Koozali.org: home of the SME Server

blocking spoofing spammers

Tom Carroll

blocking spoofing spammers
« on: August 18, 2002, 07:34:08 PM »
I got some twit hitting my mail server and spoofing his IP address and claiming to be from yahoo.com.  My mail server is having a heyday with it because it tries to bounce the message back but it then bounces back to me.

I have tried entering a rule to stop the spammer from connecting but it doesn't seem to work in the way I understand it should.  I tried using IP addresses to block him and the domain of yahoo.com but nothing seems to work.

Here's what I get in the e-mail:
-------------------------------------------
Hi. This is the qmail-send program at carrollweb.net.
I tried to deliver a bounce message to this address, but the bounce bounced!

:
64.157.4.85 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (freesoftware-0245w24@yahoo.com) - mta494.mail.yahoo.com

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 13959 invoked for bounce); 17 Aug 2002 19:17:24 -0000
Date: 17 Aug 2002 19:17:24 -0000
From: MAILER-DAEMON@carrollweb.net
To: FreeSoftware-0245w24@yahoo.com
Subject: failure notice

Hi. This is the qmail-send program at carrollweb.net.
I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 13956 invoked by alias); 17 Aug 2002 19:17:23 -0000
Delivered-To: alias-localdelivery-info@datawarecomp.com
Received: (qmail 13953 invoked by uid 8); 17 Aug 2002 19:17:23 -0000
Received: from UNKNOWN (200.61.161.17, claiming to be "yahoo.com")
   by owt-207-41-94-221.owt.com with SMTP id smtpdOlmU7C; Sat, 17 Aug 2002 15:17:15 EDT
Reply-To: "Free Software"
Message-ID: <023d64b16e6e$1638a6c1$3ae21dd4@ytetya>
From: "Free Software"
To:
Subject: Send your Information from In-house
Date: Sat, 17 Aug 2002 11:08:32 +0800
MiME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: The Bat! (v1.52f) Business
Importance: Normal


--------------------------------------------
The IP address is different each time, but it always claims to be from yahoo.com.  Here's what I have entered into my 10denylist template fragment:

###############
# /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules/10DenyList
#
###############
# Block access to the SMTP server from:
noto:ALL:ALL@*etracks.com:ALL:551 Sorry %H (%I), I don't talk to spammers.
noto:ALL:ALL@*stgermain.com.br:ALL:551 Sorry %H (%I), I don't talk to spammers.
# The sender seen in the headers is FreeSoftware-0245w24@yahoo.com; a pattern of "FreeSoft-*" needs a literal "FreeSoft-" and so never matches it
noto:ALL:FreeSoftware-*@yahoo.com:ALL:551 Sorry %H (%I), I don't talk to spammers.


--------------------------------------------
Any ideas what I can do to stop this idiot?

Thanks!

Tom

Nathan Fowler

Re: blocking spoofing spammers
« Reply #1 on: August 19, 2002, 09:30:29 AM »
Tom, how are you doing?

You can add the following rules to your smtpd_check_rules to prevent this type of abuse:

If you notice the host does not have a valid reverse lookup or MX entry, this user is "claiming to be yahoo.com".

The first rule below allows you to deny all SMTP hosts that do not have a valid MX entry or reverse DNS lookup.
The second rule allows you to deny the MAIL FROM address: if the from address does not have a valid DNS entry or MX record, the mail will not be delivered.

Note that smtpd_check_rules is templated so I recommend you create a custom template:

mkdir -p /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
pico -w /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules/10NotoSpammers
# after saving the fragment, regenerate the rules file so smtpd sees it:
/sbin/e-smith/expand-template /var/spool/smtpd/etc/smtpd_check_rules

#Deny SMTP hosts that do not have a reverse lookup or MX entry.
#[allow|deny|noto]:SourceList:FromList:ToList[:XXX message for deny/noto]
deny:UNKNOWN EXCEPT 192.168.0.1,127.0.0.1,216.79.168.196,216.191.234.126,144.86.1.215:ALL:ALL:550 Your SMTP server's IP of %I does not have a reverse lookup or MX entry, as a result your message to %T was not delivered.  Please contact your mail administrator and inform them of the problem.

#Deny MAIL FROM addresses whose domain has no DNS entry or MX record.
deny:ALL:NS=UNKNOWN:ALL:550 Your MAIL FROM address of %F does not have a reverse lookup or MX entry, as a result your message to %T was not delivered.  Please contact your mail administrator and inform them of the problem.

Be sure to adjust your EXCEPT ruling as needed.

Hope this helped,
Nathan
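
The following is an added example, not code from this thread, from SME Server or from the smtpd it ships: a small Python model of the check-rules format Nathan describes (type:SourceList:FromList:ToList[:message]), run over the sender and host quoted in Tom's headers. The matching semantics are assumptions (first matching rule wins, "*" is a glob wildcard, a host with no reverse lookup is "UNKNOWN", source IPs are prefix-matched), and the point it shows is why Tom's "FreeSoft-*" rule never fired while an UNKNOWN source rule catches the same connection.

```python
# Added example (not from the thread, SME Server or obtuse smtpd): a model of
#   [allow|deny|noto]:SourceList:FromList:ToList[:message]
# Assumed semantics: first matching rule wins, '*' is a glob wildcard, a host
# with no reverse lookup is "UNKNOWN", and source IPs are matched by prefix.
from fnmatch import fnmatchcase


def _match_source(pattern, ip, rdns_ok):
    """SourceList: ALL, UNKNOWN, an IP or prefix, or 'X EXCEPT a,b'."""
    pattern = pattern.strip()
    if " EXCEPT " in pattern:
        base, excepts = pattern.split(" EXCEPT ", 1)
        if any(ip.startswith(e.strip()) for e in excepts.split(",")):
            return False
        return _match_source(base, ip, rdns_ok)
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return not rdns_ok
    return ip.startswith(pattern)


def _match_addr(pattern, addr, domain_has_dns):
    """FromList/ToList: ALL, NS=UNKNOWN, or a glob such as user-*@domain."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "NS=UNKNOWN":
        return not domain_has_dns
    return fnmatchcase(addr.lower(), pattern.lower())


def check(rules, ip, rdns_ok, mail_from, from_dns_ok, rcpt_to):
    """Return (verdict, expanded message) of the first matching rule, else ('allow', '')."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 4)  # the message itself may contain colons
        kind, src, frm, to = parts[:4]
        msg = parts[4] if len(parts) > 4 else ""
        if (_match_source(src, ip, rdns_ok) and _match_addr(frm, mail_from, from_dns_ok)
                and _match_addr(to, rcpt_to, True)):
            return kind, msg.replace("%I", ip).replace("%F", mail_from).replace("%T", rcpt_to)
    return "allow", ""


# Constructed inputs, taken from the headers and rules quoted in the thread.
TOM_RULES = "noto:ALL:FreeSoft-*@yahoo.com:ALL:551 Sorry, I don't talk to spammers."
NATHAN_RULES = """deny:UNKNOWN EXCEPT 192.168.0.1,127.0.0.1:ALL:ALL:550 %I has no reverse lookup
deny:ALL:NS=UNKNOWN:ALL:550 %F has no DNS entry"""
SPAM = dict(ip="200.61.161.17", rdns_ok=False, from_dns_ok=True,  # "from UNKNOWN (200.61.161.17 ...)"
            mail_from="FreeSoftware-0245w24@yahoo.com", rcpt_to="info@datawarecomp.com")
```

check(TOM_RULES, **SPAM) lets the message through, while check(NATHAN_RULES, **SPAM) returns the deny verdict from the UNKNOWN rule.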

Nathan Fowler

Re: blocking spoofing spammers
« Reply #2 on: August 19, 2002, 09:31:35 AM »
Obviously each rule should be on its own line; the HTML has wrapped the text.

Tom Carroll

Re: blocking spoofing spammers
« Reply #3 on: August 19, 2002, 09:13:08 PM »
Thanks Nathan!  I'm doing pretty good.  Just trying to wrap up a few things before I have to leave the server for a few months.  Just wanted to lock things down a little better.

I will try the template fragment you posted to see if that helps.

While we're at it, I have not upgraded to 5.5 yet.  Does 5.5 offer secure/authenticated smtp?  I thought I saw a post in devinfo about an rpm that allows secure/authenticated smtp.  Any experience with it?  I know you have the pop-before-smtp, so I was wondering if you have looked over that rpm.

Tom

Nathan Fowler

Re: blocking spoofing spammers
« Reply #4 on: August 20, 2002, 12:16:08 AM »
5.5 is looking good for CVM SASL thanks to a guy named Damien.  I'm not much use as far as 5.5 is concerned but I've been hearing good things about his RPMs.  I know there is information in the forums about it, if you can't find it via search hit http://www.stickit.nu/pop-before-smtp, I've got a news post with the link to his RPMs.

Glad you're doing well.

Thanks,
Nathan