4.40.5: IPBlock 451 versus 550

Stephen Swaney steve.swaney at FSL.COM
Sun Mar 20 15:14:38 GMT 2005


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Jeff A. Earickson
> Sent: Sunday, March 20, 2005 8:40 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: 4.40.5: IPBlock 451 versus 550
>
> That's the google article that I stumbled across, which got me to
> add conncontrol and ratecontrol to my setup.  A good read.  Jeff
>

Thanks Jeff.

I'm running all of the configurations suggested in the article on a test
server that gets little real mail. Almost 3,000 rejections in less than 24
hours with what I believe are fairly conservative values.

The typical rejection:

Mar 20 10:00:56 mta70 sendmail[778]: j2KF0ZYL000778: rejecting commands from
ALille-201-1-1-174.w193-251.abo.wanadoo.fr [193.251.0.174] due to
pre-greeting traffic

I've pretty carefully screened all of these notices and nothing looks like
real email. They appear to be mostly foreign, zombies, dial-ups or systems
with bad or missing DNS records.

Steve

Steve Swaney
President
Fortress Systems Ltd.
Phone: 202 338-1670
Cell: 202 352-3262
www.fsl.com
steve.swaney at fsl.com

> On Sat, 19 Mar 2005, Stephen Swaney wrote:
>
> > Date: Sat, 19 Mar 2005 08:48:46 -0500
> > From: Stephen Swaney <steve.swaney at FSL.COM>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: 4.40.5: IPBlock 451 versus 550
> >
> >> -----Original Message-----
> >> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >> Behalf Of Jeff A. Earickson
> >> Sent: Saturday, March 19, 2005 7:56 AM
> >> To: MAILSCANNER at JISCMAIL.AC.UK
> >> Subject: Re: 4.40.5: IPBlock 451 versus 550
> >>
> >> Y'all,
> >>
> >> My IPBlock ruleset for the outside world is almost identical to what is
> >> posted on the FAQ:
> >> http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html
> >>
> >> The numbers there are tuned to my site, YMMV.  My internal rules vary
> >> from subnet to subnet (dorms vs offices).  IPBlock has always been more
> >> useful for blocking foreign spam sites, e.g. Asia/Pacific spammers, than
> >> it has been in throttling runaway machines on-campus.
> >>
> >> I get a daily report (small) of numbers that got IPBlocked.  I
> >> investigate.  Nearly always spammers.
> >>
> >> Yesterday I implemented the conncontrol and ratecontrol FEATURES of
> >> sendmail, so this issue should be more handled upstream by the MTA.
> >>
> >> Jeff Earickson
> >> Colby College
> >>
> >
> > Jeff makes a very interesting point. A nice explanation of how sendmail 8.13
> > can be configured to help stop attacks on e-mail servers, including (but not
> > limited to) denial-of-service (DoS) attacks, distributed denial-of-service
> > (DDoS) attacks, Joe Jobs, dictionary attacks, slamming, and other assorted
> > nuisances can be found at:
> >
> >        http://www.technoids.org/dossed.html
> >
> > It would be interesting to hear what settings people are using in these new
> > connection control and rate control features of sendmail 8.13.
> >
> > Steve
> >
> > Steve Swaney
> > President
> > Fortress Systems Ltd.
> > www.fsl.com
> > steve.swaney at fsl.com
> >
> >> On Sat, 19 Mar 2005, Julian Field wrote:
> >>
> >>> Date: Sat, 19 Mar 2005 11:47:28 +0000
> >>> From: Julian Field <MailScanner at ECS.SOTON.AC.UK>
> >>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> >>> To: MAILSCANNER at JISCMAIL.AC.UK
> >>> Subject: Re: 4.40.5: IPBlock 451 versus 550
> >>>
> >>> I think you've got it exactly right. I primarily intended it to throttle
> >>> flooding from your own users/customers' boxes. So I would specify a low
> >>> limit for your customers' IP netblocks, and have a fairly high default
> >>> for the rest of the world.
> >>>
> >>> Rakesh wrote:
> >>>
> >>>> thanks Jeff,
> >>>>
> >>>> test it on real time scenarios and suggest what would help to make
> >>>> things better and easier. Even I have implemented it on my live servers.
> >>>> Probably one thing down the line we have to do is by default maintain a
> >>>> list of some well known outgoing servers of yahoo or other heavy traffic
> >>>> outgoing servers and set them to have a greater connection limit
> >>>> (specify greater limits for them in IPBlock.conf). That we have to see
> >>>> if it would really help others.  What do you think on this? Julian
> >>>> please let us know your views as well.
> >>>>
> >>>> Rakesh
> >>>>
> >>>> Jeff A. Earickson wrote:
> >>>>
> >>>>> Rakesh,
> >>>>>    Point taken.  I have changed my CustomConfig.pm back to using 451
> >>>>> instead of 550.  I'll see if the problem returns.  Hey, this is
> >>>>> a beta version of MailScanner and those of us who run it should
> >>>>> be willing to test the new features.
> >>>>>
> >>>>> Jeff Earickson
> >>>>> Colby College
> >>>>>
> >>>>> On Thu, 17 Mar 2005, Rakesh wrote:
> >>>>>
> >>>>>> Date: Thu, 17 Mar 2005 18:30:35 +0530
> >>>>>> From: Rakesh <rakesh at NETCORE.CO.IN>
> >>>>>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> >>>>>> To: MAILSCANNER at JISCMAIL.AC.UK
> >>>>>> Subject: Re: 4.40.5: IPBlock 451 versus 550
> >>>>>>
> >>>>>> Jeff A. Earickson wrote:
> >>>>>>
> >>>>>>> Julian,
> >>>>>>>
> >>>>>>> Just curious as to why you changed IPBlock from fatal rejections
> >>>>>>> to tmpfail.  I've had a couple of spammers pounding on my system
> >>>>>>> with crap that would have ordinarily been booted by IPBlock for
> >>>>>>> good.  Now they just keep trying.  I've modified my copy of
> >>>>>>> CustomConfig.pm in 4.40.5 to do the 550 rejections again.
> >>>>>>
> >>>>>> my idea of suggesting Jules for 451 error instead of 550 error code was
> >>>>>> that, unknowingly we do not bounce back some genuine mails just because
> >>>>>> the sending server is sending too many mails to us. For e.g. a yahoo's
> >>>>>> outgoing server might be sending quite a good amount of mails to an MX
> >>>>>> server hosting many domains. So if we just temporarily deny from
> >>>>>> accepting the mail then however i am guaranteed that a good outgoing
> >>>>>> server would definitely try again for delivery which won't be applicable
> >>>>>> in case of a 550 rejection and probably someone sending out an important
> >>>>>> mail would finally get a bounce back for no good reason. This is totally
> >>>>>> different from the greylisting concept in which any server initiating a
> >>>>>> first time connection will have to compulsorily try again later.
> >>>>>>
> >>>>>> However the majority of spammers use hijacked machines or poor SMTP engines to
> >>>>>> send out spams and asking them to try again later with 451 error code
> >>>>>> wouldn't be of any harm as they don't bother to try again later so the
> >>>>>> spams don't come at all. However if they are using someone else's
> >>>>>> server which actually does retry sending the spam, then we can probably
> >>>>>> notify the administrator to check out his system or at least have 1 hour
> >>>>>> to block the IP on the firewall.
> >>>>>>
> >>>>>> --
> >>>>>> Regards,
> >>>>>> Rakesh B. Pal
> >>>>>> Emergic CleanMail Team.
> >>>>>> Netcore Solutions Pvt. Ltd.
> >>>>>>
> >>>>>> ========================================================================
> >>>>>> "First they ignore you. Then they laugh at you.
> >>>>>> Then they fight you. Then you win."
> >>>>>>                                               - M. Gandhi
> >>>>>> ========================================================================
> >>>>>>
> >>>>>> ----------------------------------------------------------
> >>>>>> Netcore Solutions Pvt. Ltd.
> >>>>>> Website:  http://www.netcore.co.in
> >>>>>> Spamtraps: http://cleanmail.netcore.co.in/directory.html
> >>>>>> ----------------------------------------------------------
> >>>>>>
> >>>
> >>> --
> >>> Julian Field
> >>> www.MailScanner.info
> >>> Buy the MailScanner book at www.MailScanner.info/store
> >>> Professional Support Services at www.MailScanner.biz
> >>> MailScanner thanks transtec Computers for their support
> >>>
> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >>>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
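The 451-versus-550 trade-off and Julian's per-netblock limits, as an added illustration that is not MailScanner's IPBlock or CustomConfig.pm code: a connection throttle that tempfails (451) a client once it exceeds the limit for its netblock, with a low limit for a constructed customer block and a high default for the rest of the world. All netblocks, limits, the window length and the banner text are assumed values.

```python
"""Per-netblock SMTP connection throttle that answers 451 (temporary
failure) rather than 550, illustrating the IPBlock discussion above.
Added example, not MailScanner's CustomConfig.pm; every netblock, limit
and the window length below is a constructed value."""
import ipaddress
from collections import defaultdict, deque

# Low limit for our own customers' netblock (a runaway or infected local
# box is what the throttle is meant to catch), high default for the world.
LIMITS = [(ipaddress.ip_network("192.0.2.0/24"), 5)]  # constructed customer block
DEFAULT_LIMIT = 50
WINDOW = 60.0  # seconds over which connections are counted

ACCEPT = "220 mta70 ESMTP"
TEMPFAIL = "451 4.7.1 Too many connections from your host, try again later"


def limit_for(ip):
    """Connection limit for a client address: first matching netblock wins."""
    addr = ipaddress.ip_address(ip)
    for net, limit in LIMITS:
        if addr.version == net.version and addr in net:
            return limit
    return DEFAULT_LIMIT


class ConnectionThrottle:
    def __init__(self, window=WINDOW):
        self.window = window
        self.attempts = defaultdict(deque)  # ip -> timestamps within the window

    def connect(self, ip, now):
        """Greeting or rejection line for a connection from `ip` at time `now`.

        Rejected attempts are counted too, so a host that keeps hammering
        stays throttled, while a well-behaved MTA that honours the 451 and
        retries after the window is accepted again (nothing is bounced)."""
        q = self.attempts[ip]
        while q and now - q[0] > self.window:
            q.popleft()  # forget attempts that fell outside the window
        q.append(now)
        if len(q) > limit_for(ip):
            return TEMPFAIL
        return ACCEPT
```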