
Re: [rhelv5-list] Black lists and blocked good users - sendmail, SA and MailScanner - problem solved!

Götz Reinicke wrote:
John Summerfield wrote:
Götz Reinicke wrote:

I hope someone can point me in the right direction.

Recently I added two blacklist-checks to our sendmail config: spamhaus
zen and the list from the German computer magazine iX.
First, an important distinction. These are not _blacklists_, they are
_blocklists_. You can use those lists to blacklist people.

I used this term: http://en.wikipedia.org/wiki/DNSBL; o.k. spamhaus.org

The quality of Wikipedia depends on the quality of the contributor; it's perfectly possible for me to change that, then I'd be right!

speaks of "Block List" http://www.spamhaus.org/sbl/index.lasso and this
page talks about DNS-Based blacklisting: http://www.technoids.org/dnsbl.html

I think that's not that important; next time, I'll use only the
abbreviation DNSBL ;-)

That will certainly confuse people.

IP addresses get on the lists because people allege they get spam from
those sources. I suspect that they're mostly infected with malware and
0wn3d by someone else.

Yes, I did know that, but e.g. spamhaus.org/zen also uses the "Policy Block
List" - http://www.spamhaus.org/pbl/ -  which blocks whole providers' (!)
IP ranges; e.g. 1und1.de, eplus-UMTS-Dialup IP ranges, arcor.de. And in
this case it doesn't matter which IP you have out of these ranges.

I regularly block IP address ranges, even down to /11 in one case, but most commonly /24: I might block your IAP's user-IP addresses, but probably not the IAP's mail service.

The good news: Spam has been about 70%-80%, now it is about 20%-30%. The
bad news: A lot of our users have problems sending mails from their dial
up DSL or mobile phone network connections. I've looked up their IPs and
all were on the Black lists or the PBL from spamhaus. So was my Arcor
IP last night :-)
I'm not assuming anything about your users; their computers might be
infected and be out of their control, or they might have inherited the
bad reputation from someone else. In _your_ position, I'd assume
(without telling users it's their fault) that they are in need of a
safety check. I do assume that they're on the block list for good reason.

The concerned computers including my own are safe regarding
firewall/antivirus-software and updates. The problem has been the PBL
from spamhaus and not the SBLs ...

If you fill your email with jargon, few will understand it.

The last time someone told me "My computer is clean," I asked him to run the test anyway. He later confessed to a dozen or so.

The information from spamhaus is, to use SMTP Authentication

I thought we do use TLS and smtp auth already, so I thought users
allowed to log in will be allowed to send. But I got the error message
using Thunderbird 2, that our mailserver didn't support STARTTLS in
combination with EHLO.
My first suggestion is to require your Windows users to download and run
Microsoft's malicious software removal tool.

You should also require them to not use administrator accounts for
everyday work.

AV software is good too (but I don't use it[1])

My next suggestion is to send your email via your Internet Access
Provider's mail gateway.

Your users' computers also need to be configured to send mail through a
specific server rather than direct.

There are network administrators who block IP addresses just because
they're used for dynamic IP.

As far as possible, do not use Outlook, Outlook Express or Internet
Explorer. Instead, use Thunderbird and Firefox, or Seamonkey. Regardless
of how good the MS offerings are, viruses are mostly written to target
them, and don't work with the alternatives.

Thanks for the suggestions, which are mostly applied already. We are a
university with about 1,000 users and some of your tips can be realised,
others can't.

The more users, the more you have to lose with insecure practices, the more important your countermeasures and recovery procedures are.

My problem was the fact that sendmail checks the DNSBL faster than the
authentication (which worked for about 4 years smoothly), so they
were blocked by the PBL from spamhaus. (Without the PBL check
everything was O.K. - so ...)

Sendmail has a feature, which is used (and is disabled by default in my
Redhat installation) in such situations:

http://www.sendmail.org/m4/anti_spam.html -> FEATURE(`delay_checks').

Uncomment, rebuild sendmail.cf, restart sendmail -> everything is o.k.
again. (And I have working DNSBL-checks now :-) )


Reading the documentation is always a good first step.



-- spambait
1aaaaaaa coco merseine nu  Z1aaaaaaa coco merseine nu
-- Advice

You cannot reply off-list:-)
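The fix the thread arrives at, shown as an added sendmail.mc fragment (a constructed example, not the configuration of either list member; zen.spamhaus.org is the list the thread names, the rejection text and the FRIEND entry are assumptions):

```m4
dnl Relevant lines of an assumed /etc/mail/sendmail.mc (constructed example).
dnl
dnl SMTP AUTH as the thread describes it: users log in, then send.
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl The DNSBL lookup. Without delay_checks this rule lives in check_relay,
dnl which sendmail runs when the TCP connection arrives, i.e. before the
dnl client has had any chance to issue AUTH. A roaming user on a PBL-listed
dnl dial-up range is therefore rejected although SMTP AUTH is configured.
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " refused, listed at zen.spamhaus.org"')dnl

dnl The line the thread found commented out on Red Hat. Enabling it defers
dnl the client (check_relay) and sender (check_mail) checks to the RCPT
dnl stage, which comes after AUTH; an authenticated client that is allowed
dnl to relay is no longer rejected by the listing, which is the behaviour
dnl reported above. The optional `friend' argument additionally lets
dnl access-db entries of the form
dnl     Spam:postmaster@example.edu    FRIEND
dnl accept mail for a recipient even from a listed client (assumed address).
FEATURE(`delay_checks', `friend')dnl

dnl Rebuild and restart afterwards (requires the sendmail-cf package):
dnl     m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
dnl     service sendmail restart
```

A quick check after the restart is a manual session from a listed address: without delay_checks the 550 arrives at connect time, with it an unauthenticated client is rejected at RCPT TO and an authenticated one gets through.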
