RE: sendmail m4 sample request.
- From: "Kenneth Goodwin" <kgoodwin datamarktech com>
- To: <valhalla-list redhat com>
- Subject: RE: sendmail m4 sample request.
- Date: Wed, 3 Sep 2003 17:23:14 -0400
> Thank you very much! Could you tell me where I can find more detailed
> information about "your own blacklist" and "public blacklist"? What is
> "access To 553 deny spammers" How to use it?
>
> I appreciate your help!
>
> Hongwei

My "own BlackList" consists of /etc/mail/access file entries such as

wowmail.com ERROR:5.3.0:553 Email From wowmail.com Blocked Using UltraSpamKiller
208.196.247.34 ERROR:5.3.0:553 Email From 208.196.247.34 Blocked Using UltraSpamKiller

To the remote Spammer, this generates a reject notice similar to those
of the DNSBL entries. It allows me to detect via the "UltraSpamKiller"
that the source of the reject is my own access list rather than an RBL
source. These are derived from maillog entries and mail headers from
spammers that make it through the RBLs. Eventually, the source IPs will
make it into my border routers access control lists and they will
bother my sendmail server no more and can then be removed from the
ACCESS database. The RBL denies will also be added to the border
routers ACLs.

You can also set up a DNS server locally and insert the IP address
entries in there and use a DNSBL feature line to reference your local
blacklists. (Google on blacklists and whitelists to find out more.)

(apologies in advance to the "80 Column or Bust Crew" for what follows)

My Sendmail MC file contains entries such as -

FEATURE(blacklist_recipients)dnl
FEATURE(dnsbl, `relays.ordb.org', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://ordb.org>"')dnl
FEATURE(dnsbl, `dev.null.dk', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://dev.null.dk>"')dnl
FEATURE(dnsbl, `dnsbl.njabl.org', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://dnsbl.njabl.org>"')dnl
FEATURE(dnsbl, `orbs.dorkslayers.com', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://orbs.dorkslayers.com>"')dnl
FEATURE(dnsbl, `dynablock.wirehub.net', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://dynablock.wirehub.net>"')dnl
FEATURE(dnsbl, `spammers.v6net.org', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://spammers.v6net.org>"')dnl
FEATURE(dnsbl, `blackholes.intersil.net', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://blackholes.intersil.net>"')dnl
FEATURE(dnsbl, `sbl.spamhaus.org', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://sbl.spamhaus.org>"')dnl
FEATURE(dnsbl, `spamguard.leadmon.net', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://spamguard.leadmon.net>"')dnl
FEATURE(dnsbl, `blackholes.wirehub.net', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://blackholes.wirehub.net>"')dnl
FEATURE(dnsbl, `korea.services.net', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://korea.services.net>"')dnl
FEATURE(dnsbl, `blackholes.brainerd.net', `"Message from "$&{client_addr}" rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://blackholes.brainerd.net>"')dnl

You can google search for blacklists to find more.

Basic Philosophy - Use Blacklists and Access database entries to
control Known or suspected spammers. Once you are certain you are not
nailing "friends and family", move the IP addresses of these confirmed
spammers out into the firewall or border router access control list to
stop them from making any connection to any port. Remove any
corresponding entries from the sendmail access database. When blocking
someone, send them back a message indicating why. If you nail a
friendly by mistake, you and they will know why. The real spammers do
not usually care as they are practicing hit and run tactics.

All of this needs to be backed up with something like spamassassin to
help in refining the controls and have your users help in id'ing new
spam sources.

I use a bunch of scripts to extract info out of the mail logs and
generate a spammers ip list as well as other scripts that id the creeps
showing up as DENYs in my firewall logs. The port scanner crowds etc.
These scripts will be used to build the border router ACLs.

Modifying the DNSBL actions requires deeper sendmail macro
expertise.........

# cd sendmail...../feature
# cp dnsbl.m4 mydnsbl.m4

the dnsbl parameter in the above FEATURE macro call in the MC file
becomes a mydnsbl parameter.

# edit mydnsbl.m4

divert(-1)
#
# Copyright (c) 1998-2002 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#
dnl 8.13: ifdef(`DNSBL_MAP', `', `define(`DNSBL_MAP', `dns -R A')')
ifdef(`DNSBL_MAP', `', `define(`DNSBL_MAP', `host')')
divert(0)
ifdef(`_DNSBL_R_',`dnl',`dnl
VERSIONID(`$Id: dnsbl.m4,v 8.28 2002/05/19 21:22:40 gshapiro Exp $')
define(`_DNSBL_R_',`')
LOCAL_CONFIG
# map for DNS based blacklist lookups
Kdnsbl DNSBL_MAP -T<TMP>ifdef(`DNSBL_MAP_OPT',` DNSBL_MAP_OPT')')
divert(-1)
define(`_DNSBL_SRV_', `ifelse(len(X`'_ARG_),`1',`blackholes.mail-abuse.org',_ARG_)')dnl
define(`_DNSBL_MSG_', `ifelse(len(X`'_ARG2_),`1',`"550 Rejected: " $`'&{client_addr} " listed at '_DNSBL_SRV_`"',`_ARG2_')')dnl
define(`_DNSBL_MSG_TMP_', `ifelse(_ARG3_,`t',`"451 Temporary lookup failure of " $`'&{client_addr} " at '_DNSBL_SRV_`"',`_ARG3_')')dnl
divert(8)
# DNS based IP address spam list _DNSBL_SRV_
R$* $: $&{client_addr}
R$-.$-.$-.$- $: <?> $(dnsbl $4.$3.$2.$1._DNSBL_SRV_. $: OK $)
R<?>OK $: OKSOFAR
ifelse(len(X`'_ARG3_),`1',
`R<?>$+<TMP> $: TMPOK',
*** The following two lines which will be expanded by the M4 macro processor
*** need to be changed to do "nothing" instead of spitting out a 553 ERROR message.
*** This is left as an exercise for the reader..............
*** Go to sendmail.org and download the documentation on how to write a sendmail
**** CF file macro.
`R<?>$+<TMP> $#error $@ 4.7.1 $: _DNSBL_MSG_TMP_')
R<?>$+ $#error $@ 5.7.1 $: _DNSBL_MSG_
divert(-1)

>
> ==============Original message text===============
> On Wed, 03 Sep 2003 2:31:12 pm CDT "Kenneth Goodwin" wrote:
>
> a great deal...............
> They are not equivalent.
>
> > Here is my question for expert:
> >
> > What is the difference of the function between
> >
> > FEATURE(`dnsbl', `ztl.dorkslayers.com', `Rejected - We
> dont accept
> > mail from spammers')dnl
> >
>
> Looks up incoming email server's source ip address in the
> ztl.dorkslayers.com Blackhole
> lists using DNS protocols and Sends the "reject spammer"
> message to the source mail server
> whomever that is.
>
> > and
> >
> > ztl.dorkslayers.com DISCARD in /etc/mail/access ?
>
> Discards all connections coming in from ztl.dorkslayers.com
> Which is NOT going to stop any spam unless it is coming from
> ztl.dorkslayers.com
>
> If you want to be silent, but use the Blackhole lists, just
> change the sendmail macro code for the dnsbl function in your
> sendmail.mc (.cf) to do a silent drop instead of spitting back
> the message string at the sender. Copy it to a new name and
> modify the copy and then use it in the FEATURE CALL. (see
> sendmail.org)
>
> Personally I prefer to send a message as it allows me to
> detect whether it is my own blacklists that are erroneously
> nailing some client of mine or one of the public blacklists.
> I use several public blacklists and use access To 553 deny
> spammers that slip past the blacklists. The 553 makes me look
> like a blacklist to them. You should also build denies into
> your firewall outside interface access control list for known
> Spammer IPs
>
> The spammers don't even read the message, they just keep
> sending emails because they usually do this by hijacking
> someone else's system.
>
>
> >
> > Which one is more efficient? or "better"? I notice that
> > even I put some lines in /etc/mail/access and run
> >
> > makemap hash access.db < access
> >
> > junk mails still come from some of those addresses. Any
> > suggestion? Thanks!
> >
> > Hongwei
> >
> > ==============Original message text===============
> > On Wed, 03 Sep 2003 1:47:53 pm CDT "John Meagher" wrote:
> >
> > Chris Sechiatano wrote:
> >
> > >What would you suggest? dnsbl sends a message by default.
> >
> > I put it in the form of a question because I'm not an
> > expert, but it doesn't seem reasonable to me to send a
> > spammer a REJECT for everything you are going to throw away.
> > (Unless you think he will take you off the list). But I
> > think you could just put
> >
> > ztl.dorkslayers.com DISCARD
>
> wrong.................
> >
> > in the /etc/mail/access file, and keep the bandwidth that
> > would have been used to reject it.
> >
> >
> >
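
Added example, not part of the original message and not the poster's own scripts: it splits sendmail rejects in a maillog by source using the "UltraSpamKiller" tag, lists the addresses ready to move to the border ACL, and builds the reversed-octet name that the dnsbl rule looks up. The log lines are constructed, and their reject= layout, the function names and the threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

MARKER = "UltraSpamKiller"  # tag the message embeds in its own access-file rejects
REJECT = re.compile(r"relay=[^,]*\[(?P<ip>[0-9.]+)\], reject=(?P<text>.*)$")

# Constructed maillog lines (RFC 5737 addresses); the field layout is an assumption.
SAMPLE_LOG = """\
Sep  3 17:20:01 mx sendmail[2101]: h83LK1a1002101: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=553 5.3.0 Email From 192.0.2.10 Blocked Using UltraSpamKiller
Sep  3 17:20:09 mx sendmail[2105]: h83LK9a1002105: ruleset=check_relay, arg1=mail.example.net, arg2=198.51.100.7, relay=mail.example.net [198.51.100.7], reject=553 5.7.1 Message from 198.51.100.7 rejected - Your EMAIL Server is a Blacklisted Spam Source at <http://sbl.spamhaus.org>
Sep  3 17:21:40 mx sendmail[2110]: h83LLea1002110: from=<user@example.org>, size=1402, nrcpts=1, relay=mail.example.org [203.0.113.20]
Sep  3 17:25:13 mx sendmail[2130]: h83LPDa1002130: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=553 5.3.0 Email From 192.0.2.10 Blocked Using UltraSpamKiller
Sep  3 17:26:02 mx sendmail[2133]: h83LQ2a1002133: ruleset=check_relay, arg1=[203.0.113.9], arg2=203.0.113.9, relay=[203.0.113.9], reject=553 5.3.0 Email From 203.0.113.9 Blocked Using UltraSpamKiller
"""

def dnsbl_query_name(ip, zone):
    """Name the dnsbl rule looks up: $4.$3.$2.$1.<zone>. (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone + "."

def access_entry(key):
    """One /etc/mail/access line in the format quoted in the message."""
    return f"{key}\tERROR:5.3.0:553 Email From {key} Blocked Using {MARKER}"

def reject_sources(log):
    """Count rejects per client IP: own access list vs. public DNSBL."""
    local, public = Counter(), Counter()
    for line in log.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not a reject line (e.g. a normal delivery)
        try:
            ip = str(ipaddress.IPv4Address(m["ip"]))
        except ValueError:
            continue  # malformed address in the log, skip it
        (local if MARKER in m["text"] else public)[ip] += 1
    return local, public

def acl_candidates(local, minimum=2):
    """IPs the local access list keeps rejecting: ready for the border ACL."""
    return sorted(ip for ip, n in local.items() if n >= minimum)

if __name__ == "__main__":
    local, public = reject_sources(SAMPLE_LOG)
    print("border ACL candidates:", acl_candidates(local))
    print("DNSBL-only rejects:", dict(public))
    print(dnsbl_query_name("192.0.2.10", "sbl.spamhaus.org"))
```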