[Mimedefang] Am I overlooking something in my filter_relay method

John Rudd john at rudd.cc
Sun Jul 16 05:37:58 EDT 2006



On Jul 16, 2006, at 2:02 AM, ML Listuser wrote:

> Hello list, I'd gladly like your opinion on this.
>
> For some days I switched sendmail's loglevel to 15 and noticed that 99%
> of the spamflow is sent to me from smtp clients: PC's with names as
> 'pool,adsl,dynamic,..' or just an IP number. They send smtp but don't
> listen on the smtp port themselves.
> Well, I'm not a service provider and except for clients on my own
> internal network, I don't have business for smtp clients.
> So I created a filter_relay which, on a connect-request, tries to
> establish a telnet/smtp connection with the calling host and if it does
> _not_ succeed, rejects the connection with '554 <my mx> ESMTP not
> accepting messages'.

What I do is:

1) I put this in filter_sender instead of filter_relay, so that 
SMTP-AUTH can override it

2) instead of trying to make an SMTP connection back to the sender's 
host (in case they're a legitimate client workstation or something), I 
just take the IP address and hostname sendmail/mimedefang gave me, 
verify that
    a) the hostname is not just the IP addr in brackets, such as: [1.2.3.4]
    b) the hostname resolves to an IP address that matches the IP

If it fails either of those, then drop them for having bad DNS 
(basically enforcing section 2.1 of RFC 1912 which says make sure hosts 
have a matching A and PTR record).  If I get "no answer" for these DNS 
checks, then I tempfail in case it's a slow DNS response.  If I get a 
_wrong_ answer, then I reject the message.

3) if they had good DNS, then I take that hostname and match it against:
   a) cable|dsl|dynamic|ppp|dhcp|dial-?up  (and a few other terms)
   b) has 2 or more of its IP octets in its hostname (in forward or 
reverse order, in hex or in decimal, and with or without leading zeros 
and/or a single separating character)

If they match #3a or #3b, then I reject the message and tell them to 
use their own ISP's mail server.

#2 and #3 catch a TON of spam for me since I instituted this.  I even 
cut back my sendmail greet_pause from 30 seconds to 3, and it hasn't 
been a problem.


I also reject any message that has a SpamAssassin score higher than 10. 
I don't tell them the score, or that SpamAssassin was the mechanism I 
used.  I just say "this message really looks like spam" or something 
like that (don't recall the exact wording).
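The two checks John describes (#2, the RFC 1912 forward/reverse consistency test with tempfail on "no answer" and reject on a wrong answer; #3, the dynamic-hostname heuristics) written out as an added, runnable example. This is not John's filter or code from the MIMEDefang project; it is a Python sketch that returns the same `(action, message)` tuple shape a MIMEDefang `filter_sender` returns. The `authenticated` flag, the `resolve` callback, the `system_resolver` wrapper, the reply texts and the sample hostnames are all assumptions made here; the "few other terms" John alludes to are not known, so only the listed ones are matched.

```python
import re
import socket
from typing import Callable, List, Optional, Tuple

# Resolver callback: hostname -> list of A-record addresses, or None when DNS
# gave no answer (timeout / temporary failure). Injected so the logic can be
# exercised offline; the real filter would use the system resolver below.
Resolver = Callable[[str], Optional[List[str]]]


def system_resolver(hostname: str) -> Optional[List[str]]:
    """Forward-resolve with the OS resolver; any lookup error counts as 'no answer'
    (assumption: the post does not say how it tells NXDOMAIN from a timeout)."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return None


# Check 3a: the terms listed in the post (it also uses "a few other terms").
DYNAMIC_TERMS = re.compile(r"cable|dsl|dynamic|ppp|dhcp|dial-?up", re.IGNORECASE)
# Check 2a: hostname that is just the IP address in brackets, e.g. [1.2.3.4].
BRACKETED_IP = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")


def octet_forms(octet: int) -> List[str]:
    """Spellings of one IPv4 octet: decimal, zero-padded decimal, hex, zero-padded hex."""
    return sorted({str(octet), f"{octet:03d}", f"{octet:x}", f"{octet:02x}"})


def octets_in_hostname(ip: str, hostname: str, min_octets: int = 2) -> bool:
    """Check 3b: at least `min_octets` consecutive octets of `ip` occur in `hostname`,
    in forward or reverse order, decimal or hex, with or without leading zeros,
    joined by at most one separating character and not embedded in a longer token."""
    octets = [int(o) for o in ip.split(".")]
    host = hostname.lower()
    for order in (octets, octets[::-1]):
        for start in range(len(order) - min_octets + 1):
            window = order[start:start + min_octets]
            alts = ["(?:%s)" % "|".join(map(re.escape, octet_forms(o))) for o in window]
            # optional single separator between octets; no alphanumerics on either side
            pattern = r"(?<![0-9a-z])" + r"[^0-9a-z]?".join(alts) + r"(?![0-9a-z])"
            if re.search(pattern, host):
                return True
    return False


def dns_consistency(ip: str, hostname: str, resolve: Resolver = system_resolver) -> str:
    """Check 2: 'reject' for a bracketed IP or a forward lookup that does not
    contain the connecting IP, 'tempfail' when DNS gave no answer, else 'ok'."""
    if BRACKETED_IP.match(hostname):
        return "reject"
    answer = resolve(hostname)
    if answer is None:
        return "tempfail"
    return "ok" if ip in answer else "reject"


def sender_check(ip: str, hostname: str, authenticated: bool = False,
                 resolve: Resolver = system_resolver) -> Tuple[str, str]:
    """filter_sender-style verdict. `authenticated` stands in for an SMTP-AUTH
    session (assumption), which the post says overrides these checks."""
    if authenticated:
        return ("CONTINUE", "ok")
    dns = dns_consistency(ip, hostname, resolve)
    if dns == "tempfail":
        return ("TEMPFAIL", "451 DNS for your hostname did not answer, try again later")
    if dns == "reject":
        return ("REJECT", "554 Hostname and IP address do not match (RFC 1912 section 2.1)")
    if DYNAMIC_TERMS.search(hostname) or octets_in_hostname(ip, hostname):
        return ("REJECT", "554 Dynamic-looking host; please use your ISP's mail server")
    return ("CONTINUE", "ok")


if __name__ == "__main__":
    # Constructed sample: a documentation-range address and a fixed offline resolver.
    fixed = lambda h: ["203.0.113.45"]
    for name in ("[203.0.113.45]", "mail.example.net", "pc-045-113.example.net", "cable-out.example.net"):
        print(name, "->", sender_check("203.0.113.45", name, resolve=fixed))
```

`octets_in_hostname` only looks at consecutive octets (e.g. the third and fourth, or in reverse the fourth and third); the post does not say whether non-adjacent octets count, so that is a choice made here. The anchoring to non-alphanumeric boundaries is what keeps a hex form like `c` (12) from matching inside an ordinary word.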
