OT: third party relay attack

Pierre Abbat phma at leaf.dragonflybsd.org
Thu Jan 23 18:55:05 PST 2020


On Friday, 10 January 2020 15.22.37 EST Matthew Dillon wrote:
> I last looked at it a few years ago but there were numerous DNS based
> services that you could use to test IP addresses and domains.  But they
> never worked well... they tended to block a lot of legitimate mail along
> with the spam, and tended to always be out of date.

I use several blacklists, some of which automatically delist an address after 
spam stops. I also set the reject code to 421 or 451, which tells the sender 
to retry until it gives up, instead of 5xx, which would tell it to give up 
immediately. That way, if a server is temporarily blocked, the spam run ends, 
and the server is delisted, legitimate mail gets through. I've seen it happen.

Here's my current list of blacklists:

        reject_rbl_client dnsbl-1.uceprotect.net
        reject_rbl_client dnsbl-3.uceprotect.net
        reject_rbl_client psbl.surriel.com
        reject_rbl_client recent.spam.dnsbl.sorbs.net
        reject_rbl_client ix.dnsbl.manitu.net
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client ubl.unsubscore.com
        reject_rbl_client spamsources.fabel.dk
        reject_rbl_client dev.null.dk
        reject_rbl_client dnsrbl.org
        reject_rbl_client truncate.gbudb.net
        reject_rbl_client rbl.interserver.net
        reject_rbl_client bl.nosolicitado.org
        reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2

I also greylist. That way, if a spammer sends me an email, my server tells him 
to try again. Fairly often, by the time he tries again, his IP address has 
been added to a blacklist.

The Turkish spammer buys a netblock and a bunch of domains (all of the form 
<word><word>.<tld>, e.g. enemyfree.co) and sends spam from each IP address and 
domain in turn. When he starts spamming from a new netblock, a few spams get 
through, until the entire netblock is included in a blacklist. Considering his 
tactics, I think a cluster of a few spams let through every few weeks is an 
acceptable error rate.

As to the relay attack, it's someone trying to use my server as third party 
relay, not trying to send me spam through someone else's relay.

Pierre
-- 
When a barnacle settles down, its brain disintegrates.
It doesn't understand anything anymore, it doesn't understand anything anymore.
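As an added illustration of what the reject_rbl_client lines and the 421/451-versus-5xx choice in the post above actually do (example code, not from the post or from Postfix), the following Python reproduces the DNSBL lookup: reverse the IPv4 octets, append the zone, and honour the `=127.0.0.2` return-code filter before choosing a temporary or permanent SMTP reply. The zone subset, the offline resolver table and the reply texts are constructed for the example; a real deployment resolves via DNS.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# DNSBL zones as (zone, required_code). required_code=None means any
# 127.0.0.0/8 answer counts as listed; "127.0.0.2" mirrors the Postfix
# "hostkarma.junkemailfilter.com=127.0.0.2" syntax (only that answer counts).
RBL_ZONES: List[Tuple[str, Optional[str]]] = [
    ("dnsbl-1.uceprotect.net", None),
    ("psbl.surriel.com", None),
    ("hostkarma.junkemailfilter.com", "127.0.0.2"),
]

# Constructed, offline stand-in for DNS: query name -> A records.
# Swap in a real resolver (e.g. dnspython) for live lookups.
FAKE_DNS: Dict[str, List[str]] = {
    "7.113.0.203.psbl.surriel.com": ["127.0.0.2"],
    # hostkarma answers 127.0.0.1 for "whitelisted"; not a hit under =127.0.0.2
    "9.113.0.203.hostkarma.junkemailfilter.com": ["127.0.0.1"],
}

def fake_resolve(qname: str) -> List[str]:
    return FAKE_DNS.get(qname, [])

def rbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 7.113.0.203.psbl.surriel.com."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rbl_listed(ip: str, zone: str, required_code: Optional[str],
               resolve: Callable[[str], List[str]]) -> bool:
    """True if the DNSBL answer for ip satisfies the zone's return-code filter."""
    answers = resolve(rbl_query_name(ip, zone))
    if required_code is None:
        return any(a.startswith("127.") for a in answers)
    return required_code in answers

def smtp_verdict(ip: str, zones=RBL_ZONES, resolve=fake_resolve,
                 tempfail: bool = True) -> Optional[str]:
    """Return the SMTP reply a listed client gets, or None to accept it.

    tempfail=True gives a 4xx reply (Postfix: maps_rbl_reject_code = 451), so a
    client that is delisted before its retries run out still delivers;
    tempfail=False gives the permanent 554 that tells the sender to give up.
    """
    hits = [zone for zone, code in zones if rbl_listed(ip, zone, code, resolve)]
    if not hits:
        return None
    if tempfail:
        return f"451 4.7.1 Service unavailable; client [{ip}] blocked using {hits[0]}"
    return f"554 5.7.1 Service unavailable; client [{ip}] blocked using {hits[0]}"
```

The hostkarma entry shows why the return-code filter matters: without it, the zone's 127.0.0.1 "whitelisted" answer would be treated as a listing.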