Re: again.. how to stop spam relaying?
> We just got 'relay spammed' again.. Some loser is using us to relay to
> mcimail.com.
> How can I stop this???? This ties up our mail system for hours on end.
> This guy tries to pump about 10000 mail messages every few days through
> us.
Sorry, replying to this slipped thru my "do a bit later, but
do soon" buffer -- a buffer overflow most likely.
> > -----Original Message-----
> > From: Paquette, Trevor [SMTP:TrevorPaquette@mcc.net]
> > Sent: Monday, January 26, 1998 9:15 AM
> > To: 'zmailer@nic.funet.fi'
> > Subject: how to stop spam relaying?
> >
> > Using 2.99.49p9 patch 1, I have set up some anti-spamming rules
> > in my smtp-policy files, but it
> > looks like someone was actually able to use my system as a spam relay:
> >
> > Here are the logs:
> >
....
> > 3049r MAIL FROM:<guhio71@msn.com>
> > 3049w 250 2.1.0 Sender syntax Ok
> > 3049r RCPT TO:<2001199@mcimail.com>
> > 3049w 250 2.1.5 Recipient address syntax Ok
> > 3049r RCPT TO:<2001198@mcimail.com>
> > .....
> > 3049r RCPT TO:<2001101@mcimail.com>
> > 3049w 250 2.1.5 Recipient address syntax Ok
> > 3049r RCPT TO:<2001100@mcimail.com>
> > 3049w 250 2.1.5 Recipient address syntax Ok
Gee, generated addresses. No doubt the msn.com user
is fake too.
> > 3049r DATA
> > 3049w 354 Start mail input; end with <CRLF>.<CRLF>
> > 3049w 250 2.6.0 S.omabe421802 message accepted
> > 3049# S.omabe421802: 6960 bytes
> > 3049r QUIT
> > 3049w 221 2.0.0 gate.mcc.net Out
> >
> > I have set up the following files to try to stop this:
> >
> > smtp-policy.relay:
> > (List of IPs that can use us as an outgoing smtp relay)
> >
> > smtp-policy.mx:
> > (all of the domains that we are the mail exchanger for)
> >
> > I then run $ZMAILER/bin/policy-builder.sh to create the database
> > files, and the policydb parameter in smtpserver.conf is set to:
> >
> > PARAM policydb ndbm /apps/zmailer/db/smtp-policy
> >
> > According to the contents of the above files, what happened in the
> > logs above, should never have happened.
> > Am I missing something obvious?
Hmm.. Perhaps..
I did issue "DEBUG" command, and then "MAIL FROM:<foo@msn.com>", and
got following tail-part of the report:
DEBUG: 4/DOMAIN/'.'
checkaddr(): domain of '.'
Key: 4/DOMAIN/'.'
query failed
Results: rejectnet . freezenet . rejectsource . freezesource . relaycustomer . relaycustnet . relaytarget . acceptifmx . acceptifdns . senderokwithdns . acceptbutfreeze . sendernorelay . test-dns-rbl . message . localdomain .
250 2.1.0 Sender syntax Ok
which means, it can't read the database for some reason.
(Because there SHOULD be a fall-back tag of "." in the smtp-policy.src file
to provide default values..)
What is the $DBTYPE in your /etc/zmailer.conf file (your location
may vary, of course) ? Is it ndbm ?
The type on "PARAM policydb" entry must match that of the system default
database type, because the policy-builder.sh uses $DBTYPE..
(Although, the autoconfig builds proto/smtpserver.conf with this set
to correct value, so unless you have altered it after installing, this
detail should be ok.)
Oh yes, is the database file readable by everybody ?
At the time of the db open the euid is "daemon", if I recall correctly,
and thus getting access to the db file(s) may become a bit restricted
when compared to "euid==root", and especially if your default umask is
stricter than 022 while generating the db file.
(... but in this case the system should cry out loudly for a major failure..)
It must be about a problem in the smtp-policy.src boilerplate then.
Here is my standard-issue boilerplate as it is in the source tree:
#|-----------
#|
#| Default handling boilerplates:
#|
#| "We are not relaying between off-site hosts, except when ..."
#|
# -- 1st alternate: No MX target usage, no DNS existence verify
# . relaycustomer - relaytarget -
# [0.0.0.0]/0 relaycustomer - relaytarget -
# -- 2nd alternate: No MX target usage, DNS existence verify
# . relaycustomer - relaytarget - senderokwithdns +
# [0.0.0.0]/0 relaycustomer - relaytarget - senderokwithdns +
# -- 3rd alternate: MX relay trust, DNS existence verify
. relaycustomer - acceptifmx - senderokwithdns +
[0.0.0.0]/0 relaycustomer - acceptifmx - senderokwithdns +
# -- 4th alternate: Sender & recipient DNS existence verify
#. senderokwithdns - acceptifdns -
#[0.0.0.0]/0 senderokwithdns - acceptifdns -
#|
#| Also you may add 'test-dns-rbl +' attribute pair to [0.0.0.0]/0
#| to use Paul Vixie's http://maps.vix.com/ MAPS RBL system.
#|
#| These rules mean that locally accepted hostnames MUST be listed in
#| the database with 'relaytarget +' attribute.
#|
In your case you probably should be using the first alternate pair.
> > Trevor Paquette | MetroNet Solutions |Work:(403)543-2355
> > TrevorPaquette@mcc.net |4300, 150 6th Ave SW| Fax:(403)543-2854
> > http://www.mcc.net |Calgary, AB, Canada
> > |ICBM:51'03"N/114'05"W
> > Senior Unix Network Architect| T2P 4K9 |Mind:In the Rockies
/Matti Aarnio <mea@nic.funet.fi>
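Added illustration for this archive page (not ZMailer's code, and not a reproduction of ZMailer's real smtp-policy lookup rules): a toy model of the relay decision the reply walks through, written in Python so the two failure modes can be exercised side by side. The policy text, the customer network, the domains and the client addresses are all constructed. The model's own assumptions are that attribute pairs follow the `key attr +/- ...` layout of the boilerplate above, that a recipient domain is matched exactly, then by parent domain, then by the `.` fall-back row, that `[net]/len` rows are matched by longest prefix, and that a `fail_open` flag stands in for the behaviour visible in the quoted DEBUG output, where "query failed" was followed by a `250 ... Ok`.

```python
# Constructed example: a toy model of the smtp-policy relay decision discussed
# in this thread.  It is NOT ZMailer's code and does not reproduce ZMailer's
# exact lookup rules; it exists to show why the "." fall-back row matters and
# why a failed policy lookup must not fall through to "accept".
import ipaddress

# Constructed policy source in the boilerplate's "1st alternate" style:
# default-deny for everyone, one customer network, one domain we are MX for.
SAMPLE_POLICY = """\
# default rows: nobody relays unless a more specific row says so
.               relaycustomer - relaytarget -
[0.0.0.0]/0     relaycustomer - relaytarget -
# a constructed customer network allowed to relay outbound
[192.0.2.0]/24  relaycustomer +
# a constructed domain we are the mail exchanger for
example.net     relaytarget +
"""

# Same table with the "." and [0.0.0.0]/0 rows missing (the misconfiguration
# the reply suspects): unknown domains then match nothing at all.
NO_DEFAULT_POLICY = """\
example.net     relaytarget +
"""


def parse_policy(src):
    """Parse 'key attr +/- attr +/- ...' rows into {key: {attr: '+'/'-'}}."""
    table = {}
    for raw in src.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, *attrs = line.split()
        if len(attrs) % 2:
            raise ValueError("attribute without +/- value: %r" % raw)
        table[key] = dict(zip(attrs[0::2], attrs[1::2]))
    return table


def lookup_ip(table, client_ip):
    """Longest-prefix match of client_ip against '[net]/len' rows (model rule)."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for key, attrs in table.items():
        if not key.startswith("["):
            continue
        net = ipaddress.ip_network(key.replace("[", "").replace("]", ""),
                                   strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    return None if best is None else best[1]


def lookup_domain(table, domain):
    """Exact domain, then each parent domain, then the '.' fall-back (model rule)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return table.get(".")


def decide(table, client_ip, rcpt_domain, fail_open=False):
    """Return (verdict, reason) for a RCPT TO at rcpt_domain from client_ip.

    fail_open=True reproduces the fall-through seen in the quoted DEBUG output:
    'query failed' followed by '250 ... Ok'.  A defender wants fail_open=False.
    """
    ip_attrs = lookup_ip(table, client_ip)
    dom_attrs = lookup_domain(table, rcpt_domain)
    if ip_attrs and ip_attrs.get("relaycustomer") == "+":
        return ("accept", "client network is a relay customer")
    if dom_attrs and dom_attrs.get("relaytarget") == "+":
        return ("accept", "we are the mail exchanger for the recipient domain")
    if ip_attrs is None and dom_attrs is None:
        # Nothing matched: missing '.' row, or the db could not be read at all.
        if fail_open:
            return ("accept", "no policy row found; fell through to accept (open relay)")
        return ("reject", "no policy row found; failing closed")
    return ("reject", "relaying denied by policy")


if __name__ == "__main__":
    table = parse_policy(SAMPLE_POLICY)
    for ip, dom in [("198.51.100.7", "victim.example"),
                    ("198.51.100.7", "mail.example.net"),
                    ("192.0.2.10", "victim.example")]:
        print(ip, dom, decide(table, ip, dom))
    # the misconfiguration: no default row, lookup fails, message accepted
    print(decide(parse_policy(NO_DEFAULT_POLICY), "198.51.100.7",
                 "victim.example", fail_open=True))
```

Running the block shows the point of the thread in three lines: with the default rows present, an unknown client sending to an unknown domain is rejected and only the customer network or a `relaytarget +` domain gets through; with the default rows missing (or an unreadable database, modelled here as an empty table) the lookup finds nothing, and whether that turns into an open relay depends entirely on whether the server treats "no answer" as accept or as reject.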