4.40.5: IPBlock 451 versus 550

Stephen Swaney steve.swaney at FSL.COM
Sat Mar 19 13:48:46 GMT 2005


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Jeff A. Earickson
> Sent: Saturday, March 19, 2005 7:56 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: 4.40.5: IPBlock 451 versus 550
>
> Y'all,
>
> My IPBlock ruleset for the outside world is almost identical to what is
> posted on the FAQ:
> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html
>
> The numbers there are tuned to my site, YMMV.  My internal rules vary
> from subnet to subnet (dorms vs offices).  IPBlock has always been more
> useful for blocking foreign spam sites, eg Asia/Pacific spammers, than
> it has been in throttling runaway machines on-campus.
>
> I get a daily report (small) of numbers that got IPBlocked.  I investigate.
> Nearly always spammers.
>
> Yesterday I implemented the conncontrol and ratecontrol FEATURES of
> sendmail, so this issue should be more handled upstream by the MTA.
>
> Jeff Earickson
> Colby College
>

Jeff makes a very interesting point. A nice explanation of how sendmail 8.13
can be configured to help stop attacks on e-mail servers, including (but not
limited to) denial-of-service (DoS) attacks, distributed denial-of-service
(DDoS) attacks, Joe Jobs, dictionary attacks, slamming, and other assorted
nuisances can be found at:

        http://www.technoids.org/dossed.html

It would be interesting to hear what settings people are using in these new
connection control and rate control features of sendmail 8.13.

Steve

Steve Swaney
President
Fortress Systems Ltd.
www.fsl.com
steve.swaney at fsl.com

> On Sat, 19 Mar 2005, Julian Field wrote:
>
> > Date: Sat, 19 Mar 2005 11:47:28 +0000
> > From: Julian Field <MailScanner at ECS.SOTON.AC.UK>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: 4.40.5: IPBlock 451 versus 550
> >
> > I think you've got it exactly right. I primarily intended it to throttle
> > flooding from your own users/customers' boxes. So I would specify a low
> > limit for your customers IP netblocks, and have a fairly high default
> > for the rest of the world.
> >
> > Rakesh wrote:
> >
> >> thanks Jeff,
> >>
> >> test it on real time scenarios and suggest what would help to make
> >> things better and easier. Even I have implemented it on my live servers.
> >> Probably one thing down the line we have to do is by default maintain a
> >> list of some well known outgoing servers of yahoo or other heavy traffic
> >> outgoing servers and set them to have a greater connection limit
> >> (specify greater limits for them in IPBlock.conf). That we have to see
> >> if it would really help others.  What do you think on this? Julian
> >> please let us know your views as well.
> >>
> >> Rakesh
> >>
> >> Jeff A. Earickson wrote:
> >>
> >>> Rakesh,
> >>>    Point taken.  I have changed my CustomConfig.pm back to using 451
> >>> instead of 550.  I'll see if the problem returns.  Hey, this is
> >>> a beta version of MailScanner and those of us who run it should
> >>> be willing to test the new features.
> >>>
> >>> Jeff Earickson
> >>> Colby College
> >>>
> >>> On Thu, 17 Mar 2005, Rakesh wrote:
> >>>
> >>>> Date: Thu, 17 Mar 2005 18:30:35 +0530
> >>>> From: Rakesh <rakesh at NETCORE.CO.IN>
> >>>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> >>>> To: MAILSCANNER at JISCMAIL.AC.UK
> >>>> Subject: Re: 4.40.5: IPBlock 451 versus 550
> >>>>
> >>>> Jeff A. Earickson wrote:
> >>>>
> >>>>> Julian,
> >>>>>
> >>>>> Just curious as to why you changed IPBlock from fatal rejections
> >>>>> to tmpfail.  I've had a couple of spammers pounding on my system
> >>>>> with crap that would have ordinarily been booted by IPBlock for
> >>>>> good.  Now they just keep trying.  I've modified my copy of
> >>>>> CustomConfig.pm in 4.40.5 to do the 550 rejections again.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> My idea of suggesting Jules for 451 error instead of 550 error code was
> >>>> that, unknowingly we do not bounce back some genuine mails just because
> >>>> the sending server is sending too many mails to us. For e.g. a yahoo's
> >>>> outgoing server might be sending quite a good amount of mails to an MX
> >>>> server hosting many domains. So if we just temporarily deny from
> >>>> accepting the mail then however I am guaranteed that a good outgoing
> >>>> server would definitely try again for delivery which won't be applicable
> >>>> in case of a 550 rejection and probably some sending out an important
> >>>> mail would finally get a bounce back for no good reason. This is totally
> >>>> different from the greylisting concept in which any server initiating a
> >>>> first time connection will have to compulsorily try again later.
> >>>>
> >>>> However majority spammers use hijacked machines or poor SMTP engines to
> >>>> send out spams and asking them to try again later with 451 error code
> >>>> wouldn't be of any harm as they don't bother to try again later so the
> >>>> spams don't come at all. However if they are using someone else's
> >>>> server which actually does retry sending the spam, then we can probably
> >>>> notify the administrator to checkout his system or at least have 1 hour
> >>>> to block the IP on the firewall.
> >>>>
> >>>> --
> >>>> Regards,
> >>>> Rakesh B. Pal
> >>>> Emergic CleanMail Team.
> >>>> Netcore Solutions Pvt. Ltd.
> >>>>
> >>>>
> >>>> ========================================================================
> >>>>
> >>>> "First they ignore you. Then they laugh at you.
> >>>> Then they fight you. Then you win."
> >>>>                                               - M. Gandhi
> >>>>
> >>>> ========================================================================
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> ----------------------------------------------------------
> >>>> Netcore Solutions Pvt. Ltd.
> >>>> Website:  http://www.netcore.co.in
> >>>> Spamtraps: http://cleanmail.netcore.co.in/directory.html
> >>>> ----------------------------------------------------------
> >>>>
> >>>> ------------------------ MailScanner list ------------------------
> >>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >>>> 'leave mailscanner' in the body of the email.
> >>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> >>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >>>>
> >>>> Support MailScanner development - buy the book off the website!
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Rakesh B. Pal
> >> Emergic CleanMail Team.
> >> Netcore Solutions Pvt. Ltd.
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Buy the MailScanner book at www.MailScanner.info/store
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >
>

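The 451-versus-550 trade-off argued in the quoted thread, as an added example that is not part of the original messages and is not MailScanner's IPBlock code: a per-netblock limiter answers over-limit senders with a configurable reply code, and `simulate` returns (delivered, not retried after 550, abandoned after 451) for a sender that either queues and retries or never does. The netblock, the limits and the one-hour counting window are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

WINDOW = 3600  # seconds; assumed counting window
# Constructed limits: low for our own netblock, high default for everyone else.
LIMITS = [(ipaddress.ip_network("192.0.2.0/24"), 5)]
DEFAULT_LIMIT = 20


class Throttle:
    """Counts accepted messages per IP per window; rejects above the limit."""
    def __init__(self, reject_code):
        self.reject_code = reject_code          # 451 (tempfail) or 550 (fatal)
        self.counts = defaultdict(int)          # (ip, window index) -> messages

    def limit_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, limit in LIMITS:
            if addr in net:
                return limit
        return DEFAULT_LIMIT

    def receive(self, ip, now):
        key = (ip, now // WINDOW)
        if self.counts[key] >= self.limit_for(ip):
            return self.reject_code
        self.counts[key] += 1
        return 250


def simulate(reject_code, ip, messages, retries):
    """Burst of `messages`; a retrying sender re-sends 451 replies one window later."""
    throttle = Throttle(reject_code)
    queue, now = messages, 0
    delivered = bounced = dropped = 0
    while queue:
        deferred = 0
        for _ in range(queue):
            code = throttle.receive(ip, now)
            if code == 250:
                delivered += 1
            elif code == 451 and retries:
                deferred += 1       # a queueing MTA keeps it and retries
            elif code == 550:
                bounced += 1        # permanent failure: message is not retried
            else:
                dropped += 1        # non-retrying engine gives up on 451
        queue, now = deferred, now + WINDOW
    return delivered, bounced, dropped
```

With these numbers a retrying server that bursts 50 messages gets all of them through over three windows under 451 but loses 30 under 550, while a sender that never retries is capped at the limit under either code.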



