fight spam on my server

Dev Shed Forums Sponsor:

October 13th, 2004, 08:21 AM

dba_frog

cave painting, the 1st Opn Src

Join Date: Jun 2003

Posts: 394

Time spent in forums: 18 h 55 m 5 sec
Reputation Power: 6

fight spam on my server

Some jag off is starting to probe my server for exploitable email addresses. I'm not sure if this is for spamming or to probe for address to send spam::

Quote:

Hi. This is the qmail-send program at mail.xxxxxxxxxx.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

<dennisweaver@recyclermail.com>:
Sorry, I couldn't find any host by that name. (#4.1.2)
I'm not going to try again; this message has been in the queue too long.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 5529 invoked for bounce); 4 Oct 2004 19:22:57 -0000
Date: 4 Oct 2004 19:22:57 -0000
From: badmail@mail.xxxxxxxxxxx.com
To: dennisweaver@recyclermail.com
Subject: failure notice

Hi. This is the qmail-send program at mail.xxxxxxxxxx.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<webmaster@xxxxxxxxxxx.com>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <dennisweaver@recyclermail.com>
Received: (qmail 5526 invoked by uid 508); 4 Oct 2004 19:22:55 -0000
Received: from unknown (HELO HOME) (80.232.252.14)
by mail.xxxxxxxxxxx.com with SMTP; 4 Oct 2004 19:22:55 -0000
Message-ID: <027094871039674820045.932fahnx3229969fdx@msn.com>
Received: from 14.68.20.72 by w29-vr7.ktjj744.msn.com with DAV;
Tue, 05 Oct 2004 18:01:32 +0400
Reply-To: "Theron Allison" <billyargile@dbzmail.com>
From: "Theron Allison" <walterp@asheville.com>
To: <webmaster@xxxxxxxxxxxxxxxxxx.com>
Subject: Re: about your web site...
Date: Tue, 05 Oct 2004 11:01:32 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--385775470365750896"

----385775470365750896
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

How, or where do I rip this header apart to block the original sender?
the return path ::

Quote:

Return-Path: <dennisweaver@recyclermail.com>

? or do I need to dig deeper?

Then...Where can I place the IP info to block this guy from getting any requests to my server? My gut sez the deny.host file but I'm not sure.

Lastly, how can I automate this process and can I tag bad bounces to say ' GO AWAY ~ You no stay here, You been here 4 hour, you scare the other customers' { props to louie anderson for the greatest food buffet quote EVER !}

thanks...Frog

__________________
Curious by Nature,
Linux by Choice

October 14th, 2004, 07:30 AM

Donboy

The Evil Monkey

Join Date: Apr 2003

Posts: 220

Time spent in forums: 6 h 38 m 10 sec
Reputation Power: 6

You can use the /etc/tcp.smtp file to block ip addresses. His ip address appears to be 80.232.252.14. So you can edit your tcp.smtp file and add the following line...

80.232.252.:deny

Notice I left off the last octet of his ip address. This will block all 255 ips that may originate from his subnet.

Note the above line will reject him without a reason. If you want to give him a nastygram when he tries again, you can do it like this...

80.232.252.:allow,RBLSMTPD="-Go away *** munch!"

When you edit this file, you must run qmailctl cdb or you can run the following commands...

tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
chmod 644 tcp.smtp*

Frankly, I would just deny him without a reason, as most spammers don't bother to read the return messages anyhow. But if you want to be a good professional admin, you should try to give a reason just in case somebody else from his subnet gets blocked from sending you mail.

REF: http://cr.yp.to/ucspi-tcp/tcprules.html

Last edited by Donboy : October 14th, 2004 at 07:38 AM.

October 14th, 2004, 08:04 AM