[TriLUG] Sendmail question
Mark Fowle
mark at thefowles.com
Sun Jan 23 23:39:23 EST 2005
Based on this advice - Here's what my sendmail.mc file now contains --
it seems to have reduced the attacks significantly --
Thanks Jeff and everyone for your help.....
Mark
========SNIP==========
dnl dnsbl/enhdnsbl arguments: zone, rejection message (double-quoted because it
dnl contains spaces), then `t' to tempfail with a 451 if the lookup itself fails.
FEATURE(`dnsbl', `sbl.spamhaus.org', `"listed on SBL - see <http://spamhaus.org/SBL/>"')dnl
FEATURE(`dnsbl', `relays.visi.com', `"Listed on RSL - see <http://relays.visi.com/>"')dnl
FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl
FEATURE(`enhdnsbl', `cn-kr.blackholes.us', `"554 Rejected "$&{client_addr} " -- We do not accept email from hosts in China or Korea."')dnl
FEATURE(`enhdnsbl', `cbl.abuseat.org', `"554 Rejected "$&{client_addr} " -- We do not accept email from hosts controlled by known spammers."')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}" Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `in.dnsbl.org', `"Spam blocked see: http://www.dnsbl.org Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `relays.ordb.org', `"Spam blocked - see http://ordb.org/ Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `relays.visi.com', `"Spam blocked see: http://relays.visi.com Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `blackholes.mail-abuse.org', `"Spam blocked see: http://www.mail-abuse.org/rbl/ Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `relays.mail-abuse.org', `"Spam blocked see: http://www.mail-abuse.org/rss/ Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `dialups.mail-abuse.org', `"Spam blocked see: http://www.mail-abuse.org/dul/ Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `rbl-plus.mail-abuse.org', `"Spam blocked see: http://www.mail-abuse.org/ Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `blackhole.compu.net', `"Spam blocked see: http://www.compu.net Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `pm0-no-more.compu.net', `"Spam blocked see: http://www.compu.net Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `flowgoaway.com', `"Spam blocked see: Blocked FLOW network systems Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `spamguard.leadmon.net', `"Spam blocked see: http://www.leadmon.net/spamguard Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `blackholes.intersil.net', `"Spam blocked see: http://www.intersil.net Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `blackholes.wirehub.net', `"Spam blocked see: http://basic.wirehub.nl/blackholes.html Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `dynablock.wirehub.net', `"Spam blocked see: http://basic.wirehub.nl/dynablocker.htm Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `dsn.rfc-ignorant.org', `"Spam blocked see: http://www.rfc-ignorant.org Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `postmaster.rfc-ignorant.org', `"Spam blocked see: http://www.rfc-ignorant.org Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
FEATURE(`enhdnsbl', `abuse.rfc-ignorant.org', `"Spam blocked see: http://www.rfc-ignorant.org Contact postmaster cs montana edu with problems. Read http://www.cs.montana.edu/faq/spam.htm for help"', `t')dnl
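Added here as an illustration (not code from the thread or from sendmail): a Python emulation of what each enhdnsbl FEATURE above does per connecting client: reverse the octets of ${client_addr}, look that name up under the list zone, reject when there is an answer (optionally only for listed return codes) and, when the `t' argument is given, tempfail instead of accepting if the lookup itself fails. DNS is replaced by a constructed in-memory table so it runs offline; the zone names dead.example and slow.example are hypothetical, and list_is_sane applies the RFC 5782 test addresses (127.0.0.2 must be listed, 127.0.0.1 must not), which is the check worth running before any zone in a list this long is allowed to reject mail, since zones stop operating over the years.

```python
import ipaddress

# Constructed stand-in for DNS (query name -> A records); names in TIMEOUTS
# model a lookup that times out. Not a real resolver, not real list data.
FAKE_DNS = {
    "168.142.233.222.cn-kr.blackholes.us": {"127.0.0.2"},  # constructed answer
    "2.0.0.127.cn-kr.blackholes.us": {"127.0.0.2"},
    "96.250.216.81.cbl.abuseat.org": {"127.0.0.2"},        # constructed answer
    "2.0.0.127.cbl.abuseat.org": {"127.0.0.2"},
    "1.0.0.127.dead.example": {"127.0.0.2"},  # hypothetical defunct zone that
    "2.0.0.127.dead.example": {"127.0.0.2"},  # answers "listed" for every name
}
TIMEOUTS = {"96.250.216.81.slow.example"}  # hypothetical zone that never answers

def fake_lookup(name):
    if name in TIMEOUTS:
        raise TimeoutError(name)
    return FAKE_DNS.get(name, set())

def dnsbl_query_name(client_addr, zone):
    """enhdnsbl reverses the dotted quad of ${client_addr} and appends the zone."""
    octets = ipaddress.IPv4Address(client_addr).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_client(client_addr, zone, tempfail=False, codes=None, lookup=fake_lookup):
    """Emulate one enhdnsbl check: return the SMTP reply sendmail would issue,
    or None to accept. tempfail mirrors the `t' argument; codes mirrors the
    optional return values (e.g. {"127.0.0.2"}) that must match to reject."""
    name = dnsbl_query_name(client_addr, zone)
    try:
        answers = set(lookup(name))
    except TimeoutError:
        return "451 Temporary lookup failure of %s" % name if tempfail else None
    if not answers or (codes is not None and not answers & set(codes)):
        return None
    return "554 Rejected %s listed at %s" % (client_addr, zone)

def list_is_sane(zone, lookup=fake_lookup):
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone that fails this (e.g. a defunct one answering for every name) would
    reject all mail, so it should be removed from sendmail.mc."""
    try:
        listed = bool(lookup(dnsbl_query_name("127.0.0.2", zone)))
        clean = not lookup(dnsbl_query_name("127.0.0.1", zone))
    except TimeoutError:
        return False
    return listed and clean

if __name__ == "__main__":
    for zone in ("cn-kr.blackholes.us", "cbl.abuseat.org", "dead.example"):
        print(zone, "sane" if list_is_sane(zone) else "BROKEN - disable it")
    print(check_client("81.216.250.96", "cbl.abuseat.org"))
```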
Jeff Groves wrote:
> No, it is doubtful that someone has taken the domain. These email
> worms are tenacious and spam the hell out of your server trying to
> freak-out the postmaster on the other end.
>
> On a separate note, I noticed that your DISCARD entries are pretty harsh.
>
> What you have now will prevent ANY hotmail.com, pacbell.net, or
> shawcable.net user from ever getting an email through to you in the
> future. Is that what you intended?
>
> Perhaps you might be more happy with implementing some DNS Blackhole
> lists in your sendmail.mc file? Here are just two of many that I
> use. These two knock-out a LARGE number of spam for me. The
> cn-kr.blackholes.us entry rejects pretty much any email that
> originates from a Chinese or Korean machine. The cbl.abuseat.org
> entry is fed by a pretty intense system of spam-traps:
>
> FEATURE(`enhdnsbl', `cn-kr.blackholes.us', `"554 Rejected
> "$&{client_addr} " -- We do not accept email from hosts in China or
> Korea."')dnl
> FEATURE(`enhdnsbl', `cbl.abuseat.org', `"554 Rejected "$&{client_addr}
> " -- We do not accept email from hosts controlled by known
> spammers."')dnl
>
> Hope this helps,
>
> Jeff G.
>
> Mark Fowle wrote:
>
>> Here's what I've had so far based on what I have been seeing in the
>> files...
>>
>> Connect:127 RELAY
>> hotmail.com DISCARD
>> bluebottle.com DISCARD
>> mailebs.com DISCARD
>> *.tw DISCARD
>> hush.ai DISCARD
>> supernal.net DISCARD
>> maxinet.net DISCARD
>> imexo.be DISCARD
>> pacbell.net DISCARD
>> shawcable.net DISCARD
>> FROM: 80.218.224.69 DISCARD
>>
>> Based on the number of times this occurs I would say someone has
>> taken the domain - I'm not sure how to get it back....
>>
>> Thanks,
>> Mark
>>
>>
>> Jeff Groves wrote:
>>
>>> Mark:
>>>
>>> Someone/something is doing either an address book scan of your
>>> machine (not very likely) or a virus/worm has gotten a hold of your
>>> domain name and is generating fake email address messages that will
>>> cause false "delivery failure" messages to be default delivered to
>>> some other target domain postmaster (not you) in the hope that the
>>> postmaster, usually a privileged user, will open one of the
>>> attachments and infect their system as well.
>>>
>>> Best bet in my opinion is to put an entry in your /etc/mail/access
>>> file to discard messages from the IP address/DNS name that is
>>> generating these messages:
>>>
>>> From:123.123.123.123 DISCARD
>>> From:infected.machine.bellsouth.net DISCARD
>>>
>>> This only works if you have:
>>>
>>> FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl
>>>
>>> included in your sendmail.mc file when you create your sendmail.cf
>>> file.
>>>
>>> Jeff G.
>>>
>>> Mark Fowle wrote:
>>>
>>>> Are there any sendmail gurus out there? I've seen this in my
>>>> maillogs and I'm not sure what's going on - I have tested the
>>>> environment for relaying (and it doesn't - except for what's
>>>> authorized) - plus I have added my SPF records to the zone files....
>>>> ... clip....
>>>> Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321:
>>>> <fletcher at thefowles.com>... no
>>>> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input
>>>> channel from [222.233.142.168] to MTA after data
>>>> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321:
>>>> from=<marylou.wigginsel at 163.net>, size=0, class=0, nrcpts=0,
>>>> proto=ESMTP, daemon=MTA, relay=[222.233.142.168]
>>>> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> <barber at thefowles.com>... no
>>>> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> <battle at thefowles.com>... no
>>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> <barr at thefowles.com>... no
>>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> <benjamin at thefowles.com>... no
>>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> <huber at thefowles.com>... no
>>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> <howe at thefowles.com>... no
>>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> <houston at thefowles.com>... no
>>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> <ibarra at thefowles.com>... no
>>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322:
>>>> from=<YZUOMGCYA at earthlink.net>, size=0, class=0, nrcpts=0,
>>>> proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net
>>>> [81.216.250.96]
>>>> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322:
>>>> <hurley at thefowles.com>... no
>>>> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322:
>>>> from=<zbgwfnrgf at telusplanet.net>, size=0, class=0, nrcpts=0,
>>>> proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net
>>>> [81.216.250.96]
>>>> ....clip.....
>>>> They don't appear to be getting in.. but the non-existent users @
>>>> my domain are my concern.... or am I worrying over nothing?
>>>>
>>>> Thanks,
>>>> Mark
>>>>
>>>
>
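Added example, not from the thread: a Python pass over maillog lines shaped like the excerpt at the bottom of the thread, grouping rejected recipients by queue id and relay so that one relay probing many non-existent local users, or dropping the connection after DATA, stands out as the recipient-harvest pattern Jeff describes. The sample log is constructed from the thread's lines, with '@' as in a real log and sendmail's usual "User unknown" wording assumed where the archive cut the recipient lines short.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the thread's maillog excerpt ('@' as in a real
# log; "User unknown" assumed where the archive truncated the recipient lines).
SAMPLE_LOG = """\
Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321: <fletcher@thefowles.com>... User unknown
Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input channel from [222.233.142.168] to MTA after data
Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: from=<marylou.wigginsel@163.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[222.233.142.168]
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <barber@thefowles.com>... User unknown
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <battle@thefowles.com>... User unknown
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <barr@thefowles.com>... User unknown
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <benjamin@thefowles.com>... User unknown
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: from=<YZUOMGCYA@earthlink.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: <hurley@thefowles.com>... User unknown
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: from=<zbgwfnrgf@telusplanet.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
"""

QID = r"sendmail\[\d+\]: (?P<qid>\w+): "
RCPT_RE = re.compile(QID + r"<(?P<rcpt>[^>]+)>\.\.\. ")
FROM_RE = re.compile(QID + r"from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+)(?: \[(?P<ip>[\d.]+)\])?")
LOST_RE = re.compile(QID + r"lost input channel from \[(?P<ip>[\d.]+)\]")

def parse_maillog(text):
    """Group each queue id's rejected recipients, envelope sender, relay IP and
    whether the client dropped the connection after DATA."""
    q = defaultdict(lambda: {"rejected": [], "sender": None, "ip": None, "lost": False})
    for line in text.splitlines():
        if m := RCPT_RE.search(line):
            q[m["qid"]]["rejected"].append(m["rcpt"])
        elif m := FROM_RE.search(line):
            q[m["qid"]]["sender"] = m["sender"]
            q[m["qid"]]["ip"] = m["ip"] or m["relay"].strip("[]")
        elif m := LOST_RE.search(line):
            q[m["qid"]]["lost"] = True
            q[m["qid"]]["ip"] = q[m["qid"]]["ip"] or m["ip"]
    return dict(q)

def suspicious_relays(text, min_rejected=3):
    """Relay IPs that probed at least min_rejected unknown local recipients or
    dropped the connection after DATA; the sender domains they claimed are kept
    because they vary per session while the relay stays the same."""
    per_ip = defaultdict(lambda: {"rejected": 0, "sender_domains": set(), "lost": False})
    for rec in parse_maillog(text).values():
        if rec["ip"] is None:
            continue
        r = per_ip[rec["ip"]]
        r["rejected"] += len(rec["rejected"])
        r["lost"] = r["lost"] or rec["lost"]
        if rec["sender"]:
            r["sender_domains"].add(rec["sender"].rpartition("@")[2])
    return {ip: r for ip, r in per_ip.items() if r["rejected"] >= min_rejected or r["lost"]}
```

The relay IP, not the forged envelope sender, is the value worth feeding into the access map or a DNSBL check, which is the point Jeff makes about the DISCARD entries.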