You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Mike Kenny <in...@gmail.com> on 2006/12/27 12:10:44 UTC

mapping dynamic IPs to specific accounts

A client of mine provides an email service to a number of mobile users. This
leave my client open to abuse as addresses are assigned dynamically and
blocking specific users is difficult. We have set up an internal, private
DNS which we update with the authentication details of the user and the IP
assigned to him/her at that  time. We now want to configure
postfix/spamassassin to query this DNS and return the authentication
details. This will allow us to blacklist the abusive users until they
re-register (at a cost) and should help us fight the proliferation of spam.

How best can this be done? It is not enough that the IP is in the DNS, we
expect it to be and we don not want to blacklist based on the IP. We
actually need to get the authentication details back and look these up in a
blacklist. So how do we configure postfix or spamassassin to look up one DNS
and pass the returned value to a second DNS or hash or whatever to return
the final judgement?

Thanks,

mike

RE: mapping dynamic IPs to specific accounts

Posted by Sietse van Zanen <si...@wizdom.nu>.

SA catches and classifies spam. It does not configure, secure or synchronize your MTA with any external source.

esto, this is the wrong mailing list for such a question.

The first thing you want to do is try and find an MTA that can achieve the goals you set. Sendmail probably can, but will need a lot of customization. which has nothing to do with and does not involve SA.

My advice, take this question to a number of MTA mailing lists (eg sendmail, postfix, exim, etc).

-Sietse



From: Mike Kenny
Sent: Wed 27-Dec-06 12:10
To: users@spamassassin.apache.org
Subject: mapping dynamic IPs to specific accounts


A client of mine provides an email service to a number of mobile users. This leave my client open to abuse as addresses are assigned dynamically and blocking specific users is difficult. We have set up an internal, private DNS which we update with the authentication details of the user and the IP assigned to him/her at that  time. We now want to configure postfix/spamassassin to query this DNS and return the authentication details. This will allow us to blacklist the abusive users until they re-register (at a cost) and should help us fight the proliferation of spam. 

How best can this be done? It is not enough that the IP is in the DNS, we expect it to be and we don not want to blacklist based on the IP. We actually need to get the authentication details back and look these up in a blacklist. So how do we configure postfix or spamassassin to look up one DNS and pass the returned value to a second DNS or hash or whatever to return the final judgement? 

Thanks,

mike

Re: mapping dynamic IPs to specific accounts

Posted by Benny Pedersen <me...@junc.org>.

On Wed, December 27, 2006 16:44, Richard Frovarp wrote:

>> into your MUA.  SMTP AUTH just adds some crypto to it - users just
>> check a different box when they set up their clients.
> Good point. Are the users force to authenticate a second time when they
> want to read mail?

who says thay care about complains that there FROM: email is used in spam ?

but good point anyway, users should learn to use smtpd auth period

-- 
This message was sent using 100% recycled spam mails.

Re: mapping dynamic IPs to specific accounts

Posted by Richard Frovarp <Ri...@sendit.nodak.edu>.

Miles Fidelman wrote:
> Mike,
>
> I'm not sure why "It is not considered acceptable to force the users 
> to authenticate a second time when they want to send email" - we all 
> do that all do that all the time anyway.  Pretty much all MTAs ask 
> clients for a username and password as part of the connection cycle - 
> it's just usually set up to be automatic, with the info configured 
> into your MUA.  SMTP AUTH just adds some crypto to it - users just 
> check a different box when they set up their clients.

Good point. Are the users force to authenticate a second time when they 
want to read mail?

Re: mapping dynamic IPs to specific accounts

Posted by Miles Fidelman <mf...@meetinghouse.net>.

Mike,

I'm not sure why "It is not considered acceptable to force the users to 
authenticate a second time when they want to send email" - we all do 
that all do that all the time anyway.  Pretty much all MTAs ask clients 
for a username and password as part of the connection cycle - it's just 
usually set up to be automatic, with the info configured into your MUA.  
SMTP AUTH just adds some crypto to it - users just check a different box 
when they set up their clients.

It sound like you're still going to need custom code if you're trying to 
control the activity of authenticated users.

