Posted to users@spamassassin.apache.org by Monty Ree <ch...@hotmail.com> on 2005/05/18 09:05:13 UTC

against this spam mail...

Hello, all.

When I see maillog, I can see lots of logs like below..
Some spammer sends spam mails from aaaa@xxxx.com to zzzz@xxxx.com, I guess.
So mail server load is high to accept this spam and reply with "User unknown".

Is there any good way or solution against this series of spam?

Thanks in advance.

May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <ho...@xxxxx.com>... User unknown
May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <da...@xxxxx.com>... User unknown
May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <da...@xxxxx.com>... User unknown
May 18 15:11:04 mail02 sendmail[22494]: j4I6B4i22494: <ja...@xxxxx.com>... User unknown
May 18 15:11:05 mail02 sendmail[22498]: j4I6B5i22498: <jo...@xxxxx.com>... User unknown
May 18 15:11:05 mail02 sendmail[22515]: j4I6B5i22515: <to...@xxxxx.com>... User unknown
May 18 15:11:05 mail02 sendmail[22516]: j4I6B5i22516: <jo...@xxxxx.com>... User unknown
May 18 15:11:06 mail02 sendmail[22525]: j4I6B6i22525: <sa...@xxxxx.com>... User unknown



Re: against this spam mail...

Posted by turgut kalfaoglu <tu...@egenet.com.tr>.
What I did against this is, first, have a virtusertable that lists all
your users, and at the end has something like

@mydomain.edu.tr    error:nouser sorry no one by that name

(syntax may be off; I am writing this from the top of my head)

so it rejects it outright before the mail has to go thru spamassassin, etc.

second thing I did: hack the sendmail source so that when 
BadRcptThrottle is reached, it closes the connection instead.
Life has been peaceful since :)

-t



David B Funk wrote:

>On Wed, 18 May 2005, Jeff Chan wrote:
>
>>On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
>>
>>>Hello, all.
>>>
>>>When I see maillog, I can see lots of logs like below..
>>>Some spammer sends spam mails from aaaa@xxxx.com to zzzz@xxxx.com, I guess.
>>>So mail server load is high to accept this spam and reply with "User
>>>unknown".
>>>
>>>Is there any good way or solution against this series of spam?
>>>
>>>Thanks in advance.
>>>
>>>May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <ho...@xxxxx.com>...
>>>User unknown
>>>May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <da...@xxxxx.com>...
>>>User unknown
>>>May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <da...@xxxxx.com>...
>>>User unknown
>>>
>>This is called a "dictionary attack".  If you search for that and
>>sendmail, you may find some answers.  It's not specifically a
>>SpamAssassin question.
>>
>
>For sendmail, enable the "BadRcptThrottle" threshold. This feature
>will cause sendmail to rate limit transactions once a specified number
>of bad recipients have been seen.
>sendmail will still have to tell the spammers "No No No" but at a slower
>rate so they don't drive up your server load average.
>(the default is 20, I've got mine set to 3 ;)
>
>Combine this with ConnectionRateThrottle & MaxDaemonChildren to limit
>the total simultaneous sessions to prevent your SpamAssassin from
>being driven into meltdown by these kinds of attacks.
>
>You can also add in dnsbl lists such as xbl.spamhaus.org to block
>connections by infected PCs at the SMTP level.
>Lots of this kind of trash is coming from 'bot nets' and can be
>blocked by good dnsbl lists.
>


Re: against this spam mail...

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 18 May 2005, Jeff Chan wrote:

> On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
> > Hello, all.
>
> > When I see maillog, I can see lots of logs like below..
> > Some spammer sends spam mails from aaaa@xxxx.com to zzzz@xxxx.com, I guess.
> > So mail server load is high to accept this spam and reply with "User
> > unknown".
>
> > Is there any good way or solution against this series of spam?
>
> > Thanks in advance.
>
> > May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <ho...@xxxxx.com>...
> > User unknown
> > May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <da...@xxxxx.com>...
> > User unknown
> > May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <da...@xxxxx.com>...
> > User unknown
>
> This is called a "dictionary attack".  If you search for that and
> sendmail, you may find some answers.  It's not specifically a
> SpamAssassin question.
>

For sendmail, enable the "BadRcptThrottle" threshold. This feature
will cause sendmail to rate limit transactions once a specified number
of bad recipients have been seen.
sendmail will still have to tell the spammers "No No No" but at a slower
rate so they don't drive up your server load average.
(the default is 20, I've got mine set to 3 ;)

Combine this with ConnectionRateThrottle & MaxDaemonChildren to limit
the total simultaneous sessions to prevent your SpamAssassin from
being driven into meltdown by these kinds of attacks.

You can also add in dnsbl lists such as xbl.spamhaus.org to block
connections by infected PCs at the SMTP level.
Lots of this kind of trash is coming from 'bot nets' and can be
blocked by good dnsbl lists.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
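
An added example, not code from any poster in this thread: it counts "User unknown" rejections per queue ID (one SMTP transaction, assumed here to be the scope a BadRcptThrottle limit counts in) and per relay, because in the posted log each rejection carries its own queue ID and so never accumulates within one transaction. The sample log is constructed; the from=/relay= lines, the 192.0.2.x addresses, the function names and the per-relay limit of 5 are assumptions.

```python
import re
from collections import Counter

def _txn(pid, qid, relay_ip, names):
    """Build constructed sendmail log lines for one SMTP transaction."""
    head = f"May 18 15:11:04 mail02 sendmail[{pid}]: {qid}: "
    lines = [f"{head}<{n}@example.com>... User unknown" for n in names]
    lines.append(f"{head}from=<x@example.net>, size=0, class=0, nrcpts=0, "
                 f"proto=SMTP, daemon=MTA, relay=[{relay_ip}]")
    return "\n".join(lines)

# Constructed sample: six one-recipient transactions from one relay, plus one
# four-recipient transaction from another. Addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [_txn(22000 + i, f"j4I6B4i{22000 + i}", "192.0.2.10", [f"name{i}"]) for i in range(6)]
    + [_txn(30000, "j4I6C0i30000", "192.0.2.20", ["a", "b", "c", "d"])]
)

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
BAD_RCPT = re.compile(r"^<[^>]*>\.\.\. User unknown")
RELAY = re.compile(r"relay=(?:\S+ )?\[(?P<ip>[^\]]+)\]")

def analyze(log_text):
    """Return (rejected recipients per queue ID, queue ID -> relay IP)."""
    bad_per_qid, relay_of = Counter(), {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if BAD_RCPT.match(rest):
            bad_per_qid[qid] += 1
        elif (r := RELAY.search(rest)):
            relay_of[qid] = r.group("ip")
    return bad_per_qid, relay_of

def report(log_text, per_txn_limit=3, per_relay_limit=5):
    """Queue IDs reaching the per-transaction limit, and relays over the relay limit."""
    bad_per_qid, relay_of = analyze(log_text)
    throttled = sorted(q for q, n in bad_per_qid.items() if n >= per_txn_limit)
    per_relay = Counter()
    for qid, n in bad_per_qid.items():
        per_relay[relay_of.get(qid, "unknown")] += n
    noisy = {ip: n for ip, n in per_relay.items() if n >= per_relay_limit}
    return throttled, noisy

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed sample, only the four-recipient transaction reaches the per-transaction limit, while the relay that sent one bad recipient per transaction shows up only in the per-relay count.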

Re: against this spam mail...

Posted by Saurabh Barve <sa...@atmos.colostate.edu>.
Jeff Chan wrote:
> On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
> 
>>Hello, all.
> 
> 
>>When I see maillog, I can see lots of logs like below..
>>Some spammer sends spam mails from aaaa@xxxx.com to zzzz@xxxx.com, I guess.
>>So mail server load is high to accept this spam and reply with "User
>>unknown".
>
>
>>Is there any good way or solution against this series of spam?
> 
> 
>>Thanks in advance.
> 
> 
>>May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <ho...@xxxxx.com>... 
>>User unknown
>>May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <da...@xxxxx.com>... 
>>User unknown
>>May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <da...@xxxxx.com>... 
>>User unknown
>>May 18 15:11:04 mail02 sendmail[22494]: j4I6B4i22494: <ja...@xxxxx.com>... 
>>User unknown
>>May 18 15:11:05 mail02 sendmail[22498]: j4I6B5i22498: <jo...@xxxxx.com>... 
>>User unknown
>>May 18 15:11:05 mail02 sendmail[22515]: j4I6B5i22515: <to...@xxxxx.com>... 
>>User unknown
>>May 18 15:11:05 mail02 sendmail[22516]: j4I6B5i22516: <jo...@xxxxx.com>... 
>>User unknown
>>May 18 15:11:06 mail02 sendmail[22525]: j4I6B6i22525: <sa...@xxxxx.com>... 
>>User unknown
> 
> 
> This is called a "dictionary attack".  If you search for that and
> sendmail, you may find some answers.  It's not specifically a
> SpamAssassin question.
> 
> Jeff C.

What I do for these kinds of e-mails is just block them at the sendmail 
level. If you're using FC2 (paths on other OS's may vary), just add a 
line like this in /etc/mail/access:

xxxxx.com			REJECT

This file is to allow relay access to domains. If you block out 
xxxxx.com, these messages will be rejected at the sendmail level.

Saurabh.

-- 
--------------------------------------------------------------------------
"Yours is to work. The results will take care of themselves"
-- Swami Vivekanad
--------------------------------------------------------------------------

Saurabh Barve
sa@atmos.colostate.edu
(970)491-7714



Re: against this spam mail...

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote:
> Hello, all.

> When I see maillog, I can see lots of logs like below..
> Some spammer sends spam mails from aaaa@xxxx.com to zzzz@xxxx.com, I guess.
> So mail server load is high to accept this spam and reply with "User
> unknown".

> Is there any good way or solution against this series of spam?

> Thanks in advance.

> May 18 15:11:04 mail02 sendmail[22487]: j4I6B4i22487: <ho...@xxxxx.com>... 
> User unknown
> May 18 15:11:04 mail02 sendmail[22490]: j4I6B4i22490: <da...@xxxxx.com>... 
> User unknown
> May 18 15:11:04 mail02 sendmail[22493]: j4I6B4i22493: <da...@xxxxx.com>... 
> User unknown
> May 18 15:11:04 mail02 sendmail[22494]: j4I6B4i22494: <ja...@xxxxx.com>... 
> User unknown
> May 18 15:11:05 mail02 sendmail[22498]: j4I6B5i22498: <jo...@xxxxx.com>... 
> User unknown
> May 18 15:11:05 mail02 sendmail[22515]: j4I6B5i22515: <to...@xxxxx.com>... 
> User unknown
> May 18 15:11:05 mail02 sendmail[22516]: j4I6B5i22516: <jo...@xxxxx.com>... 
> User unknown
> May 18 15:11:06 mail02 sendmail[22525]: j4I6B6i22525: <sa...@xxxxx.com>... 
> User unknown

This is called a "dictionary attack".  If you search for that and
sendmail, you may find some answers.  It's not specifically a
SpamAssassin question.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/