rejecting botnets with sendmail

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Thu Nov 2 14:21:02 GMT 2006


Scott Silva wrote:
>>> I use exim and it allows you to reject based on specific returns (such as
>>> 127.0.0.10) or anything but a specific return for rbls that return more than
>>> one possible address. I figured this is such a good idea perhaps sendmail
>>> had something similar so I hit google and found enhdnsbl, did a quick google
>>> on FEATURE(enhdnsbl, and found you could use something like
>>>
>>> FEATURE(`enhdnsbl',`safe.dnsbl.sorbs.net',`"554 Rejected "
>>>  $&{client_addr} " found in safe.dnsbl.sorbs.net"',
>>> ,`127.0.0.2.',`127.0.0.3.', `127.0.0.4.', , `127.0.0.5.', , `127.0.0.6.',
>>> `127.0.0.7.', `127.0.0.8.', `127.0.0.9.')
>>>
>>> Which would reject on all the lists except dul. Or you could have multiple
>>> FEATURE(`dnsbl', entries, one for each of the lists you wanted to use (there
>>> are more too). Of course the single call and choose your reject addresses,
>>> would be more economical I would think.
>>>
>>> Rick
>>>   
>>>       
>> Rick,
>>
>> This is really interesting!  My stats for yesterday are:
>> 127.0.0.2 : 929
>> 127.0.0.3 : 608
>> 127.0.0.4 : 46
>> 127.0.0.5 : 5
>> 127.0.0.6 : 539
>> 127.0.0.7 : 12587
>> 127.0.0.9 : 2
>> 127.0.0.10 : 97940
>>
>> So if I omit dul.dnsbl.sorbs.net I will not block much...
>>
>> Any ideas on how I could whitelist some IP addresses or domain names if
>> needed?
>>
>> Thanks!
>>
>> Denis
>>
>>     
> You can add whitelisted entries in the access file if you use
> feature_delay_checks in sendmail.
> http://www.technoids.org/
> Has a lot of good sendmail stuff.
> Are you using the new stuff in sendmail like greetpause, conncontrol, and
> ratecontrol?
> http://www.technoids.org/dossed.html
>   
Yes, I am using greetpause, conncontrol, and ratecontrol but they're not 
enough.

I knew about http://www.technoids.org/dossed but not the rest of the 
site.  It's quite interesting.  However I'm not sure how to whitelist a 
remote site that appears on safe.dnsbl.sorbs.net.  The examples I saw 
referred to email addresses...

After some more reading on sendmail.org, I think I need the following in 
my access file:
ip.of.remote.host:   OK

OK: "Accept mail even if other rules in the running ruleset would reject 
it, for example, if the domain name is unresolvable. "Accept" does not 
mean "relay", but at most acceptance for local recipients. That is, OK 
allows less than RELAY."

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

