rejecting botnets with sendmail
Scott Silva
ssilva at sgvwater.com
Wed Nov 1 20:43:51 GMT 2006
DAve spake the following on 11/1/2006 10:31 AM:
> Denis Beauchemin wrote:
>> DAve a écrit :
>>> Denis Beauchemin wrote:
>>>> Andoni Auzmendi a écrit :
>>>>> Experiencing the recent increase in spam from botnets, is there a way to
>>>>> reject (or discard) connections coming from servers containing their IP
>>>>> address within the hostname? I can see lots of connections from
>>>>> broadband or dialup addresses. Some of them even bypass greylist as
>>>>> they resend the messages several times. We use Sendmail here and I guess
>>>>> there must be a milter which is capable of doing that.
>>>>>
>>>>> Andoni Auzmendi
>>>>>
>>>> Andoni,
>>>>
>>>> This saved us:
>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>>>
>>> What list is this? I don't see it on the sorbs.net website.
>>
>> Dave,
>>
>> It's an aggregate of:
>>
>> http.dnsbl.sorbs.net
>> socks.dnsbl.sorbs.net
>> misc.dnsbl.sorbs.net
>> smtp.dnsbl.sorbs.net
>> new.spam.dnsbl.sorbs.net
>> web.dnsbl.sorbs.net
>> block.dnsbl.sorbs.net
>> zombie.dnsbl.sorbs.net
>> dul.dnsbl.sorbs.net
>>
>>
>> I really needed to block them at the MTA level because our hw wasn't
>> able to cope with the big increase of spam we saw in the last weeks.
>> Even though I had 3 equal priority MX servers, one was receiving twice
>> as much as the other 2 combined.
>>
>> Denis
>>
>
> Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just hold
> on and keep my pager batteries fresh.
>
> DAve
>
>
Here are the other aggregate lists they have. A few don't include the dul list.
<quote>
SORBS also provides other aggregate zones as follows:
Zone Name                  Zones Included
=========                  ==============
dnsbl.sorbs.net            http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
                           smtp.dnsbl.sorbs.net
                           new.spam.dnsbl.sorbs.net
                           recent.spam.dnsbl.sorbs.net
                           escalations.dnsbl.sorbs.net
                           web.dnsbl.sorbs.net
                           dul.dnsbl.sorbs.net
                           block.dnsbl.sorbs.net
                           zombie.dnsbl.sorbs.net

safe.dnsbl.sorbs.net       http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
                           smtp.dnsbl.sorbs.net
                           new.spam.dnsbl.sorbs.net
                           web.dnsbl.sorbs.net
                           block.dnsbl.sorbs.net
                           zombie.dnsbl.sorbs.net
                           dul.dnsbl.sorbs.net

problems.dnsbl.sorbs.net   http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
                           smtp.dnsbl.sorbs.net
                           new.spam.dnsbl.sorbs.net
                           recent.spam.dnsbl.sorbs.net
                           old.spam.dnsbl.sorbs.net
                           escalations.dnsbl.sorbs.net
                           web.dnsbl.sorbs.net
                           block.dnsbl.sorbs.net
                           zombie.dnsbl.sorbs.net

relays.dnsbl.sorbs.net     http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
                           smtp.dnsbl.sorbs.net

proxies.dnsbl.sorbs.net    http.dnsbl.sorbs.net
                           socks.dnsbl.sorbs.net
                           misc.dnsbl.sorbs.net
</quote>
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
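
The check asked about at the top of the thread (does the connecting host's reverse-DNS name contain its own IP address?), as an added example that is not part of the original messages and not code from Sendmail or any milter. The function names, the hostnames and the 192.0.2.x documentation addresses are constructed for illustration; `dnsbl_query_name` shows the name a DNSBL lookup such as the `dnsbl` feature above resolves, assuming the usual reversed-octet convention.

```python
import ipaddress
import re

SEP = r"[.\-_]"
# Four 1-3 digit groups joined by '.', '-' or '_'. Wrapped in a lookahead so
# overlapping candidates (e.g. "1-192-0-2-45") are all examined.
QUAD = re.compile(
    rf"(?=(?<!\d)(\d{{1,3}}){SEP}(\d{{1,3}}){SEP}(\d{{1,3}}){SEP}(\d{{1,3}})(?!\d))"
)

def hostname_embeds_ip(hostname: str, ip: str) -> bool:
    """True if the PTR name carries the client's IPv4 address in a common form."""
    octets = list(ipaddress.IPv4Address(ip).packed)  # four ints, validates the input
    host = hostname.lower().rstrip(".")
    # Separated octets, forward or reversed, with or without zero padding.
    for match in QUAD.finditer(host):
        found = [int(group) for group in match.groups()]
        if found in (octets, octets[::-1]):
            return True
    # Concatenated forms: zero-padded decimal, and hex bounded by non-hex characters.
    padded = "".join(f"{o:03d}" for o in octets)
    hexed = "".join(f"{o:02x}" for o in octets)
    if padded in host:
        return True
    return re.search(rf"(?<![0-9a-f]){hexed}(?![0-9a-f])", host) is not None

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name resolved for a DNSBL check: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

# Constructed sample input: (PTR name, connecting address).
SAMPLES = [
    ("host-192-0-2-45.dsl.example.net", "192.0.2.45"),
    ("45.2.0.192.broadband.example.net", "192.0.2.45"),
    ("adsl-192-000-002-045.example.net", "192.0.2.45"),
    ("c000022d.cable.example.net", "192.0.2.45"),
    ("mail.example.com", "192.0.2.45"),
]

if __name__ == "__main__":
    for name, addr in SAMPLES:
        verdict = "generic rDNS" if hostname_embeds_ip(name, addr) else "ok"
        print(f"{addr:<12} {name:<36} {verdict}")
    print(dnsbl_query_name("192.0.2.45", "safe.dnsbl.sorbs.net"))
```

Statically addressed mail servers on business lines often have this kind of name as well, so a match is better used as a scoring or greylisting signal than as an outright reject.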