problems with RBL domains
05-04-2004 10:35 PM
I have a serious problem.
I have set up my spam software according to http://www.declude.com/Articles.asp?ID=97
with the following RBL domains:
3y.spam.mrs.kithrup.com
abuse.rfc-ignorant.org
bl.csma.biz
bl.spamcannibal.org
bl.spamcop.net
bl.starloop.com
bl.technovision.dk
blackhole.securitysage.com
blackholes.easynet.nl
blackholes.intersil.net
blackholes.uceb.org
blacklist.spambag.org
bogusmx.rfc-ignorant.org
cart00ney.surriel.com
cbl.abuseat.org
dialups.mail-abuse.org
dnsbl.ahbl.org
dnsbl.antispam.or.id
dnsbl.jammconsulting.com
dnsbl.net.au
dnsbl.njabl.org
dnsbl.sorbs.net
dnsbl.wpbl.pc9.org
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
dsn.rfc-ignorant.org
dul.maps.vix.com
dynablock.njabl.org
flowgoaway.com
ipwhois.rfc-ignorant.org
l1.spews.dnsbl.sorbs.net
l2.spews.dnsbl.sorbs.net
lbl.lagengymnastik.dk
list.dsbl.org
multihop.dsbl.org
no-more-funn.moensted.dk
opm.blitzed.org
orbs.dorkslayers.com
postmaster.rfc-ignorant.org
query.bondedsender.org
query.senderbase.org
rbl.maps.vix.com
rbl.rangers.eu.org
relays.bl.kundenserver.de
relays.mail-abuse.org
relays.orbs.org
relays.ordb.org
relays.visi.com
rhsbl.ahbl.org
rhsbl.sorbs.net
rss.maps.vix.com
sbbl.they.com
sbl.csma.biz
sbl.spamhaus.org
sbl-xlb.spamhaus.org
spamsources.fabel.dk
t1.dnsbl.net.au
unconfirmed.dsbl.org
vox.schpider.com
whois.rfc-ignorant.org
xbl.spamhaus.org
ybl.megacity.org
and now I get a lot of the following entries in the firewall log:
22788 05/05/04 12:17:02 y spamscreen[159] query #15447 to 10.41.1.10:53 for 4.136.12.62.dnsbl.net.au: timed out -- resending
22798 05/05/04 12:17:02 y spamscreen[159] query #15448 to 10.41.1.10:53 for 4.136.12.62.dnsbl.njabl.org: timed out -- resending
22808 05/05/04 12:17:02 y spamscreen[159] query #15449 to 10.41.1.10:53 for 4.136.12.62.dnsbl.sorbs.net: timed out -- resending
22818 05/05/04 12:17:02 y spamscreen[159] query #15450 to 10.41.1.10:53 for 4.136.12.62.dnsbl.wpbl.pc9.org: timed out -- resending
22828 05/05/04 12:17:02 y spamscreen[159] query #15451 to 10.41.1.10:53 for 4.136.12.62.dnsbl-1.uceprotect.net: timed out -- resending
22838 05/05/04 12:17:02 y spamscreen[159] query #15452 to 10.41.1.10:53 for 4.136.12.62.dnsbl-2.uceprotect.net: timed out -- resending
22848 05/05/04 12:17:02 y spamscreen[159] query #15453 to 10.41.1.10:53 for 4.136.12.62.dnsbl-3.uceprotect.net: timed out -- resending
22858 05/05/04 12:17:02 y spamscreen[159] query #15454 to 10.41.1.10:53 for 4.136.12.62.dsn.rfc-ignorant.org: timed out -- resending
22868 05/05/04 12:17:02 y spamscreen[159] query #15455 to 10.41.1.10:53 for 4.136.12.62.dul.maps.vix.com: timed out -- resending
22878 05/05/04 12:17:02 y spamscreen[159] query #15456 to 10.41.1.10:53 for 4.136.12.62.dynablock.njabl.org: timed out -- resending
22888 05/05/04 12:17:02 y spamscreen[159] query #15457 to 10.41.1.10:53 for 4.136.12.62.flowgoaway.com: timed out -- resending
22898 05/05/04 12:17:02 y spamscreen[159] query #15458 to 10.41.1.10:53 for 4.136.12.62.ipwhois.rfc-ignorant.org: timed out -- resending
22908 05/05/04 12:17:02 y spamscreen[159] query #15459 to 10.41.1.10:53 for 4.136.12.62.l1.spews.dnsbl.sorbs.net: timed out -- resending
22918 05/05/04 12:17:02 y spamscreen[159] query #15460 to 10.41.1.10:53 for 4.136.12.62.l2.spews.dnsbl.sorbs.net: timed out -- resending
22928 05/05/04 12:17:02 y spamscreen[159] query #15461 to 10.41.1.10:53 for 4.136.12.62.lbl.lagengymnastik.dk: timed out -- resending
22938 05/05/04 12:17:02 y spamscreen[159] query #15462 to 10.41.1.10:53 for 4.136.12.62.list.dsbl.org: timed out -- resending
22948 05/05/04 12:17:02 y spamscreen[159] query #15463 to 10.41.1.10:53 for 4.136.12.62.multihop.dsbl.org: timed out -- resending
22958 05/05/04 12:17:02 y spamscreen[159] query #15464 to 10.41.1.10:53 for 4.136.12.62.no-more-funn.moensted.dk: timed out -- resending
22968 05/05/04 12:17:02 y spamscreen[159] query #15465 to 10.41.1.10:53 for 4.136.12.62.postmaster.rfc-ignorant.org: timed out -- resending
22978 05/05/04 12:17:02 y spamscreen[159] query #15466 to 10.41.1.10:53 for 4.136.12.62.query.bondedsender.org: timed out -- resending
22988 05/05/04 12:17:02 y spamscreen[159] query #15467 to 10.41.1.10:53 for 4.136.12.62.query.senderbase.org: timed out -- resending
22998 05/05/04 12:17:02 y spamscreen[159] query #15468 to 10.41.1.10:53 for 4.136.12.62.rbl.maps.vix.com: timed out -- resending
23008 05/05/04 12:17:02 y spamscreen[159] query #15469 to 10.41.1.10:53 for 4.136.12.62.rbl.rangers.eu.org: timed out -- resending
23018 05/05/04 12:17:02 y spamscreen[159] query #15470 to 10.41.1.10:53 for 4.136.12.62.relays.bl.kundenserver.de: timed out -- resending
23028 05/05/04 12:17:02 y spamscreen[159] query #15471 to 10.41.1.10:53 for 4.136.12.62.relays.mail-abuse.org: timed out -- resending
23038 05/05/04 12:17:02 y spamscreen[159] query #15472 to 10.41.1.10:53 for 4.136.12.62.relays.orbs.org: timed out -- resending
23048 05/05/04 12:17:02 y spamscreen[159] query #15473 to 10.41.1.10:53 for 4.136.12.62.relays.ordb.org: timed out -- resending
23058 05/05/04 12:17:02 y spamscreen[159] query #15474 to 10.41.1.10:53 for 4.136.12.62.relays.visi.com: timed out -- resending
23068 05/05/04 12:17:02 y spamscreen[159] query #15475 to 10.41.1.10:53 for 4.136.12.62.rhsbl.ahbl.org: timed out -- resending
23078 05/05/04 12:17:02 y spamscreen[159] query #15476 to 10.41.1.10:53 for 4.136.12.62.rhsbl.sorbs.net: timed out -- resending
23088 05/05/04 12:17:02 y spamscreen[159] query #15477 to 10.41.1.10:53 for 4.136.12.62.rss.maps.vix.com: timed out -- resending
23098 05/05/04 12:17:02 y spamscreen[159] query #15478 to 10.41.1.10:53 for 4.136.12.62.sbbl.they.com: timed out -- resending
23108 05/05/04 12:17:02 y spamscreen[159] query #15479 to 10.41.1.10:53 for 4.136.12.62.sbl.csma.biz: timed out -- resending
23118 05/05/04 12:17:02 y spamscreen[159] query #15480 to 10.41.1.10:53 for 4.136.12.62.spamsources.fabel.dk: timed out -- resending
23128 05/05/04 12:17:02 y spamscreen[159] query #15481 to 10.41.1.10:53 for 4.136.12.62.t1.dnsbl.net.au: timed out -- resending
23138 05/05/04 12:17:02 y spamscreen[159] query #15482 to 10.41.1.10:53 for 4.136.12.62.vox.schpider.com: timed out -- resending
23148 05/05/04 12:17:02 y spamscreen[159] query #15483 to 10.41.1.10:53 for 4.136.12.62.whois.rfc-ignorant.org: timed out -- resending
23158 05/05/04 12:17:02 y spamscreen[159] query #15484 to 10.41.1.10:53 for 4.136.12.62.xbl.spamhaus.org: timed out -- resending
23168 05/05/04 12:17:02 y spamscreen[159] query #15485 to 10.41.1.10:53 for 4.136.12.62.ybl.megacity.org: timed out -- resending
Does someone know what's wrong?
Should I first be a member to use these RBLs?
Which of these should I not use?
05-04-2004 11:25 PM
Re: problems with RBL domains
Get one of them working, then, when you are satisfied with that, add another, etc.
05-05-2004 02:03 AM
A lot of today's spam is sent by machines on cable/DSL systems that have hidden mail relay software installed. This is technically a virus.
Take a look at the headers of where the mail is coming from. Most of it is not from some big spam center. It's coming from individual computers all across the Internet.
I'd pick one of them, and then consider a system where you start setting up your /etc/mail/access file to block IP addresses that are pounding you.
I have a bunch of back posts on the subject. Though it's a see-saw battle, I've gotten it down to a couple a day.
Take a look at any websites on your box. Get email addresses off of them. I just found my email address in a webpage I use to generate invoices. That deal is going CGI password protected. Right after I hit submit, the email address is being deleted.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
05-05-2004 03:03 AM
Re: problems with RBL domains
Is it possible to protect an imap+postfix server (no apache or other stuff) in a simple way?
Does using a password to access apache help to fool spammers, or is there another way? (Well, sure, there's always a way ;-))
Pax, R.
05-05-2004 04:57 AM
Re: problems with RBL domains
Yes, though you really should open up your own thread. It's related, because it's sendmail.
There is no requirement to have apache on the system to have a sendmail/postfix server.
Actually if you deployed apache on a different box you'd avoid the exploit problems I was having because if apache is an invalid user on the system, spammers can't try port 25 attacks pretending to be the valid user apache.
Putting a password on the apache user does no good. As my thread notes, putting illegal apache user strings such as the following in the /etc/mail/access file will stop the attacks.
apache@servername.domainname.com REJECT
apache@localhost REJECT
What you can't do is this:
apache@domainname.com REJECT
That will break all of your sendmail scripts that send mail via webform. The from address will be <> and the mail simply won't go out.
So there is an obvious vulnerability. If the spammers start using apache@domainname.com as the sender, the mail will go to the MTA.
Two solutions:
1) Rename the apache user to something not guessable. Be careful: if you use squirrelmail or other web-based mail products, the configuration file refers to the apache user and you need to change that. I've not fully investigated it, but there are probably lots of other problems as well.
2) Your suggestion. A server that does one thing and only one thing. Mail. If the web server is still exposed, you still have the vulnerability problem because port 25 is exposed on the public internet. You still face the formmail abuse problem from the apache server.
Here is an ideal scenario:
An iptables firewall machine. All it does is forward port traffic to other servers and provide NAT services to the network. This could be a Linksys/Netgear type router, but those don't work with all DSL/cable systems. They won't work with Covad DSL; I've tried.
A mail server with no apache on it getting all port 25 traffic, even from your web/apache server. Relay configuration should be based on an INTERNAL network. All other servers run sendmail with the DShostname directive to that mail server.
A web server with a carefully configured mail system and strict rules concerning form security.
The more I write about this, the more I want to try it. I don't have enough hardware for it though.
SEP
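The split described in the reply above, expressed as sendmail m4 configuration: an added example, not configuration from the thread. A dedicated mail host is the only machine with tcp/25 reachable from outside (a DNAT rule on the iptables box sends port 25 there), it relays only for the internal network, and the web server listens on loopback and hands everything to it through a smart host. `define(`SMART_HOST', ...)` is what generates the `DS` line in sendmail.cf that the reply refers to. The hostnames, the 10.41.1.0/24 internal range and the single DNSBL zone are assumptions; the DNSBL is deliberately just one, in line with the first reply, and the two `From:apache@...` entries are the ones quoted in the thread. The access entries live in /etc/mail/access and are compiled with `makemap hash /etc/mail/access < /etc/mail/access`; the .mc files are compiled with `m4 sendmail.mc > sendmail.cf` followed by a sendmail restart.

```m4
dnl ---- /etc/mail/sendmail.mc on the dedicated mail host (assumed name mail.domainname.com) ----
dnl Added example, not from the thread. This is the only host with tcp/25 open to the Internet.
OSTYPE(`linux')dnl
dnl One DNSBL to start with; add the next only once this one is seen answering.
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Mail from " $&{client_addr} " refused, see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
dnl Relay and sender policy come from /etc/mail/access (rebuild with makemap after edits):
dnl   Connect:10.41.1                         RELAY     <- relay only for the internal network (assumed 10.41.1.0/24)
dnl   From:apache@servername.domainname.com   REJECT    <- the two entries from the post
dnl   From:apache@localhost                   REJECT
FEATURE(`access_db')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

dnl ---- /etc/mail/sendmail.mc on the web server ----
dnl Listen on loopback only (web forms submit to 127.0.0.1) and hand all mail to the mail host.
dnl SMART_HOST becomes the "DSmail.domainname.com" line in the generated sendmail.cf.
OSTYPE(`linux')dnl
define(`SMART_HOST', `mail.domainname.com')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
MASQUERADE_AS(`domainname.com')dnl
FEATURE(`masquerade_envelope')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

Because the web server's sendmail only listens on 127.0.0.1, nobody on the Internet can talk SMTP to it at all, which removes the "port 25 attacks pretending to be the apache user" path without renaming the account; form abuse still has to be handled in the web application itself.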