OT: third party relay attack
Pierre Abbat
phma at leaf.dragonflybsd.org
Thu Jan 23 18:55:05 PST 2020
On Friday, 10 January 2020 15.22.37 EST Matthew Dillon wrote:
> I last looked at it a few years ago but there were numerous DNS based
> services that you could use to test IP addresses and domains. But they
> never worked well... they tended to block a lot of legitimate mail along
> with the spam, and tended to always be out of date.
I use several blacklists, some of which automatically delist an address after
spam stops. I also set the reject code to 421 or 451, which tells the sender
to retry until it gives up, instead of 5xx, which would tell it to give up
immediately. That way, if a server is temporarily blocked, the spam run ends,
and the server is delisted, legitimate mail gets through. I've seen it happen.
Here's my current list of blacklists:
reject_rbl_client dnsbl-1.uceprotect.net
reject_rbl_client dnsbl-3.uceprotect.net
reject_rbl_client psbl.surriel.com
reject_rbl_client recent.spam.dnsbl.sorbs.net
reject_rbl_client ix.dnsbl.manitu.net
reject_rbl_client cbl.abuseat.org
reject_rbl_client ubl.unsubscore.com
reject_rbl_client spamsources.fabel.dk
reject_rbl_client dev.null.dk
reject_rbl_client dnsrbl.org
reject_rbl_client truncate.gbudb.net
reject_rbl_client rbl.interserver.net
reject_rbl_client bl.nosolicitado.org
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
I also greylist. That way, if a spammer sends me an email, my server tells him
to try again. Fairly often, by the time he tries again, his IP address has
been added to a blacklist.
The Turkish spammer buys a netblock and a bunch of domains (all of the form
<word><word>.<tld>, e.g. enemyfree.co) and sends spam from each IP address and
domain in turn. When he starts spamming from a new netblock, a few spams get
through, until the entire netblock is included in a blacklist. Considering his
tactics, I think a cluster of a few spams let through every few weeks is an
acceptable error rate.
As to the relay attack, it's someone trying to use my server as a third-party
relay, not trying to send me spam through someone else's relay.
Pierre
--
When a barnacle settles down, its brain disintegrates.
It no longer understands anything, it no longer understands anything.
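Added example, not part of the original post and not Postfix's own code: a small Python model of the lookup behind reject_rbl_client (reversed address plus zone, with the optional "=addr" reply filter) and of why a 451 reply lets mail through after a delisting while a 5xx reply does not. The client address, the DNS answers, the function names and the use of 554 as the 5xx code are constructed for illustration.

```python
import ipaddress

# Two entries copied from the post; the second uses the "=addr" reply filter.
RESTRICTIONS = """\
reject_rbl_client psbl.surriel.com
reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2
"""
# Constructed DNS views, one per delivery attempt by 192.0.2.25 (TEST-NET-1).
# The host is listed on the first zone for two attempts, then delisted.
OTHER = {"25.2.0.192.hostkarma.junkemailfilter.com": ["127.0.0.1"]}
LISTED = dict(OTHER, **{"25.2.0.192.psbl.surriel.com": ["127.0.0.2"]})
TIMELINE = [LISTED, LISTED, OTHER]

def parse_rbl_clients(text):
    """Return [(zone, required_reply or None)] from reject_rbl_client lines."""
    zones = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "reject_rbl_client":
            zone, _, want = parts[1].partition("=")
            zones.append((zone, want or None))
    return zones

def query_name(client_ip, zone):
    """Reversed octets (IPv4) or nibbles (IPv6) of the client, then the zone."""
    rev = ipaddress.ip_address(client_ip).reverse_pointer
    return rev.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def smtp_decision(client_ip, zones, resolve, reject_code=451):
    """resolve(name) returns a list of A records, empty when not listed."""
    for zone, want in zones:
        answers = resolve(query_name(client_ip, zone))
        # With "=addr" only that exact reply counts; otherwise any A record.
        if (want in answers) if want else bool(answers):
            return reject_code, zone
    return 250, None

def deliver(client_ip, zones, timeline, reject_code):
    """Replay a sender's attempts; return the attempt accepted, else None."""
    for attempt, view in enumerate(timeline, 1):
        code, _ = smtp_decision(client_ip, zones,
                                lambda name: view.get(name, []), reject_code)
        if code == 250:
            return attempt
        if code >= 500:  # permanent failure: the sender bounces, no retry
            return None
    return None          # still deferred when the sender's retries ran out

if __name__ == "__main__":
    zones = parse_rbl_clients(RESTRICTIONS)
    print("451:", deliver("192.0.2.25", zones, TIMELINE, 451))
    print("554:", deliver("192.0.2.25", zones, TIMELINE, 554))
```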