rejecting botnets with sendmail

Scott Silva ssilva at sgvwater.com
Wed Nov 1 20:50:45 GMT 2006


Denis Beauchemin spake the following on 11/1/2006 12:07 PM:
> Rick Cooper wrote:
>>  
>>
>>  
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of DAve
>>> Sent: Wednesday, November 01, 2006 1:31 PM
>>> To: MailScanner discussion
>>> Subject: Re: rejecting botnets with sendmail
>>>
>>>     
>> [...]
>>  
>>>>>> This saved us:
>>>>>> FEATURE(`dnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>>>>>> $&{client_addr} " found in safe.dnsbl.sorbs.net"')dnl
>>>>>>           
>>>>> What list is this? I don't see it on the sorbs.net website.
>>>>>         
>>>> Dave,
>>>>
>>>> It's an aggregate of:
>>>>
>>>> http.dnsbl.sorbs.net
>>>> socks.dnsbl.sorbs.net
>>>> misc.dnsbl.sorbs.net
>>>> smtp.dnsbl.sorbs.net
>>>> new.spam.dnsbl.sorbs.net
>>>> web.dnsbl.sorbs.net
>>>> block.dnsbl.sorbs.net
>>>> zombie.dnsbl.sorbs.net
>>>> dul.dnsbl.sorbs.net
>>>>
>>>>
>>>>       
>>
>> [...]
>>
>>  
>>> Ouch, I wouldn't call anything using dul safe ;^) I guess I'll just
>>> hold on and keep my pager batteries fresh.
>>>
>>> DAve
>>>
>>>
>>>     
>>
>> I use exim and it allows you to reject based on specific returns (such as
>> 127.0.0.10) or anything but a specific return for RBLs that return more than
>> one possible address. I figured this is such a good idea perhaps sendmail
>> had something similar so I hit Google and found enhdnsbl, did a quick Google
>> on FEATURE(enhdnsbl, and found you could use something like
>>
>> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>>  $&{client_addr} " found in safe.dnsbl.sorbs.net"',
>> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', `127.0.0.5.', `127.0.0.6.',
>> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
>>
>> Which would reject on all the lists except dul. Or you could have multiple
>> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there
>> are more too). Of course the single call and choose your reject addresses,
>> would be more economical I would think.
>>
>> Rick
>>   
> Rick,
> 
> This is really interesting!  My stats for yesterday are:
> 127.0.0.2 : 929
> 127.0.0.3 : 608
> 127.0.0.4 : 46
> 127.0.0.5 : 5
> 127.0.0.6 : 539
> 127.0.0.7 : 12587
> 127.0.0.9 : 2
> 127.0.0.10 : 97940
> 
> So if I omit dul.dnsbl.sorbs.net I will not block much...
> 
> Any ideas on how I could whitelist some IP addresses or domain names if
> needed?
> 
> Thanks!
> 
> Denis
> 
You can add whitelisted entries in the access file if you use
feature_delay_checks in sendmail.
http://www.technoids.org/ has a lot of good sendmail stuff.
Are you using the new stuff in sendmail like greetpause, conncontrol, and
ratecontrol?
http://www.technoids.org/dossed.html


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
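
Added example, not part of the original message and not sendmail or exim code: a Python sketch of the return-code filtering discussed in this thread, showing how the lookup name is built, how a reject set that leaves out 127.0.0.10 (the code the thread associates with dul) changes the decision, and what share of Denis's quoted hits such a set covers. The function names, the sample address 192.0.2.25 and the whitelist handling are assumptions made for illustration.

```python
import ipaddress

ZONE = "safe.dnsbl.sorbs.net"      # aggregate zone named in the thread
DUL = "127.0.0.10"                 # return code the thread associates with dul
REJECT_CODES = {f"127.0.0.{n}" for n in range(2, 10)}   # .2 through .9, as in Rick's list

# Per-code hit counts quoted in Denis's message (hits per code, not distinct hosts).
STATS = {"127.0.0.2": 929, "127.0.0.3": 608, "127.0.0.4": 46, "127.0.0.5": 5,
         "127.0.0.6": 539, "127.0.0.7": 12587, "127.0.0.9": 2, "127.0.0.10": 97940}


def query_name(client_ip, zone=ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decide(client_ip, answers, reject_codes=REJECT_CODES, whitelist=()):
    """Return (action, reason); `answers` is the set of A records returned
    for query_name(client_ip). An empty set means the address is not listed."""
    addr = ipaddress.ip_address(client_ip)
    # Local whitelist is consulted first, so it overrides any listing.
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return ("accept", "whitelisted")
    # An aggregate zone can return several codes; reject if any is in the set.
    hits = sorted(set(answers) & set(reject_codes))
    if hits:
        return ("reject", f"554 Rejected {client_ip} found in {ZONE}")
    return ("accept", "listed only under ignored codes" if answers else "not listed")


def share_blocked(stats, reject_codes):
    """Return (hits covered by reject_codes, total hits) for a stats table."""
    blocked = sum(n for code, n in stats.items() if code in reject_codes)
    return blocked, sum(stats.values())


if __name__ == "__main__":
    ip = "192.0.2.25"                                  # constructed sample address
    print(query_name(ip))
    print(decide(ip, {DUL}))                           # dul only: accepted
    print(decide(ip, {DUL, "127.0.0.7"}))              # also on another list: rejected
    print(decide(ip, {"127.0.0.7"}, whitelist=["192.0.2.0/24"]))
    print(share_blocked(STATS, REJECT_CODES))          # without dul
    print(share_blocked(STATS, REJECT_CODES | {DUL}))  # with dul
```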


