Filtering techniques on SMTP

Spikecity
Joined: 04 Aug 2004
Posts: 123
Posted: Fri 17 Mar '06 14:02    Post subject: Filtering techniques on SMTP

Having a lot of dirt being thrown at our domain, I started playing with the various .flt filter options.

One of the most efficient ones is undoubtedly reject.flt, as it simply drops the smtp connection immediately based on content.

I know most of you have spambombers connecting to your smtp server, often 8 to 10 simultaneous connections, mailing to non-existing users in your domain.

If you look carefully at the addressed users, all of them have exactly 15 lowercase characters in front of your domain name, e.g. this one: TO:<lpkaxxwaroshunv@*************.nl>, and they take up a lot of your free running threads (on average I have 45-50 smtp connections all at once).

Adding this rule to reject.flt (in mail/mbox; if it does not exist, create it) will kick out these bombers instantly if they are not already identified by the blacklists.

^T(O|o).*\<([a-z]{15})\@yourmaildomain.com\>

The only time this filter will kill valid mails is if you have a user mail address with exactly 15 characters only (without numbers, dots, dashes or underscores).

In your smtp.log successful filter hits look like this:

[2006-03-17 15:08:47] FAILED [32343536] [217.98.71.16] [DATA] [325 B] ... {BAD-MAIL identified by reject rule ^T(O|o).*\<([a-z]{15})\@*************.nl\>}

It dropped our simultaneous smtp connections from 50 to 3 on average.

One you almost certainly can add to reject.flt too is the abused domain name verizon.net in the From field (unless you expect valid mails from that domain).

^From.*verizon.net

Enjoy,

Ron
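To see what a reject.flt rule like the one above does to a message's header lines, here is an added Python example; it is not Sambar code and not from the original post. It assumes example.com as the protected domain, constructs its own sample messages, and assumes Sambar reads `\<`, `\@` and `\>` as literal characters, which is how Python's re module treats them. It also reproduces the false positive the post warns about: a legitimate local part of exactly 15 lowercase letters.

```python
import re

# Constructed rules in the style of reject.flt, one regex per line.
# "example.com" stands in for the real mail domain (an assumption, not from the post).
REJECT_RULES = [
    r"^T(O|o).*\<([a-z]{15})\@example.com\>",  # recipients with 15 lowercase letters
    r"^From.*verizon.net",                      # abused sender domain from the post
]


def compile_rules(rules):
    """Compile each rule once; a bad pattern is reported with its rule number."""
    compiled = []
    for n, pattern in enumerate(rules, 1):
        try:
            compiled.append((pattern, re.compile(pattern)))
        except re.error as exc:
            raise ValueError(f"reject rule {n} is not a valid regex: {exc}") from exc
    return compiled


def matching_rule(line, compiled_rules):
    """Return the text of the first rule that fires on one line, or None."""
    for pattern, rx in compiled_rules:
        if rx.search(line):   # '^' in the rule anchors to the start of the line
            return pattern
    return None


def filter_message(lines, compiled_rules):
    """Scan header lines the way the DATA stage sees them.
    Returns (rejected, rule) so a log line like the one in the post can be built."""
    for line in lines:
        hit = matching_rule(line, compiled_rules)
        if hit:
            return True, hit
    return False, None


# Constructed sample messages (headers only); none of these are real addresses.
SPAM = ["From: bob@somewhere.org", "To: <lpkaxxwaroshunv@example.com>", "Subject: hi"]
LEGIT = ["From: alice@partner.org", "To: <john.smith@example.com>", "Subject: invoice"]
FALSE_POSITIVE = ["From: alice@partner.org", "To: <salesdepartment@example.com>"]
VERIZON = ["From: someone@verizon.net", "To: <john.smith@example.com>"]

if __name__ == "__main__":
    rules = compile_rules(REJECT_RULES)
    for name, msg in [("spam", SPAM), ("legit", LEGIT),
                      ("false positive", FALSE_POSITIVE), ("verizon", VERIZON)]:
        rejected, rule = filter_message(msg, rules)
        print(f"{name}: {'FAILED' if rejected else 'OK'}",
              f"{{BAD-MAIL identified by reject rule {rule}}}" if rejected else "")
```

The "salesdepartment" case shows why the rule is worth checking against your own user list before enabling it.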
holziusa
Joined: 08 Jun 2004
Posts: 221
Posted: Wed 03 Jan '07 6:10    Post subject: Re: Filtering techniques on SMTP

Hi Spikecity & all sambarians,
hope everyone survived the holidays (-:
Q: recently I am bombarded with fictitious undeliverable/failed email messages.
Thinking about filtering headers and banning "undeliverable", etc. words, but
I don't think it's ideal. Included a sample, any thoughts:
"X-UID32: 1152558440
X-DATE: 1167801153
Return-path: null
Received: from 62.225.177.9 by mail.netmail.ws (SMTPD);
id s20070102221231.37; Tue, 02 Jan 2007 22:12:31
Return-Path: <>
Received: from SKD05MR1.pzd-kdn.de ([10.7.1.18] [10.7.1.18]) by SKD03NS2.pzd-kdn.de with ESMTP for woepgh@xxxx.com; Wed, 3 Jan 2007 05:56:25 +0100
Received: from tgex.lra-to.de (tgex.lra-to.de [10.1.14.90]) by skd05mr1.pzd-kdn.de with ESMTP for woepgh@xxxx.com; Wed, 3 Jan 2007 05:56:25 +0100
Received: from mail pickup service by tgex.lra-to.de with Microsoft SMTPSVC;
Wed, 3 Jan 2007 05:56:25 +0100
Thread-Topic: Undeliverable: We're back to mug shots and license photos again.
thread-index: Accu84VYAAz/FRwTTy2KuUc5NGYOOw==
From: "System Administrator" <administrator@lra-to.de>
Sender: "System Administrator" <postmaster@lra-to.de>
To: <woepgh@contracttech.net>
Subject: Undeliverable: We're back to mug shots and license photos again.
MIME-Version: 1.0
Content-Type: multipart/report;
report-type=delivery-status;
boundary="----=_NextPart_000_38384_01C72EFB.E71F84E0"
Content-Class: urn:content-classes:dsn
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Message-Id: <TGEXRJDhTD5Hx4or6X900001c73@tgex.lra-to.de>
X-OriginalArrivalTime: 03 Jan 2007 04:56:25.0512 (UTC) FILETIME=[85814280:01C72EF3]
Date: 3 Jan 2007 05:56:25 +0100"
Spikecity
Joined: 04 Aug 2004
Posts: 123
Posted: Tue 16 Jan '07 11:02    Post subject: Re: Filtering techniques on SMTP

You could filter on Return Path = null, as this is an illegal value according to the RFC.
This means every mail where there is no reply address filled out will be bounced.