sendmail greet_pause feature

Alex Neuman van der Hans alex at nkpanama.com
Tue Feb 7 15:29:17 GMT 2006


We have about a half-dozen major ISPs in our country, and I usually 
will add their particular dialup-dsl-cable reverse dns domains (like, 
for example, .dslsubscriber.localisp.com) with a high (30s) delay, and 
default to something more sensible (8s) for everybody else except for 
trusted domains. That way, legitimate mail from legitimate SMEs who 
happen to use their services will come through, and compromised machines 
will not. Speaking of SMEs, greylisting also works extremely well, and 
is almost transparent when the delay is set to something small, like a 
minute.

Speaking of which, it would be somewhat trivial for a programmer (IANAP, 
but I can try, in "bash" or something) to have a script that runs every 
minute, looks at /var/log/maillog, and inserts iptables rules blocking 
port 25 from IPs who have tried unsuccessfully more than a specific 
number of times in the last minute to send mail violating the RFCs, 
only to be unblocked after another specified interval. In very sloppy 
pseudocode it would be something like (again, IANAP):
------------------------
#!/bin/bash
# Run from cron once a minute.  Blocks port 25 for addresses that were
# rejected for pre-greeting traffic during the previous minute, and
# removes the block again once INTERVAL seconds have passed.
LOG=/var/log/maillog
DB=/var/lib/greetblock.db        # one "epoch address" pair per line
INTERVAL=3600                    # seconds a block stays in place
LIMIT=2                          # rejections per minute before blocking
now=$(date +%s)
minute=$(date -d '1 minute ago' '+%b %e %H:%M')   # GNU date, syslog style
touch "$DB"

# addresses rejected at least LIMIT times in the previous minute
grep "^$minute" "$LOG" | grep 'due to pre-greeting' \
  | cut -d '[' -f 3 | cut -d ']' -f 1 | sort | uniq -c \
  | while read -r count addr; do
      [ "$count" -ge "$LIMIT" ] || continue
      grep -q " $addr\$" "$DB" && continue        # already blocked
      echo "$now $addr" >> "$DB"
      # -I, not -A: the DROP must sit before any rule that accepts port 25
      iptables -I INPUT -p tcp --dport 25 -s "$addr" -j DROP
    done

# expire blocks older than INTERVAL, rewriting the record file
while read -r stamp addr; do
    if [ $((now - stamp)) -ge "$INTERVAL" ]; then
        iptables -D INPUT -p tcp --dport 25 -s "$addr" -j DROP
    else
        echo "$stamp $addr"
    fi
done < "$DB" > "$DB.new" && mv "$DB.new" "$DB"
--------------------------
Doable? Anyone?

Randal, Phil wrote:
> I've done that, it was more a cautionary note to others.
>
> greet_pause is currently catching about 10% of our incoming emails.
>
> Around 40% of our incoming mail was spam, so it helps.
>
> Cheers,
>
> Phil
>
> ----
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK  
>
>   
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info 
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
>> Of Alex Neuman van der Hans
>> Sent: 07 February 2006 13:22
>> To: MailScanner discussion
>> Subject: Re: sendmail greet_pause feature
>>
>> Whitelist them using the access db (put their netblocks or 
>> domains on a, say, 3 second delay instead).
>>
>> Randal, Phil wrote:
>>     
>>> Looking at the last couple of days' sendmail logs I'm finding a few 
>>> who really should know better falling foul of a greet_pause 
>>> 10 second delay:
>>> ncsmtp02.partner.nspcc.org.uk
>>> gateway.brent.gov.uk
>>>
>>> and these ISPs.  Tut tut!
>>>
>>> various mx servers at mail.freeuk.net (mx0.mail.freeuk.net, mx1) 
>>> various mx servers at mail.uk.clara.net (mx0.mail.uk.clara.net through 
>>> mx5)
>>> store0.mail.uk.easynet.net
>>>
>>> Cheers,
>>>
>>> Phil
>>> ----
>>> Phil Randal
>>> Network Engineer
>>> Herefordshire Council
>>> Hereford, UK
>>>
>>>   
>>>       
>>>> -----Original Message-----
>>>> From: mailscanner-bounces at lists.mailscanner.info
>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Will 
>>>> McDonald
>>>> Sent: 07 February 2006 11:44
>>>> To: MailScanner discussion
>>>> Subject: Re: sendmail greet_pause feature
>>>>
>>>> On 07/02/06, Roger Jochem <roger at rudnick.com.br> wrote:
>>>>> I just enabled the greet_pause in my sendmail. I'm seeing a lot of 
>>>>> warnings in my maillog about messages being rejected because there was 
>>>>> pre-greeting traffic. Is there some way I could see what messages 
>>>>> were these rejected messages, just to be sure I'm not 
>>>>> rejecting "good mail".
>>>>
>>>> Given what greet_pause is doing, and why, I doubt there's anyway 
>>>> you're going to get more than is already contained in the log 
>>>> message.
>>>>
>>>> Most of the rejections we've seen since enabling it last week have 
>>>> been
>>>>
>>>> * from IP addresses without reverse DNS
>>>> * within dynamically assigned ranges (DSL, cable modems and the like)
>>>> * from *.pl, *.ru, *.kr and other usually suspicious TLDs.
>>>>
>>>> Try something like...
>>>>
>>>> $ awk '/due to pre-greeting/ { print $10 }' /var/log/maillog | sort -u
>>>>
>>>> Have a scan through and the chances are it'll all be suspicious 
>>>> looking. And remember, even if the reverse lookup makes them look 
>>>> potentially legit, they're still trying to inject mail traffic before 
>>>> you've told them to, which should immediately raise concerns.
>>>>
>>>> Will.
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website! 
>>>>
>> -- 
>>
>> Alex Neuman van der Hans
>> N&K Technology Consultants
>> Tel. +507 214-9002 - http://nkpanama.com/
>>

-- 

Alex Neuman van der Hans
N&K Technology Consultants
Tel. +507 214-9002 - http://nkpanama.com/
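The triage step Will describes (look at what greet_pause rejected and decide whether it looks legitimate before you whitelist or block) and the per-domain delays Alex keeps in the access db, worked through as an added example that is not code from this thread. It runs awk over a few constructed log lines in sendmail 8.13's `rejecting commands from <name> [<ip>] due to pre-greeting traffic` format (the one Will's `print $10` relies on), where the name is the bare `[<ip>]` when the client has no reverse DNS; it classifies each rejected client, lists block candidates for the cron script above, and prints access-db `GreetPause:` lines. The class names, the dynamic-hostname patterns, the threshold and the sample addresses are my own assumptions. One caveat worth knowing when you type Alex's numbers into the access db: `GreetPause:` values are milliseconds, so a 30s delay is `30000` and a 3s one is `3000`.

```shell
#!/bin/sh
# Added example (not from the thread): triage sendmail greet_pause
# rejections before turning them into access-db entries or firewall rules.
# Log format assumed (sendmail 8.13, as Will's awk one-liner expects):
#   ... rejecting commands from <name> [<ip>] due to pre-greeting traffic ...
# where <name> is "[<ip>]" when the client has no reverse DNS.

# Constructed sample log lines using documentation addresses, not real traffic.
SAMPLE_LOG='Feb  7 13:01:02 mx sendmail[2201]: k17D12AB2201: rejecting commands from mx0.mail.example.net [192.0.2.10] due to pre-greeting traffic after 3 seconds
Feb  7 13:01:09 mx sendmail[2202]: k17D19AB2202: rejecting commands from [198.51.100.7] [198.51.100.7] due to pre-greeting traffic after 1 seconds
Feb  7 13:01:40 mx sendmail[2203]: k17D1eAB2203: rejecting commands from [198.51.100.7] [198.51.100.7] due to pre-greeting traffic after 1 seconds
Feb  7 13:02:15 mx sendmail[2204]: k17D2FAB2204: rejecting commands from dsl-203-0-113-9.dslsubscriber.localisp.com [203.0.113.9] due to pre-greeting traffic after 2 seconds
Feb  7 13:02:50 mx sendmail[2205]: k17D2oAB2205: from=<user@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=smtp.example.org [192.0.2.55]'

# greet_pause_report: maillog on stdin -> one line per rejected client,
# "<count> <ip> <name> <class>", busiest first.  Classes (my own names)
# follow what Will saw: no-rdns, dynamic (DSL/cable/dialup naming),
# suspect-tld, and review for a named host you should look at by hand.
greet_pause_report() {
    awk '
    /rejecting commands from .* due to pre-greeting traffic/ {
        host = $10; ip = $11
        sub(/^\[/, "", ip); sub(/\]$/, "", ip)
        if (host ~ /^\[/)
            cls = "no-rdns"
        else if (host ~ /^(dsl|cable|dyn|dynamic|dhcp|ppp|pool|dialup)[.-]/ ||
                 host ~ /[.-](dsl|cable|dyn|dynamic|dhcp|ppp|pool|dialup|subscriber)[.-]/)
            cls = "dynamic"
        else if (host ~ /\.(pl|ru|kr)$/)
            cls = "suspect-tld"
        else
            cls = "review"
        n[ip " " host " " cls]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# greet_pause_block_candidates: report on stdin -> addresses seen at least
# $1 times (default 2) that also have no reverse DNS or a dynamic-looking
# name.  Named hosts are left out on purpose: those are the ones Phil found
# "should know better", and a shorter GreetPause entry fits them better
# than a firewall rule.
greet_pause_block_candidates() {
    awk -v limit="${1:-2}" '$1 >= limit && ($4 == "no-rdns" || $4 == "dynamic") { print $2 }'
}

# greet_pause_access_entry <host, domain or IP prefix> <seconds>: print the
# access-db line for a per-client delay.  GreetPause values are in
# milliseconds, so "30" becomes 30000; feed the lines to
#   makemap hash /etc/mail/access < /etc/mail/access
greet_pause_access_entry() {
    printf 'GreetPause:%s\t%d\n' "$1" "$(( $2 * 1000 ))"
}

# Dry run on the constructed sample.  On a real host use
#   grep pre-greeting /var/log/maillog | greet_pause_report
printf '%s\n' "$SAMPLE_LOG" | greet_pause_report
printf '%s\n' "$SAMPLE_LOG" | greet_pause_report | greet_pause_block_candidates 2
greet_pause_access_entry dslsubscriber.localisp.com 30     # Alex's dialup/DSL pools
greet_pause_access_entry trusted-partner.example 3         # known-good sender
```

On the sample, only 198.51.100.7 (two hits, no reverse DNS) comes out as a block candidate at the default threshold; the single-hit DSL host would need the threshold dropped to 1, and the named MX is reported for manual review rather than blocked. The `review` class is where Phil's list of MXs that "should know better" lands: a 3000 ms `GreetPause:` entry for their domain, as Alex suggests, keeps their mail flowing without switching the check off.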


