[Mimedefang] Modify SA score if to many unknown users

John Scully jscully at isupportisp.com
Tue Sep 23 10:34:00 EDT 2003


I could not find a way in filter_recipient to check how many of the
recipient addresses have been denied, so I wrote my own code to do so by
writing to a temp file in the working directory of the message:
#***********************************************************************
#  write bad recipient so we can track total
#  we will check return total, and if there are more than 5 bad recipients
#  we junk message silently
#  return number of bad recipients so far
#***********************************************************************
sub write_bad_recipient {
    my($recipient_addr) = @_;
    # if there is not already a BAD_RECIPIENTS file, create it.
    # if there is, then count entries and append to it
    if (!open(BAD_RCPT2, "<BAD_RECIPIENTS")) {
      # first bad recipient for this message
      open (BAD_RCPT2, ">>BAD_RECIPIENTS") or return(1);
      print BAD_RCPT2 "$recipient_addr\n";
      close (BAD_RCPT2);
      return(1);
    } else {
      # count the entries written by earlier calls
      my($bad_addr_count) = 0;
      while (<BAD_RCPT2>) {
        $bad_addr_count++;
      } # close while
      close (BAD_RCPT2);
      if (open(BAD_RCPT2, ">>BAD_RECIPIENTS")) {
        print BAD_RCPT2 "$recipient_addr\n";
        close (BAD_RCPT2);
      }
      # count of entries already in the file, not including this one
      return($bad_addr_count);
    }
}

This is called from filter_recipient if it found that that recipient did
not exist.  If it returns 5 or more (there have been 5 bad recipients so
far) discard silently.  Here is a code snippet (we use a MySQL based
mail system, so I am checking in an SQL DB for the user address):

# placeholder keeps the recipient address out of the SQL text
$query = "select UserStatus from Users where Users.Account=?";
$dbq2 = $db2->prepare($query) ;
$numrows = $dbq2->execute($recipient_addr) ;
if (!defined($numrows)) {  # query failed - do not count it as a bad user
  return('TEMPFAIL', "Error: Temporary lookup failure");
}
if ($numrows < 1 ) {  # no such user - how many so far?
  my($no_user_count) = write_bad_recipient($recipient_addr);
  if ($no_user_count >= 5) { #dump the whole message
       return('DISCARD', "Error: Too many bad recipients ($no_user_count)");
  }
  # less than 5 so far, so just reject this recipient
  return ('REJECT', "Error: No such user");
}

Code after this point checks to see if the account is inactive or over
quota and responds accordingly, but those responses are not counted
against the bad_rcpt total.

An important note is that I took some advice from someone else on this
list and added a ram disk by adding this to my FSTAB:

none  /var/spool/MIMEDefang   tmpfs   uid=defang,gid=defang,mode=700 0 0

This makes a HUGE difference in performance of spamassassin, clamav and
doing things like writing and checking temp files.

Several other interesting points - I had already turned on
BadRcptThrottle, set to 5 in sendmail.
define(`confBAD_RCPT_THROTTLE',`5')dnl in your sendmail.mc or
O BadRcptThrottle=5 if you edit your sendmail.cf directly.
This tells sendmail that after 5 bad recipients delay one second before
processing each following recipient.  This way a message with 100
recipients takes a few millisecs for the first 5, but then delays the
spammer for 95 seconds for the rest.  Of course, each of those following
recipients called mimedefang filter-recipient, causing a DB lookup etc.

Well...when I started discarding the messages after the fifth bad rcpt I
noticed that sendmail keeps accepting additional ones, with the delay
(and even responds recipient OK)...but then junks the message silently at
the end.  The reason for this is that sendmail can not interrupt the
rcpt flow from the sender.

The net effect is that it throttles the spammer way down, while
minimizing load.  We are running 250 ISPs with more than 400 email
domains, so at times those damn dictionary attacks really get out of
hand.  I have seen 4,000 "no such user" responses PER MINUTE at peak.
That is not 4,000 messages - more like 160 with 25 recipients each.  I
would rather tie up a little resources with a sendmail thread slowly
accepting recipients than have a new message start.

John Scully

 - I hate Windows with the burning heat of a thousand suns (but let me
tell you how I really feel).

-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com] On Behalf Of Dave
Ellenberger
Sent: Tuesday, September 23, 2003 5:36 AM
To: mimedefang at lists.roaringpenguin.com
Subject: RE: [Mimedefang] Modify SA score if to many unknown users

Hi John,

That's an idea. Do you want to share your code with us?

-Dave

On Mon, 22 Sep 2003 14:43:18 -0400, John Scully wrote
> I went one step further - if there are more than 5 bad recipients on
> one message I silently discard it.  After reviewing several hundred such
> messages I found that 100% were both spam and part of a dictionary
> attack.
> 
> John

_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
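
The per-message bad-recipient counter described in the message above, as an added stand-alone Perl example (not code from the post or from MIMEDefang). It appends and counts through one file handle, discards once more than 5 recipients are bad, and shows why the counts must be compared with numeric rather than string operators. The %USERS hash, the sub names and the recipient list are constructed for illustration, and a temporary directory stands in for the message's working directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

my $THRESHOLD = 5;   # limit from the post
# Constructed stand-in for the Users table lookup.
my %USERS = map { $_ => 1 } qw(alice@example.com bob@example.com);

# Append one address to the per-message file, then count every line in it.
# Returns the total number of bad recipients, this one included.
sub note_bad_recipient {
    my ($workdir, $addr) = @_;
    open(my $fh, '+>>', "$workdir/BAD_RECIPIENTS") or die "open: $!";
    print {$fh} "$addr\n";
    seek($fh, 0, 0) or die "seek: $!";
    my $count = 0;
    $count++ while <$fh>;
    close($fh);
    return $count;
}

# Decision for one RCPT TO: discard once more than $THRESHOLD are bad.
sub decide {
    my ($workdir, $addr) = @_;
    return ('CONTINUE', 'ok') if $USERS{lc $addr};
    my $bad = note_bad_recipient($workdir, $addr);
    return ('DISCARD', "Too many bad recipients ($bad)") if $bad > $THRESHOLD;
    return ('REJECT', 'No such user');
}

# Constructed recipient list for one message: one real user, seven guesses.
my @rcpts = ('alice@example.com', map { "guess$_\@example.com" } 1 .. 7);
my $workdir = tempdir(CLEANUP => 1);   # stands in for the message working dir
for my $rcpt (@rcpts) {
    my ($action, $msg) = decide($workdir, $rcpt);
    printf "%-20s %-8s %s\n", $rcpt, $action, $msg;
}

# String operators (gt, ge, lt) order "10" before "5"; numeric ones do not.
for my $n (6, 9, 10, 25) {
    printf "count=%-2d gt:%-3s >:%s\n", $n,
        ($n gt $THRESHOLD ? 'yes' : 'no'), ($n > $THRESHOLD ? 'yes' : 'no');
}
```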



