
Help with configuring sendmail to stop spam

Status
Not open for further replies.

spikesnet

Technical User
May 25, 2004
6
US
I've been getting spam to a local address with a From field that matches the To field. This is causing the spam to skip over my filters as it seems to be for me, sent by me.

Is there any way I can configure sendmail to check to make sure the From field is really coming from the correct server?
 
Although I'm not sure if it will stop the specific issue you mentioned, you may like to try SpamAssassin.

This cut down my spam a lot for a while - but then it started to build up again. Don't actually know why - perhaps the spammers have worked out how to avoid the "points" system used by SpamAssassin.

So now, I have added dnsbl to sendmail, which will check a blackhole list and not accept email from known spam sites. As I just got it running barely an hour ago, I can't say how much it will help, but I'm keeping my fingers crossed!

HTH, Max Hugen
Sydney Australia
 
I already have anti-spam software/filters. The problem is that I allow email from myself, so that I can email myself things.

Spammers are sending me email and making it look like it is coming from me. I need a way to stop this from happening without denying email from myself.
 
SpamAssassin is a great tool but requires tweaking and white listing. I use it in conjunction with the Spamhaus RBL and it is very very effective. Add this to your sendmail.mc to query the rbl & xbl @ spamhaus.
FEATURE(`dnsbl', `sbl-xbl.spamhaus.org', `"571 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by /spamhaus/ ;Please see
Run thru m4 preprocessor and you're done.

Cogito Ergo Sum - Non Compos Mentis
 
Will adding:

FEATURE(`dnsbl', `sbl-xbl.spamhaus.org', `"571 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by /spamhaus/ ;Please see
to my sendmail.mc file cause sendmail to check to make sure the From address is coming from the correct domain?

That's really all I'm trying to do. My domain is spikes.net. If an email comes in for user@spikes.net from user@spikes.net and the email is coming from somewhere other than a machine in the domain spikes.net I want to reject it.
 
It checks the Spamhaus RBL during the initial SMTP conversation for known spammers and rejects any that are found on its RBL.

Cogito Ergo Sum - Non Compos Mentis
 
As per Rhinokiller's post, I'm now also using Spamhaus's SBL-XBL.

For a while spam dropped markedly, but it's been gradually building up again.

Next, I started adding the IPs in the spam header to my access list with the message: "550 Rejected as spam."

It too helped reduce the volume of spam, but I find that I need to add more IPs on a daily basis. :-(

In another post at this forum, I've asked if anyone can advise how I could forward spam to the FTC. Maybe if enough sendmail administrators do this (that is, if it's practical), perhaps more spammers will be prosecuted?

I guess no matter what we do, it will be an ongoing maintenance task, and the best we could hope for might be to keep the volume of spam reaching our users down to a "reasonable" level?

HTH,
Max Hugen
Sydney Australia
 
R U using SpamAssassin in conjunction with Spamhaus? Very effective.

Cogito Ergo Sum - Non Compos Mentis
 
How come I can't just make sendmail look for people spoofing their email addresses? That's all I wanted to do when I started this thread.
 
Sometimes threads go off on a tangent. The idea here is to help everyone.

Cogito Ergo Sum - Non Compos Mentis
 

Which is fine, but I've been trying to get an answer since May 25, 2004. Do I need to open a whole new thread to get back to my problem?
 
Truth is, there's no "sure fire" way to do what you want to do. rDNS is a good start but there are so many badly configured mail servers out there that allow spammers to do what they do. How do you discern a spammer from a legitimate mail system that has not been properly secured?
I think Microsoft are proposing a Domain White List and some others are talking about digitally signing every piece of email so that it can be traced back to its true origin. Beyond that the debate rages on.

Cogito Ergo Sum - Non Compos Mentis
 

Every email that comes in has a header. In that header is the From address and the IP of the senders server.

All sendmail has to do is compare the From address to the IP of the server sending the email and if they don't match dump the damn email.

No white lists, no black lists, no digital signing....just compare a From address to the sending servers IP.

Or... Sendmail could verify with the sending server that it in fact handles mail for the domain in the From field.

Can I do either of these with sendmail?

 
Spikesnet, I think you're missing the point.

Although no-one has been able to suggest a way of directly doing what you want, spam is sent from an IP somewhere.

The point to discussing RBLs, access lists, etc, is to block the IPs that are spamming you in the first place.

Thus these methods aren't trying to block an email address, but the source IP.

Not perfect, but it may help... and that's the spirit in which the suggestions were offered.

Max Hugen
Sydney Australia
 
Hello Spikesnet. You might try the sendmail usenet forum and post your question there. See for more information on how to subscribe.

It should be possible to use "Header Checks" to accomplish what you're looking to do.

I don't do this myself for a few reasons. Sometimes legitimate email will come from a user who is using an MTA at (domain A) to send his mail but wants to have replies go to his main email account at (domain B). In this case the user may elect to simply have the From: address be his main email address at domain B even though domain A is used to relay the mail. In my experience it is common for users to have multiple email addresses and even multiple ISPs. When this is the case, the likelihood increases that sometimes they will choose to use a From: address that does not match the domain of their MTA.

Pedantically speaking, this is not correct but it's done so often that I can't justify blocking these emails exclusively on the basis of From: domain mismatch with the MTA domain.

I would suggest using rbl, a spam solution, and some basic anti-spam practices as recommended at to mitigate spam issues.

Hope this helps.
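As an added example (not from the thread, and not a sendmail feature), here is the comparison spikesnet describes, done in Python over message headers, with the exemption needed for the forwarding case the reply above raises. LOCAL_DOMAIN is spikes.net from the thread; the trusted network, the sample hosts and the headers are constructed.

```python
# Added example: reject mail whose From: claims our own domain unless the
# connecting host is one of ours or the client authenticated.  Network
# ranges, hostnames and sample headers are constructed for illustration.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "spikes.net"                      # the domain from the thread
# Constructed: hosts allowed to send mail "as" spikes.net (the local LAN).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg):
    """IP of the host that handed the message to our MTA, taken from the
    newest (topmost) Received: header.  None if it cannot be found."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def spoofs_local_domain(raw, authenticated=False):
    """True when From: claims LOCAL_DOMAIN but the connecting host is not in
    TRUSTED_NETS and the client did not authenticate.  Exempting SMTP AUTH
    clients is how users who relay through another ISP's MTA but keep their
    spikes.net From: address can be let through without a blanket exception."""
    msg = message_from_string(raw)
    if sender_domain(msg) != LOCAL_DOMAIN:
        return False            # not claiming to be us; other filters decide
    if authenticated:
        return False
    ip = connecting_ip(msg)
    if ip is None:
        return True             # claims to be us but origin cannot be determined
    return not any(ip in net for net in TRUSTED_NETS)

# Constructed sample headers: same From: and To:, as in the original question.
SPOOFED = """Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.spikes.net (8.12.11) with ESMTP id x
From: user@spikes.net
To: user@spikes.net
Subject: test

body
"""
INTERNAL = SPOOFED.replace("[203.0.113.7]", "[192.0.2.25]")
```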
 
Here's my 2 cents, both on the general and the specific questions:

You are all describing the "spam filter life cycle" - all filters do a decent job at first, but then their performance declines over time.
Why is that? Because spammers use the same filters to test their spam blasts. They just keep trying and trying, until they get past the filter. This is why SpamAssassin and the rest of them are very erratic performance-wise. The same applies for commercial filters - if you can purchase it and install it in house, so can a spammer.

The solution is using a filtering solution which cannot be obtained by spammers. The only such solution is a managed spam service, where the technology, by definition, is not available on the open market, only the filtering service.

For example, one such provider is Electric Mail.

As for the specific problem of spoofing and IP filtering -
The more sophisticated managed spam solutions use the information gathered from all the spam that is going through them to obtain a real-time list of IPs from which spam originates. They analyze data at the protocol level, noting where messages originated from. Header information is taken into account, but is only a part of the decision making process.

Anyhow, this was a long one to type...

Oren
ofriedman < A T > electricmail = d o t = com
 
I've seen this on our server and I took our site out of the whitelist as I felt the -100 score was too much of a negative score and built a filter so that any mail from our site is given a much less - score and that seemed to help significantly. I did this after examining the scores on our legitimate e-mail and didn't see any reason to give them a negative 100 score.

I also have entered into the access list quite a large number of IP addresses that I DISCARD the e-mail from if I know it is a known spammer or comes from a relay from some country that we don't do business with.

Norm
 