Gary Stainburn wrote:
> Bad news Guys, they've just moved the emails to somewhere else and
> have started again:
<snip>

A suggestion: there should be a way to filter using *domain* AND mailhost; that is, if emails come from a domain, and through one mailhost, then block the domain. If many domains, and the same mailhost, only then block the mailhost.

I've been thinking about this since yesterday, when I got back from vacation, to hear from my manager that he had to screw with mailman, because we were getting a lot of emails from elsewhere, subscribing to one or more of our lists... and having the target be one of three gmail accounts - a DDoS against them (and we assume that they're doing it to a lot of other places).

Anyway, given the number of times I've been blocked by nixspam (which I found is run by IX, a German IT mag, and that they don't answer emails to *them*, either), I've been trying to think of a *reasonable* way to block that doesn't do collective punishment to the many domains of a huge hosting provider, and that's my best thought so far.

mark
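The domain-versus-mailhost rule mark proposes, written out as an added example (not code from the thread or from any list member): one or few domains through a mailhost means block those domains; many domains through the same mailhost means block the mailhost. The thresholds and the sample observations are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds (the thread gives none): junk messages from one sender
# domain before that domain is blocked, and distinct sender domains relayed
# by one mailhost before the mailhost itself is blocked.
DOMAIN_THRESHOLD = 3
MAILHOST_DOMAIN_THRESHOLD = 3

# Constructed observations: (sender domain, mailhost that delivered it),
# as a log parser or milter would report each junk message.
SAMPLE = [
    ("spamco.example", "mx1.bighost.example"),
    ("spamco.example", "mx1.bighost.example"),
    ("spamco.example", "mx1.bighost.example"),
    ("friend.example", "mx1.bighost.example"),
    ("a.example", "relay.cheapvps.example"),
    ("b.example", "relay.cheapvps.example"),
    ("c.example", "relay.cheapvps.example"),
]


def decide_blocks(observations):
    """Return (blocked_domains, blocked_mailhosts) for a batch of observations.

    Many domains through one mailhost: the mailhost is the problem, block it.
    Few domains through a mailhost: block only the noisy domains, so the
    other customers of a large hosting provider are left alone.
    """
    per_domain = defaultdict(int)   # junk message count per sender domain
    per_host = defaultdict(set)     # distinct sender domains per mailhost
    for domain, mailhost in observations:
        per_domain[domain] += 1
        per_host[mailhost].add(domain)

    blocked_domains, blocked_hosts = set(), set()
    for mailhost, domains in per_host.items():
        if len(domains) >= MAILHOST_DOMAIN_THRESHOLD:
            blocked_hosts.add(mailhost)
            continue
        for domain in domains:
            if per_domain[domain] >= DOMAIN_THRESHOLD:
                blocked_domains.add(domain)
    return blocked_domains, blocked_hosts


if __name__ == "__main__":
    print(decide_blocks(SAMPLE))
```

With the sample above only spamco.example is blocked on the shared provider host, while relay.cheapvps.example is blocked outright because three different domains came through it.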
Now see, I run a spam filter (run on CentOS, by the way *smiles*) and I have several friends' domain emails running through it. It has a pretty good filter rate, too, for being all open source.

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of m.roth at 5-cent.us
Sent: Thursday, August 27, 2015 9:30 AM
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] please block user

<snip>
On Thu, August 27, 2015 9:29 am, m.roth at 5-cent.us wrote:
> Gary Stainburn wrote:
>> Bad news Guys, they've just moved the emails to somewhere else and have
>> started again:
> <snip>
>
> A suggestion: there should be a way to filter using *domain* AND mailhost;
> that is, if emails come from a domain, and through one mailhost, then
> block the domain. If many domains, and the same mailhost, only then block
> the mailhost.

Me too: I started receiving them from a different IP (with much longer delay, so they do add "improvements" to their setup). This IP has neither a DNS A record nor a DNS PTR record, but has a DNS MX record. One can use these (have your MX stop talking to anything having broken DNS records). I however am tempted to block digitalocean's whole blocks of IP addresses again (after all, I bet I've seen the whole collection of these images already ;-). This is not trouble with their customer IMHO. This is trouble with themselves: how come the IP that is not registered in DNS can have a DNS MX record, and can be accessed by somebody?!

> I've been thinking about this since yesterday, when I got back from
> vacation, to hear from my manager that he had to screw with mailman,
> because we were getting a lot of emails from elsewhere, subscribing to one
> or more of our lists... and having the target be one of three gmail
> accounts - a DDoS against them (and we assume that they're doing it to a
> lot of other places).

That is another side of you being famous ;-) We are not, so no one is trying to abuse somebody else by means of subscribing them to our mail lists (that said, it would be our list admins who would be abused as all lists - based on mailman - require approval and confirmation, the last comes after approval if I remember correctly).

Thanks.

Valeri

> Anyway, given the number of times I've been blocked by nixspam (which I
> found is run by IX, a German IT mag, and that they don't answer emails to
> *them*, either), I've been trying to think of a *reasonable* way to block
> that doesn't do collective punishment to the many domains of a huge
> hosting provider, and that's my best thought so far.
>
> mark

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Thu, 2015-08-27 at 10:35 -0500, Valeri Galtsev wrote:
> Me too: I started receiving them from different IP (with much longer
> delay, so they do add "improvements" to their setup). This IP, has neither
> DNS A record nor DNS PTR record, but has DNS MX record. One can use these
> (have your MX stop talking to anything having broken DNS records).

Exim is available from EPEL.

In Exim:

(1) I set one indicator if the host name does not fully resolve (IP to name to IP)

(2) I set another indicator if there is something wrong with the HELO/EHLO name or the name does not resolve to the sender's IP address

(3) I set a third indicator if the SMTP sender = SMTP recipient; or the SMTP recipient is an email address disused because of spam; or the SMTP recipient's host is *not* one of ours

(4) If all 3 indicators are set, then:-
 * the email attempt is rejected before the email body (DATA) is received
 * a PHP sub-routine is called which creates a fully descriptive internal email and SUDO is invoked to add the IP address to the firewall's monthly blocking list.

Otherwise, if the sender = recipient or the recipient is 'wrong', the connection is rejected *before* the message body is accepted from the sender.

-------------

Meanwhile, every incoming email's sender's host is checked against a file containing banned senders' host names and the occasional IP address.

Fight spam by *not* being a passive victim.

Regards,

Paul.
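Paul's three-indicator rule, modelled in Python as an added example (this is not his Exim configuration): a constructed offline resolver stands in for DNS so the decision logic can be exercised without network access. `LOCAL_DOMAINS`, `DISUSED_RECIPIENTS` and the record tables are assumptions.

```python
import ipaddress

LOCAL_DOMAINS = {"example.org"}                # domains this MX is responsible for
DISUSED_RECIPIENTS = {"oldlist@example.org"}   # addresses retired because of spam

# Constructed offline resolver: PTR records by IP, A records by name.
PTR = {"192.0.2.10": "mail.good.example", "198.51.100.7": "vps.bad.example"}
A = {"mail.good.example": {"192.0.2.10"}, "vps.bad.example": {"203.0.113.5"}}


def fcrdns_broken(ip):
    """Indicator 1: set unless IP -> name -> IP round-trips."""
    name = PTR.get(ip)
    return name is None or ip not in A.get(name, set())


def helo_broken(helo, ip):
    """Indicator 2: set if HELO is an IP literal, unqualified, or does not
    resolve to the connecting peer's address."""
    try:
        ipaddress.ip_address(helo)
        return True
    except ValueError:
        pass
    return "." not in helo or ip not in A.get(helo, set())


def envelope_wrong(sender, recipient):
    """Indicator 3: sender == recipient, disused recipient, or recipient host not ours."""
    rcpt_domain = recipient.rpartition("@")[2].lower()
    return (sender.lower() == recipient.lower()
            or recipient.lower() in DISUSED_RECIPIENTS
            or rcpt_domain not in LOCAL_DOMAINS)


def decide(ip, helo, sender, recipient):
    """Return (action, indicators); every decision is made at RCPT, before DATA."""
    flags = (fcrdns_broken(ip), helo_broken(helo, ip), envelope_wrong(sender, recipient))
    if all(flags):
        return "reject+firewall", flags   # reject and queue the IP for the block list
    if flags[2]:
        return "reject", flags            # a wrong envelope alone is enough to reject
    return "accept", flags                # indicators 1 and 2 alone do not reject
```

Note that a peer with broken reverse DNS and a bad HELO but a sane envelope is still accepted; only the conjunction of all three triggers the firewall action.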
On 08/27/2015 07:29 AM, m.roth at 5-cent.us wrote:
> Gary Stainburn wrote:
>> Bad news Guys, they've just moved the emails to somewhere else and have
>> started again:
> <snip>
>
> A suggestion: there should be a way to filter using *domain* AND mailhost;
> that is, if emails come from a domain, and through one mailhost, then
> block the domain. If many domains, and the same mailhost, only then block

Here's a sure way to block this kind of spam, though there is a price for doing so.

For each mailing list that I subscribe to (or for all of the mailing lists on a particular mailman server) I create a unique email address that I use to subscribe to that list. That userid forwards to my real email address. I then run some software capable of whitelisting/blacklisting at the smtp level. The one I run can whitelist or blacklist based on the following (regular expressions are supported):

* envelope sender
* envelope recipient
* helo name
* remote ip address
* remote hostname

So I create the following two rules (which must be processed in the specified order):

Whitelist remotehostname: *mail.centos.org*
Blacklist envelope recipient: <unique email address>

This method works 100% of the time. The price of doing this is:

1) You can't receive private emails from list members without having some type of on-list exchange or adding their email to your whitelist.
2) You must post to the list using the address that you used to subscribe.

This has stopped all of the spam that I was getting from spammers that harvest email addresses on mailing lists. My whitelisting and blacklisting is done using vpostmaster (which is no longer maintained), but I believe there are other packages which can be used with postfix or exim to do this type of thing.

Nataraj
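The ordered whitelist/blacklist pair Nataraj describes, as an added example (not vpostmaster's code): rules are evaluated top to bottom and the first match wins, which is why the hostname whitelist must precede the blacklist on the per-list address. The unique address, the sessions and the regex form of the patterns are constructed assumptions.

```python
import re

# The five SMTP-level fields the post lists as usable in rules.
FIELDS = ("sender", "recipient", "helo", "ip", "hostname")

# Constructed unique subscription address; it forwards to the real mailbox.
LIST_ADDRESS = "centos-list-k7q2@example.org"

# Rules are evaluated in order; the first match decides.  The original uses
# glob-style '*mail.centos.org*'; here the patterns are regexes, and the
# hostname pattern is anchored so a look-alike subdomain elsewhere does not match.
RULES = [
    ("whitelist", "hostname", r"(^|\.)mail\.centos\.org$"),
    ("blacklist", "recipient", r"^" + re.escape(LIST_ADDRESS) + r"$"),
]


def evaluate(session, rules=RULES):
    """Return 'accept', 'reject' or 'default' (no rule matched) for one session."""
    for verdict, field, pattern in rules:
        if field not in FIELDS:
            raise ValueError(f"unknown rule field {field!r}")
        if re.search(pattern, session.get(field, ""), re.IGNORECASE):
            return "accept" if verdict == "whitelist" else "reject"
    return "default"


# Constructed sessions: genuine list traffic, and a harvester that picked the
# address out of the archives and delivers from its own host.
LIST_MAIL = {"sender": "centos-bounces@centos.org", "recipient": LIST_ADDRESS,
             "helo": "mail.centos.org", "ip": "192.0.2.25",
             "hostname": "mail.centos.org"}
HARVESTER = {"sender": "deals@spamco.example", "recipient": LIST_ADDRESS,
             "helo": "vps.spamco.example", "ip": "203.0.113.9",
             "hostname": "vps.spamco.example"}
```

Reversing the two rules makes the blacklist fire first and rejects the list's own traffic, which is the ordering trap the post warns about.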