Re: being mailbombed..or something

  • Matthias Schmidt
    Message 1 of 20 , Jan 1, 2008
      Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:

      >
      >>>> 1 merloptlq@... (<>)
      >>>> 1 Mikhail-Rowen@... (<>)
      >>>> 1 Miu_Connolly@... (<>)
      >>>> 1 Natorywa@... (<>)
      >>>> (tons and tons of these)
      >>>>
      >>> Backscatter. Joe-job.
      >>>
      >>
      >> I don't think so.
      >> imho it is a bot-net spam-attack.
      >>
      >Bots are pretty easy to kill. You can refuse to talk to them by matching
      >their reverse DNS against a regular expression.
      >
      >This has also been a huge help.
      >
      >There's just no reason to accept mail from a Dynamic IP or an IP with no
      >reverse DNS, so blocking them cuts WAY down on bots. I can't take credit
      >for the list. Most of it was written by someone else (sorry, don't
      >remember who). I added the last handful of entries.
      >
      >Save the text below as spam_ip_regex, and add:
      >
      >check_client_access regexp:/etc/postfix/spam_ip_regex
      >
      >and
      >
      >reject_unknown_reverse_client_hostname
      >
      >to your smtpd_client_restrictions section.
      >
      >Postfix can handle a ton of traffic when all it has to do is reject. 8-)
      >
      >Terry
      >
      >
      >
      >####################################################33
      >/^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
      >/[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email Rejected.
      >/client.*\..*\..*/i 553 AUTO_CLIENT Email Rejected.
      >/cable.*\..*\..*/i 553 AUTO_CABLE Email Rejected.
      >/dial.*\..*\..*/i 553 AUTO_DIAL Email Rejected.
      >/.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email Rejected.
      >/ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
      >/dslam.*\..*\..*/i 553 AUTO_DSLAM Email Rejected.
      >/node.*\..*\..*/i 553 AUTO_NODE Email Rejected.
      >/.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN Email Rejected.
      >/.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email Rejected.
      >/.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
      >/.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
      >/.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553 AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
      >/.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN Email Rejected.
      >/.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET Email Rejected.
      >/.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN Email Rejected.
      >/.*ppp.*/i 553 AUTO_PPP_PATTERN Email Rejected.
      >/.*user.*/i 553 AUTO_USER_PATTERN Email Rejected.
      >


      with these rules you might also reject legal eMails from servers running
      via dyndns, or?

      Thanks and all the best

      Matthias
    • terry.gilsenan@interoil.com
      Message 2 of 20 , Jan 1, 2008
        Matthias Schmidt wrote:
        > Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
        >
        >
        >>>>> 1 merloptlq@... (<>)
        >>>>> 1 Mikhail-Rowen@... (<>)
        >>>>> 1 Miu_Connolly@... (<>)
        >>>>> 1 Natorywa@... (<>)
        >>>>> (tons and tons of these)
        >>>>>
        >>>>>
        >>>> Backscatter. Joe-job.
        >>>>
        >>>>
        >>> I don't think so.
        >>> imho it is a bot-net spam-attack.
        >>>
        >>>
        >> Bots are pretty easy to kill. You can refuse to talk to them by matching
        >> their reverse DNS against a regular expression.
        >>
        >> This has also been a huge help.
        >>
        >> There's just no reason to accept mail from a Dynamic IP or an IP with no
        >> reverse DNS, so blocking them cuts WAY down on bots. I can't take credit
        >> for the list. Most of it was written by someone else (sorry, don't
        >> remember who). I added the last handful of entries.
        >>
        >> Save the text below as spam_ip_regex, and add:
        >>
        >> check_client_access regexp:/etc/postfix/spam_ip_regex
        >>
        >> and
        >>
        >> reject_unknown_reverse_client_hostname
        >>
        >> to your smtpd_client_restrictions section.
        >>
        >> Postfix can handle a ton of traffic when all it has to do is reject. 8-)
        >>
        >> Terry
        >>
        >>
        >>
        >> ####################################################33
        >> /^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
        >> /[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email Rejected.
        >> /client.*\..*\..*/i 553 AUTO_CLIENT Email Rejected.
        >> /cable.*\..*\..*/i 553 AUTO_CABLE Email Rejected.
        >> /dial.*\..*\..*/i 553 AUTO_DIAL Email Rejected.
        >> /.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email Rejected.
        >> /ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
        >> /dslam.*\..*\..*/i 553 AUTO_DSLAM Email Rejected.
        >> /node.*\..*\..*/i 553 AUTO_NODE Email Rejected.
        >> /.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN
        >> Email Rejected.
        >> /.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email
        >> Rejected.
        >> /.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
        >> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
        >> /.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
        >> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
        >> /.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553
        >> AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
        >> /.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN
        >> Email Rejected.
        >> /.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET
        >> Email Rejected.
        >> /.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN
        >> Email Rejected.
        >> /.*ppp.*/i 553 AUTO_PPP_PATTERN Email Rejected.
        >> /.*user.*/i 553 AUTO_USER_PATTERN Email
        >> Rejected.
        >>
        >>
        >
        >
        > with these rules you might also reject legal eMails from servers running
        > via dyndns, or?
        >
        <snip>

        Surely that would depend entirely on the recipient's interpretation of
        "legal eMails", e.g.: my server, my rules.

        I am of the opinion that people on dynamic connections should either be
        relaying emails via their ISP's SmartHost, or connecting to the
        submission port and authenticating (method not discussed here). It's one
        or the other.

        Regards,
        T
      • vg_us@hotmail.com
        Message 3 of 20 , Jan 1, 2008
          ----- Original Message -----
          From: <terry.gilsenan@...>
          Cc: <postfix-users@...>
          Sent: Tuesday, January 01, 2008 9:08 PM
          Subject: Re: being mailbombed..or something


          > Matthias Schmidt wrote:
          >> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
          >>
          >>
          >>>>>> 1 merloptlq@... (<>)
          >>>>>> 1 Mikhail-Rowen@... (<>)
          >>>>>> 1 Miu_Connolly@... (<>)
          >>>>>> 1 Natorywa@... (<>)
          >>>>>> (tons and tons of these)
          >>>>>>
          >>>>> Backscatter. Joe-job.
          >>>>>
          >>>> I don't think so.
          >>>> imho it is a bot-net spam-attack.
          >>>>
          >>> Bots are pretty easy to kill. You can refuse to talk to them by matching
          >>> their reverse DNS against a regular expression.
          >>>
          >>> This has also been a huge help.
          >>>
          >>> There's just no reason to accept mail from a Dynamic IP or an IP with no
          >>> reverse DNS, so blocking them cuts WAY down on bots. I can't take credit
          >>> for the list. Most of it was written by someone else (sorry, don't
          >>> remember who). I added the last handful of entries.
          >>>
          >>> Save the text below as spam_ip_regex, and add:
          >>>
          >>> check_client_access regexp:/etc/postfix/spam_ip_regex
          >>>
          >>> and
          >>>
          >>> reject_unknown_reverse_client_hostname
          >>>
          >>> to your smtpd_client_restrictions section.
          >>>
          >>> Postfix can handle a ton of traffic when all it has to do is reject. 8-)
          >>>
          >>> Terry
          >>>
          >>>
          >>>
          >>> ####################################################33
          >>> /^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
          >>> /[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email
          >>> Rejected.
          >>> /client.*\..*\..*/i 553 AUTO_CLIENT Email
          >>> Rejected.
          >>> /cable.*\..*\..*/i 553 AUTO_CABLE Email
          >>> Rejected.
          >>> /dial.*\..*\..*/i 553 AUTO_DIAL Email
          >>> Rejected.
          >>> /.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email
          >>> Rejected.
          >>> /ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
          >>> /dslam.*\..*\..*/i 553 AUTO_DSLAM Email
          >>> Rejected.
          >>> /node.*\..*\..*/i 553 AUTO_NODE Email
          >>> Rejected.
          >>> /.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN
          >>> Email Rejected.
          >>> /.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email
          >>> Rejected.
          >>> /.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
          >>> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
          >>> /.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
          >>> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
          >>> /.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553
          >>> AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
          >>> /.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN
          >>> Email Rejected.
          >>> /.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET
          >>> Email Rejected.
          >>> /.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN
          >>> Email Rejected.
          >>> /.*ppp.*/i 553 AUTO_PPP_PATTERN Email
          >>> Rejected.
          >>> /.*user.*/i 553 AUTO_USER_PATTERN Email
          >>> Rejected.
          >>>
          >>>
          >>
          >>
          >> with these rules you might also reject legal eMails from servers running
          >> via dyndns, or?
          >>
          > <snip>
          >
          > Surely that would depend entirely on the recipients interpretation of
          > "legal eMails", eg: my server, my rules.
          >
          > I am of the opinion that people on dynamic connections should ether be
          > relaying emails via their ISP's SmartHost, or connecting to the submission
          > port and authenticating (method not discussed here). Its one or the other.
          >
          > Regards,
          > T
          >

          your server, your rules? say "hi" to aol and hotmail, my friend.

          vadim
        • terry.gilsenan@interoil.com
          Message 4 of 20 , Jan 1, 2008
            vg_us@... wrote:
            >
            > ----- Original Message ----- From: <terry.gilsenan@...>
            > Cc: <postfix-users@...>
            > Sent: Tuesday, January 01, 2008 9:08 PM
            > Subject: Re: being mailbombed..or something
            >
            >
            >> Matthias Schmidt wrote:
            >>> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
            >>>
            >>>
            >>>>>>> 1 merloptlq@... (<>)
            >>>>>>> 1 Mikhail-Rowen@... (<>)
            >>>>>>> 1 Miu_Connolly@... (<>)
            >>>>>>> 1 Natorywa@... (<>)
            >>>>>>> (tons and tons of these)
            >>>>>>>
            >>>>>> Backscatter. Joe-job.
            >>>>>>
            >>>>> I don't think so.
            >>>>> imho it is a bot-net spam-attack.
            >>>>>
            >>>> Bots are pretty easy to kill. You can refuse to talk to them by
            >>>> matching their reverse DNS against a regular expression.
            >>>>
            >>>> This has also been a huge help.
            >>>>
            >>>> There's just no reason to accept mail from a Dynamic IP or an IP
            >>>> with no reverse DNS, so blocking them cuts WAY down on bots. I
            >>>> can't take credit for the list. Most of it was written by someone
            >>>> else (sorry, don't remember who). I added the last handful of entries.
            >>>>
            >>>> Save the text below as spam_ip_regex, and add:
            >>>>
            >>>> check_client_access regexp:/etc/postfix/spam_ip_regex
            >>>>
            >>>> and
            >>>>
            >>>> reject_unknown_reverse_client_hostname
            >>>>
            >>>> to your smtpd_client_restrictions section.
            >>>>
            >>>> Postfix can handle a ton of traffic when all it has to do is
            >>>> reject. 8-)
            >>>>
            >>>> Terry
            >>>>
            >>>>
            >>>>
            >>>> ####################################################33
            >>>> /^dsl.*\..*\..*/i 553 AUTO_DSL Email
            >>>> Rejected.
            >>>> /[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email
            >>>> Rejected.
            >>>> /client.*\..*\..*/i 553 AUTO_CLIENT Email
            >>>> Rejected.
            >>>> /cable.*\..*\..*/i 553 AUTO_CABLE Email
            >>>> Rejected.
            >>>> /dial.*\..*\..*/i 553 AUTO_DIAL Email
            >>>> Rejected.
            >>>> /.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email
            >>>> Rejected.
            >>>> /ppp.*\..*\..*/i 553 AUTO_PPP Email
            >>>> Rejected.
            >>>> /dslam.*\..*\..*/i 553 AUTO_DSLAM Email
            >>>> Rejected.
            >>>> /node.*\..*\..*/i 553 AUTO_NODE Email
            >>>> Rejected.
            >>>> /.*dial-up.*/i 553
            >>>> AUTO_DIAL_UP_ID_PATTERN Email Rejected.
            >>>> /.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN
            >>>> Email Rejected.
            >>>> /.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
            >>>> AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
            >>>> /.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i
            >>>> 553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
            >>>> /.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553
            >>>> AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
            >>>> /.*internetdsl.tpnet.pl/i 553
            >>>> AUTO_PL_DSL_PATTERN Email Rejected.
            >>>> /.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET
            >>>> Email Rejected.
            >>>> /.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN
            >>>> Email Rejected.
            >>>> /.*ppp.*/i 553 AUTO_PPP_PATTERN Email
            >>>> Rejected.
            >>>> /.*user.*/i 553 AUTO_USER_PATTERN Email
            >>>> Rejected.
            >>>>
            >>>>
            >>>
            >>>
            >>> with these rules you might also reject legal eMails from servers
            >>> running
            >>> via dyndns, or?
            >>>
            >> <snip>
            >>
            >> Surely that would depend entirely on the recipients interpretation of
            >> "legal eMails", eg: my server, my rules.
            >>
            >> I am of the opinion that people on dynamic connections should ether
            >> be relaying emails via their ISP's SmartHost, or connecting to the
            >> submission port and authenticating (method not discussed here). Its
            >> one or the other.
            >>
            >> Regards,
            >> T
            >>
            >
            > your server, your rules? say "hi" to aol and hotmail, my friend.
            *<blink>*

            If I want to send email to aol or hotmail, then I need to play by their
            rules, if they want to send email to me, then they will play by my
            rules. My MX currently accepts about 500k legit emails / day, and
            rejects several million connection/delivery attempts / day using various
            rules, and DNSBL's etc.

            My users appreciate having _useful_ email, and many of the users have
            never yet rec'd a single spam. I am somewhat draconian, and the users
            know that I am approachable if they suspect a false positive, and on
            several occasions I have added temporary manual white-listing, whilst at
            the same time assisting to educate the sender (or their ISP) in getting
            their MTA "fixed".

            So I say again, my server, my rules.

            Regards,
            T
          • Wietse Venema
            Message 5 of 20 , Jan 1, 2008
              Matthias Schmidt:
              > Am/On Tue, 1 Jan 2008 17:31:29 -0500 schrieb/wrote Wietse Venema:
              >
              > >JD Bronson:
              > >> I am looking for any advice on how to mitigate an attack.
              > >>
              > >> I appear to be under attack from IPs all over the world attempting
              > >> to send email to one of my domains with all invalid usernames:
              > >>
              > >> For example:
              > >> 1 Laa@... (<>)
              > >> 1 Leitnerkkiwh@... (<>)
              > >> 1 lemerand@... (<>)
              > >> 1 Linas@... (<>)
              > >> 1 Littleflower@... (<>)
              > >> 1 Lounekmmhvp@... (<>)
              > >> 1 isabelle.lundquist@... (<>)
              > >> 1 merloptlq@... (<>)
              > >> 1 Mikhail-Rowen@... (<>)
              > >> 1 Miu_Connolly@... (<>)
              > >> 1 Natorywa@... (<>)
              > >> (tons and tons of these)
              > >
              > >Backscatter. Joe-job.
              >
              > I don't think so.
              > imho it is a bot-net spam-attack.

              Lots of mail from <> is backscatter.

              Wietse
            • Terry Carmen
              Message 6 of 20 , Jan 1, 2008
                Matthias Schmidt wrote:
                >> Bots are pretty easy to kill. You can refuse to talk to them by matching
                >> their reverse DNS against a regular expression.
                >>
                >> This has also been a huge help.
                >>
                > with these rules you might also reject legal eMails from servers running
                > via dyndns, or?
                >
                Dyndns never enters into it. It's looking up the *reverse* DNS, which
                would return the ISP's DN, not the home user.

                In any case, I'm more than willing to take a chance on temporarily
                rejecting a few legitimate emails from dynamic IPs in exchange for
                eliminating millions of zombie spams.

                If you look at the regexp, you'll note that it contains a reject
                message, which in the case of the companies I manage mail servers for,
                includes a contact phone number for the IT department, so they can be
                white-listed. They generally average maybe a couple of calls a week for
                whitelisting, in contrast to millions of rejects.

                Businesses are more than happy to make that trade-off, especially since
                it lowers their risk of infection, spam and scams.

                Dynamic users should be routing their mail through their ISPs' mail
                servers. If they don't want to, that's fine, but I don't have to talk to
                them.

                Terry
              • Kevin Stevens
                Message 7 of 20 , Jan 1, 2008
                  On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:

                  > Matthias Schmidt wrote:
                  >> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
                  >>
                  >> with these rules you might also reject legal eMails from servers
                  >> running
                  >> via dyndns, or?
                  >>
                  > <snip>
                  >
                  > Surely that would depend entirely on the recipients interpretation
                  > of "legal eMails", eg: my server, my rules.
                  >
                  > I am of the opinion that people on dynamic connections should ether
                  > be relaying emails via their ISP's SmartHost, or connecting to the
                  > submission port and authenticating (method not discussed here). Its
                  > one or the other.
                  >
                  > Regards,
                  > T

                  Well - no.

                  You can certainly decide to accept or reject whatever mail you want by
                  whatever rules you define, but legality, in this context, means RFC
                  compliant. As someone who runs a compliant mailserver, on a business
                  DSL IP (static), I get a lot of blocks from over-enthusiastic
                  blacklists.

                  KeS
                • terry.gilsenan@interoil.com
                  Message 8 of 20 , Jan 1, 2008
                    Kevin Stevens wrote:
                    >
                    > On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:
                    >
                    >> Matthias Schmidt wrote:
                    >>> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
                    >>>
                    >>> with these rules you might also reject legal eMails from servers
                    >>> running
                    >>> via dyndns, or?
                    >>>
                    >> <snip>
                    >>
                    >> Surely that would depend entirely on the recipients interpretation of
                    >> "legal eMails", eg: my server, my rules.
                    >>
                    >> I am of the opinion that people on dynamic connections should ether
                    >> be relaying emails via their ISP's SmartHost, or connecting to the
                    >> submission port and authenticating (method not discussed here). Its
                    >> one or the other.
                    >>
                    >> Regards,
                    >> T
                    >
                    > Well - no.
                    >
                    > You can certainly decide to accept or reject whatever mail you want by
                    > whatever rules you define, but legality, in this context, means RFC
                    > compliant. As someone who runs a compliant mailserver, on a business
                    > DSL IP (static), I get a lot of blocks from over-enthusiastic blacklists.
                    >
                    > KeS
                    >
                    It is "Legal" according to the RFCs for an MX server to reject any
                    email for any reason at all, so long as the appropriate reply is made by
                    the server to the client. For example the Server could be configured to
                    reject all email from IP addresses that have an odd number in them, or
                    reject on all email addresses from a .com domain, or even all emails
                    that have any X- headers inserted, or perhaps all email from email
                    addresses with female gender inflected names in either domain or email
                    address. It is legal so long as the server replies to the attempted
                    transmission from the client with an appropriate response.

                    Using a blacklist is entirely legal as per RFCs, so long as the email
                    is rejected _DURING_ the SMTP transaction, any time before issuing a 200
                    OK for the email data.

                    Even rejecting entire netblocks based on Country is legal according to
                    RFCs provided the appropriate response is given to the client by the
                    server _during_ the SMTP transaction.

                    The only overarching requirement is that abuse@ and postmaster@ are able
                    to receive email from everywhere.

                    Your server on the other hand, may be RFC compliant, however that is
                    irrelevant if the MTA to which you are trying to deliver email is
                    rejecting dynamic IPs. People can be as enthusiastic as they wish with
                    their blocklist usage, after all, it is their bandwidth that they are
                    saving. Many people in this world have to pay for each and every
                    megabyte that they use, and if they want to restrict emails to a 0/8
                    blocklist and a small whitelist, with a 50kb message size limit, then
                    that is entirely their call.

                    If you get your email blocked by servers configured to block email from
                    DSL links, then that is the recipient's choice, you can ask them to
                    whitelist, or you can contact your ISP and use their SmartHost perhaps
                    (if they have one for their clients' use that is).

                    Regards,
                    T
                  • terry.gilsenan@interoil.com
                    Message 9 of 20 , Jan 1, 2008
                      Terry Carmen wrote:
                      > Matthias Schmidt wrote:
                      >>> Bots are pretty easy to kill. You can refuse to talk to them by
                      >>> matching their reverse DNS against a regular expression.
                      >>>
                      >>> This has also been a huge help.
                      >>>
                      >> with these rules you might also reject legal eMails from servers running
                      >> via dyndns, or?
                      >>
                      > Dyndns never enters into it. It's looking up the *reverse* DNS, which
                      > would return the ISP's DN, not the home user.
                      >
                      > In any case, I'm more than willing to take a chance on temporarily
                      > rejecting a few legitimate emails from dynamic IPs in exchange for
                      > eliminating millions of zombie spams.
                      >
                      > If you look at the regexp, you'll note that it contains a reject
                      > message, which in the case of the companies I manage mail servers for,
                      > includes a contact phone number for the IT department, so they can be
                      > white-listed. They generally average maybe a couple of calls a week
                      > for whitelisting, in contrast to millions of rejects.
                      >
                      > Businesses are more than happy to make that trade-off, especially
                      > since it lowers their risk of infection, spam and scams.
                      >
                      > Dynamic users should be routing their mail through their ISPs mail
                      > servers. If they don't want to, that's fine, but I don't have to talk
                      > to them.
                      >
                      > Terry
                      >
                      Bingo!
                      >
                      >
                      >
                      >
                      >
                    • JD Bronson
                      Message 10 of 20 , Jan 2, 2008
                        At 02:44 PM 01/02/2008 +1000, terry.gilsenan@... wrote:
                        >>Dynamic users should be routing their mail through their ISPs mail
                        >>servers. If they don't want to, that's fine, but I don't have to talk to them.

                        Thanks for all of the discussion guys.

                        I already block dynamic IPs with pcre but have a client_checks just
                        before that for whitelisting.

                        I do get a false positive from time to time, but my error message
                        states to use your ISP:

                        "550 Connecting IP appears dynamic - Use ISP to relay email"

                        Smart people should figure that out. If not, oh well :-)

                        So far, using pf has helped me the most. It watches the number of
                        concurrent sessions and the number of sessions within a given amount
                        of time and then blacklists/blackholes the IP until midnight. I am
                        then emailed a list of the offending IPs and then the IPs are flushed
                        out of the table.

                        At least this way, if it is a legit IP, it will have a chance again.
                        If not, it will be blacklisted again as well.

                        I do have overrides within pf for certain sites that we receive a
                        large quantity of email from in a short time.

                        -JD
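An offline check of the rule list quoted at the top of the thread, added here as an example (it is not code from any poster or from Postfix): it parses the rules the way regexp_table(5) describes (first match wins, continuation lines, the `i` flag as a toggle) and runs them over reverse-DNS names to show which rule rejects what, including the static business host and the allowlist-before-reject ordering discussed above. The host names, the `OK` allowlist entry and the function names are assumptions made for the illustration, and Python's `re` stands in for POSIX regular expressions.

```python
import re

# Rules as quoted in the thread, with the mail client's line wraps rejoined.
# Two long entries use continuation lines (leading whitespace), which
# regexp_table(5) treats as part of the previous logical line.
THREAD_RULES = r"""
# reverse-DNS patterns quoted in the thread
/^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
/[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email Rejected.
/client.*\..*\..*/i 553 AUTO_CLIENT Email Rejected.
/cable.*\..*\..*/i 553 AUTO_CABLE Email Rejected.
/dial.*\..*\..*/i 553 AUTO_DIAL Email Rejected.
/.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email Rejected.
/ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
/dslam.*\..*\..*/i 553 AUTO_DSLAM Email Rejected.
/node.*\..*\..*/i 553 AUTO_NODE Email Rejected.
/.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN Email Rejected.
/.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email Rejected.
/.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
    AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
/.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553
    AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
/.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553 AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
/.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN Email Rejected.
/.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET Email Rejected.
/.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN Email Rejected.
/.*ppp.*/i 553 AUTO_PPP_PATTERN Email Rejected.
/.*user.*/i 553 AUTO_USER_PATTERN Email Rejected.
"""

# Hypothetical allowlist entry for a constructed host name; it must come
# before the reject patterns because the first matching rule wins.
ALLOWLIST = r"""
/^static-198-51-100-20\.biz\.example\.com$/ OK
"""


def parse_regexp_table(text):
    """Parse regexp_table(5) text into a list of (compiled_pattern, action)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continuation of previous entry
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        m = re.match(r"/(.*)/([imx]*)\s+(.*)$", line)
        if not m:
            raise ValueError("unparseable table entry: " + line)
        pattern, flags, action = m.groups()
        # regexp_table(5): matching is case-insensitive by default and "i"
        # TOGGLES it, so an entry written /.../i matches case-sensitively.
        # The "m" and "x" flags are accepted but not modelled here.
        insensitive = flags.count("i") % 2 == 0
        rules.append((re.compile(pattern, re.I if insensitive else 0), action))
    return rules


def lookup(rules, hostname):
    """Return the action of the first matching rule, or None when none match."""
    for rx, action in rules:
        if rx.search(hostname):
            return action
    return None


# Constructed reverse-DNS names (documentation address ranges, example domains).
SAMPLES = [
    "dsl-203-0-113-7.pool.example.net",      # dynamic pool naming
    "mail.example.org",                      # ordinary mail server
    "static-198-51-100-20.biz.example.com",  # static business line
    "mx1.usergroup.example.org",             # merely contains "user"
    "smtp.nodeworks.example.com",            # merely contains "node"
    "Cable-7.Example.NET",                   # mixed case, shows the flag's effect
]


def audit(rules, hostnames):
    """Map each host name to the action it would receive."""
    return {h: lookup(rules, h) for h in hostnames}


if __name__ == "__main__":
    as_posted = parse_regexp_table(THREAD_RULES)
    with_allowlist = parse_regexp_table(ALLOWLIST + THREAD_RULES)
    for host, action in audit(as_posted, SAMPLES).items():
        exempt = lookup(with_allowlist, host) == "OK"
        print(f"{host:40} {action or 'no match'}{'  [allowlisted]' if exempt else ''}")
```

On a host with Postfix installed, `postmap -q <hostname> regexp:/etc/postfix/spam_ip_regex` answers the same question against the live table.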
                      • Leonardo Rodrigues Magalhães
                        Message 11 of 20 , Jan 2, 2008
                          Kevin Stevens wrote:
                          >
                          > On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:
                          >
                          >> Matthias Schmidt wrote:
                          >>> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
                          >>>
                          >>> with these rules you might also reject legal eMails from servers
                          >>> running
                          >>> via dyndns, or?
                          >>>
                          >>
                          >> Surely that would depend entirely on the recipient's interpretation of
                          >> "legal eMails", eg: my server, my rules.
                          >>
                          >> I am of the opinion that people on dynamic connections should either
                          >> be relaying emails via their ISP's SmartHost, or connecting to the
                          >> submission port and authenticating (method not discussed here). It's
                          >> one or the other.
                          >>
                          >
                          > Well - no.
                          >
                          > You can certainly decide to accept or reject whatever mail you want by
                          > whatever rules you define, but legality, in this context, means RFC
                          > compliant. As someone who runs a compliant mailserver, on a business
                          > DSL IP (static), I get a lot of blocks from over-enthusiastic blacklists.
                          >

                          I think this discussion on mail servers running on DSL/Cable static
                          IP connections is far beyond RFC scope discussions.

                          Those people who choose to run their mailserver on DSL/cable
                          connections and NOT relay on their ISPs are already having bad times
                          when sending mail to big ISPs and big companies.

                          Even if it's 'OK' in RFC scope, this is not OK in the real world
                          anymore. The real world seems to be completely happy with some
                          false-positive rejections when these dynamic-ip rules do block MILLIONS
                          of bad messages.

                          I had some mailservers running on static IP DSL lines here in Brazil
                          and tried, for some time, to avoid upstreaming the messages to the ISPs.
                          But .... for more than a year now, I realized that that was a lost war.
                          And I started upstreaming messages to ISPs. Received messages come
                          directly to my static IP DSL lines, but outgoing messages go to the
                          ISP mailservers.


                          --


                          Atenciosamente / Sincerely,
                          Leonardo Rodrigues
                          Solutti Tecnologia
                          http://www.solutti.com.br

                          Minha armadilha de SPAM, NÃO mandem email
                          gertrudes@...
                          My SPAMTRAP, do not email it
                        • mouss
                          Message 12 of 20 , Jan 2, 2008
                            Terry Carmen wrote:
                            >
                            > Bots are pretty easy to kill. You can refuse to talk to them by matching
                            > their reverse DNS against a regular expression.
                            >

                            unfortunately, it's not that easy. rejecting them still consumes
                            resources. when your smtpd is rejecting zombies, it's busy doing that.
                            And if there are too many zombies sending you traffic, then that will
                            kill your connectivity, even if you firewall traffic at the IP level.

                            all you can do is reduce their effects.

                            > This has also been a huge help.
                            >
                            > There's just no reason to accept mail from a Dynamic IP

                            The problem is how to detect that it is a dynamic IP. regular
                            expressions have both False Negatives (there is no registry of every
                            possible format) and False Positives, like this:

                            ... connect from DD.CC-AA-BB.ripe.coltfrance.com[AA.BB.CC.DD]

                            This is from a colo host, which is not dynamic at all.

                            an alternative is to reject mail from clients with generic rDNS (because
                            "they did not make an effort to have a meaningful rDNS"). This reduces the
                            false positives (by changing the goal, not by blocking different people!).


                            > or an IP with no reverse DNS,

                            Be warned that in the case of DNS failures (which may be on your side),
                            you'll delay legitimate mail.


                            > [snip]
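An added example (not part of the thread) that puts mouss's point in code: the keyword patterns quoted earlier in this thread are run next to a "generic rDNS" check that only asks whether the client's own IP is embedded in its PTR name. The hostnames and IPs are constructed samples (documentation ranges, example domains), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Keyword patterns quoted earlier in this thread. Postfix regexp tables
# search unanchored and these carry the /i flag, hence re.search + re.I.
KEYWORD_PATTERNS = [re.compile(p, re.I) for p in (
    r"^dsl.*\..*\..*", r"[ax]dsl.*\..*\..*", r"client.*\..*\..*",
    r"cable.*\..*\..*", r"dial.*\..*\..*", r".*dial[\-]*in.*",
    r"ppp.*\..*\..*",
)]

def keyword_hit(hostname):
    """True if any 'looks dynamic' keyword pattern matches the PTR name."""
    return any(p.search(hostname) for p in KEYWORD_PATTERNS)

def embeds_ip(hostname, ip):
    """Generic-rDNS heuristic: is the client's IPv4 address encoded in its name?

    Accepts the octets as separate numbers in any order, or as one
    zero-padded decimal run, or as one 8-digit hex run.
    """
    octets = list(ipaddress.IPv4Address(ip).packed)
    host = hostname.lower()
    if "%02x%02x%02x%02x" % tuple(octets) in host:
        return True
    if "%03d%03d%03d%03d" % tuple(octets) in host:
        return True
    seen = Counter(int(t) for t in re.findall(r"\d+", host) if len(t) <= 3)
    return all(seen[o] >= n for o, n in Counter(octets).items())

# Constructed samples: (PTR name, client IP).
SAMPLES = [
    ("dsl-203-0-113-7.example.net", "203.0.113.7"),        # both agree
    ("mail.clientservices.example.com", "198.51.100.25"),  # keyword false positive
    ("203-0-113-9.broadband.example.net", "203.0.113.9"),  # keyword false negative
    ("44.2-192-0.colo.example.com", "192.0.2.44"),         # DD.CC-AA-BB colo format
    ("mx1.example.org", "192.0.2.10"),                     # meaningful rDNS
]

def classify(hostname, ip):
    """Return (keyword verdict, generic-rDNS verdict) for one client."""
    return keyword_hit(hostname), embeds_ip(hostname, ip)

if __name__ == "__main__":
    for name, ip in SAMPLES:
        print("%-36s %-15s keyword=%s generic=%s" % ((name, ip) + classify(name, ip)))
```

The colo-style name is flagged by the generic check because its name carries the address, not because it is dynamic, which is the change of goal described above.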
                          • Robert Schetterer
                            Message 13 of 20 , Jan 2, 2008
                              mouss wrote:
                              > Terry Carmen wrote:
                              >>
                              >> Bots are pretty easy to kill. You can refuse to talk to them by
                              >> matching their reverse DNS against a regular expression.
                              >>
                              >
                              > unfortunately, it's not that easy. rejecting them still consumes
                              > resources. when your smtpd is rejecting zombies, it's busy doing that.
                              > And if there are too many zombies sending you traffic, then that will
                              > kill your connectivity, even if you firewall traffic at the IP level.
                              >
                              > all you can do is reduce their effects.
                              >
                              >> This has also been a huge help.
                              >>
                              >> There's just no reason to accept mail from a Dynamic IP
                              >
                              > The problem is how to detect that it is a dynamic IP. regular
                              > expressions have both False Negatives (there is no registry of every
                              > possible format) and False Positives, like this:
                              >
                              > ... connect from DD.CC-AA-BB.ripe.coltfrance.com[AA.BB.CC.DD]
                              >
                              > This is from a colo host, which is not dynamic at all.
                              >
                              > an alternative is to reject mail from clients with generic rDNS (because
                              > "they did not make an effort to have a meaningful rDNS"). This reduces the
                              > false positives (by changing the goal, not by blocking different people!).
                              >
                              >
                              >> or an IP with no reverse DNS,
                              >
                              > Be warned that in the case of DNS failures (which may be on your side),
                              > you'll delay legitimate mail.
                              >
                              >
                              >> [snip]

                              why not use fail2ban, works like a charm here

                              --
                              Best Regards

                              MfG Robert Schetterer

                              Germany/Munich/Bavaria
                            • Terry Carmen
                              Message 14 of 20 , Jan 2, 2008
                                mouss wrote:
                                >> or an IP with no reverse DNS,
                                >
                                > Be warned that in the case of DNS failures (which may be on your
                                > side), you'll delay legitimate mail.
                                I can live with that. As long as the protocol remains RFC compliant and
                                the sender gets a meaningful reject or delay message, it's a manageable
                                (and not very significant) problem.

                                Terry