View Full Version : Interesting Thought About Port 25 And Winbot Machines


ladylinux
10-04-04, 13:09
Hello,

Some of you out there might not totally get this little wrinkle but I am seeing it.

Scenario ..

Customer buys a business class ADSL .. (No Blocking Of Port 25)

Customer then buys a business class hosting account with one of us .. let's say 100 to 1000 e-mails. 100 to 1000 winbots .. He ran out of money for a decent antivirus solution .. Or maybe has a doof as a sys admin ..

Customer gets bagle virus on winbot network .. and guess where all the mail gets routed out through .. through all the winbot machines

Yep you got it .. Your servers ..

Scary world out there huh ??? .. Just thought I might want to throw out this Really happening to a Client of mine scenario.

Regards,

Lady Linux :)

ladylinux
10-04-04, 13:17
Hello,

Wanna know a way to eliminate this .. Ok Mitigate the results ..

Have qmail listen on a diff port .. and make your customers connect to that ..

Somehow ?? .. It's a voluntary thing you know .. Since you can't shut off port 25 ..

Lady Linux

dch
10-04-04, 13:31
If you had authsender switched on and spamguard - this would protect to an extent, wouldn't it?

This problem would be if the from address would be random addresses from the valid domain name (for authsender), in which case we should probably re-write spamguard to work on a domain basis rather than an email address basis?

ladylinux
10-04-04, 13:39
If you had authsender switched on and spamguard - this would protect to an extent, wouldn't it?

Yes .. But do you want that overhead of calling all your winbot customers who I would guess 60% are infected ..

I am mostly throwing this out .. There are a lot of ways to block it .. But not many ways to keep your sanity .. and support load down ..

Regards,

Lady Linux

profitability
10-04-04, 13:41
An IDS/IPS system or even a network-based antivirus system would probably help enormously, dropping the packets containing the Bagle payload before they ever hit your mail server.

Andrew

ladylinux
10-04-04, 13:44
Hello,

Want another fix ..

No more 25 outbound on client winbot machines ..

Firewall would do that .. Zone Alarm is free ..

You know how much spam would go buh bye right there ???

Then ISP's would just say hey you .. Customers ??? .. Use this port to send mail through me ..

Then it would take some sort of per customer domain blocking of port 25 on the ISP's side to shut off non compliant machines ..

Port 587 works right now .. Although SPF is not totally done on PSOFT's side ..

Lady Linux

ladylinux
10-04-04, 13:48
Hello,

An IDS/IPS system or even a network-based antivirus system would probably help enormously, dropping the packets containing the Bagle payload before they ever hit your mail server.


Still not really answering the support issue .. Lots of ways to shut em off .. Little way to allow winbots to send mail safely with zero or near zero admin support at the ISP.

And heck .. Most servers here are at DC's .. with almost zero of those types of features ..

It is a good point Andrew .. But heck .. Most people here can't have access to that ..

Regards,

Francesca

profitability
10-04-04, 13:56
It'll be interesting to see how things shake out with SPF. The current paradigm of having people relay their mail through their ISP may be shifting as a result. Which makes me think the burden of containing clients' spam problems may be shifting away from the ISPs to the 3rd party email/hosting providers. Personally I think that's a bad thing -- ISPs seem to me to be in the best position to do something about it since they have the ability to stop it before it leaks out of their network...but then they haven't exactly done a stellar job of it up to now anyway...

Andrew

ladylinux
10-04-04, 14:01
Andrew,

but then they haven't exactly done a stellar job of it up to now anyway...

Most want it that way on purpose (No Comment Needed But Most You Understand What I Am Talking About) ..

It's the old saying

I have met the enemy .. and the enemy is me ..

Lady Linux

dorijan
10-05-04, 01:34
The biggest problem you will get for yourself is the crying customer, because he has to do some "different" config.

I setup a small but fast Exim Mail-In and Mail-Out gateway on 2 VPS machines.

I did some config adjustments to get rid of most spambots:

- Strict RFC checks - you don't send 100% RFC-compatible = you don't send any mail at all over it.
- Greylisting - all but our own domains get greylisted = causes 95% of the spambots to go crazy and abort.
- Selective bounces only - no bounces to yahoo / msn / hotmail / $freemailer
- Rate limit on the firewall - no more than 5 connects / sec per IP to port 25
- Only SMTP-Auth, no timeframe solutions with POP before SMTP; you have to auth for every mail you want to send out.

womby
10-05-04, 02:26
Any chance of you posting your config?
The greylisting and RFC checks sound interesting.

dorijan
10-05-04, 05:38
Hi,

I'll post them once I'm back home.

But beware: you need an external machine (a VPS is enough in my environment) to act as the mail hub. My settings are for Exim only, not for qmail, which H-Sphere uses.

womby
10-05-04, 21:36
That isn't a problem at all; building mail systems has been my job for the last 4 years. I am just interested in seeing your techniques.

dorijan
10-10-04, 16:17
Here are some snippets,

I'm using exim4 with vexim to look up account data from MySQL.

apt-get install greylistd (worked well for me)

/etc/exim4/vexim-acl-check-rcpt.conf
(used to check those who get incoming mail)

I added:

# Greylisting added

# accept authenticated users immediately
accept
  authenticated = *

# accept mail for our own and relay domains from hosts listed in the
# greylistd whitelist file (if that file exists) without greylisting
accept
  hosts   = ${if exists {/etc/mail/greylistd/whitelist-hosts} \
                        {/etc/mail/greylistd/whitelist-hosts} {} }
  domains = +local_domains : +relay_to_domains

# Consult "greylistd" to obtain greylisting status for this particular
# peer/sender/recipient triplet.
#
# Note that we do not greylist messages with NULL sender, because
# sender callout verification would break (and we might not be able
# to send mail to a host that performs callouts).
#
# Also note that the recipient address has not yet been verified.
# If you do not want to perform greylisting for non-existing
# recipients, but rather skip this statement to allow for a 550 (reject)
# response below, uncomment the "verify = recipient..." condition.
#
defer
  message     = $sender_host_address is not yet authorized to deliver mail \
                from <$sender_address> to <$local_part@$domain>. \
                Please try later.
  log_message = greylisted.
  !senders    = :
  domains     = +local_domains : +relay_to_domains
  # verify    = recipient/callout=20s,defer_ok
  # build the "ip sender recipient" triplet and ask greylistd over its
  # socket (5s timeout); it answers "grey" (defer) or "white" (let through)
  set acl_m9  = $sender_host_address $sender_address $local_part@$domain
  set acl_m9  = ${readsocket{/var/run/greylistd/socket}{$acl_m9}{5s}{}{}}
  condition   = ${if eq {$acl_m9}{grey}{true}{false}}


so even RCPT TO : gets greylisted

/etc/exim4/vexim-acl-check-content.conf [checking content, so no emails with NULL data, i.e. CPS-Request@verisign.com spams, pass our system w/o greylisting]

# accept authenticated users immediately
accept
  authenticated = *

# greylist bounces / delivery status reports (NULL sender or postmaster),
# which the RCPT ACL above deliberately skipped; key on the peer address
# and the full recipient list instead of a single recipient
defer
  message     = $sender_host_address is not yet authorized to send \
                delivery status reports to <$recipients>. \
                Please try later.
  log_message = greylisted.
  senders     = : postmaster@*
  set acl_m9  = $sender_host_address $recipients
  set acl_m9  = ${readsocket{/var/run/greylistd/socket}{$acl_m9}{5s}{}{}}
  condition   = ${if eq {$acl_m9}{grey}{true}{false}}

No mail is received locally at all; it's all passed on to the internal MX through the smarthost setting. I just kept the vexim settings so all Exim boxes have a similar configuration layout.

As for RFC, I require mail to be sent in the format:

<user@[mailserver.domain.tld]>


If the mail address isn't in < > it won't be accepted. So far I had no complaints from any customer about lost mail.

Reverse DNS has to exist, otherwise no go.

The next thing I'm looking into is SPF, but I didn't bother much with it, as all major ISPs in Germany didn't bother yet as well.
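As an added illustration of the greylisting step from dorijan's list and of what the RCPT ACL above delegates to greylistd over /var/run/greylistd/socket (this is example code, not dorijan's config and not greylistd's own implementation): a Python model of the triplet store that answers "grey" or "white", wrapped in the decision order of the posted ACL (authenticated and whitelisted hosts accepted first, NULL sender skipped, first-seen triplet deferred). The retry window values are assumptions chosen for the illustration, not greylistd's defaults.

```python
import time

# Retry window: assumptions for this illustration, not greylistd's defaults.
# A first-seen triplet must come back after RETRY_MIN seconds; one that is
# never retried is forgotten after RETRY_MAX seconds and starts over.
RETRY_MIN = 300          # 5 minutes
RETRY_MAX = 4 * 3600     # 4 hours


class Greylist:
    """Tracks (peer IP, sender, recipient) triplets, the same key the ACL
    writes to /var/run/greylistd/socket, and answers 'grey' or 'white'."""

    def __init__(self):
        self.first_seen = {}   # triplet -> time it was first deferred
        self.known = set()     # triplets whose sender retried correctly

    def query(self, triplet, now):
        if triplet in self.known:
            return "white"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RETRY_MAX:
            self.first_seen[triplet] = now    # new or stale: start the clock
            return "grey"
        if now - seen < RETRY_MIN:
            return "grey"                     # retried too soon, keep deferring
        del self.first_seen[triplet]          # a real MTA queued and retried
        self.known.add(triplet)
        return "white"


def acl_check_rcpt(gl, peer, sender, rcpt, *, authenticated=False,
                   whitelist_hosts=(), local_domains=(), now=None):
    """Decision order of the posted RCPT ACL: 'accept', 'defer' (451) or
    'continue' (fall through to the later statements in that ACL)."""
    now = time.time() if now is None else now
    domain = rcpt.rpartition("@")[2]
    if authenticated:                          # accept / authenticated = *
        return "accept"
    if peer in whitelist_hosts and domain in local_domains:
        return "accept"                        # accept / hosts = whitelist file
    if sender == "":                           # !senders = :  (NULL sender)
        return "continue"
    if domain not in local_domains:            # domains = +local_domains : ...
        return "continue"
    if gl.query((peer, sender, rcpt), now) == "grey":
        return "defer"                         # "Please try later."
    return "continue"
```

A spambot that never retries the deferred triplet never gets past the defer, while a real MTA that queues and retries after the window is let through and then stays whitelisted for that triplet.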