Miles

Mike Kenny wrote:
> Thanks Miles, but I am not sure that this is what I am looking for. My 
> client's users will already have authenticated to access the data 
> network, but all that remains to identify them is the IP address that 
> they were assigned for that session. The data network guys have added 
> code to update a DNS with both the IP and the original authentication 
> string provided by the user. When one of these dynamically assiged IPs 
> connects to our SMT Pserver we want to be able to look up the auth 
> string in the DNS and check this against a blacklist.
>
> It is not considered acceptable to force the users to authenticate a 
> second time when they want to send email. We must accept the network 
> authentication as being valid (it is, our problem is not 
> unauthenticated users, but authenticated users who perform 
> unauthorized actions line spamming) and then impose our own rules of 
> behavior on those users by blacklisting them
>
> mike
>
> On 12/27/06, *Miles Fidelman* <mfidelman@meetinghouse.net 
> <ma...@meetinghouse.net>> wrote:
>
>     Mike Kenny wrote:
>     > A client of mine provides an email service to a number of mobile
>     > users. This leave my client open to abuse as addresses are assigned
>     > dynamically and blocking specific users is difficult. We have
>     set up
>     > an internal, private DNS which we update with the authentication
>     > details of the user and the IP assigned to him/her at that  time. We
>     > now want to configure postfix/spamassassin to query this DNS and
>     > return the authentication details. This will allow us to
>     blacklist the
>     > abusive users until they re-register (at a cost) and should help us
>     > fight the proliferation of spam.
>     >
>     > How best can this be done? It is not enough that the IP is in
>     the DNS,
>     > we expect it to be and we don not want to blacklist based on the IP.
>     > We actually need to get the authentication details back and look
>     these
>     > up in a blacklist. So how do we configure postfix or
>     spamassassin to
>     > look up
>     Mike,
>
>     You're barking up the wrong tree.  There are several well-established
>     mechanisms specifically designed to authenticate mobile users to email
>     systems.  What you want is SMTP AUTH, possibly w/ TLS.  Look at the
>     wikipedia entries for SMTP-AUTH and SASL, and then look at the Postfix
>     howtos.
>
>     Miles Fidelman
>
>

Re: mapping dynamic IPs to specific accounts

Posted by Mike Kenny <in...@gmail.com>.

Thanks Miles, but I am not sure that this is what I am looking for. My
client's users will already have authenticated to access the data network,
but all that remains to identify them is the IP address that they were
assigned for that session. The data network guys have added code to update a
DNS with both the IP and the original authentication string provided by the
user. When one of these dynamically assiged IPs connects to our SMT Pserver
we want to be able to look up the auth string in the DNS and check this
against a blacklist.

It is not considered acceptable to force the users to authenticate a second
time when they want to send email. We must accept the network authentication
as being valid (it is, our problem is not unauthenticated users, but
authenticated users who perform unauthorized actions line spamming) and then
impose our own rules of behavior on those users by blacklisting them

mike

On 12/27/06, Miles Fidelman <mf...@meetinghouse.net> wrote:
>
> Mike Kenny wrote:
> > A client of mine provides an email service to a number of mobile
> > users. This leave my client open to abuse as addresses are assigned
> > dynamically and blocking specific users is difficult. We have set up
> > an internal, private DNS which we update with the authentication
> > details of the user and the IP assigned to him/her at that  time. We
> > now want to configure postfix/spamassassin to query this DNS and
> > return the authentication details. This will allow us to blacklist the
> > abusive users until they re-register (at a cost) and should help us
> > fight the proliferation of spam.
> >
> > How best can this be done? It is not enough that the IP is in the DNS,
> > we expect it to be and we don not want to blacklist based on the IP.
> > We actually need to get the authentication details back and look these
> > up in a blacklist. So how do we configure postfix or spamassassin to
> > look up
> Mike,
>
> You're barking up the wrong tree.  There are several well-established
> mechanisms specifically designed to authenticate mobile users to email
> systems.  What you want is SMTP AUTH, possibly w/ TLS.  Look at the
> wikipedia entries for SMTP-AUTH and SASL, and then look at the Postfix
> howtos.
>
> Miles Fidelman
>

Re: mapping dynamic IPs to specific accounts

Posted by Miles Fidelman <mf...@meetinghouse.net>.

Mike Kenny wrote:
> A client of mine provides an email service to a number of mobile 
> users. This leave my client open to abuse as addresses are assigned 
> dynamically and blocking specific users is difficult. We have set up 
> an internal, private DNS which we update with the authentication 
> details of the user and the IP assigned to him/her at that  time. We 
> now want to configure postfix/spamassassin to query this DNS and 
> return the authentication details. This will allow us to blacklist the 
> abusive users until they re-register (at a cost) and should help us 
> fight the proliferation of spam.
>
> How best can this be done? It is not enough that the IP is in the DNS, 
> we expect it to be and we don not want to blacklist based on the IP. 
> We actually need to get the authentication details back and look these 
> up in a blacklist. So how do we configure postfix or spamassassin to 
> look up 
Mike,

You're barking up the wrong tree.  There are several well-established 
mechanisms specifically designed to authenticate mobile users to email 
systems.  What you want is SMTP AUTH, possibly w/ TLS.  Look at the 
wikipedia entries for SMTP-AUTH and SASL, and then look at the Postfix 
howtos.

Miles Fidelman