See, some idiot user leaves his or her PC wide open, and then is surprised when they get al kinds of bouncebacks and other crap. One ruins it for all.

 

[Hank]

Yep, that is correct.. However if a user on rr.com uses the ISP provided mail servers their mail will get through. For example all attbi.com users come from xxxxx.clientx.attbi.com however the ISP provided SMTP server is smtp.attbi.com

What the stuff on my list blocks is some spammer opening up a free/dialup dynamic account and spewing all sorts of spam off, using one of the many spam blasters, thus bypassing the ISP mail server.

Bottom line, if you are legit, you get through.

 

[taxx]

Question for youz guyz. I know of some sites for testing open ports, but are there any sites that test your mail relay?

 

[Hank]

You can test it yourself if you have access to another IP outside your address/network.

For example.

telnet mailserver_name.domain.com 25
helo me
mail from: foo@bar.com
rcpt to: spam@icanspamoffyou.com


If you get an ok here, you are an open relay.

E-mail me the req'd ip and I can test for you.

You don't want to end up on the ordb....

 

[taxx]

Originally posted by Hank
You can test it yourself if you have access to another IP outside your address/network.

For example.

telnet mailserver_name.domain.com 25
helo me
mail from: foo@bar.com
rcpt to: spam@icanspamoffyou.com


If you get an ok here, you are an open relay.

E-mail me the req'd ip and I can test for you.

You don't want to end up on the ordb....

Oh Ya. See how lazy I am, don't even open my books. Just tested it from my work server....

and all is good. glad to know.

 

[Hank]

Good deal, here is a more technically correct example. Names changed to protect the innocent.

220 host.sys.com; ESMTP Wed, 16 Apr 2003 19:42:41 -0400
helo me
250 host.sys.com Hello srv.mmq.com [165.240.126.33], pleased to meet you

mail from:foo@bar.com

250 2.1.0 foo@bar.com... Sender ok

rcpt to:spam@spam.com
551 5.7.1 we do not relay

 

[Hank]

Hello,

I created a crontab entry to copy over my /etc/mail/deny file to a public directory. As I am always adding to the file I have set this job to execute every three hours.

This file is formated for folks who use sendmail. However if you drop the list into excel you can dink/play with it to make it work for your application.

In the next few days I'm going to modify my program that creates the list to include the offending network address/range in the list that triggered a match. This should make log analysis a bit easier.

Have fun and enjoy. Remember use at your own risk...

Click here for deny list

 

[Hank]

Update

Effective today the download file from the website includes the address of the offender back in the reply. This makes it useful if you accidently cut someone off that you did not mean to. Like I did yesterday....

example

207.222 We do not accept mail from 207.222, remove this domain from your list.


199.230.23.1 We do not accept mail from 199.230.23.1, remove this domain from your list.


Enjoy


Deny List

 

[Howard]

Good work Hank keep it up and we'll end up blocking them all. I'm now using a content scanner to block anything that I don't want.

 

[Hank]

Thanks Howard,

I'm looking at a couple of open source content scanners and hope to get something installed this summer. Been short on free time lately...

Best regards.
Hank

 

[Howard]

It sure does save all that typing. I scan for things like "sell" and "buy" as well as all the usual things.

All the best

Howard

 

[taxx]

It gets bad. Everyday I find more words and phrases to block. One of these days there wont be much left that users can put in the subject field to get through.

 

[Raceit]

Am I correct to assume everyone here uses a Linux/Unix based mail server?

I using a 2K box and am having a helk of a time securing it. (Big surprise I know) Anyways I have a mail program called Raiden MailD. It's a small program that's written overseas and seems to be pretty stable and works great for my low volume needs for my own server. I never had a problem with being a relay until I installed the Interscan line of products. They gave me virus protection and content management of all the emails going in and out of the system, but now that program has opened me up since Interscan and my mail server software have to talk to each other.

I have rules and filters set up, so no email goes outside of my mail server if I don't want it too. But it doesn't leave me with a good feeling since I'm just doing it with filters and the sort.

You guys have any thoughts on those Windows based products?


TIA

 

[ShadowA2J]

This thread would be cool.....................if I understood WHAT in the world you guys were talking about. Oh well.

 

[matey]

do you have zone alert its quite effective inblocking people who are hacking your connection and for those of you with a permanent connection it will stop you getting constantly bombarded with advertising popups

 

[Raceit]

Originally posted by matey
do you have zone alert its quite effective inblocking people who are hacking your connection and for those of you with a permanent connection it will stop you getting constantly bombarded with advertising popups

Actually I use BlackICE Server Edition. It does a good job too of catching the suspicious stuff.

 

[matey]

here the link its quite effective
http://www.zonelabs.com/store/content/home.jsp

 

[Howard]

Am I correct to assume everyone here uses a Linux/Unix based mail server?

No

Using Novell Groupwise running on Netware 6 works great and is not effected by any of the scam viruses. Getting the mail server to talk to the scanning software should not open up anything. Run them your side of the firewall and scan incoming separately from outgoing mail (two boxes).

 

[Alpha_Geek]

Also a "no" here to the Unix question. We're running MS exchange here.

Just implemented Xwall last week and simply adding the common rbl's has cut our spam to a mere trickle. I may not even need to use the other bells and whistles the product offers, but it's nice to know I can clamp down more if needed.

A_G

 

[taxx]

Originally posted by Raceit
Am I correct to assume everyone here uses a Linux/Unix based mail server?

I using a 2K box and am having a helk of a time securing it. (Big surprise I know) Anyways I have a mail program called Raiden MailD. It's a small program that's written overseas and seems to be pretty stable and works great for my low volume needs for my own server. I never had a problem with being a relay until I installed the Interscan line of products. They gave me virus protection and content management of all the emails going in and out of the system, but now that program has opened me up since Interscan and my mail server software have to talk to each other.

I have rules and filters set up, so no email goes outside of my mail server if I don't want it too. But it doesn't leave me with a good feeling since I'm just doing it with filters and the sort.

You guys have any thoughts on those Windows based products?


TIA

Again no. I run a Domino Server on a 2k server. Most of your attacks out there are aimed at MS Exchange. Domino runs pretty well. Only problem we run into is spam. i run CMS Praetor before the mail server to filter it, but loads still get through. I tend to believe there it no way to block it all. Blocking domains is only so good. A lot of the spam I am getting now is from msn.com hotmail.com yahoo.com.... the list goes on. I can't block all of those domains. Just can scan for words and phrases. SOme of these are HTML and have image attachments that you can't scan the text in anyways..... Its a never ending battle. I just wish they could come up with something like the no call list we have in Indiana, I get no telemarketing calls at home. But this is email and is worldwide so how would it be inforced?