From: Bo Kleve (BoK@UNIT.LiU.SE)
Date: Fri Jan 19 2001 - 04:59:07 CST

    Jozsef,

    I know what you are going through since this has happened a number of times
    to us. Last time was about a week ago with about 50000 bounced mails
    returned to us as the sender was faking liu.se addresses. Before the regexp
    versions I had to put in blockings manually. But when we had the
    possibility to add regexps I only had to put in a good filter to say no
    thank you. And the good thing was that I could also send back a message so
    that people who didn't know how to read a spam mail would get a hint that
    we were not responsible.

    I have made myself a "bad_recipients" file with contents like

    # regexp table: /pattern/ action; a literal dot must be escaped, matching is case-insensitive
    /Paula[0-9]*@mailgw\.liu\.se/ 550 Address faked by spam sender outside Linkoping university
    /Kenu[0-9]*@liu\.se/ 550 Address faked by spam sender outside Linkoping university

    and in main.cf I have:

    smtpd_recipient_restrictions =
     check_recipient_access dbm:/service/postfix-mail/etc/special_recipients
     check_recipient_access regexp:/service/postfix-mail/etc/bad_recipients
     check_recipient_access dbm:/service/postfix-mail/etc/faked
     check_sender_access dbm:/service/postfix-mail/etc/access
    ....

    The special_recipients file has the few addresses that would match the
    regexp. They won't be protected against spam but at least they will get
    their mail. The faked file is from the first filters we had. And the rest
    is what you already have as a restriction.

    In notify_classes I don't have bounce. I don't want all those mails coming
    in and bouncing to postmaster.

    I praise the time we installed the version that had regexp capability and
    only shortly after that we had a surge of bounces coming in. Just a new
    rule, a reload, and we were saved and I could relax and just look at the
    maillog as the filters refused the mails. That filter has since saved us a
    number of times and the complaints to abuse@liu.se have gone from hundreds
    to just a handful at worst.

    /BoK

    At 09.38 +0100 2001-01-18, Jozsef Kadlecsik wrote:
    >Hello,
    >
    >I think we are really in big trouble, and I have no idea at all how to
    >solve it ASAP.
    >
    >Somewhere on the planet somebody created a spammer software, which sends
    >the messages with forged From header. The From header looks like:
    >
    >From: <random string>@kfki.hu
    >
    >Now, this simple trick kills us. On our mail gateways only two hours mail
    >log amounts 18MB. Fortunately the only valid kfki.hu addresses are
    >abuse@kfki.hu and postmaster@kfki.hu, but it does not really help.
    >
    >Any tiny idea how to lessen at least the generated log?
    >And how to stop the forgery? I have no idea at all :-(((
    >
    >Regards,
    >Jozsef
    >-
    >E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
    >WWW-Home: http://www.kfki.hu/~kadlec
    >Address : KFKI Research Institute for Particle and Nuclear Physics
    > H-1525 Budapest 114, POB. 49, Hungary

     --------------------------------------------------
     Bo Kleve Mail: BoK@UNIT.LiU.SE
     Linkoping University Phone: +46 13 281761
     Sweden Fax: +46 13 284400
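To show how the access tables in the poster's smtpd_recipient_restrictions interact, here is an added example in Python; it is not the poster's code and not Postfix's own lookup engine. It emulates the lookup order of the reply above: the exact-match special_recipients table first, then the regexp bad_recipients table, with DUNNO falling through to whatever restrictions follow. An OK from the first table permits the recipient and ends the restriction list, which is exactly why the poster says those few addresses lose their spam protection. The table contents, sample addresses and function names are constructed for illustration, and the dbm lookup is simplified to a whole-address match (Postfix also tries domain and localpart keys).

```python
import re

# Constructed stand-in for the poster's dbm:special_recipients table: the few
# real mailboxes whose names happen to match a bad_recipients pattern.
SPECIAL_RECIPIENTS = {
    "paula@mailgw.liu.se": "OK",
}

# Constructed stand-in for the regexp:bad_recipients table.  The patterns
# follow the poster's but escape the dots (an unescaped "." matches any
# character) and anchor both ends so only the whole address matches.
REJECT_TEXT = "550 Address faked by spam sender outside Linkoping university"
BAD_RECIPIENTS = [
    (r"^paula[0-9]*@mailgw\.liu\.se$", REJECT_TEXT),
    (r"^kenu[0-9]*@liu\.se$", REJECT_TEXT),
]

# The same rules with unescaped dots, kept only to show what that costs.
BAD_RECIPIENTS_UNESCAPED = [
    (r"Paula[0-9]*@mailgw.liu.se", REJECT_TEXT),
    (r"Kenu[0-9]*@liu.se", REJECT_TEXT),
]


def lookup_exact(table, address):
    """Emulate a dbm: access table on the full address only (assumption:
    the domain and localpart lookups Postfix also performs are omitted)."""
    return table.get(address.lower())


def lookup_regexp(rules, address):
    """Emulate a regexp: access table: first matching rule wins, and the
    match is case-insensitive, which is the Postfix default."""
    for pattern, action in rules:
        if re.search(pattern, address, re.IGNORECASE):
            return action
    return None


def check_recipient(address, bad_rules=BAD_RECIPIENTS):
    """Walk the tables in the order of the poster's smtpd_recipient_restrictions.

    Returns "OK" (permit; Postfix then skips the remaining restrictions, so
    special_recipients get their mail but no spam checks), a "550 ..." reject,
    or "DUNNO" meaning the later restrictions decide.
    """
    lookups = (
        lambda a: lookup_exact(SPECIAL_RECIPIENTS, a),
        lambda a: lookup_regexp(bad_rules, a),
    )
    for lookup in lookups:
        action = lookup(address)
        if action is not None:
            return action
    return "DUNNO"


def triage_bounces(recipients, bad_rules=BAD_RECIPIENTS):
    """Count what a batch of bounce recipients would get: a way to dry-run a
    new rule against addresses pulled from the maillog before reloading."""
    counts = {"OK": 0, "550": 0, "DUNNO": 0}
    for rcpt in recipients:
        action = check_recipient(rcpt, bad_rules)
        counts[action.split()[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample of recipients seen during a bounce surge.
    sample = [
        "Paula4711@mailgw.liu.se",   # forged, rejected
        "KENU23@LIU.SE",             # forged, case does not matter
        "paula@mailgw.liu.se",       # real mailbox, exempted first
        "abuse@liu.se",              # not covered, later restrictions decide
    ]
    for rcpt in sample:
        print(f"{rcpt:28} -> {check_recipient(rcpt)}")
    print(triage_bounces(sample))
```

Running the module prints the decision for each sample address and a summary count; passing BAD_RECIPIENTS_UNESCAPED to check_recipient shows that an address like paula9@mailgwXliuYse is rejected by the unescaped pattern but falls through with the escaped one.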