rejecting botnets with sendmail

Rick Cooper rcooper at dwford.com
Thu Nov 2 01:04:25 GMT 2006


 

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Res
> Sent: Wednesday, November 01, 2006 5:39 PM
> To: MailScanner discussion
> Subject: RE: rejecting botnets with sendmail
> 
> On Wed, 1 Nov 2006, Rick Cooper wrote:
> 
[...]

> > FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
> > $&{client_addr} " found in safe.dnsbl.sorbs.net"',
> > ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
> > `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
> >
> > Which would reject on all the lists except dul. Or you could have multiple
> > FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there
> > are more too). Of course the single call and choose your reject addresses,
> > would be more economical I would think.
> 
> 
> Sendmail works the identical way, it's an "enhanced dnsbl" feature

That which I listed above (hopefully correct syntax) was from sendmail. In
my exim configuration it looks like

deny  message  = rejected because $sender_host_address is in a black list \
                 at $dnslist_domain $dnslist_text
      hosts    = !/somedir/Mail_local_net:!/somedir/mail_relay_from_hosts
      senders  = !/somedir/Mail_sender_white_list.conf
      dnslists = ${readfile{/somedir/mail_rbl_lists}{:}}

Which says, basically, if the host is *not* in my local network list, and
it's not a host I relay for and the sender is not in a special whitelist,
then submit to the rbls listed in /somedir/mail_rbl_lists. If the host is
already excluded the call is never made (wasted). The lists can be changed
without having to do anything with exim; if the file changes exim reads it
again, otherwise it's cached.
 

/somedir/mail_rbl_lists contains entries like (several more than listed):

 safe.dnsbl.sorbs.net
 combined-HIB.dnsiplists.completewhois.com=127.0.0.2,127.0.0.3

Which says deny anything returned from safe.dnsbl.sorbs.net, but only deny
127.0.0.2 or 127.0.0.3 from combined-HIB.dnsiplists.completewhois.com.

This would basically accomplish what Denis wanted but I have no clue as to
how to do it with SendMail

Rick
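
Added example (not part of Rick's message and not Exim's own code): a Python model of how list entries in the format of /somedir/mail_rbl_lists decide a rejection, covering only the two forms shown above (bare domain, and domain=addr,addr). The function names, the injected resolver and its answers are assumptions constructed so the logic runs offline.

```python
import ipaddress

# Constructed sample of a list file in the format shown in the message.
SAMPLE_RBL_FILE = """\
safe.dnsbl.sorbs.net
combined-HIB.dnsiplists.completewhois.com=127.0.0.2,127.0.0.3
"""

def parse_rbl_lists(text):
    """Return [(zone, wanted_codes or None)]; None means any answer matches."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        zone, sep, codes = line.partition("=")
        wanted = {ipaddress.IPv4Address(c.strip()) for c in codes.split(",")} if sep else None
        entries.append((zone.strip(), wanted))
    return entries

def query_name(client_ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def first_listing(client_ip, entries, resolve_a):
    """Return the first zone listing client_ip, else None. resolve_a(name) is a
    caller-supplied lookup returning A-record strings ([] if not listed)."""
    for zone, wanted in entries:
        answers = {ipaddress.IPv4Address(a) for a in resolve_a(query_name(client_ip, zone))}
        # Bare zone: any A record rejects. zone=codes: only those codes reject.
        if answers and (wanted is None or answers & wanted):
            return zone
    return None

# Constructed resolver data using documentation addresses (RFC 5737).
FAKE_DNS = {
    "10.2.0.192.combined-HIB.dnsiplists.completewhois.com": ["127.0.0.4"],
    "11.2.0.192.combined-HIB.dnsiplists.completewhois.com": ["127.0.0.3"],
    "12.2.0.192.safe.dnsbl.sorbs.net": ["127.0.0.10"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    rules = parse_rbl_lists(SAMPLE_RBL_FILE)
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print(ip, "->", first_listing(ip, rules, fake_resolve) or "not listed")
```
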

