4.40.5: IPBlock 451 versus 550
Jeff A. Earickson
jaearick at COLBY.EDU
Sun Mar 20 13:40:16 GMT 2005
That's the google article that I stumbled across, which got me to
add conncontrol and ratecontrol to my setup. A good read.

Jeff
On Sat, 19 Mar 2005, Stephen Swaney wrote:
> Date: Sat, 19 Mar 2005 08:48:46 -0500
> From: Stephen Swaney <steve.swaney at FSL.COM>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: 4.40.5: IPBlock 451 versus 550
>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>> Behalf Of Jeff A. Earickson
>> Sent: Saturday, March 19, 2005 7:56 AM
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: 4.40.5: IPBlock 451 versus 550
>>
>> Y'all,
>>
>> My IPBlock ruleset for the outside world is almost identical to what is
>> posted on the FAQ:
>> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html
>>
>> The numbers there are tuned to my site, YMMV. My internal rules vary
>> from subnet to subnet (dorms vs offices). IPBlock has always been more
>> useful for blocking foreign spam sites, eg Asia/Pacific spammers, than
>> it has been in throttling runaway machines on-campus.
>>
>> I get a daily report (small) of numbers that got IPBlocked. I
>> investigate. Nearly always spammers.
>>
>> Yesterday I implemented the conncontrol and ratecontrol FEATURES of
>> sendmail, so this issue should be more handled upstream by the MTA.
>>
>> Jeff Earickson
>> Colby College
>>
>
> Jeff makes a very interesting point. A nice explanation of how sendmail 8.13
> can be configured to help stop attacks on e-mail servers, including (but not
> limited to) denial-of-service (DoS) attacks, distributed denial-of-service
> (DDoS) attacks, Joe Jobs, dictionary attacks, slamming, and other assorted
> nuisances can be found at:
>
> http://www.technoids.org/dossed.html
>
> It would be interesting to hear what settings people are using in these new
> connection control and rate control features of sendmail 8.13.
>
> Steve
>
> Steve Swaney
> President
> Fortress Systems Ltd.
> www.fsl.com
> steve.swaney at fsl.com
>
>> On Sat, 19 Mar 2005, Julian Field wrote:
>>
>>> Date: Sat, 19 Mar 2005 11:47:28 +0000
>>> From: Julian Field <MailScanner at ECS.SOTON.AC.UK>
>>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: Re: 4.40.5: IPBlock 451 versus 550
>>>
>>> I think you've got it exactly right. I primarily intended it to throttle
>>> flooding from your own users/customers' boxes. So I would specify a low
>>> limit for your customers IP netblocks, and have a fairly high default
>>> for the rest of the world.
>>>
>>> Rakesh wrote:
>>>
>>>> thanks Jeff,
>>>>
>>>> test it on real time scenarios and suggest what would help to make
>>>> things better and easier. Even I have implemented it on my live
>>>> servers. Probably one thing down the line we have to do is by default
>>>> maintain a list of some well known outgoing servers of yahoo or other
>>>> heavy traffic outgoing servers and set them to have a greater connection
>>>> limit (specify greater limits for them in IPBlock.conf). That we have to
>>>> see if it would really help others. What do you think on this? Julian
>>>> please let us know your views as well.
>>>>
>>>> Rakesh
>>>>
>>>> Jeff A. Earickson wrote:
>>>>
>>>>> Rakesh,
>>>>> Point taken. I have changed my CustomConfig.pm back to using 451
>>>>> instead of 550. I'll see if the problem returns. Hey, this is
>>>>> a beta version of MailScanner and those of us who run it should
>>>>> be willing to test the new features.
>>>>>
>>>>> Jeff Earickson
>>>>> Colby College
>>>>>
>>>>> On Thu, 17 Mar 2005, Rakesh wrote:
>>>>>
>>>>>> Date: Thu, 17 Mar 2005 18:30:35 +0530
>>>>>> From: Rakesh <rakesh at NETCORE.CO.IN>
>>>>>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>>>>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>>>>> Subject: Re: 4.40.5: IPBlock 451 versus 550
>>>>>>
>>>>>> Jeff A. Earickson wrote:
>>>>>>
>>>>>>> Julian,
>>>>>>>
>>>>>>> Just curious as to why you changed IPBlock from fatal rejections
>>>>>>> to tmpfail. I've had a couple of spammers pounding on my system
>>>>>>> with crap that would have ordinarily been booted by IPBlock for
>>>>>>> good. Now they just keep trying. I've modified my copy of
>>>>>>> CustomConfig.pm in 4.40.5 to do the 550 rejections again.
>>>>>>
>>>>>> My idea of suggesting Jules for 451 error instead of 550 error code
>>>>>> was that, unknowingly we do not bounce back some genuine mails just
>>>>>> because the sending server is sending too many mails to us. For e.g. a
>>>>>> yahoo's outgoing server might be sending quite a good amount of mails
>>>>>> to an MX server hosting many domains. So if we just temporarily deny
>>>>>> from accepting the mail then however I am guaranteed that a good
>>>>>> outgoing server would definitely try again for delivery which won't be
>>>>>> applicable in case of a 550 rejection and probably someone sending out
>>>>>> an important mail would finally get a bounce back for no good reason.
>>>>>> This is totally different from the greylisting concept in which any
>>>>>> server initiating a first time connection will have to compulsorily
>>>>>> try again later.
>>>>>>
>>>>>> However majority spammers use hijacked machines or poor SMTP engines
>>>>>> to send out spams and asking them to try again later with 451 error
>>>>>> code wouldn't be of any harm as they don't bother to try again later so
>>>>>> the spams don't come at all. However if they are using someone else's
>>>>>> server which actually does retry sending the spam, then we can
>>>>>> probably notify the administrator to check out his system or at least
>>>>>> have 1 hour to block the IP on the firewall.
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Rakesh B. Pal
>>>>>> Emergic CleanMail Team.
>>>>>> Netcore Solutions Pvt. Ltd.
>>>>>>
>>>>>>
>>>>>> ========================================================================
>>>>>> "First they ignore you. Then they laugh at you.
>>>>>> Then they fight you. Then you win."
>>>>>> - M. Gandhi
>>>>>> ========================================================================
>>>>>>
>>>>>> ----------------------------------------------------------
>>>>>> Netcore Solutions Pvt. Ltd.
>>>>>> Website: http://www.netcore.co.in
>>>>>> Spamtraps: http://cleanmail.netcore.co.in/directory.html
>>>>>> ----------------------------------------------------------
>>>>>>
>>>>>> ------------------------ MailScanner list ------------------------
>>>>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>>>> 'leave mailscanner' in the body of the email.
>>>>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Rakesh B. Pal
>>>> Emergic CleanMail Team.
>>>> Netcore Solutions Pvt. Ltd.
>>>>
>>>>
>>>
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> Buy the MailScanner book at www.MailScanner.info/store
>>> Professional Support Services at www.MailScanner.biz
>>> MailScanner thanks transtec Computers for their support
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>>
>>
>
>
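
The 451-versus-550 trade-off discussed in this thread, as an added example that is not part of the original messages and is not MailScanner's IPBlock code: a per-IP limiter with a low limit for one's own netblock and a higher default, run against a sender that re-queues on 4xx and one that never retries. The limits, window, retry interval and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed values for illustration; not taken from the thread or the FAQ.
WINDOW = 3600                                            # counting window, seconds
NETBLOCK_LIMITS = [(ipaddress.ip_network("192.0.2.0/24"), 3)]  # own users: low
DEFAULT_LIMIT = 5                                        # rest of the world: higher

class RateLimiter:
    """Per-IP message limit; over-limit senders get reject_code (451 or 550)."""
    def __init__(self, reject_code):
        self.reject_code = reject_code
        self.accepted = defaultdict(deque)               # ip -> accept timestamps

    def limit_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, limit in NETBLOCK_LIMITS:
            if addr in net:
                return limit
        return DEFAULT_LIMIT

    def check(self, ip, now):
        q = self.accepted[ip]
        while q and now - q[0] >= WINDOW:                # expire old entries
            q.popleft()
        if len(q) >= self.limit_for(ip):
            return self.reject_code
        q.append(now)
        return 250

def deliver(mta, ip, n_msgs, max_retries, retry_after=1800):
    """Model a sender: 4xx is re-queued up to max_retries, 5xx bounces at once."""
    delivered = bounced = 0
    pending = n_msgs
    for attempt in range(max_retries + 1):
        now, deferred = attempt * retry_after, 0
        for _ in range(pending):
            code = mta.check(ip, now)
            if code == 250:
                delivered += 1
            elif code >= 500:
                bounced += 1
            else:
                deferred += 1
        pending = deferred
        if pending == 0:
            break
    return {"delivered": delivered, "bounced": bounced, "abandoned": pending}

if __name__ == "__main__":
    print(deliver(RateLimiter(451), "198.51.100.7", 8, max_retries=4))
    print(deliver(RateLimiter(550), "198.51.100.7", 8, max_retries=4))
    print(deliver(RateLimiter(451), "192.0.2.50", 8, max_retries=0))
```

With 451 the queueing relay gets all eight messages through once the window rolls over; with 550 the three over-limit messages bounce to their senders.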