[Mimedefang] The nerve of these people...

Chad Stalvey cstalvey at hcsmail.com
Thu Jan 16 17:02:01 EST 2003


My fix for this, which has been working quite well, was to edit the actual
sendmail code (not trying to get off topic here...).

I use BadRcptThrottle set to two, and changed the last line of the code
below ( (void) sleep(1); ) to goto doquit;

So now it hangs up the connection after the third bad RCPT. Works well. The
result is that it slows down the spammer's software drastically, in the hope that
he/she decides that I'm not worth wasting the time on anymore.

The only drawback (not to me, however) is that you have to recompile sendmail.

The file to edit is sendmail-x.x.x/sendmail/srvrsmtp.c
Line: 2142   -   replace (void) sleep(1); with  goto doquit;

snip
        sm_syslog(LOG_INFO, e->e_id,
                  "%.100s: Possible SMTPRCPT flood, throttling.",
                  CurSmtpClient);

        /* To avoid duplicated message */
        n_badrcpts++;
    }

    /*
    **  Don't use exponential backoff for now.
    **  Some servers will open more connections
    **  and actually overload the receiver even
    **  more.
    */

    (void) sleep(1);
/snip

-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com]On Behalf Of Fox,
Randy
Sent: Thursday, January 16, 2003 4:50 PM
To: mimedefang at lists.roaringpenguin.com
Subject: RE: [Mimedefang] The nerve of these people...


> From: Chad Stalvey [mailto:cstalvey at hcsmail.com]
>
> Is there any way to stop people that try this sort of thing?
>
>
> 1) Jan  7 14:40:38 mail sendmail[2590]: h07JeWdL002590:
> from=<akara31 at excite.com>, size=0, class=0, nrcpts=0, proto=ESMTP,
> daemon=MTA, relay=200-207-76-198.terra.com.br [200.207.76.198] (may be
> forged)
>
I've just implemented a filter_sender that would work for cases like this.
However, it's a reactionary filter, not a proactive filter.  You can only
put it into place after you are under attack.  The filter looks like this:

sub filter_sender {
    my($sender, $hostip, $hostname, $helo) = @_;
    # Reject the one sender pattern seen in the attack (dot escaped so it
    # matches only a literal "yahoo.com").
    if ($sender =~ /ert\d+try\@yahoo\.com/) {
        return(0, "Mail from $sender not permitted");
    }
    return (1, "OK");
}

Trying to get proactive seems to present interesting challenges.  There was
a filter posted in early November that looked like this:

sub filter_sender {
    my($sender, $hostip, $hostname, $helo) = @_;
    my($i1, $i2);

    # Regularize sender to lower-case, no <> signs
    $sender = lc($sender);
    $sender =~ tr/<>//d;
    foreach my $domain (qw(aol.com hotmail.com earthlink.net yahoo.com)) {
        $i1 = rindex($sender, $domain);
        $i2 = rindex($hostname, $domain);
        # Sender claims to be from $domain ...
        if ($i1 >= 0 and $i1 == length($sender) - length($domain)) {
            # ... but the relay's hostname does not end in $domain
            if (length($hostname) < length($domain) or
                $i2 != length($hostname) - length($domain)) {
                return(0, "Mail from $domain not permitted from relay $hostip");
            }
        }
    }
    return (1, "OK");
}

excite.com won't work with this filter because it appears that all their
mail comes through a domain called excitenetwork.com.  The logic could be
re-worked to drop the top-level domain (.com, .net, .kr, etc.) and only look
for aol, hotmail, excite, etc., but would this be acceptable?  How much do
folks think it would be vulnerable to false positives?

Randy

_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
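Below is an added example of the proactive sender/relay check discussed above, written in Perl as a mimedefang-filter fragment. It is not code from this thread or from MIMEDefang itself. It keeps the (0/1, message) return convention of the filters Randy posted. The %allowed_relays table is an assumption for the example: each freemail sender domain maps to the relay hostname suffixes accepted for it, which is one way to cover the excite.com / excitenetwork.com case without dropping the top-level domain from the comparison. Unlike the rindex() comparison in the posted filter, host_under() matches a suffix only on a label boundary, so a relay named evilyahoo.com is not accepted for yahoo.com senders. The first self-test case uses the relay from Chad's log line; the other cases are constructed (192.0.2.x addresses).

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from MIMEDefang itself.
use strict;
use warnings;

# Assumption for the example: relay hostname suffixes each freemail sender
# domain may legitimately come through.  The excitenetwork.com entry follows
# Randy's observation; the rest are constructed.
my %allowed_relays = (
    'aol.com'       => ['aol.com'],
    'hotmail.com'   => ['hotmail.com'],
    'earthlink.net' => ['earthlink.net'],
    'yahoo.com'     => ['yahoo.com'],
    'excite.com'    => ['excite.com', 'excitenetwork.com'],
);

# True when $host is $suffix itself or a host inside it.  Anchoring on a
# label boundary is what keeps "evilyahoo.com" from passing as "yahoo.com".
sub host_under {
    my ($host, $suffix) = @_;
    return 0 unless defined $host && length $host;
    my ($h, $s) = (lc $host, lc $suffix);
    return $h =~ /(?:\A|\.)\Q$s\E\z/ ? 1 : 0;
}

# Pull the bare domain out of "<user@domain>" or "user@domain".
sub sender_domain {
    my ($sender) = @_;
    $sender = lc $sender;
    $sender =~ tr/<>//d;
    return $sender =~ /\@([^\@\s]+)\z/ ? $1 : undef;
}

# Same calling convention and (0/1, message) return as the filters above.
sub filter_sender {
    my ($sender, $hostip, $hostname, $helo) = @_;
    my $domain = sender_domain($sender);

    # Senders outside the table (and the empty bounce sender <>) are left
    # to other checks.
    return (1, "OK") unless defined $domain && exists $allowed_relays{$domain};

    # A relay whose hostname matches none of the allowed suffixes (including
    # one with no usable reverse name) is rejected for these domains.
    for my $suffix (@{ $allowed_relays{$domain} }) {
        return (1, "OK") if host_under($hostname, $suffix);
    }
    return (0, "Mail from $domain not permitted from relay $hostip");
}

# Self-test when run directly.  First case: the relay from Chad's log line
# in this thread; the others are constructed.
unless (caller) {
    my @cases = (
        # sender, relay IP, relay hostname, expected verdict (1 = accept)
        ['<akara31@excite.com>', '200.207.76.198', '200-207-76-198.terra.com.br', 0],
        ['<user@excite.com>',    '192.0.2.10',     'mx1.excitenetwork.com',       1],
        ['<user@yahoo.com>',     '192.0.2.11',     'mta.yahoo.com',               1],
        ['<user@yahoo.com>',     '192.0.2.12',     'evilyahoo.com',               0],
        ['<user@yahoo.com>',     '192.0.2.13',     'yahoo.com.example.net',       0],
        ['<user@myyahoo.com>',   '192.0.2.14',     'whatever.example.net',        1],
        ['<>',                   '192.0.2.15',     'bounce.example.net',          1],
    );
    for my $c (@cases) {
        my ($verdict, $msg) = filter_sender(@{$c}[0 .. 2], 'helo.example');
        die "FAIL $c->[0] via $c->[2]: $msg\n" unless $verdict == $c->[3];
        printf "%s  %-22s via %-28s %s\n",
            ($verdict ? 'ok    ' : 'reject'), $c->[0], $c->[2], $msg;
    }
    print "all cases behaved as expected\n";
}

1;
```

Run the file directly to exercise the self-test; dropped into mimedefang-filter, only filter_sender and its two helpers (plus the table) are needed. The table is the part that decides the false-positive rate Randy asks about: every legitimate relay suffix a provider uses has to be listed, and a provider that adds outbound hosts under a new name will be rejected until the table is updated.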
