[Mimedefang] New spammer trick?

Kelson Vibber kelson at speed.net
Tue Nov 25 18:02:03 EST 2003

At 12:44 PM 11/25/2003, David F. Skoll wrote:
>I only check for the specific case of a machine I know I don't own claiming
>to be a roaringpenguin.com machine.

This should work well for businesses or other local installations where you 
know where all the clients are.  But for an ISP's public mail server, you 
may need to make the rule even *more* specific.

We tried something similar, with an added check against a list of local 
relays.  We found out during testing that some mail clients - notably 
Eudora - construct a HELO based on the local hostname and the domain name 
of the SMTP server.  Since we have customers on shared dynamic IP ranges, 
we couldn't make exceptions for all the possible places someone might be 
connecting from with Eudora.

What we *have* been doing is checking for the names and IP addresses of our 
mail servers, compared against the actual IP address of the sender.  Even 
with this limited check, we still catch about 1000 messages a day just with 
this rule.

Mark suggested exempting hosts that appear in the DRAC database or that use 
smtp-auth.  Are the relevant sendmail macros available in filter_relay, or 
would I have to move this to filter_begin?

Kelson Vibber
SpeedGate Communications <www.speed.net> 
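
The narrower check described in this message, as an added example that is not code from the post or from the MIMEDefang project: the HELO is compared only against the exact names and IP addresses of the mail servers, so a client-built HELO such as `laptop.example.net` is not flagged. The server names, addresses and helper function names are constructed for illustration, and placing the call in `filter_sender` (a MIMEDefang hook that receives the HELO string) is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: names and addresses of "our" mail servers
# (documentation-only values, not taken from the post).
my %OUR_NAMES = map { $_ => 1 } qw(mail.example.net mx1.example.net);
my %OUR_IPS   = map { $_ => 1 } qw(192.0.2.10 192.0.2.11);

# Normalise a HELO argument: lower-case, trim whitespace, strip the
# brackets of an address literal ("[192.0.2.10]") and any trailing dot.
sub normalise_helo {
    my ($helo) = @_;
    $helo = lc($helo // '');
    $helo =~ s/^\s+|\s+$//g;
    $helo =~ s/^\[(.*)\]$/$1/;
    $helo =~ s/\.$//;
    return $helo;
}

# True when the client claims to be one of our mail servers (by exact
# name or by IP) but is not connecting from one of their addresses.
sub forged_local_helo {
    my ($relay_ip, $helo) = @_;
    my $claim = normalise_helo($helo);
    return 0 unless $OUR_NAMES{$claim} || $OUR_IPS{$claim};
    return $OUR_IPS{$relay_ip} ? 0 : 1;
}

# Hook shape: arguments are sender, connecting IP, resolved name, HELO.
sub filter_sender {
    my ($sender, $hostip, $hostname, $helo) = @_;
    return ('REJECT', 'Forged HELO') if forged_local_helo($hostip, $helo);
    return ('CONTINUE', 'ok');
}

# Constructed test connections: [connecting IP, HELO string].
for my $c (['192.0.2.10',  'mail.example.net'],    # real server
           ['203.0.113.7', 'MAIL.example.net.'],   # forged name
           ['203.0.113.7', '[192.0.2.11]'],        # forged address literal
           ['203.0.113.7', 'laptop.example.net']) { # client-built HELO
    my ($action) = filter_sender('<a@example.org>', $c->[0], 'unknown', $c->[1]);
    printf "%-12s %-22s %s\n", $c->[0], $c->[1], $action;
}
```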

