
How to block a LOT of spam (Was: RE: [cobalt-users] excessive spam)



Okay, I have some time on my hands now, let me add a few solutions for spam which seem to work fairly well on my side..

sendmail.cf entries: (BACK IT UP BEFORE TRYING ALL THIS)

#####
# Blocking Email Marketing spammer
#####
HSubject:       $>Check_Subject
D{MPat}Email Marketing
D{MMsg}This message is SPAM, it is blocked from this host.
SCheck_Subject
R${MPat} $*     $#error $: 553 ${MMsg}
RRe: ${MPat} $* $#error $: 553 ${MMsg}
RFwd: ${MPat} $*        $#error $: 553 ${MMsg}



Add this somewhere at the end of sendmail.cf, it'll block any Subject starting with: Email Marketing
You can add some spamblocks already this way which occur often with a specific subject start, just add it as many times as you feel suitable, this is a nice first block..
Mind though, that above needs to be inserted with tabs on certain locations.., the format above is like this:

#####
# Blocking Email Marketing spammer
#####
HSubject:<TAB>$>Check_Subject
D{MPat}Email Marketing
D{MMsg}This message is SPAM, it is blocked from this host.
SCheck_Subject
R${MPat} $*<TAB>$#error $: 553 ${MMsg}
RRe: ${MPat} $*<TAB>$#error $: 553 ${MMsg}
RFwd: ${MPat} $*<TAB>$#error $: 553 ${MMsg}




Second, as I wrote earlier to this list, I've also got a massive access block list.., run this script nightly when times are quiet in /etc/mail

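#!/bin/bash
# Dynamic spam access block retrieval

# Work in the directory that holds the access map
cd /etc/mail || exit 1

# Retrieving the up-to-date spamlist; stop if the download fails,
# so access.db is not rebuilt without the list
wget -q -O spamlist.txt http://basic.wirehub.nl/spamlist.txt || exit 1

# Building the access file
cat access > access.new
cat spamlist.txt >> access.new
makemap hash access.db < access.new

# Cleaning up
rm -f spamlist.txt
rm -f access.new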



Third, some online spamblocking techniques from sendmail.cf:

# DNS based IP address spam list relays.ordb.org
R$*                     $: $&{client_addr}
R$-.$-.$-.$-            $: <?> $(dnsbl $4.$3.$2.$1.relays.ordb.org. $: OK $)
R<?>OK                  $: OKSOFAR
R<?>$+<TMP>             $: TMPOK
R<?>$+                  $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by blackhole site relays.ordb.org"

# DNS based IP address spam list sbl.spamhaus.org
R$*                     $: $&{client_addr}
R$-.$-.$-.$-            $: <?> $(dnsbl $4.$3.$2.$1.sbl.spamhaus.org. $: OK $)
R<?>OK                  $: OKSOFAR
R<?>$+<TMP>             $: TMPOK
R<?>$+                  $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by spamhaus site sbl.spamhaus.org"

# DNS based IP address spam list spews
R$*                     $: $&{client_addr}
R$-.$-.$-.$-            $: <?> $(dnsbl $4.$3.$2.$1.spews.relays.osirusoft.com. $: OK $)
R<?>OK                  $: OKSOFAR
R<?>$+<TMP>             $: TMPOK
R<?>$+                  $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by spews site spews.relays.osirusoft.com"

The format for these is:
# DNS based IP address spam list spews
R$*<TAB><TAB><TAB>$: $&{client_addr}
R$-.$-.$-.$-<TAB><TAB>$: <?> $(dnsbl $4.$3.$2.$1.spews.relays.osirusoft.com. $: OK $)
R<?>OK<TAB><TAB><TAB>$: OKSOFAR
R<?>$+<TMP><TAB><TAB>$: TMPOK
R<?>$+<TAB><TAB><TAB>$#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused by spews site spews.relays.osirusoft.com"

The tabs are a bit tricky, though critical to do right (sendmail's .cf is a bitch to modify manually at some parts)





Then last (but certainly not least) I have for local users a Razor based checklist.., this is an application which will make an md5 checksum out of each mail that gets delivered locally, and check that sum to an online known database of spam message bodies, if it matches, it'll dump it in a separate mailbox..

http://razor.sourceforge.net/

Read and install the package on that site.., then add the following in /etc/procmailrc

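# Pipe a copy of each message to razor-check and wait for its exit code
:0 Wc
| razor-check
# If razor-check reported a match, deliver the message to the spam mailbox
:0 Wa
/var/spool/mail/caughtspam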

It'll dump all caught spam in /var/spool/mail/caughtspam

Downside to this one is that it will only work for local mailboxes, not for off-site aliases..


These are manual additions, you can also install Mailscanner, which has a lot of these functions built in and are easier to set up in that.., though in my experience Mailscanner is a decent resource hogger..., so if you do a lot of mail and are already quite loaded on the system, add these separately..



I also have a virusscanner (amavis) running, which runs as a wrapper around sendmail, it'll scan every incoming and outgoing mail for viruses.., though once again this hogs some resources with a lot of mail.., if there's interest on the list for this, I can write up a quick manual on how to implement this into sendmail..., the site is www.amavis.org, take note though that this is just the wrapper connecting sendmail and the virusscanner together, you'll need a separate linux based virusscanner with license for it (personally I use uvscan from www.nai.com)

Let me know if you'd like a quick setup for this, I'm going home right now, and it's a bit tricky to get to work.., and I'm not very fond of making a howto if there's no interest for it anyways ;-)


This isn't specifically cobalt related, I've been running these methods for 2 years on my Redhat 7.2 box at home with a LOT of success, in my experience all this manages to catch 95% of all spam, and 99,9% of all viruses..


At 09:37 AM 7/16/2003 -0400, you wrote:
> Thanks for the info. This time it ran with no errors. There
> was a duplicate in the GUI list as you said. Unfortunately,
> it didn't stop the spam or even slow it down a little. This
> morning, I have 400 spam messages in my 5 addresses (from
> 11:00pm last night until 8:00am this morning). I know this is
> a fact of life these days, but we seem to get too much spam.
> I removed the @www.domain.com from all accounts and it slowed
> it down a lot.
>

Unfortunately, having a catchall is another thing stolen by spammers. I
don't use many of the standard addresses such as webmaster, info, sales,
etc. on my Cobalt. I haven't looked into the configuration of Sendmail
on the Cobalt so that it doesn't confirm addresses either. None of my
form to mail pages have the email address in the HTML as spammers
harvest those as well.

--
C2003 Dan Kriwitsky

Please reply to the list only. Off list replies are not read.
 




Kind regards,

Jeroen Wunnink,
EasyHosting B.V. System Administrator
systeembeheer@xxxxxxxxxxxxxx

phone: +31 (035) 6285455                Postbus 1332
fax: +31 (035) 6838242                  1200 BH Hilversum

http://www.easyhosting.nl
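
Added example (not part of the original post): the nightly script in the message appends a downloaded file straight into the access map, where an action such as RELAY or OK would loosen the server instead of blocking mail. The sketch below keeps only blocking entries and lets local entries win; it assumes spamlist.txt uses access-map syntax (key, whitespace, action), and the function name and sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the downloaded list
# uses sendmail access-map syntax: key, whitespace, action.

# filter_spamlist LOCAL_ACCESS DOWNLOADED_LIST   (hypothetical helper)
# Prints the downloaded entries that are safe to append to the access file.
filter_spamlist() {
    awk -v localfile="$1" '
        BEGIN {
            # Remember keys already decided locally (sendmail folds case).
            while ((getline line < localfile) > 0) {
                n = split(line, f)
                if (n == 0 || f[1] ~ /^#/) continue
                mine[tolower(f[1])] = 1
            }
            close(localfile)
        }
        NF < 2 || $1 ~ /^#/ { next }             # blank, comment, no action
        $1 !~ /^[A-Za-z0-9@._:+-]+$/ { next }    # unexpected characters in key
        { key = tolower($1) }
        key in mine { next }                     # a local entry always wins
        key in seen { next }                     # first remote entry wins
        # Keep blocking actions only; OK, RELAY, SKIP and the like are dropped.
        $2 ~ /^(REJECT|DISCARD|ERROR:.*|5[0-9][0-9])$/ { seen[key] = 1; print }
    ' "$2"
}

# Constructed sample data (not the real list), so the example runs offline.
tmp=$(mktemp -d)
printf '%s\n' '# local decisions' 'partner.example OK' > "$tmp/access"
printf '%s\n' \
    '# constructed remote list' \
    'spam.example REJECT' \
    'bulk.example 550 Bulk mail refused' \
    'evil.example RELAY' \
    'partner.example REJECT' \
    'SPAM.example DISCARD' \
    'noaction.example' > "$tmp/spamlist.txt"

# Only spam.example and bulk.example survive the filter.
filter_spamlist "$tmp/access" "$tmp/spamlist.txt"
rm -rf "$tmp"
```

In the nightly script this would take the place of `cat spamlist.txt >> access.new`, as `filter_spamlist access spamlist.txt >> access.new`.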