[63810] in North American Network Operators' Group

Re: New mail blocks result of Ralsky's latest attacks?

daemon@ATHENA.MIT.EDU (Steven Champeon)
Fri Oct 10 11:53:33 2003

X-Received-From: schampeo@habanero.hesketh.net
X-Delivered-To: <nanog@merit.edu>
Date: Fri, 10 Oct 2003 11:42:56 -0400
From: Steven Champeon <schampeo@hesketh.com>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <3F86CD9F.80904@outblaze.com>
Errors-To: owner-nanog-outgoing@merit.edu


on Fri, Oct 10, 2003 at 08:47:51PM +0530, Suresh Ramasubramanian wrote:
> Set up header checks in sendmail / postfix to block all mail with 
> Received: headers showing Ralsky IPs.  PCRE header checks in postfix 
> would be like -

<snip>

Sendmail rulesets to block Ralsky:

KRalsky1 regex -a@SPAM ^.*(\[|\(|\s)211\.158\.[3456789]
KRalsky2 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.1[345]
KRalsky3 regex -a@SPAM ^.*(\[|\(|\s)219\.153\.1[45]
KRalsky4 regex -a@SPAM ^.*(\[|\(|\s)218\.10\.57
KRalsky5 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.1[01]
KRalsky6 regex -a@SPAM ^.*(\[|\(|\s)218\.70\.[89]

KReceivedChecks sequence Ralsky1 Ralsky2 Ralsky3 Ralsky4 Ralsky5 Ralsky6

HReceived: $>check_header_Received
Scheck_header_Received
R$*                     $: $1 $| $(ReceivedChecks $&{currHeader} $)
R$* $| @SPAM            $#error $@ 5.7.1 $: "550 Message rejected; suspected spam signature."
R$* $| $*               $: $1

These will not help to block direct SMTP AUTH attacks; but they should block
mail from other compromised servers, provided they don't munge the headers.
I've been running these rules for several weeks without incident.

HTH,
Steve

-- 
hesketh.com/inc. v: (919) 834-2552 f: (919) 834-2554 w: http://hesketh.com
Book publishing is second only to furniture delivery in slowness. -b. schneier
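The header check above, re-implemented in Python as an added example (not the poster's code) so the same patterns can be exercised offline against constructed messages: the six IP patterns and the 550 reply text are copied from the rulesets in the post; the host names and sample Received: headers are made up.

```python
import re
from email import message_from_string

# Patterns copied from the KRalsky1..6 sendmail regex maps in the post; the
# leading (\[|\(|\s) requires the address to follow '[', '(' or whitespace,
# exactly as the original rules do.
RALSKY_PATTERNS = [
    r"(\[|\(|\s)211\.158\.[3456789]",
    r"(\[|\(|\s)218\.70\.1[345]",
    r"(\[|\(|\s)219\.153\.1[45]",
    r"(\[|\(|\s)218\.10\.57",
    r"(\[|\(|\s)218\.70\.1[01]",
    r"(\[|\(|\s)218\.70\.[89]",
]
RECEIVED_CHECKS = [re.compile(p) for p in RALSKY_PATTERNS]
REJECT_TEXT = "550 Message rejected; suspected spam signature."


def check_header_received(value):
    """Mirror of Scheck_header_Received: return the reject text if any
    pattern matches this single Received: header value, else None."""
    for rx in RECEIVED_CHECKS:
        if rx.search(value):
            return REJECT_TEXT
    return None


def check_message(raw):
    """Run the check over every Received: header of a raw RFC 2822 message
    (sendmail invokes the ruleset once per header instance)."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        verdict = check_header_received(value)
        if verdict:
            return verdict
    return None


# Constructed sample messages (hypothetical hosts); the second Received:
# line of RELAYED carries an address from one of the ranges above.
RELAYED = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP; Fri, 10 Oct 2003 11:30:00 -0400\n"
    "Received: from host (unknown [218.70.13.22])\n"
    "\tby mx.example.net with SMTP; Fri, 10 Oct 2003 11:29:00 -0400\n"
    "Subject: test\n\nbody\n"
)
CLEAN = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP; Fri, 10 Oct 2003 11:30:00 -0400\n"
    "Subject: test\n\nbody\n"
)
```

Because the check only sees Received: lines added by relays it trusts to write them, a message that arrives with the address in a different form or without that header is not caught, which is the limitation the post notes about munged headers.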