
Re: [cobalt-users] Blocking email



"Wayne Sagar" <shortfork@xxxxxxxxxxx> wrote:
> I probably wouldn't mind no email from china.. prolly couldn't read it
> anyway but now I'm confused... does it work or not?? I mean, if we remove
> the . and put in like kr for all of the korea mail, it sure would make it
> easier than what I have been doing, that being, putting in ip ranges into my
> chains rules like xx.xx.xx.xx/xx for port 25 and that keeps them out.

I guess I didn't explain it well.  These are two *entirely different* ways
of blocking email.  By entering the host/domain (in this case "kr") you are
blocking email whose From header ends in kr.  This email could be sent from
a machine in the US, Korea, or Neptune.  It doesn't matter where it
originates since the IP address isn't being looked at.  The other way is to
block an IP address or subnet.  Instead of looking at the From header, in
this case sendmail looks at the IP address of the box relaying the message.
In this case it doesn't matter what the From address is.  So though it would
be nice to conceptually be able to add "kr" and have it block all email from
addresses in the kr top-level domain *and* machines in Korea this is not how
it works.  Hope that's clear now.

> but
> what a long list!!

Yes.  Open relays are pretty extensive and spam is rampant.  The truth is
that you're but a small fish in a big sea.  Fortunately, there are a lot of
other fish like you and they have joined forces to create longer lists of
open relays which are constantly updated.  Instead of spending your time and
energy building your own list, a list which can never be as good as one
collaborated on by many fish, why not join forces with some other fish and
use their master list?  Take a look at http://www.ordb.org/ or one of the
many other open relay dbs like it.

> I also worry at what point that a set of ipchains rules
> gets so many entries into it that it would begin to slow the system due to
> having to check against all of the ranges..

Maybe IPCHAINS isn't the best solution.  After all, by and large, these IPs
are IPs of machines trying to send bulk email, not machines being used to
hack into servers.  So they're not a much greater security risk than your
average machine, at least from the traditional sense.  IMO, it's better to
use a sendmail-specific solution to block email from these machines.

> The only other thing that I worry about.. I've added things into the control
> panel mail ban list and then, I believe it actually sends back the mail with
> a "blocked do to possible spam"

Correct.

> which, because after doing this to about 25
> in a day, I see about 25 to 50 new ones, more than usual the next day. Is it
> possible this triggers their "valid email" thing, similar to what happens
> when someone clicks on the remove or responds with remove in the address???

It's possible.  I don't know how likely it is though.  Common sense says
that it doesn't make much sense to add an email address to a list of good
addresses if that address sent back an error code saying it rejects spam.
But I'm not a spammer so I can only guess how a spammer's mind works.

> Did I mention that I HATE spam??? The sandwiches are ok.. as long as you
> bury them in enough lettuce to hide the taste.. but the email version can go
> bury itself!!

There are several fairly high traffic email lists at http://www.spamcop.net/
which might interest you.  Several other sites/orgs have spam-related
mailing lists too.  Write me off-list if you want more info...best to do so
through the contact form on my site since non-list email to my list address
gets dumped to a folder I rarely peek into.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
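
The two independent checks described in the reply above (From-domain match versus relay-IP match), plus the reversed-octet lookup convention that open relay databases use, as an added Python example that is not part of the original post and is not sendmail's own code. The ban lists, the `dnsbl.example` zone, the stub resolver and the sample addresses are all constructed for illustration.

```python
import ipaddress
from email.utils import parseaddr

# Constructed policy for illustration; none of these values come from the thread.
BANNED_SUFFIXES = ["kr"]                                 # host/domain ban list
BANNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # IP/subnet ban list
DNSBL_ZONE = "dnsbl.example"                             # placeholder zone
FAKE_DNS = {"25.2.0.192.dnsbl.example": ["127.0.0.2"]}   # stub answers, no network

def fake_resolve(name):
    """Offline stand-in for an A-record lookup."""
    return FAKE_DNS.get(name, [])

def from_domain_banned(from_header):
    """Header-based check: looks only at the domain of the From address."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    return any(domain == s or domain.endswith("." + s) for s in BANNED_SUFFIXES)

def relay_ip_banned(relay_ip):
    """Connection-based check: looks only at the IP of the relaying host."""
    ip = ipaddress.ip_address(relay_ip)
    return any(ip in net for net in BANNED_NETS)

def dnsbl_query_name(relay_ip, zone=DNSBL_ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(relay_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(relay_ip, resolve=fake_resolve):
    """Listed if the query name resolves to an address in 127.0.0.0/8."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = resolve(dnsbl_query_name(relay_ip))
    return any(ipaddress.ip_address(a) in loopback for a in answers)

def reasons(from_header, relay_ip):
    """Return which of the independent checks would reject this message."""
    hits = []
    if from_domain_banned(from_header):
        hits.append("from-domain")
    if relay_ip_banned(relay_ip):
        hits.append("relay-ip")
    if dnsbl_listed(relay_ip):
        hits.append("dnsbl")
    return hits

if __name__ == "__main__":
    print(reasons("Kim <kim@mail.example.kr>", "198.51.100.7"))  # .kr From, unlisted relay
    print(reasons("bulk@example.com", "203.0.113.9"))            # other From, banned subnet
```
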