Re: being mailbombed..or something

  • terry.gilsenan@interoil.com
    Message 1 of 20 , Jan 1, 2008
      vg_us@... wrote:
      >
      > ----- Original Message ----- From: <terry.gilsenan@...>
      > Cc: <postfix-users@...>
      > Sent: Tuesday, January 01, 2008 9:08 PM
      > Subject: Re: being mailbombed..or something
      >
      >
      >> Matthias Schmidt wrote:
      >>> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
      >>>
      >>>
      >>>>>>> 1 merloptlq@... (<>)
      >>>>>>> 1 Mikhail-Rowen@... (<>)
      >>>>>>> 1 Miu_Connolly@... (<>)
      >>>>>>> 1 Natorywa@... (<>)
      >>>>>>> (tons and tons of these)
      >>>>>>>
      >>>>>> Backscatter. Joe-job.
      >>>>>>
      >>>>> I don't think so.
      >>>>> imho it is a bot-net spam-attack.
      >>>>>
      >>>> Bots are pretty easy to kill. You can refuse to talk to them by
      >>>> matching their reverse DNS against a regular expression.
      >>>>
      >>>> This has also been a huge help.
      >>>>
      >>>> There's just no reason to accept mail from a Dynamic IP or an IP
      >>>> with no reverse DNS, so blocking them cuts WAY down on bots. I
      >>>> can't take credit for the list. Most of it was written by someone
      >>>> else (sorry, don't remember who). I added the last handful of entries.
      >>>>
      >>>> Save the text below as spam_ip_regex, and add:
      >>>>
      >>>> check_client_access regexp:/etc/postfix/spam_ip_regex
      >>>>
      >>>> and
      >>>>
      >>>> reject_unknown_reverse_client_hostname
      >>>>
      >>>> to your smtpd_client_restrictions section.
      >>>>
      >>>> Postfix can handle a ton of traffic when all it has to do is
      >>>> reject. 8-)
      >>>>
      >>>> Terry
      >>>>
      >>>>
      >>>>
      >>>> ####################################################33
      >>>> /^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
      >>>> /[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email Rejected.
      >>>> /client.*\..*\..*/i 553 AUTO_CLIENT Email Rejected.
      >>>> /cable.*\..*\..*/i 553 AUTO_CABLE Email Rejected.
      >>>> /dial.*\..*\..*/i 553 AUTO_DIAL Email Rejected.
      >>>> /.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email Rejected.
      >>>> /ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
      >>>> /dslam.*\..*\..*/i 553 AUTO_DSLAM Email Rejected.
      >>>> /node.*\..*\..*/i 553 AUTO_NODE Email Rejected.
      >>>> /.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN Email Rejected.
      >>>> /.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email Rejected.
      >>>> /.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
      >>>> /.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
      >>>> /.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553 AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
      >>>> /.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN Email Rejected.
      >>>> /.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET Email Rejected.
      >>>> /.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN Email Rejected.
      >>>> /.*ppp.*/i 553 AUTO_PPP_PATTERN Email Rejected.
      >>>> /.*user.*/i 553 AUTO_USER_PATTERN Email Rejected.
      >>>>
      >>>>
      >>>
      >>>
      >>> with these rules you might also reject legal eMails from servers
      >>> running
      >>> via dyndns, or?
      >>>
      >> <snip>
      >>
      >> Surely that would depend entirely on the recipient's interpretation of
      >> "legal eMails", eg: my server, my rules.
      >>
      >> I am of the opinion that people on dynamic connections should either
      >> be relaying emails via their ISP's SmartHost, or connecting to the
      >> submission port and authenticating (method not discussed here). It's
      >> one or the other.
      >>
      >> Regards,
      >> T
      >>
      >
      > your server, your rules? say "hi" to aol and hotmail, my friend.
      *<blink>*

      If I want to send email to AOL or Hotmail, then I need to play by their
      rules; if they want to send email to me, then they will play by my
      rules. My MX currently accepts about 500k legit emails / day, and
      rejects several million connection/delivery attempts / day using various
      rules, DNSBLs, etc.

      My users appreciate having _useful_ email, and many of the users have
      never yet received a single spam. I am somewhat draconian, and the users
      know that I am approachable if they suspect a false positive, and on
      several occasions I have added temporary manual white-listing, whilst at
      the same time helping to educate the sender (or their ISP) in getting
      their MTA "fixed".

      So I say again, my server, my rules.

      Regards,
      T
    • Wietse Venema
      Message 2 of 20 , Jan 1, 2008
        Matthias Schmidt:
        [ Charset ISO-8859-1 unsupported, converting... ]
        > Am/On Tue, 1 Jan 2008 17:31:29 -0500 schrieb/wrote Wietse Venema:
        >
        > >JD Bronson:
        > >> I am looking for any advice on how to mitigate an attack.
        > >>
        > >> I appear to be under attack from IPs all over the world attempting
        > >> to send email to one of my domains with all invalid usernames:
        > >>
        > >> For example:
        > >> 1 Laa@... (<>)
        > >> 1 Leitnerkkiwh@... (<>)
        > >> 1 lemerand@... (<>)
        > >> 1 Linas@... (<>)
        > >> 1 Littleflower@... (<>)
        > >> 1 Lounekmmhvp@... (<>)
        > >> 1 isabelle.lundquist@... (<>)
        > >> 1 merloptlq@... (<>)
        > >> 1 Mikhail-Rowen@... (<>)
        > >> 1 Miu_Connolly@... (<>)
        > >> 1 Natorywa@... (<>)
        > >> (tons and tons of these)
        > >
        > >Backscatter. Joe-job.
        >
        > I don't think so.
        > imho it is a bot-net spam-attack.

        Lots of mail from <> is backscatter.

        Wietse
      • Terry Carmen
        Message 3 of 20 , Jan 1, 2008
          Matthias Schmidt wrote:
          >> Bots are pretty easy to kill. You can refuse to talk to them by matching
          >> their reverse DNS against a regular expression.
          >>
          >> This has also been a huge help.
          >>
          > with these rules you might also reject legal eMails from servers running
          > via dyndns, or?
          >
          Dyndns never enters into it. It's looking up the *reverse* DNS, which
          would return the ISP's DN, not the home user.

          In any case, I'm more than willing to take a chance on temporarily
          rejecting a few legitimate emails from dynamic IPs in exchange for
          eliminating millions of zombie spams.

          If you look at the regexp, you'll note that it contains a reject
          message, which in the case of the companies I manage mail servers for,
          includes a contact phone number for the IT department, so they can be
          white-listed. They generally average maybe a couple of calls a week for
          whitelisting, in contrast to millions of rejects.

          Businesses are more than happy to make that trade-off, especially since
          it lowers their risk of infection, spam and scams.

          Dynamic users should be routing their mail through their ISP's mail
          servers. If they don't want to, that's fine, but I don't have to talk to
          them.

          Terry
        • Kevin Stevens
          Message 4 of 20 , Jan 1, 2008
            On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:

            > Matthias Schmidt wrote:
            >> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
            >>
            >> with these rules you might also reject legal eMails from servers
            >> running
            >> via dyndns, or?
            >>
            > <snip>
            >
            > Surely that would depend entirely on the recipient's interpretation
            > of "legal eMails", eg: my server, my rules.
            >
            > I am of the opinion that people on dynamic connections should either
            > be relaying emails via their ISP's SmartHost, or connecting to the
            > submission port and authenticating (method not discussed here). It's
            > one or the other.
            >
            > Regards,
            > T

            Well - no.

            You can certainly decide to accept or reject whatever mail you want by
            whatever rules you define, but legality, in this context, means RFC
            compliant. As someone who runs a compliant mailserver, on a business
            DSL IP (static), I get a lot of blocks from over-enthusiastic
            blacklists.

            KeS
          • terry.gilsenan@interoil.com
            Message 5 of 20 , Jan 1, 2008
              Kevin Stevens wrote:
              >
              > On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:
              >
              >> Matthias Schmidt wrote:
              >>> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
              >>>
              >>> with these rules you might also reject legal eMails from servers
              >>> running
              >>> via dyndns, or?
              >>>
              >> <snip>
              >>
              >> Surely that would depend entirely on the recipient's interpretation of
              >> "legal eMails", eg: my server, my rules.
              >>
              >> I am of the opinion that people on dynamic connections should either
              >> be relaying emails via their ISP's SmartHost, or connecting to the
              >> submission port and authenticating (method not discussed here). It's
              >> one or the other.
              >>
              >> Regards,
              >> T
              >
              > Well - no.
              >
              > You can certainly decide to accept or reject whatever mail you want by
              > whatever rules you define, but legality, in this context, means RFC
              > compliant. As someone who runs a compliant mailserver, on a business
              > DSL IP (static), I get a lot of blocks from over-enthusiastic blacklists.
              >
              > KeS
              >
              It is "legal" according to the RFCs for an MX server to reject any
              email for any reason at all, so long as the appropriate reply is made by
              the server to the client. For example, the server could be configured to
              reject all email from IP addresses that have an odd number in them, or
              reject all email from addresses in a .com domain, or even all emails
              that have any X- headers inserted, or perhaps all email from email
              addresses with female-gender-inflected names in either the domain or the
              email address. It is legal so long as the server replies to the attempted
              transmission from the client with an appropriate response.

              Using a blacklist is entirely legal as per RFC's, so long as the email
              is rejected _DURING_ the SMTP transaction, any time before issuing a 200
              OK for the email data.

              Even rejecting entire netblocks based on Country is legal according to
              RFC's provided the appropriate response is given to the client by the
              server _during_ the SMTP transaction.

              The only overarching requirement is that abuse@ and postmaster@ are able
              to receive email from everywhere.

              Your server, on the other hand, may be RFC compliant; however, that is
              irrelevant if the MTA to which you are trying to deliver email is
              rejecting dynamic IPs. People can be as enthusiastic as they wish with
              their blocklist usage; after all, it is their bandwidth that they are
              saving. Many people in this world have to pay for each and every
              megabyte that they use, and if they want to restrict emails to a 0/8
              blocklist and a small whitelist, with a 50kb message size limit, then
              that is entirely their call.

              If you get your email blocked by servers configured to block email from
              DSL links, then that is the recipient's choice; you can ask them to
              whitelist, or you can contact your ISP and use their SmartHost perhaps
              (if they have one for their clients' use, that is).

              Regards,
              T
            • terry.gilsenan@interoil.com
              Message 6 of 20 , Jan 1, 2008
                Terry Carmen wrote:
                > Matthias Schmidt wrote:
                >>> Bots are pretty easy to kill. You can refuse to talk to them by
                >>> matching their reverse DNS against a regular expression.
                >>>
                >>> This has also been a huge help.
                >>>
                >> with these rules you might also reject legal eMails from servers running
                >> via dyndns, or?
                >>
                > Dyndns never enters into it. It's looking up the *reverse* DNS, which
                > would return the ISP's DN, not the home user.
                >
                > In any case, I'm more than willing to take a chance on temporarily
                > rejecting a few legitimate emails from dynamic IPs in exchange for
                > eliminating millions of zombie spams.
                >
                > If you look at the regexp, you'll note that it contains a reject
                > message, which in the case of the companies I manage mail servers for,
                > includes a contact phone number for the IT department, so they can be
                > white-listed. They generally average maybe a couple of calls a week
                > for whitelisting, in contrast to millions of rejects.
                >
                > Businesses are more than happy to make that trade-off, especially
                > since it lowers their risk of infection, spam and scams.
                >
                > Dynamic users should be routing their mail through their ISP's mail
                > servers. If they don't want to, that's fine, but I don't have to talk
                > to them.
                >
                > Terry
                >
                Bingo!
              • JD Bronson
                Message 7 of 20 , Jan 2, 2008
                  At 02:44 PM 01/02/2008 +1000, terry.gilsenan@... wrote:
                  >>Dynamic users should be routing their mail through their ISP's mail
                  >>servers. If they don't want to, that's fine, but I don't have to talk to them.

                  Thanks for all of the discussion guys.

                  I already block dynamic IPs with pcre but have a client_checks just
                  before that for whitelisting.

                  I do get a false positive from time to time, but my error message
                  states to use your ISP:

                  "550 Connecting IP appears dynamic - Use ISP to relay email"

                  Smart people should figure that out. If not, oh well :-)

                  So far, using pf has helped me the most. It watches the number of
                  concurrent sessions and the number of sessions within a given amount
                  of time and then blacklists/blackholes the IP until midnight. I am
                  then emailed a list of the offending IPs and then the IPs are flushed
                  out of the table.

                  At least this way, if it is a legit IP, it will have a chance again.
                  If not, it will be blacklisted again as well.

                  I do have overrides within pf for certain sites that we receive a
                  large quantity of email from in a short time.

                  -JD
                • Leonardo Rodrigues Magalhães
                  Message 8 of 20 , Jan 2, 2008
                    Kevin Stevens wrote:
                    >
                    > On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:
                    >
                    >> Matthias Schmidt wrote:
                    >>> Am/On Tue, 1 Jan 2008 20:45:37 -0500 schrieb/wrote Terry Carmen:
                    >>>
                    >>> with these rules you might also reject legal eMails from servers
                    >>> running
                    >>> via dyndns, or?
                    >>>
                    >>
                    >> Surely that would depend entirely on the recipient's interpretation of
                    >> "legal eMails", eg: my server, my rules.
                    >>
                    >> I am of the opinion that people on dynamic connections should either
                    >> be relaying emails via their ISP's SmartHost, or connecting to the
                    >> submission port and authenticating (method not discussed here). It's
                    >> one or the other.
                    >>
                    >
                    > Well - no.
                    >
                    > You can certainly decide to accept or reject whatever mail you want by
                    > whatever rules you define, but legality, in this context, means RFC
                    > compliant. As someone who runs a compliant mailserver, on a business
                    > DSL IP (static), I get a lot of blocks from over-enthusiastic blacklists.
                    >

                    I think this discussion on mail servers running on DSL/cable static
                    IP connections is far beyond the scope of the RFC discussion.

                    Those people who choose to run their mail server on DSL/cable
                    connections and NOT relay through their ISPs are already having a bad
                    time when sending mail to big ISPs and big companies.

                    Even if it's 'OK' in RFC terms, this is not OK in the real world
                    anymore. The real world seems to be completely happy with some
                    false-positive rejections when these dynamic-IP rules block MILLIONS
                    of bad messages.

                    I had some mail servers running on static IP DSL lines here in Brazil
                    and tried, for some time, to avoid upstreaming the messages to the ISPs.
                    But .... for more than a year now, I have realized that that was a lost
                    war, and I started upstreaming messages to the ISPs. Received messages
                    come directly to my static IP DSL lines, but outgoing messages go to the
                    ISP mail servers.


                    --


                    Sincerely,
                    Leonardo Rodrigues
                    Solutti Tecnologia
                    http://www.solutti.com.br

                    My SPAM trap, do NOT send email to it:
                    gertrudes@...
                  • mouss
                    Message 9 of 20 , Jan 2, 2008
                      Terry Carmen wrote:
                      >
                      > Bots are pretty easy to kill. You can refuse to talk to them by matching
                      > their reverse DNS against a regular expression.
                      >

                      Unfortunately, it's not that easy. Rejecting them still consumes
                      resources: when your smtpd is rejecting zombies, it's busy doing that.
                      And if there are too many zombies sending you traffic, that will
                      kill your connectivity, even if you firewall traffic at the IP level.

                      All you can do is reduce their effects.

                      > This has also been a huge help.
                      >
                      > There's just no reason to accept mail from a Dynamic IP

                      The problem is how to detect that it is a dynamic IP. Regular
                      expressions have both false negatives (there is no registry of every
                      possible format) and false positives, like this:

                      ... connect from DD.CC-AA-BB.ripe.coltfrance.com[AA.BB.CC.DD]

                      This is from a colo host, which is not dynamic at all.

                      An alternative is to reject mail from clients with generic rDNS (because
                      "they did not make the effort to have a meaningful rDNS"). This reduces the
                      false positives (by changing the goal, not by blocking different people!).


                      > or an IP with no reverse DNS,

                      Be warned that in the case of DNS failures (which may be on your side),
                      you'll delay legitimate mail.


                      > [snip]
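The spam_ip_regex map from Terry Carmen's message, run offline against the kind of reverse-DNS names mouss describes: an added Python simulation (not Postfix code, and not from anyone in the thread) of how Postfix matches a regexp: access table against a client hostname, first match wins. It models only the hostname query, not the address and parent-domain queries Postfix also makes, and every client name below is constructed (the colo-style one follows the DD.CC-AA-BB.ripe.coltfrance.com shape mouss quoted).

```python
import re

# Constructed for this example: the spam_ip_regex rules posted in the thread,
# reassembled one rule per line, the way a Postfix regexp: table expects them.
SPAM_IP_REGEX = r"""
# consumer / dynamic-looking reverse DNS names, first match wins
/^dsl.*\..*\..*/i 553 AUTO_DSL Email Rejected.
/[ax]dsl.*\..*\..*/i 553 AUTO_XDSL Email Rejected.
/client.*\..*\..*/i 553 AUTO_CLIENT Email Rejected.
/cable.*\..*\..*/i 553 AUTO_CABLE Email Rejected.
/dial.*\..*\..*/i 553 AUTO_DIAL Email Rejected.
/.*dial[\-]*in.*/i 553 AUTO_DIAL2 Email Rejected.
/ppp.*\..*\..*/i 553 AUTO_PPP Email Rejected.
/dslam.*\..*\..*/i 553 AUTO_DSLAM Email Rejected.
/node.*\..*\..*/i 553 AUTO_NODE Email Rejected.
/.*dial-up.*/i 553 AUTO_DIAL_UP_ID_PATTERN Email Rejected.
/.*\.dhcp.*/i 553 AUTO_DHCP_ID_PATTERN Email Rejected.
/.*[0-9]+[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH Email Rejected.
/.*[0-9]+[\.-]net[\.-][0-9]+[\.-][0-9]+[\.-][0-9]+[\.-]+.*/i 553 AUTO_DYNAMIC_ID_PATTERN_DOT_DASH_NET Email Rejected.
/.*[0-9]+-[0-9]+-[0-9]+-[0-9]+\..*/i 553 AUTO_DYNAMIC_ID_PATTERN_DASHES Email Rejected.
/.*internetdsl.tpnet.pl/i 553 AUTO_PL_DSL_PATTERN Email Rejected.
/.*\.cable.net.co\..*/i 553 AUTO_CABLE_DOT_NET Email Rejected.
/.*dynamic.*/i 553 AUTO_DYNAMIC_PATTERN Email Rejected.
/.*ppp.*/i 553 AUTO_PPP_PATTERN Email Rejected.
/.*user.*/i 553 AUTO_USER_PATTERN Email Rejected.
"""

# One table entry: /pattern/flags, whitespace, then the action text.
RULE_LINE = re.compile(r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.+)$")


def parse_regexp_table(text):
    """Parse regexp_table(5)-style lines into (compiled pattern, action) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f"not a regexp table entry: {line!r}")
        # regexp_table(5): matching is case-insensitive by default and the 'i'
        # flag *toggles* it, so '/.../i' actually makes the rule case-sensitive.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pat"], flags), m["action"]))
    return rules


def lookup(rules, client_hostname):
    """Action of the first rule found anywhere in the name (unanchored search), else None."""
    for rx, action in rules:
        if rx.search(client_hostname):
            return action
    return None


RULES = parse_regexp_table(SPAM_IP_REGEX)

# Constructed client names. Postfix presents a client without reverse DNS as the
# literal name "unknown"; none of these rules match it, which is why the thread
# adds reject_unknown_reverse_client_hostname as a separate restriction.
SAMPLE_CLIENTS = [
    "dsl-1-2-3-4.example-isp.net",     # consumer DSL line: the intended hit
    "4.3-2-1.ripe.coltfrance.com",     # colo host shaped like mouss's log line: false positive
    "mail.focused-users.example.net",  # ordinary MX caught by the bare /.*user.*/ rule
    "mail.example.com",                # ordinary MX: falls through
    "unknown",                         # no reverse DNS: falls through this map
]


def evaluate(clients=SAMPLE_CLIENTS):
    """Map each client name to the action it would receive (None = not rejected here)."""
    return {name: lookup(RULES, name) for name in clients}


if __name__ == "__main__":
    for name, action in evaluate().items():
        print(f"{name:34} -> {action or 'no match, falls through'}")
```

Running it shows which rules fire on each name; the two false positives come from the digit-separator rule and from the unanchored /.*user.*/ entry, the kind of result to review before deploying a list like this.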
                    • Robert Schetterer
                      Message 10 of 20 , Jan 2, 2008
                        mouss wrote:
                        > Terry Carmen wrote:
                        >>
                        >> Bots are pretty easy to kill. You can refuse to talk to them by
                        >> matching their reverse DNS against a regular expression.
                        >>
                        >
                        > Unfortunately, it's not that easy. Rejecting them still consumes
                        > resources: when your smtpd is rejecting zombies, it's busy doing that.
                        > And if there are too many zombies sending you traffic, that will
                        > kill your connectivity, even if you firewall traffic at the IP level.
                        >
                        > All you can do is reduce their effects.
                        >
                        >> This has also been a huge help.
                        >>
                        >> There's just no reason to accept mail from a Dynamic IP
                        >
                        > The problem is how to detect that it is a dynamic IP. Regular
                        > expressions have both false negatives (there is no registry of every
                        > possible format) and false positives, like this:
                        >
                        > ... connect from DD.CC-AA-BB.ripe.coltfrance.com[AA.BB.CC.DD]
                        >
                        > This is from a colo host, which is not dynamic at all.
                        >
                        > An alternative is to reject mail from clients with generic rDNS (because
                        > "they did not make the effort to have a meaningful rDNS"). This reduces the
                        > false positives (by changing the goal, not by blocking different people!).
                        >
                        >
                        >> or an IP with no reverse DNS,
                        >
                        > Be warned that in the case of DNS failures (which may be on your side),
                        > you'll delay legitimate mail.
                        >
                        >
                        >> [snip]

                        Why not use fail2ban? It works like a charm here.

                        --
                        Best Regards

                        MfG Robert Schetterer

                        Germany/Munich/Bavaria
                      • Terry Carmen
                        Message 11 of 20 , Jan 2, 2008
                          mouss wrote:
                          >> or an IP with no reverse DNS,
                          >
                          > Be warned that in the case of DNS failures (which may be on your
                          > side), you'll delay legitimate mail.
                          I can live with that. As long as the protocol remains RFC compliant and
                          the sender gets a meaningful reject or delay message, it's a manageable
                          (and not very significant) problem.

                          Terry