Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Nathan Fowler on July 26, 2002, 11:04:24 PM
-
Note this does not work on SME 5.5; SME 5.5 uses Mailfront, not Obtuse SMTPD.
I've been fighting a losing battle with SPAM, as have many people. I often get tired of getting mail from my own domain; the messages have been spoofed. nakedgirls@fundeals.stickit.nu doesn't exist, so why should I get mail from it, especially if I own the domain?
After reading the Juniper smtpd_check_rules documentation I was able to craft some rules to stop those SMTP hosts and MAIL FROM addresses that are not valid (They do not have a reverse DNS lookup AND do not have a valid MX entry). I'm now going to share some simple changes you can make to your smtpd_check_rules that will enable you to block such spam.
Below are the steps:
mkdir -p /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
cd /etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules
pico -w 10NotoSpammers
[Add the following lines to 10NotoSpammers:]
#Deny SMTP hosts that do not have a reverse lookup or MX entry.
deny:UNKNOWN:ALL:ALL:550 Your SMTP server's IP of %I does not have a reverse lookup or MX entry, as a result your message to %T was not delivered. Please contact your mail administrator and inform them of the problem.
#Deny MailFrom addresses that do not have a reverse lookup or MX entry.
deny:ALL:NS=UNKNOWN:ALL:550 Your MAIL FROM address of %F does not have a reverse lookup or MX entry, as a result your message to %T was not delivered. Please contact your mail administrator and inform them of the problem.
[Save the file 10NotoSpammers]
/sbin/e-smith/expand-template /var/spool/smtpd/etc/smtpd_check_rules
[If you are using my pop-before-smtp code be sure you:]
rm -rf /var/pop-before-smtp/IP/*
Rejoice in knowing that you've just helped eliminate invalid E-Mails, most of which will be SPAM.
Hope this helped,
Nathan
-
Note the "deny:" lines in the 10NotoSpammers should all be one line. HTML has caused the text to wrap. It is vital that these configuration rules are each on a separate line and do not wrap.
-
Nathan Fowler wrote:
> /sbin/e-smith/expand-template /var/spool/smtpd/etc/smtpd_check_rules
Replace the above with:
/sbin/e-smith/signal-event email-update
This is needed to restart all the services and load the new smtpd_check_rules settings.
Regards,
Darrell
-
Actually, changes to the smtpd_check_rules file are seen in real-time, smtpd services do not need to be restarted to activate changes made to that file.
But thanks Darrell :)
-
If you wish to be more restrictive about the root level domain then instead use:
#Deny SMTP hosts that do not have a reverse lookup or MX entry.
deny:NS=UNKNOWN:ALL:ALL:550 Your SMTP server's IP of %I does not have a reverse lookup or MX entry, as a result your message to %T was not delivered. Please contact your mail administrator and inform them of the problem.
as opposed to:
#Deny SMTP hosts that do not have a reverse lookup or MX entry.
deny:UNKNOWN:ALL:ALL:550 Your SMTP server's IP of %I does not have a reverse lookup or MX entry, as a result your message to %T was not delivered. Please contact your mail administrator and inform them of the problem.
Using "Unknown" will attempt to find a DNS entry for the root level domain, NS=UNKNOWN matches the entire FQDN string, and does not attempt to chop until it finds the root domain:
IE:
Using "Unknown" will allow this.is.a.fake.domain.from.yahoo.com to proceed because the DNS entry for the root level domain "Yahoo.com" is present. Using the "NS=UNKNOWN" will not allow this entry because the FQDN does not exist.
Nathan
-
Note that if you use the restrictive set be sure to include "NS=UNKNOWN EXCEPT 127.0.0.1" or your webmail client will have trouble sending mail.
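
An added example, not part of the original thread: a small Python check for an expanded smtpd_check_rules file that flags the two mistakes warned about so far, a rule wrapped across lines and a deny rule whose NS=UNKNOWN source pattern lacks EXCEPT 127.0.0.1. The action:source:from:to:message layout is inferred from the rules quoted in the thread, and the function names are hypothetical.

```python
import re

# Assumption: each rule is action:source:from:to[:message], as in the rules
# quoted in this thread. lint_rules and except_list are hypothetical names.

def except_list(pattern):
    """Return the addresses listed after EXCEPT in a pattern ([] if none)."""
    _, sep, tail = pattern.partition(" EXCEPT ")
    return [a for a in re.split(r"[,\s]+", tail.strip()) if a] if sep else []

def lint_rules(text):
    """Return (line_number, problem) pairs for an smtpd_check_rules file."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)  # the message text may contain colons
        if len(fields) < 4 or not re.fullmatch(r"[a-z_]+", fields[0]):
            # Text with no action and pattern fields is almost certainly the
            # tail of a rule that was wrapped when pasted from the web page.
            problems.append((n, "not a rule; wrapped tail of the line above?"))
            continue
        action, source = fields[0], fields[1]
        if (action == "deny" and source.startswith("NS=UNKNOWN")
                and "127.0.0.1" not in except_list(source)):
            problems.append((n, "NS=UNKNOWN source without EXCEPT 127.0.0.1"))
    return problems

# Constructed sample: line 2 has wrapped onto line 3 and lacks the exception.
SAMPLE = """\
#Deny SMTP hosts that do not have a reverse lookup or MX entry.
deny:NS=UNKNOWN:ALL:ALL:550 Your SMTP server's IP of %I does not have a
reverse lookup or MX entry, as a result your message to %T was not delivered.
deny:ALL:NS=UNKNOWN:ALL:550 Your MAIL FROM address of %F has no DNS entry.
deny:NS=UNKNOWN EXCEPT 192.168.0.1,127.0.0.1:ALL:ALL:550 No DNS entry for %I.
"""

if __name__ == "__main__":
    for n, problem in lint_rules(SAMPLE):
        print(f"line {n}: {problem}")
```

Pass it the contents of /var/spool/smtpd/etc/smtpd_check_rules after expanding the template.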
-
Wow, this is great!
In the world of spam that we live in....
Thanks man! : )
As long as I don't lose any good e-mail we are good.
-
Nathan,
Quick clarification. The syntax would be:
deny:NS=UNKNOWN EXCEPT 127.0.0.1:ALL:ALL:550 blah blah
Yes?
-jeff
-
Did you try it on an official 5.5 release to say it doesn't work? D. May said in a previous post that smtpfront works like obtuse smtp, that's why it isn't well documented???
I would try your howto on my SME 5.5 box, but as it's a production server...
Best regards
Eric Belhomme
-
I too would be interested in answers to Eric's question here. Running 5.5 hosting several web sites so I want to keep it functioning :-)
Craig Jensen
-
SME 5.5 does not support any smtpcheckrules. Obtuse smtpd has been completely replaced with mailfront (http://untroubled.org/mailfront/). Mailfront currently supports qmail validation only (http://untroubled.org/mailfront/qmail-validate.html).
If you need smtpdcheckrules, stick with SME 5.1.2 and upgrade only the individual packages you need from 5.5.
Darrell
-
deny:UNKNOWN:ALL:ALL:550
Too bad my home server can't send to my work server when that is enabled (as well as a few other servers I know of). I use dyndns and it rejects my home IP address when I send mail. Just FYI.
-
Guys (Esp Nate), remember you can use the EXCEPT rule to add those mail servers or clients that need access to the box:
IE:
deny:UNKNOWN EXCEPT 192.168.0.1,127.0.0.1:ALL:ALL:550 Blah blah, you eat bugs.
I've had to add several IPs to the EXCEPT ruling, and the reason why I haven't replied to these emails is that the forum mail server for e-smith does not have a reverse DNS, so the messages have been bouncing back, hah!
216.191.234.126 is the E-Smith forum smtp server, so be sure to add this to the exception list.
Darrell, thanks for your help in answering this stuff while I was out.
Thanks,
Nathan
-
Nathan, I am trying to fight the spammers myself. Here's what I have in my smtpd_check_rules on my SME 5.1.2 server:
deny:UNKNOWN EXCEPT ...:ALL:ALL:550 blah blah...
deny:ALL:NS=UNKNOWN:ALL:550 blah blah...
deny:NS=UNKNOWN EXCEPT 127.0.0.1:ALL:ALL:550 blah blah...
Is this right? See any problems?
Tom
-
I have put all of the above in place....
Thanks for the great ideas...
now....do the results of the rejected mails get logged anywhere to see what is happening ?
I'm not sure if it is functioning correctly.
-
Steven, hang tight, I've got another thread you'll want to check out. Give me until tomorrow morning.
12/03/2002 8:24 PM CST
Nathan