[wplug-internet] Spam

Vance Kochenderfer vkochend at nyx.net
Thu Jun 26 13:19:41 EDT 2008


DK <wplug at curlynoodle.com> wrote:
> 
> I received a spam message last night.  It appears to be addressed to
> postmaster at wplug.org.  Who all receives mail from this alias?

All mail to root goes to those on the internet committee: you,
Mike Semcheski, Dave Ostroske, and Ted Rodgers.  The postmaster
alias (and dozens of others, see /etc/aliases) forwards to root.

On the subject of spam control, last month I activated the
pbl.spamhaus.org blocklist on Postfix, but only in warning mode
so it doesn't actually reject messages; it just logs them.  The
initial statistics I collected showed it would only cut down a
small number of spam messages (<20) per day.  If someone wants to
examine the maillog to get an updated picture, have at it.

Here's an example of a spam message that got through, but would
have been rejected by the blocklist:

Jun 26 11:46:10 li18-88 postfix/smtpd[13152]: connect from unknown[84.77.159.234]
Jun 26 11:46:11 li18-88 postfix/smtpd[13152]: NOQUEUE: reject_warning: RCPT from unknown[84.77.159.234]: 554 5.7.1 Service unavailable; Client host [84.77.159.234] blocked using pbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=84.77.159.234; from=<labor at ramones.rootoon.com> to=<events at wplug.org> proto=SMTP helo=<gxoyab.omrzjb.com>
Jun 26 11:46:11 li18-88 postgrey[3467]: action=pass, reason=triplet found, delay=303, client_name=unknown, client_address=84.77.159.234, sender=labor at ramones.rootoon.com, recipient=events at wplug.org
Jun 26 11:46:11 li18-88 postfix/smtpd[13152]: B20EC68417: client=unknown[84.77.159.234]
Jun 26 11:46:12 li18-88 postfix/cleanup[13154]: B20EC68417: message-id=<7054121230.20080626152515 at ramones.rootoon.com>
Jun 26 11:46:12 li18-88 postfix/qmgr[3532]: B20EC68417: from=<labor at ramones.rootoon.com>, size=2525, nrcpt=1 (queue active)

The reject_warning line is the one inserted by the blocklist
(these can be easily found as they are the only ones that contain
pbl.spamhaus.org).  The HELO hostname is obviously fake, so we
know it's spam.  It made it through greylisting, and the queue
active shows it was accepted for delivery.

Note that most spam tagged by the blocklist gets rejected anyway
for other reasons (greylisting is a major reason).  Here's one
that was rejected for being sent to a nonexistent address, so no
benefit is obtained from the blocklist in this instance:

Jun 26 11:27:12 li18-88 postfix/smtpd[13112]: connect from pool-72-79-193-125.spfdma.east.verizon.net[72.79.193.125]
Jun 26 11:27:14 li18-88 postfix/smtpd[13112]: NOQUEUE: reject_warning: RCPT from pool-72-79-193-125.spfdma.east.verizon.net[72.79.193.125]: 554 5.7.1 Service unavailable; Client host [72.79.193.125] blocked using pbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=72.79.193.125; from=<panoramasxv5 at tmomail.net> to=<agilysys.com at wplug.org> proto=ESMTP helo=<pool-72-79-193-125.spfdma.east.verizon.net>
Jun 26 11:27:14 li18-88 postfix/smtpd[13112]: NOQUEUE: reject: RCPT from pool-72-79-193-125.spfdma.east.verizon.net[72.79.193.125]: 550 5.1.1 <agilysys.com at wplug.org>: Recipient address rejected: User unknown in local recipient table; from=<panoramasxv5 at tmomail.net> to=<agilysys.com at wplug.org> proto=ESMTP helo=<pool-72-79-193-125.spfdma.east.verizon.net>
Jun 26 11:27:15 li18-88 postfix/smtpd[13112]: disconnect from pool-72-79-193-125.spfdma.east.verizon.net[72.79.193.125]

I'm not aware of any automated way to parse this information, so
AFAIK you'll have to look through the logs by hand to collect
statistics on how much spam would be rejected by using this.
That's what I did back when I initially got into this.  Especially
when there are several connections going at once, you need to look
at the process ID to track the path of a single SMTP transaction.

Note that for the four or so days I looked at, there were 2 or 3
messages that could have been false positives; that is, from the
log information they were not obviously spam.  Of course, without
being able to see the body of the messages it's impossible for me
to say whether any actually legitimate messages would have been
rejected by using the blocklist.

Vance Kochenderfer        |  "Get me out of these ropes and into a
vkochend at nyx.net          |   good belt of Scotch"    -Nick Danger
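The manual procedure described in the message (find the reject_warning lines that name pbl.spamhaus.org, then follow each smtpd process ID through connect, greylisting, queue ID and disconnect to see whether the message was actually accepted) can be automated. The script below is an added example written for this archive page; it is not code from the original message or from the WPLUG servers. It assumes stock Postfix and postgrey log formats as quoted above, and it runs against a constructed sample log (hypothetical host mx1, RFC 5737 test addresses, example.* domains) that interleaves four sessions: one listed client that got through, one listed client rejected for an unknown recipient, one listed client stopped by greylisting, and one unlisted legitimate sender.

```python
"""Group Postfix/postgrey maillog lines into SMTP sessions by smtpd PID and
classify every session that triggered the pbl.spamhaus.org reject_warning."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log (not real traffic), modelled on the lines quoted in the message.
SAMPLE_LOG = """\
Jun 26 11:46:10 mx1 postfix/smtpd[13152]: connect from unknown[192.0.2.10]
Jun 26 11:46:11 mx1 postfix/smtpd[13152]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using pbl.spamhaus.org; from=<labor@example.net> to=<events@example.org> proto=SMTP helo=<gxoyab.example>
Jun 26 11:46:11 mx1 postgrey[3467]: action=pass, reason=triplet found, delay=303, client_name=unknown, client_address=192.0.2.10, sender=labor@example.net, recipient=events@example.org
Jun 26 11:46:11 mx1 postfix/smtpd[13152]: B20EC68417: client=unknown[192.0.2.10]
Jun 26 11:46:12 mx1 postfix/cleanup[13154]: B20EC68417: message-id=<1@example.net>
Jun 26 11:46:12 mx1 postfix/qmgr[3532]: B20EC68417: from=<labor@example.net>, size=2525, nrcpt=1 (queue active)
Jun 26 11:46:12 mx1 postfix/smtpd[13112]: connect from unknown[192.0.2.20]
Jun 26 11:46:13 mx1 postfix/smtpd[13200]: connect from unknown[192.0.2.30]
Jun 26 11:46:13 mx1 postfix/smtpd[13152]: disconnect from unknown[192.0.2.10]
Jun 26 11:46:14 mx1 postfix/smtpd[13112]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.20]: 554 5.7.1 Service unavailable; Client host [192.0.2.20] blocked using pbl.spamhaus.org; from=<a@example.com> to=<nobody@example.org> proto=ESMTP helo=<unknown>
Jun 26 11:46:14 mx1 postfix/smtpd[13112]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.com> to=<nobody@example.org> proto=ESMTP helo=<unknown>
Jun 26 11:46:15 mx1 postfix/smtpd[13200]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.30]: 554 5.7.1 Service unavailable; Client host [192.0.2.30] blocked using pbl.spamhaus.org; from=<b@example.com> to=<info@example.org> proto=ESMTP helo=<unknown>
Jun 26 11:46:15 mx1 postgrey[3467]: action=greylist, reason=new, client_name=unknown, client_address=192.0.2.30, sender=b@example.com, recipient=info@example.org
Jun 26 11:46:15 mx1 postfix/smtpd[13200]: NOQUEUE: reject: RCPT from unknown[192.0.2.30]: 450 4.2.0 <info@example.org>: Recipient address rejected: Greylisted; from=<b@example.com> to=<info@example.org> proto=ESMTP helo=<unknown>
Jun 26 11:46:16 mx1 postfix/smtpd[13112]: disconnect from unknown[192.0.2.20]
Jun 26 11:46:16 mx1 postfix/smtpd[13200]: disconnect from unknown[192.0.2.30]
Jun 26 11:46:20 mx1 postfix/smtpd[13300]: connect from mail.example.com[198.51.100.5]
Jun 26 11:46:21 mx1 postgrey[3467]: action=pass, reason=client whitelist, client_name=mail.example.com, client_address=198.51.100.5, sender=c@example.com, recipient=info@example.org
Jun 26 11:46:21 mx1 postfix/smtpd[13300]: C1A2B34567: client=mail.example.com[198.51.100.5]
Jun 26 11:46:22 mx1 postfix/qmgr[3532]: C1A2B34567: from=<c@example.com>, size=1200, nrcpt=1 (queue active)
Jun 26 11:46:22 mx1 postfix/smtpd[13300]: disconnect from mail.example.com[198.51.100.5]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"^(?:dis)?connect from (?P<name>\S+?)\[(?P<ip>[\d.]+)\]")
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): ")          # Postfix queue ID prefix
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+: (?P<reason>[^;]*)")  # not reject_warning
GREYLIST_RE = re.compile(r"action=greylist, .*client_address=(?P<ip>[\d.]+)")


class Transaction:
    """One SMTP session: everything a single smtpd PID logs between connect and disconnect."""

    def __init__(self, pid: str, client_ip: str) -> None:
        self.pid = pid
        self.client_ip = client_ip
        self.blocklist_hit = False                 # reject_warning named pbl.spamhaus.org
        self.reject_reason: Optional[str] = None   # Postfix's own reject (550/450 ...), if any
        self.queue_id: Optional[str] = None
        self.queued = False                        # qmgr logged "(queue active)" for queue_id
        self.greylisted = False                    # postgrey answered action=greylist

    def outcome(self) -> str:
        if not self.blocklist_hit:
            return "not-listed"
        if self.queued:
            return "accepted"          # got through: enforcing the blocklist would have stopped it
        if self.greylisted:
            return "greylisted"        # stopped by greylisting this time; no extra benefit
        if self.reject_reason:
            return "rejected-anyway"   # stopped by another check, e.g. unknown recipient
        return "unknown"


def analyze(log_text: str) -> List[Transaction]:
    open_tx: Dict[str, Transaction] = {}   # smtpd PID -> session in progress
    by_qid: Dict[str, Transaction] = {}    # queue ID -> session that created it
    done: List[Transaction] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "postgrey":
            g = GREYLIST_RE.search(msg)
            if g:   # postgrey has its own PID, so correlate by client address instead
                for tx in open_tx.values():
                    if tx.client_ip == g["ip"]:
                        tx.greylisted = True
        elif prog == "postfix/smtpd":
            c = CLIENT_RE.match(msg)
            if c and msg.startswith("connect"):
                open_tx[pid] = Transaction(pid, c["ip"])
                continue
            tx = open_tx.get(pid)
            if tx is None:
                continue   # session began before the start of the log excerpt
            if "pbl.spamhaus.org" in msg:
                tx.blocklist_hit = True
            r = REJECT_RE.search(msg)
            if r:
                tx.reject_reason = r["reason"]
            q = QUEUE_RE.match(msg)
            if q and "client=" in msg:
                tx.queue_id = q["qid"]
                by_qid[q["qid"]] = tx
            if msg.startswith("disconnect"):
                done.append(open_tx.pop(pid))
        elif prog == "postfix/qmgr":
            q = QUEUE_RE.match(msg)
            if q and "(queue active)" in msg and q["qid"] in by_qid:
                by_qid[q["qid"]].queued = True
    done.extend(open_tx.values())   # sessions still open when the log ends
    return done


def summarize(log_text: str) -> Dict[str, int]:
    """Count sessions per outcome; 'accepted' is the number the blocklist would have cut."""
    return dict(Counter(tx.outcome() for tx in analyze(log_text)))


if __name__ == "__main__":
    for tx in analyze(SAMPLE_LOG):
        print(tx.pid, tx.client_ip, tx.outcome(), tx.queue_id or tx.reject_reason or "")
    print(summarize(SAMPLE_LOG))
```

Run it against a real maillog with `analyze(open("/var/log/maillog").read())`; the "accepted" count is the per-day figure the message estimates by hand, and listing the "accepted" sessions' sender, HELO and queue ID is also the quickest way to review the handful of possible false positives the message mentions, since those are exactly the listed clients whose mail was otherwise delivered.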

