From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <7d775a295395a72f520ebea886c1bdc9@collyer.net>
From: Geoff Collyer
To: 9fans@cse.psu.edu
Subject: [9fans] latest smtpd anti-spam
Date: Mon, 15 Mar 2004 02:12:23 -0800

If you pull now, you'll get an smtpd with my most recent anti-spam
measure in it. It's intended for sites with separate inside and outside
networks.

If you have a /mail/lib/senders file, the envelope of an incoming message
will be checked to verify that mail to particular addresses is coming
only from a certain set of domain names or IP addresses. Addresses not
mentioned in /mail/lib/senders are not affected by this processing.
There's a single system-wide list because implementing per-user lists
would require fully resolving recipient addresses to determine which
users they correspond to, in smtpd, since we're again trying to keep the
spam from being sent. In a trusting environment, I suppose one could
make /mail/lib/senders world-writable and append-only.

To make use of this, I have added a single rule to /mail/lib/rewrite:

	# user.* → user
	(local!)?([^!.]+)\.[^!]+	alias	\2

before local mail delivery but after alias file translation. This means
that any incoming mail to geoff.anything gets treated as mail to geoff.
I can then invent addresses on the fly when filling out web forms. It's
a hook that allows for a number of possible tricks, among them tracking
who is leaking your addresses to spammers. sendmail does something
similar with user+tag addresses; I like dot in part because it's
unshifted and easy to type.

This is my /mail/lib/senders; the first column is a recipient address
and the second is the domain name or IP address of a legitimate sending
system for that recipient address.
For example, I should only get mail to geoff.9fans from mail.cse.psu.edu
(and only ever have, I scanned my mail logs). When given a domain name,
we look up the name and compare all the returned IP addresses against
our peer's IP. This is safer than reverse mapping the peer's IP since
people who control their reverse maps can lie, especially if they run
BIND instead of Plan 9's dns. Reverse dns maps are also sometimes
accidentally missing or wrong at sites that run BIND.

	# collyer.net!geoff.buy	mail03.rm04.net
	# collyer.net!geoff.ubc	www.bussops.ubc.ca
	collyer.net!geoff.9fans	mail.cse.psu.edu
	collyer.net!geoff.monster	smtp-nat.ma.tmpw.net
	collyer.net!geoff.monster	smtp-nat.in.tmpw.net
	# for register.com, IP addresses are more stable than DNS names
	collyer.net!geoff.register	209.67.50.16
	collyer.net!geoff.register	216.21.228.13
	collyer.net!geoff.register	216.21.229.220
	collyer.net!geoff.register	216.32.192.101
	collyer.net!geoff.sans	63-100-47-56.sans.org
	collyer.net!geoff.spamcop	vmx1.spamcop.net
	collyer.net!geoff.std	europe.std.com
	collyer.net!geoff.std	smtp.theworld.com
	collyer.net!geoff.toad	new.toad.com
	collyer.net!geoff.well	assassin.well.com
	collyer.net!geoff.well	smtp.well.com

Here are a few rejections from /sys/log/smtpd, just within the last few
hours. It's a very good bet that every one of the senders is a spammer,
since they have no legitimate reason to be sending mail to geoff.9fans,
geoff.register, or geoff.spamcop.
	cpud Mar 14 21:06:21 Disallowed sending IP of HANMAIL.NET!geoff.9fansgeoff.9fans (Server.fremantle.juliennepenny.com.au/202.154.89.214) to collyer.net!geoff.9fans
	cpud Mar 14 21:44:10 Disallowed sending IP of lawyer.com!btijd (63.192.14.235/61.173.241.234) to collyer.net!geoff.9fans
	cpud Mar 14 21:54:30 Disallowed sending IP of dsl-verizon.net!ua.peck (63.192.14.235/219.95.192.19) to collyer.net!geoff.spamcop
	cpud Mar 14 22:05:46 Disallowed sending IP of sbprss.com!bTpISwhu (qb3.sbprss.com/66.54.93.250) to collyer.net!geoff.register
	cpud Mar 14 23:00:05 Disallowed sending IP of yahoo.com!pwlyutuox (12-215-216-14.client.mchsi.com/12.215.216.14) to collyer.net!geoff.9fans
	cpud Mar 15 00:42:43 Disallowed sending IP of netzero.com!vdjrp (218.93.19.82/218.93.19.82) to collyer.net!geoff.9fans
	cpud Mar 15 01:00:57 Disallowed sending IP of rescueteam.com!pthregmkobe (pd950f731.dip.t-dialin.net/217.80.247.49) to collyer.net!geoff.9fans
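An offline model of the two mechanisms in this message, added here as an example and not taken from the Plan 9 smtpd source: the /mail/lib/senders envelope check (forward-resolving each listed name and comparing every returned address against the peer's IP, so an unresolvable name fails closed) and the user.* → user rewrite rule. The senders excerpt is constructed from the list above, and FAKE_DNS is a constructed name-to-address map standing in for a real forward lookup.

```python
import ipaddress
import re
# Constructed excerpt of a /mail/lib/senders file: recipient address, then one
# allowed sending domain name or IP address; '#' starts a comment.
SENDERS_FILE = """\
# collyer.net!geoff.buy mail03.rm04.net
collyer.net!geoff.9fans mail.cse.psu.edu
collyer.net!geoff.register 209.67.50.16
collyer.net!geoff.register 216.21.228.13
"""
# Constructed stand-in for forward DNS (name -> A records), using RFC 5737
# documentation addresses, so the example runs offline.
FAKE_DNS = {"mail.cse.psu.edu": ["192.0.2.10", "192.0.2.11"]}
REWRITE = re.compile(r"(local!)?([^!.]+)\.[^!]+")  # the user.* -> user rule

def canonical_user(addr):
    """Apply the rewrite rule: geoff.anything -> geoff; others unchanged."""
    m = REWRITE.fullmatch(addr)
    return m.group(2) if m else addr

def parse_senders(text):
    """Map each listed recipient to its allowed sources (names or IPs)."""
    allowed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rcpt, source = line.split()
            allowed.setdefault(rcpt, []).append(source)
    return allowed

def source_ips(source, dns):
    """Literal IPs pass through; names are forward-resolved. An unknown
    name yields no IPs, so the check fails closed rather than open."""
    try:
        return {str(ipaddress.ip_address(source))}
    except ValueError:
        return set(dns.get(source, []))

def check_envelope(rcpt, peer_ip, allowed, dns=FAKE_DNS):
    """True if peer_ip may send to rcpt. Recipients not in the senders
    file are unaffected; listed ones must match a resolved source IP."""
    if rcpt not in allowed:
        return True
    permitted = set().union(*(source_ips(s, dns) for s in allowed[rcpt]))
    return peer_ip in permitted

def rejection_log(sender, peer_name, peer_ip, rcpt):
    """Log line in the form smtpd writes to /sys/log/smtpd."""
    return f"Disallowed sending IP of {sender} ({peer_name}/{peer_ip}) to {rcpt}"
```

The check runs on the envelope recipient before the rewrite rule collapses geoff.9fans to geoff, which is why the tagged address is what appears in both the senders file and the log.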