From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID:
To: 9fans@cse.psu.edu
Subject: Re: [9fans] upas "open relay" issue
From: Geoff Collyer
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Date: Mon, 21 Oct 2002 00:00:06 -0700
Topicbox-Message-UUID: 08af4afc-eacb-11e9-9e20-41e7f4b1d025

We run with "norelay on" on our outside interfaces, but I also took
the extra paranoid step of bouncing a@b@c addresses in rewrite.in.
They are illegal and if smtpd lets them in, I think it's perfectly
permissible to squash them:

: cpu; cat /mail/lib/rewrite.in
# optimisation; throw mail addressed to the bit bucket away right now
(([^@!.]+\.)*collyer\.(net|ca)!)?(nobody|none|/dev/null) | "cat >/dev/null"
# reject any address with a % or 2 @s because spammers might try to relay through us.
# let route-addrs through, at least for now.
.*(%|.@.*@).* | "/mail/lib/haspercent '&' '\s'"
# queue msg. for inside iff not spam
.* | "/mail/lib/qmail.in '\s' /net/tcp!$site!25 '&'"

Coincidentally, our ISP (Pac Bell) blithely told the MAPS (spam
cowboy) people on Friday that an entire /12 IP block, including the
subnet for our house, was (1) *all* dial-up IP addresses, and (2)
therefore should not be permitted to send mail.  Of course they didn't
bother to tell us, so we found out when mail to aol started
mysteriously bouncing.  Bzzt!  Luckily MAPS quickly figured out that
Pac Bell were lying or incompetent (or both) and undid the damage:

``When an ISP submits their IPs/netblocks to the DUL, we can usually
assume that the information they give us is correct.''
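
Added example, not part of the original message: the three rewrite.in patterns above, evaluated first-match-wins over constructed addresses to show which ones are discarded, rejected or queued. It assumes a pattern must match the whole address and uses Python's re in place of Plan 9 regexp; the action labels are hypothetical names for this example.

```python
import re

# The three rules from the rewrite.in quoted in the message, in file order.
# Action labels are hypothetical; the real file pipes to "cat >/dev/null",
# /mail/lib/haspercent and /mail/lib/qmail.in respectively.
RULES = [
    (r"(([^@!.]+\.)*collyer\.(net|ca)!)?(nobody|none|/dev/null)", "bitbucket"),
    (r".*(%|.@.*@).*", "reject"),
    (r".*", "queue"),
]
COMPILED = [(re.compile(pattern), action) for pattern, action in RULES]


def classify(addr):
    """Return the action of the first rule whose pattern matches all of addr.

    Assumption: a pattern has to match the entire address (hence fullmatch),
    with Python's re standing in for Plan 9 regexp on this syntax.
    """
    for pattern, action in COMPILED:
        if pattern.fullmatch(addr):
            return action
    return None  # not reached while the final catch-all rule is present


# Constructed sample addresses, not taken from real traffic.
SAMPLES = [
    "collyer.net!nobody",               # bit bucket, with domain prefix
    "mail.collyer.ca!/dev/null",        # bit bucket, subdomain form
    "glenda",                           # ordinary local name
    "user@example.org",                 # a single @ is fine
    "user%example.org@relay.example",   # percent-hack relay form
    "a@b@c",                            # two @s, the case from the message
    "@relay.example:user@example.org",  # route-addr: no character precedes
]                                       # the first @, so ".@.*@" cannot match


def run_samples():
    """Map each constructed sample address to the action it falls into."""
    return {addr: classify(addr) for addr in SAMPLES}


if __name__ == "__main__":
    for addr, action in run_samples().items():
        print(f"{action:10} {addr}")
```
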