
Re: being mailbombed..or something

  • Terry Carmen
    Message 1 of 20 , Jan 1, 2008
      Matthias Schmidt wrote:
      >> Bots are pretty easy to kill. You can refuse to talk to them by matching
      >> their reverse DNS against a regular expression.
      >>
      >> This has also been a huge help.
      >>
      > with these rules you might also reject legal eMails from servers running
      > via dyndns, or?
      >
      Dyndns never enters into it. It's looking up the *reverse* DNS, which
      would return the ISP's DN, not the home user.

      In any case, I'm more than willing to take a chance on temporarily
      rejecting a few legitimate emails from dynamic IPs in exchange for
      eliminating millions of zombie spams.

      If you look at the regexp, you'll note that it contains a reject
      message, which in the case of the companies I manage mail servers for,
      includes a contact phone number for the IT department, so they can be
      white-listed. They generally average maybe a couple of calls a week for
      whitelisting, in contrast to millions of rejects.

      Businesses are more than happy to make that trade-off, especially since
      it lowers their risk of infection, spam and scams.

      Dynamic users should be routing their mail through their ISP's mail
      servers. If they don't want to, that's fine, but I don't have to talk to
      them.

      Terry
    • Kevin Stevens
      Message 2 of 20 , Jan 1, 2008
        On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:

        > Matthias Schmidt wrote:
        >> On Tue, 1 Jan 2008 20:45:37 -0500, Terry Carmen wrote:
        >>
        >> with these rules you might also reject legal eMails from servers
        >> running
        >> via dyndns, or?
        >>
        > <snip>
        >
        > Surely that would depend entirely on the recipients interpretation
        > of "legal eMails", eg: my server, my rules.
        >
        > I am of the opinion that people on dynamic connections should either
        > be relaying emails via their ISP's SmartHost, or connecting to the
        > submission port and authenticating (method not discussed here). It's
        > one or the other.
        >
        > Regards,
        > T

        Well - no.

        You can certainly decide to accept or reject whatever mail you want by
        whatever rules you define, but legality, in this context, means RFC
        compliant. As someone who runs a compliant mailserver, on a business
        DSL IP (static), I get a lot of blocks from over-enthusiastic
        blacklists.

        KeS
      • terry.gilsenan@interoil.com
        Message 3 of 20 , Jan 1, 2008
          Kevin Stevens wrote:
          >
          > On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:
          >
          >> Matthias Schmidt wrote:
          >>> On Tue, 1 Jan 2008 20:45:37 -0500, Terry Carmen wrote:
          >>>
          >>> with these rules you might also reject legal eMails from servers
          >>> running
          >>> via dyndns, or?
          >>>
          >> <snip>
          >>
          >> Surely that would depend entirely on the recipients interpretation of
          >> "legal eMails", eg: my server, my rules.
          >>
          >> I am of the opinion that people on dynamic connections should either
          >> be relaying emails via their ISP's SmartHost, or connecting to the
          >> submission port and authenticating (method not discussed here). It's
          >> one or the other.
          >>
          >> Regards,
          >> T
          >
          > Well - no.
          >
          > You can certainly decide to accept or reject whatever mail you want by
          > whatever rules you define, but legality, in this context, means RFC
          > compliant. As someone who runs a compliant mailserver, on a business
          > DSL IP (static), I get a lot of blocks from over-enthusiastic blacklists.
          >
          > KeS
          >
          It is "Legal" according to the RFCs for an MX server to reject any
          email for any reason at all, so long as the appropriate reply is made by
          the server to the client. For example the Server could be configured to
          reject all email from IP addresses that have an odd number in it, or
          reject on all email addresses from a .com domain, or even all emails
          that have any X- headers inserted, or perhaps all email from email
          addresses with female gender inflected names in either domain or email
          address. It is legal so long as the server replies to the attempted
          transmission from the client with an appropriate response.

          Using a blacklist is entirely legal as per RFC's, so long as the email
          is rejected _DURING_ the SMTP transaction, any time before issuing a 200
          OK for the email data.

          Even rejecting entire netblocks based on Country is legal according to
          RFC's provided the appropriate response is given to the client by the
          server _during_ the SMTP transaction.

          The only overarching requirement is that abuse@ and postmaster@ are able
          to rec'v email from everywhere.

          Your server on the other hand, may be RFC compliant, however that is
          irrelevant if the MTA to which you are trying to deliver email is
          rejecting dynamic IPs. People can be as enthusiastic as they wish with
          their blocklist usage, after all, it is their bandwidth that they are
          saving. Many people in this world have to pay for each and every
          megabyte that they use, and if they want to restrict emails to a 0/8
          blocklist and a small whitelist, with a 50kb message size limit, then
          that is entirely their call.

          If you get your email blocked by servers configured to block email from
          DSL links, then that is the recipients choice, you can ask them to
          whitelist, or you can contact your ISP and use their SmartHost perhaps
          (if they have one for their clients use that is).

          Regards,
          T
        • terry.gilsenan@interoil.com
          Message 4 of 20 , Jan 1, 2008
            Terry Carmen wrote:
            > Matthias Schmidt wrote:
            >>> Bots are pretty easy to kill. You can refuse to talk to them by
            >>> matching their reverse DNS against a regular expression.
            >>>
            >>> This has also been a huge help.
            >>>
            >> with these rules you might also reject legal eMails from servers running
            >> via dyndns, or?
            >>
            > Dyndns never enters into it. It's looking up the *reverse* DNS, which
            > would return the ISP's DN, not the home user.
            >
            > In any case, I'm more than willing to take a chance on temporarily
            > rejecting a few legitimate emails from dynamic IPs in exchange for
            > eliminating millions of zombie spams.
            >
            > If you look at the regexp, you'll note that it contains a reject
            > message, which in the case of the companies I manage mail servers for,
            > includes a contact phone number for the IT department, so they can be
            > white-listed. They generally average maybe a couple of calls a week
            > for whitelisting, in contrast to millions of rejects.
            >
            > Businesses are more than happy to make that trade-off, especially
            > since it lowers their risk of infection, spam and scams.
            >
            > Dynamic users should be routing their mail through their ISP's mail
            > servers. If they don't want to, that's fine, but I don't have to talk
            > to them.
            >
            > Terry
            >
            Bingo!
          • JD Bronson
            Message 5 of 20 , Jan 2, 2008
              At 02:44 PM 01/02/2008 +1000, terry.gilsenan@... wrote:
              >>Dynamic users should be routing their mail through their ISP's mail
              >>servers. If they don't want to, that's fine, but I don't have to talk to them.

              Thanks for all of the discussion guys.

              I already block dynamic IPs with pcre but have a client_checks just
              before that for whitelisting.

              I do get a false positive from time to time, but my error message
              states to use your ISP:

              "550 Connecting IP appears dynamic - Use ISP to relay email"

              Smart people should figure that out. If not, oh well :-)

              So far, using pf has helped me the most. It watches the number of
              concurrent sessions and the number of sessions within a given amount
              of time and then blacklists/blackholes the IP until midnight. I am
              then emailed a list of the offending IPs and then the IPs are flushed
              out of the table.

              At least this way, if it is a legit IP, it will have a chance again.
              If not, it will be blacklisted again as well.

              I do have overrides within pf for certain sites that we receive a
              large quantity of email from in a short time.

              -JD
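The pf behaviour JD describes (cap concurrent SMTP sessions and the session rate per source, blackhole offenders, mail the list and flush at midnight, with overrides for trusted high-volume senders), written out as an added example. This is not JD's own ruleset; the interface name, table names, limits and partner addresses are assumptions for illustration.

```pf
# Added example, not JD's own ruleset: a pf.conf fragment doing what the post
# describes.  Interface, table names, limits and the partner addresses are
# assumptions for illustration.
ext_if = "em0"

# Sources that trip the limits below land here; "persist" keeps the table
# even while no rule references it.
table <smtp_abusers> persist

# High-volume legitimate senders that must never hit the limits.
table <smtp_bulk_senders> { 203.0.113.10, 203.0.113.11 }

# Blackhole listed offenders before anything else is evaluated.
block in quick on $ext_if from <smtp_abusers>

# Override: trusted bulk senders bypass the rate-limited rule ("quick" stops
# evaluation here, so the limits never apply to them).
pass in quick on $ext_if proto tcp from <smtp_bulk_senders> to ($ext_if) port smtp \
    flags S/SA keep state

# Everyone else: more than 10 concurrent SMTP sessions, or more than 30 new
# sessions within 60 seconds, adds the source to <smtp_abusers> and kills its
# existing states ("flush global"), so the host is blackholed immediately.
pass in on $ext_if proto tcp to ($ext_if) port smtp flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 30/60, overload <smtp_abusers> flush global)

# Midnight cron entry (root crontab, not part of pf.conf): mail today's list,
# then empty the table so a legitimate host gets another chance tomorrow.
# 0 0 * * * /sbin/pfctl -t smtp_abusers -T show | mail -s "SMTP abusers blocked today" postmaster; /sbin/pfctl -t smtp_abusers -T flush
```

The limits are the knobs to tune against your own logs: a legitimate MTA retrying a queue can open several sessions in a minute, so start generous and lower them once you know what your real correspondents look like.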
            • Leonardo Rodrigues Magalhães
              Message 6 of 20 , Jan 2, 2008
                Kevin Stevens wrote:
                >
                > On Jan 1, 2008, at 18:08, terry.gilsenan@... wrote:
                >
                >> Matthias Schmidt wrote:
                >>> On Tue, 1 Jan 2008 20:45:37 -0500, Terry Carmen wrote:
                >>>
                >>> with these rules you might also reject legal eMails from servers
                >>> running
                >>> via dyndns, or?
                >>>
                >>
                >> Surely that would depend entirely on the recipients interpretation of
                >> "legal eMails", eg: my server, my rules.
                >>
                >> I am of the opinion that people on dynamic connections should either
                >> be relaying emails via their ISP's SmartHost, or connecting to the
                >> submission port and authenticating (method not discussed here). It's
                >> one or the other.
                >>
                >
                > Well - no.
                >
                > You can certainly decide to accept or reject whatever mail you want by
                > whatever rules you define, but legality, in this context, means RFC
                > compliant. As someone who runs a compliant mailserver, on a business
                > DSL IP (static), I get a lot of blocks from over-enthusiastic blacklists.
                >

                I think this discussion on mail servers running on DSL/Cable static
                IP connections is far beyond RFC scope discussions.

                Those people who choose to run their mail server on DSL/cable
                connections and NOT relay through their ISPs are already having a bad time
                when sending mail to big ISPs and big companies.

                Even if it's 'OK' in RFC scope, this is not OK in the real world
                anymore. The real world seems to be completely happy with some
                false-positive rejections when these dynamic-IP rules block MILLIONS
                of bad messages.

                I had some mail servers running on static IP DSL lines here in Brazil
                and tried, for some time, to avoid upstreaming the messages to the ISPs.
                But .... for more than a year now, I have realized that was a lost war,
                and I started upstreaming messages to ISPs. Received messages come
                directly to my static IP DSL lines, but outgoing messages go to the
                ISP mail servers.


                --


                Sincerely,
                Leonardo Rodrigues
                Solutti Tecnologia
                http://www.solutti.com.br

                My SPAM trap, do NOT send email to it:
                gertrudes@...
              • mouss
                Message 7 of 20 , Jan 2, 2008
                  Terry Carmen wrote:
                  >
                  > Bots are pretty easy to kill. You can refuse to talk to them by matching
                  > their reverse DNS against a regular expression.
                  >

                  unfortunately, it's not that easy. rejecting them still consumes
                  resources. when your smtpd is rejecting zombies, it's busy doing that.
                  And if there are too many zombies sending you traffic, then that will
                  kill your connectivity, even if you firewall traffic at the IP level.

                  all you can do is reduce their effects.

                  > This has also been a huge help.
                  >
                  > There's just no reason to accept mail from a Dynamic IP

                  The problem is how to detect that it is a dynamic IP. regular
                  expressions have both False Negatives (there is no registry of every
                  possible format) and False Positives, like this:

                  ... connect from DD.CC-AA-BB.ripe.coltfrance.com[AA.BB.CC.DD]

                  This is from a colo host, which is not dynamic at all.

                  an alternative is to reject mail from clients with generic rDNS (because
                  "they did not do efforts to have a meaningful rDNS"). This reduces the
                  false positives (by changing the goal, not by blocking different people!).


                  > or an IP with no reverse DNS,

                  Be warned that in the case of DNS failures (which may be on your side),
                  you'll delay legitimate mail.


                  > [snip]
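The checks discussed in this thread, combined into one decision routine as an added example. This is not code posted by Terry, T, JD or mouss, and it is written Postfix-policy-style in Python rather than as a pcre map, so it can be run and tested offline. It puts together the points from several posts: the whitelist is consulted before the regex (JD's client_checks), postmaster@ and abuse@ are never rejected (T), every decision is made at RCPT TO, before any DATA is accepted (T), the reject text tells a legitimate sender how to get whitelisted (Terry), a failed PTR lookup gets a 4xx so mail is delayed rather than bounced (mouss), and a constructed name in the DD.CC-AA-BB.ripe.coltfrance.com shape shows the colo false positive mouss describes. All IPs, hostnames, the phone number and the pattern list are constructed for illustration and are not anyone's production rules.

```python
"""Added example, not code posted in this thread: a Postfix-style access
policy that applies the checks the posters describe in the order they use
them, answering every RCPT TO before any DATA is accepted: whitelist first,
then the postmaster/abuse exemption, then a temporary 4xx when the PTR lookup
itself failed, then the no-rDNS and dynamic/generic-rDNS rejects with a reject
text telling the sender what to do.  All addresses, hostnames, patterns and
the phone number are constructed."""
import ipaddress
import re

# Consulted before any reject rule, like a check_client_access table placed
# ahead of the regex map ("client_checks just before that for whitelisting").
CLIENT_WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]   # constructed

# Role addresses that must be reachable from everywhere.
EXEMPT_RECIPIENTS = {"postmaster", "abuse"}

# Heuristics, not a registry: GENERIC catches names that merely spell out the
# address, DYNAMIC catches common ISP naming conventions.  Both have false
# positives (a colo host named DD.CC-AA-BB.<provider> matches GENERIC) and
# false negatives (every ISP invents its own format).  Constructed lists.
GENERIC_RDNS = re.compile(
    r"(?:^|[.-])\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}(?:[.-]|$)")
DYNAMIC_RDNS = re.compile(
    r"(?i)(?:^|[.-])(?:dyn(?:amic)?|dhcp|pool|ppp|a?dsl|cable|dialup)(?:[.-]|\d)")

# The reject text is the only thing a legitimate sender will ever see, so it
# says how to get out.  The phone number is constructed.
REJECT_DYNAMIC = ("REJECT 550 5.7.1 Connecting IP appears dynamic or has generic "
                  "reverse DNS - relay through your ISP's mail server, or call "
                  "IT at +1-555-0100 to be whitelisted")
REJECT_NO_RDNS = "REJECT 550 5.7.1 Client host has no reverse DNS"
DEFER_DNS_FAIL = ("DEFER_IF_PERMIT 450 4.7.1 Reverse DNS lookup failed, try "
                  "again later")


def smtp_access_policy(client_address, client_name, recipient,
                       rdns_lookup_failed=False):
    """Decide one RCPT TO.  client_name is the PTR name, or "unknown" when
    there is none (Postfix's convention).  Returns a Postfix policy action:
    OK / DUNNO / REJECT ... / DEFER_IF_PERMIT ..."""
    ip = ipaddress.ip_address(client_address)
    if any(ip in net for net in CLIENT_WHITELIST):
        return "OK"                       # whitelisted: skip every later check

    local_part = recipient.split("@", 1)[0].lower()
    if local_part in EXEMPT_RECIPIENTS:
        return "DUNNO"                    # never block postmaster@ / abuse@

    if rdns_lookup_failed:
        # The failure may be on our side; a 4xx makes the sender queue and
        # retry instead of bouncing legitimate mail.
        return DEFER_DNS_FAIL

    if not client_name or client_name == "unknown":
        return REJECT_NO_RDNS

    if GENERIC_RDNS.search(client_name) or DYNAMIC_RDNS.search(client_name):
        return REJECT_DYNAMIC

    return "DUNNO"                        # hand over to the next restriction


# Constructed sample connections: (client IP, PTR name, recipient, DNS failed?)
SAMPLE_CONNECTIONS = [
    ("198.51.100.77", "cpe-198-51-100-77.example-cable.net", "sales@example.com", False),
    ("198.51.100.78", "dyn78.pool.example-dsl.net", "sales@example.com", False),
    ("198.51.100.78", "dyn78.pool.example-dsl.net", "abuse@example.com", False),
    ("192.0.2.77", "77.2-192-0.ripe.coltfrance.com", "sales@example.com", False),  # colo: false positive
    ("203.0.113.25", "25.113-203-0.ripe.coltfrance.com", "sales@example.com", False),  # whitelisted
    ("198.51.100.80", "unknown", "sales@example.com", False),
    ("198.51.100.81", "unknown", "sales@example.com", True),
    ("192.0.2.10", "mx1.partner.example.org", "sales@example.com", False),
]


def run_samples():
    """Apply the policy to every constructed connection."""
    return [(ip, name, smtp_access_policy(ip, name, rcpt, failed))
            for ip, name, rcpt, failed in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for ip, name, action in run_samples():
        print(f"{ip:15} {name:40} {action}")
```

Run it directly to see the decision for each constructed connection; the coltfrance-style line is rejected even though it is a static colo host, which is exactly the false positive mouss warns about. In a real deployment the patterns live in a pcre table and each new entry should be checked against the server's own connection logs before it goes live.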
                • Robert Schetterer
                  Message 8 of 20 , Jan 2, 2008
                    mouss schrieb:
                    > Terry Carmen wrote:
                    >>
                    >> Bots are pretty easy to kill. You can refuse to talk to them by
                    >> matching their reverse DNS against a regular expression.
                    >>
                    >
                    > unfortunately, it's not that easy. rejecting them still consumes
                    > resources. when your smtpd is rejecting zombies, it's busy doing that.
                    > And if there are too many zombies sending you traffic, then that will
                    > kill your connectivity, even if you firewall traffic at the IP level.
                    >
                    > all you can do is reduce their effects.
                    >
                    >> This has also been a huge help.
                    >>
                    >> There's just no reason to accept mail from a Dynamic IP
                    >
                    > The problem is how to detect that it is a dynamic IP. regular
                    > expressions have both False Negatives (there is no registery of every
                    > possible format) and False Positives, like this:
                    >
                    > ... connect from DD.CC-AA-BB.ripe.coltfrance.com[AA.BB.CC.DD]
                    >
                    > This is from a colo host, which is not dynamic at all.
                    >
                    > an alternative is to reject mail from clients with generic rDNS (because
                    > "they did not do efforts to have a meaningful rDNS"). This reduces the
                    > false positives (by changing the goal, not by blocking different people!).
                    >
                    >
                    >> or an IP with no reverse DNS,
                    >
                    > Be warned that in the case of DNS failures (which may be on your side),
                    > you'll delay legitimate mail.
                    >
                    >
                    >> [snip]

                    why not use fail2ban, works like a charm here

                    --
                    Best Regards

                    Robert Schetterer

                    Germany/Munich/Bavaria
                  • Terry Carmen
                    Message 9 of 20 , Jan 2, 2008
                      mouss wrote:
                      >> or an IP with no reverse DNS,
                      >
                      > Be warned that in the case of DNS failures (which may be on your
                      > side), you'll delay legitimate mail.
                      I can live with that. As long as the protocol remains RFC compliant and
                      the sender gets a meaningful reject or delay message, it's a manageable
                      (and not very significant) problem.

                      Terry