[Mimedefang] rejecting on helo,drive-by-relay,forged_sender,

Lucas Albers admin at cs.montana.edu
Tue Jan 13 02:46:15 EST 2004


I've been playing around with rejecting on helo/name/ip matching.

If the domain of the HELO and $hostname don't match and the machine is just an IP
address, reject the email.
A further refinement would be to check the MX servers for the listed $helo
domain and if the IP address matches the MX record for the machine, then
accept it, even if it fails the previous test.

I remember someone posting MX code, to verify mail from a domain came from
the MX servers for the domain, but can't find it on the archive.
Could someone post a link on this, again?

Anecdotally, after implementing this for 2 weeks I've seen my detected
virus volume drop by 60%.

Caveats:
A number of sites give just localhost names, even big-name sites.

A number of sites send mail through a completely different domain than
what their HELO command says.

I've rejected around 1800 mail messages with this rule with 3
false positives.
2 of the FPs would have matched on outgoing MX servers for the listed domain.

Not good enough for major mail load sites.
The nice thing is it rejects before the DATA stage, which cuts your
mail load.
So to use this rule on production sites you could do thus:
greylist for 1 hour, or add to spam score.
I'm a big believer in variable-greylist levels based on your level of
false positives.
The nice thing about greylisting is that it significantly reduces your
load without causing ANY problems (my users have not complained).

I'm currently slowly working on improving my greylisting code; my next
improvement is to implement throttle code for virus sites.
This really only helps high load sites, as your virus scanner will catch
the virus anyway.
For machines that send a virus, greylist the <sender><recipient><ip> pair
for 1 hour.
This assumes that no viruses will come through a mailing list or similar.
What benefit does this give you, exactly?
Lower mail load, is about it.
If you get a single site just spewing out viruses, you cut it back to at
most 1 virus every hour.
It might be better to match on <ip><recipient> as viruses usually send to
the same recipient. This would remove problems with mailing lists?

You could also use a higher greylist reject time for sites that send you
spam over a certain threshold.
If a site sends over SA score 9.0 then reset the greylist to 2 minutes for
that relay.

If a site sends spam tagged as probable, then re-enable greylist for 10 more
minutes. (So mail marked as probable_spam is rejected for 10 minutes
instead of the default of 2 minutes. So you are greylist rejecting after
content analysis.)

I'm also trying to determine the logic for rejecting drive-by-relays.

With greylisting code enabled a sender will reattempt delivery of the same
message using upwards of 15 different relays in less than 5-10 seconds.

The general condition for blocking this would be (assuming greylist code):
If a recipient receives mail from 1 never-before-seen relay in a 15 second
timespan, then tempfail all mail to that recipient for 5 seconds.
Set the maximum delay time to the normal greylist time of (for me) 3 minutes.
You will also see, if mail is sent through multiple relays in under a 15
second timescale with the same HELO command, you are being
drive-by-relayed.
I am still thinking through my logic.
I have not implemented anything until I think it through.
If you analyze your logs you will see the same behavior on your mail server.
If you can figure a better set of rules/logic, I'd be interested...

In related news, I started using sial.org sender checking code.
http://sial.org/howto/mimedefang/check-sender/
Is there any reason you could not use this to check and see if a sender
exists on your system?
You have to add an entry to have it check your domain, by default it will
not.
I have enabled checks against my domain, and it appears to be working...
GREAT!

Is it just me or has your spam volume also gone up significantly in the
past 2 months?
-- 
Luke, Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
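The HELO/reverse-DNS/MX rule described at the top of the post, with its suggested production-safe action (greylist rather than reject), as an added Python example that is not from the post or from MIMEDefang itself (whose filters are Perl). The MX and A lookups are injected callables backed by constructed data so it runs offline; `helo_verdict`, `greylist_seconds` and the `FAKE_*` tables are assumed names.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed DNS data standing in for real MX and A lookups (assumed
# names; a production filter would query DNS, e.g. Net::DNS in Perl).
FAKE_MX: Dict[str, List[str]] = {"example.net": ["mx1.example.net"]}
FAKE_A: Dict[str, List[str]] = {"mx1.example.net": ["192.0.2.10"]}

def mx_lookup(domain: str) -> List[str]:
    return FAKE_MX.get(domain, [])

def a_lookup(host: str) -> List[str]:
    return FAKE_A.get(host, [])

def is_ip_literal(name: str) -> bool:
    """True when a 'hostname' is really an address, i.e. the client has no
    reverse DNS (sendmail passes it as [a.b.c.d])."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False

def registrable(name: str) -> str:
    """Crude 'domain of a hostname': its last two labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def helo_verdict(helo: str, hostname: str, client_ip: str,
                 mx: Callable[[str], List[str]],
                 a: Callable[[str], List[str]]) -> str:
    """Apply the post's rule: a client with no reverse DNS whose HELO does not
    match is 'suspect', unless its IP is one of the HELO domain's MX hosts
    ('mx-exempt'). Anything else is 'accept'."""
    if not is_ip_literal(hostname):
        return "accept"        # client has reverse DNS: the rule does not apply
    if is_ip_literal(helo):
        # An address-literal HELO matches only if it names the client itself.
        return "accept" if helo.strip("[]") == client_ip else "suspect"
    for mx_host in mx(registrable(helo)):
        if client_ip in a(mx_host):
            return "mx-exempt"  # refinement: mail really came via the domain's MX
    return "suspect"

def greylist_seconds(verdict: str) -> int:
    """Action suggested in the post for production sites: greylist suspects
    for an hour instead of rejecting; everything else passes straight through."""
    return 3600 if verdict == "suspect" else 0
```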
