[Mimedefang] Failed looping spam

Barry Byrne barry.byrne at wbtsystems.com
Mon Oct 14 09:23:01 EDT 2002


In case it's of use to any of you, I run the following script as a cronjob
on an hourly basis to do what Les suggests below. Works very well.

Cheers,

Barry

---------------------------------------------

#!/bin/sh

MAILLOG=/var/log/maillog
FAILUSERS=/etc/mail/nosuchusers
AUTOACCESS=/etc/mail/access.auto
ACCESS=/etc/mail/access

# Add entries to failed user list.
# Match up to the first '>' so only the address itself is captured.

grep "stat=User unknown" "$MAILLOG" \
	| grep "relay=pop.dublin.wbtsystems.com" \
	| tr "[:upper:]" "[:lower:]" \
	| perl -e 'while(<>) { if (/: to=<([^>]*)>, /) {print("$1\n"); }}' \
	| sort -u \
	>> "$FAILUSERS"

# sort uniquely ignoring leading white space

sort -b -u -o "$FAILUSERS" "$FAILUSERS"

# start the generated list from the hand-maintained 'normal access list'

cat "$ACCESS" > "$AUTOACCESS"

# append a rejection rule for each failed address

while read -r ADDRESS
       do
         echo "To:$ADDRESS    ERROR:550 User Unknown" >> "$AUTOACCESS"
       done < "$FAILUSERS"

# rebuild database

/usr/sbin/makemap hash "$ACCESS" < "$AUTOACCESS"

-----------------------------------------------

--
Barry Byrne, IT Manager,
WBT Systems, Block 2, Harcourt Centre
Harcourt Street, Dublin 2, Ireland

> -----Original Message-----
> From: mimedefang-admin at lists.roaringpenguin.com
> [mailto:mimedefang-admin at lists.roaringpenguin.com]On Behalf Of Les
> Mikesell
> Sent: 11 October 2002 18:55
> To: mimedefang at lists.roaringpenguin.com
> Subject: RE: [Mimedefang] Failed looping spam
>
>
> > From: Tom Horan
> >
> > Yes, getting a list of valid smtp address from Exchange onto my sendmail
> > boxes wouldn't be a problem.
> >
> > So if spam=true, and user=notexist then drop, else relay.
>
> You can do this with the sendmail 'access' facility as well and
> reject them immediately.  I've used an 'outside/inside' pair
> of servers long before adding filtering and have had enough
> turnover in the company to get a lot of undeliverable mail
> that the outside relay accepts, then tries to return and of
> course all the spam is from unreachable addresses.  I reduced
> this a lot by periodically grepping the outside relay logs
> for the 'no such user' error generated by the inside server's
> rejection and turning these addresses into access rules like
> user at domain ERROR:550 user unknown
> and rebuilding the database.  You do have to pay attention
> when someone who has been removed comes back, though.
>
>   Les Mikesell
>     les at futuresource.com
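An added example, not part of either post: the same log-to-access-rule step with two checks in front of it, one that accepts only plain local@domain tokens (recipient strings in the log are chosen by the remote sender) and one that skips addresses that are valid again, which is the case Les warns about. The valid-user file, the host name inside.example.com and the log lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. The valid-user file and every
# log line below are constructed for illustration.

# Constructed sample of outside-relay log lines.
sample_log() {
cat <<'EOF'
Oct 14 09:00:01 relay sendmail[101]: g9E1: to=<Gone.User@Example.com>, delay=00:00:01, relay=inside.example.com. [192.0.2.10], dsn=5.1.1, stat=User unknown
Oct 14 09:00:02 relay sendmail[102]: g9E2: to=<back.again@example.com>, delay=00:00:01, relay=inside.example.com. [192.0.2.10], dsn=5.1.1, stat=User unknown
Oct 14 09:00:03 relay sendmail[103]: g9E3: to=<x y@example.com>, delay=00:00:01, relay=inside.example.com. [192.0.2.10], dsn=5.1.1, stat=User unknown
Oct 14 09:00:04 relay sendmail[104]: g9E4: to=<ok@example.com>, delay=00:00:01, relay=inside.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
EOF
}

# $1 = inside server name; stdin = maillog.
# Prints unique, lowercased recipients the inside server rejected as unknown.
extract_unknown() {
    grep -F 'stat=User unknown' \
        | grep -F "relay=$1" \
        | sed -n 's/.*: to=<\([^>]*\)>,.*/\1/p' \
        | tr '[:upper:]' '[:lower:]' \
        | sort -u
}

# $1 = file of currently valid addresses (hypothetical); stdin = candidates.
# Only plain local@domain tokens pass, so whitespace or odd characters cannot
# shift fields in the access map; addresses that exist again are skipped.
access_rules() {
    grep -E '^[a-z0-9._+-]+@[a-z0-9.-]+$' \
        | grep -v -x -F -f "$1" \
        | while read -r addr; do
              printf 'To:%s\tERROR:550 User Unknown\n' "$addr"
          done
}

# Run the whole pipeline over the constructed sample.
demo() {
    valid=$(mktemp)
    echo 'back.again@example.com' > "$valid"
    sample_log | extract_unknown inside.example.com | access_rules "$valid"
    rm -f "$valid"
}

demo
```

The output would be appended to the generated access file before running makemap, in place of the unfiltered loop.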