rejecting botnets with sendmail

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Wed Nov 1 20:07:02 GMT 2006


Rick Cooper wrote:
>  
>
>   
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info 
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of DAve
>> Sent: Wednesday, November 01, 2006 1:31 PM
>> To: MailScanner discussion
>> Subject: Re: rejecting botnets with sendmail
>>
>>     
> [...]
>   
>>>>> This saved us:
>>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " 
>>>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>>>>>           
>>>> What list is this? I don't see it on the sorbs.net website.
>>>>         
>>> Dave,
>>>
>>> It's an aggregate of:
>>>
>>> http.dnsbl.sorbs.net
>>> socks.dnsbl.sorbs.net
>>> misc.dnsbl.sorbs.net
>>> smtp.dnsbl.sorbs.net
>>> new.spam.dnsbl.sorbs.net
>>> web.dnsbl.sorbs.net
>>> block.dnsbl.sorbs.net
>>> zombie.dnsbl.sorbs.net
>>> dul.dnsbl.sorbs.net
>>>
>>>
>>>       
>
> [...]
>
>   
>> Ouch, I wouldn't call anything using dul safe ;^) I guess 
>> I'll just hold 
>> on and keep my pager batteries fresh.
>>
>> DAve
>>
>>
>>     
>
> I use exim and it allows you to reject based on specific returns (such as
> 127.0.0.10) or anything but a specific return for rbls that return more than
> one possible address. I figured this is such a good idea perhaps sendmail
> had something similar so I hit google and found enhdnsbl, did a quick google
> on FEATURE(enhdnsbl, and found you could use something like
>
> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " 
>  $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> ,`127.0.0.2.', `127.0.0.3.', `127.0.0.4.', `127.0.0.5.', `127.0.0.6.',
> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
>
> Which would reject on all the lists except dul. Or you could have multiple
> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there
> are more too). Of course the single call and choose your reject addresses,
> would be more economical I would think.
>
> Rick
>   
Rick,

This is really interesting!  My stats for yesterday are:
127.0.0.2 : 929
127.0.0.3 : 608
127.0.0.4 : 46
127.0.0.5 : 5
127.0.0.6 : 539
127.0.0.7 : 12587
127.0.0.9 : 2
127.0.0.10 : 97940

So if I omit dul.dnsbl.sorbs.net I will not block much...

Any ideas on how I could whitelist some IP addresses or domain names if 
needed?

Thanks!

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045
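
Added example, not part of the original post and not sendmail's own code: a small Python model of the per-answer reject decision discussed above, applied to the hit counts in the message. The function names, the injectable resolver and the local allowlist are hypothetical, and 127.0.0.10 is taken to be the dul answer as the thread implies.

```python
import ipaddress
import socket

ZONE = "safe.dnsbl.sorbs.net"  # aggregate zone named in the thread
# Answers listed in the quoted enhdnsbl line: 127.0.0.2 through 127.0.0.9.
# 127.0.0.10 (the answer the thread attributes to dul) is left out.
REJECT_CODES = frozenset(f"127.0.0.{n}" for n in range(2, 10))

# Per-answer hit counts for one day, copied from the message.
STATS = {
    "127.0.0.2": 929, "127.0.0.3": 608, "127.0.0.4": 46, "127.0.0.5": 5,
    "127.0.0.6": 539, "127.0.0.7": 12587, "127.0.0.9": 2, "127.0.0.10": 97940,
}

def dnsbl_query_name(client_ip, zone=ZONE):
    """Build the reversed-octet name a DNSBL client looks up for an IPv4 peer."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Return the A records for name, or [] when nothing comes back."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []  # NXDOMAIN or lookup failure: treated as not listed

def verdict(client_ip, resolve=system_resolve, reject_codes=REJECT_CODES,
            allowlist=()):
    """Reject only when an answer is in reject_codes; the allowlist wins first."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in allowlist):
        return "accept"  # hypothetical local allowlist, checked before DNS
    answers = set(resolve(dnsbl_query_name(client_ip)))
    return "reject" if answers & reject_codes else "accept"

def coverage(stats, reject_codes):
    """Return (hits still rejected, total hits) for a set of reject codes."""
    total = sum(stats.values())
    kept = sum(n for code, n in stats.items() if code in reject_codes)
    return kept, total

if __name__ == "__main__":
    kept, total = coverage(STATS, REJECT_CODES)
    print(f"without dul: {kept}/{total} hits rejected ({kept / total:.1%})")
```

With the posted counts, rejecting on 127.0.0.2 through 127.0.0.9 only keeps 14716 of 112656 hits, about 13%.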

