Log in

No account? Create an account
Spam count from 9am yesterday - noon today. - Adventures in Engineering
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2009-11-09 12:55
  Subject:   Spam count from 9am yesterday - noon today.


I'm thinking it's about time I dusted off the old whitelist script again, that bounces any email sent to me from an email address that's not pre-approved...

On another note: How do spammers get my email address? I never type it into web forms (that's what mailinator.com is for), I don't have it published in text form anywhere...

Edit: I first made a backup copy of, then edited my /etc/postfix/main.cf. Then used /etc/init.d/postfix restart to restart the mail system. Upon attempting to send an email from an outside domain, the following DNSBLs were dead and had to be removed from the .cf: relays.ordb.org, opm.blitzed.org, list.dsbl.org, multihop.dsbl.org.

My final config line liked like this:

smtpd_recipient_restrictions =
reject_rhsbl_client blackhole.securitysage.com,
reject_rhsbl_sender blackhole.securitysage.com,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client dnsbl.sorbs.net

Also I changed smtpd_helo_required = no to smtpd_helo_required = yes as recommended.


Post A Comment | 8 Comments | | Link

  User: nickhalfasleep
  Date: 2009-11-09 21:21 (UTC)
  Subject:   (no subject)
I was thinking about black-holing every class B we get spam from on the server, see if that would put a dent in it. I need to graph the offending addresses in my spam folder.
Reply | Thread | Link

  User: nickhalfasleep
  Date: 2009-11-09 21:26 (UTC)
  Subject:   (no subject)
We could also enforce SPF, however I better make sure my own SPF is correctly configured ;P
Reply | Parent | Thread | Link

Ben Cantrick
  User: mackys
  Date: 2009-11-10 00:27 (UTC)
  Subject:   (no subject)
> We could also enforce SPF, however I better make sure my own SPF is correctly configured

That'd be great, but frankly you sound like you've got more important things to do. If you really want to, awesome. But don't feel like it's a high priority.

Also, I'd be happy to help - up to and including doing it all myself. Though, you may not want me touching the mail system at all, considering how badly I screwed said mail system up the last time I attempted to play sysadmin. ;]
Reply | Parent | Thread | Link

Ben Cantrick
  User: mackys
  Date: 2009-11-10 00:29 (UTC)
  Subject:   (no subject)
Tell you what used to work great, before I totally fucked up and destroyed our mail config?


Fantastic stuff. Blacklists only the ip addresses that have recently sent spam.

Let me look into how we can use those. I'll consult with you before I touch the mail system.
Reply | Parent | Thread | Link

Trevor Stone: spam lite
  User: flwyd
  Date: 2009-11-09 22:00 (UTC)
  Subject:   (no subject)
Keyword:spam lite
I think a bunch of spam to my gmail address is from people with my name who think they have my email address. Some kid in Utah set up a MySpace account with it, for instance. One reason I suspect other people is that much of it is directed to trevor.stone, but I only ever use trevorstone.

Of course, the spam I get to my personal domain (where I, perhaps stupidly, wildcard direct everything to me) gets some pretty weird addresses. a1aaa1azzzz1zaaaaa, nffkcq, petgord34truew, johnsmithsvt, and 4531a55a.8060103 (in addition to reasonable guesses like admin and billing) have all received enough spam that I've blocked them. I also get stuff to valid addresses with characters added or removed: 51slashdot, esume, stone, etc. I don't understand how these are sane ways to generate more successful responses.
Reply | Thread | Link

Jon: EFG
  User: j_b
  Date: 2009-11-09 23:31 (UTC)
  Subject:   (no subject)
I too still use a wildcard, and I have 1088 names and counting in the list that
I auto-bounce when it shows up, I only add addresses when they've shown up more
than once. China it seems likes to use my domain ( jb.org ) as a spoofed "From"
address, so I get plenty of bounces from the China equivalents of Hotmail et
al. Sometime I'll go and add those to the bounce list too.

At least I have a clever bounce message though.

Connected to jb.org.
Escape character is '^]'.
220 vincent.jb.org ESMTP Exim 4.63 Mon, 09 Nov 2009 16:30:20 -0700
MAIL FROM:<yourmom>
250 OK
RCPT TO:<joeblow@jb.org>
550-"Five in the first place means / Permanent negative completion reply / It
550-furthers one to be mindful of difficulties / Five in the second place means
550-/ Mail system / It furthers one to apply discipline. / Zero in the third
550-place means / Requested action not taken / Misfortune. / Even if one's
550-socket were to be suddenly cut off, he should still be able to do one more
550-action with certainty if one becomes like a revengeful ghost and shows
550 great determination, though his session is cut off, he should not die."
Connection closed by foreign host.

Reply | Parent | Thread | Link

Ben Cantrick
  User: mackys
  Date: 2009-11-10 06:54 (UTC)
  Subject:   Hehehe.
Very bushido!
Reply | Parent | Thread | Link

Ben Cantrick
  User: mackys
  Date: 2009-11-10 00:24 (UTC)
  Subject:   (no subject)
> I don't understand how these are sane ways to generate more successful responses.

You're badly overestimating both the IQ and ethics of spammers. They really don't care if the addresses they send spam to (or sell to other people, to send spam to) are valid or not.

Most of the business deals over buying, selling and sending to addresses operate on a "so many cents per 1k address" basis. There's no economic incentive for them to use accurate addresses, and possibly a fair bit of economic incentive for them to lie and add random addresses to the pool.
Reply | Parent | Thread | Link

May 2015