rejecting botnets with sendmail

Scott Silva ssilva at sgvwater.com
Wed Nov 1 20:43:51 GMT 2006


DAve spake the following on 11/1/2006 10:31 AM:
> Denis Beauchemin wrote:
>> DAve wrote:
>>> Denis Beauchemin wrote:
>>>> Andoni Auzmendi wrote:
>>>>> Experiencing the recent increase in spam from botnets, is there a way to
>>>>> reject (or discard) connections coming from servers containing their IP
>>>>> address within the hostname? I can see lots of connections from
>>>>> broadband or dialup addresses. Some of them even bypass greylist as
>>>>> they resend the messages several times. We use Sendmail here and I guess
>>>>> there must be a milter which is capable of doing that.
>>>>>
>>>>> Andoni Auzmendi
>>>>>   
>>>> Andoni,
>>>>
>>>> This saved us:
>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>>>
>>> What list is this? I don't see it on the sorbs.net website.
>>
>> Dave,
>>
>> It's an aggregate of:
>>
>> http.dnsbl.sorbs.net
>> socks.dnsbl.sorbs.net
>> misc.dnsbl.sorbs.net
>> smtp.dnsbl.sorbs.net
>> new.spam.dnsbl.sorbs.net
>> web.dnsbl.sorbs.net
>> block.dnsbl.sorbs.net
>> zombie.dnsbl.sorbs.net
>> dul.dnsbl.sorbs.net
>>
>>
>> I really needed to block them at the MTA level because our hw wasn't
>> able to cope with the big increase of spam we saw in the last weeks. 
>> Even though I had 3 equal priority MX servers, one was receiving twice
>> as much as the other 2 combined.
>>
>> Denis
>>
> 
> Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just hold
> on and keep my pager batteries fresh.
> 
> DAve
> 
> 
Here are the other aggregate lists they have. A few don't include the dul list.
<quote>
SORBS also provides other aggregate zones as follows:

               Zone Name                Zones Included
               =========                ==============

         dnsbl.sorbs.net          http.dnsbl.sorbs.net
                                 socks.dnsbl.sorbs.net
                                  misc.dnsbl.sorbs.net
                                  smtp.dnsbl.sorbs.net
                              new.spam.dnsbl.sorbs.net
                           recent.spam.dnsbl.sorbs.net
                           escalations.dnsbl.sorbs.net
                                   web.dnsbl.sorbs.net
                                   dul.dnsbl.sorbs.net
                                 block.dnsbl.sorbs.net
                                zombie.dnsbl.sorbs.net

    safe.dnsbl.sorbs.net          http.dnsbl.sorbs.net
                                 socks.dnsbl.sorbs.net
                                  misc.dnsbl.sorbs.net
                                  smtp.dnsbl.sorbs.net
                              new.spam.dnsbl.sorbs.net
                                   web.dnsbl.sorbs.net
                                 block.dnsbl.sorbs.net
                                zombie.dnsbl.sorbs.net
                                   dul.dnsbl.sorbs.net

problems.dnsbl.sorbs.net          http.dnsbl.sorbs.net
                                 socks.dnsbl.sorbs.net
                                  misc.dnsbl.sorbs.net
                                  smtp.dnsbl.sorbs.net
                              new.spam.dnsbl.sorbs.net
                           recent.spam.dnsbl.sorbs.net
                              old.spam.dnsbl.sorbs.net
                           escalations.dnsbl.sorbs.net
                                   web.dnsbl.sorbs.net
                                 block.dnsbl.sorbs.net
                                zombie.dnsbl.sorbs.net

  relays.dnsbl.sorbs.net          http.dnsbl.sorbs.net
                                 socks.dnsbl.sorbs.net
                                  misc.dnsbl.sorbs.net
                                  smtp.dnsbl.sorbs.net

 proxies.dnsbl.sorbs.net          http.dnsbl.sorbs.net
                                 socks.dnsbl.sorbs.net
                                  misc.dnsbl.sorbs.net

</quote>
-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
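
The check asked about at the top of the thread, a reverse-DNS hostname that embeds the connecting IP address, as an added example (not code from any poster here and not an existing sendmail milter). The function names, the set of encodings tried and the sample hostnames are assumptions constructed for illustration.

```python
import ipaddress
import re

def embeds_client_ip(hostname: str, ip: str) -> bool:
    """True if the rDNS name contains all four octets of the client IPv4 address."""
    host = hostname.lower().rstrip(".")
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    for order in (octets, octets[::-1]):           # forward and in-addr.arpa order
        forms = []
        for sep in (".", "-", "_"):
            forms.append((sep.join(str(o) for o in order), "0-9"))
            forms.append((sep.join(f"{o:03d}" for o in order), "0-9"))
        forms.append(("".join(f"{o:03d}" for o in order), "0-9"))     # 192000002017
        forms.append(("".join(f"{o:02x}" for o in order), "0-9a-f"))  # c0000211
        for form, cls in forms:
            # Lookarounds stop 192-0-2-17 from matching inside 192-0-2-170.
            if re.search(f"(?<![{cls}]){re.escape(form)}(?![{cls}])", host):
                return True
    return False

# Constructed samples: documentation address ranges and example domains only.
SAMPLES = [
    ("192.0.2.17", "dsl-192-0-2-17.pool.example.net"),   # dashed
    ("192.0.2.17", "17.2.0.192.dynamic.example.net"),    # reversed, dotted
    ("192.0.2.17", "host192000002017.example.net"),      # zero-padded, no separator
    ("192.0.2.17", "c0000211.cable.example.net"),        # hex octets
    ("192.0.2.17", "dsl-192-0-2-170.example.net"),       # a different address
    ("192.0.2.17", "mail.example.net"),                  # ordinary mail host
    ("198.51.100.25", "mx1-2006.example.org"),           # digits, but not the IP
]

def flagged(samples):
    """Return the hostnames whose name embeds their own client address."""
    return [host for ip, host in samples if embeds_client_ip(host, ip)]

if __name__ == "__main__":
    for host in flagged(SAMPLES):
        print("generic rDNS:", host)
```

Names that embed only two or three of the octets are not matched by this version, and a statically addressed mail server whose provider assigns IP-style rDNS is matched like any other host.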


