> So my question is: if my system has granted RELAY permission to a system which is in a dnsbl used by the sendmail configuration, does the sendmail RELAY, or does it deny the connection attempt?
> Thanks for wading through this completely hypothetical situation.
I think you would be served by doing some googling on backscatter. Any time you have a "backup mx" server that does not do recipient validation for the domains it serves not only is it going to receive a lot of spam, it is going to be producing a lot. This is exactly the type of thing that lands IP addresses in blacklists in my experience. That being said you should be able to whitelist the IP of the blacklisted host before you do the rbl-checking. I know how to do this with postfix but not sendmail. I am not a sendmail user, but there are some sendmail users on the list who may be willing to help there.
My guess is that if you post to the mailing list of the MTA in question you may raise their ire a bit as you seem to be trying to solve a problem further downstream than you should be (idiots on your network).
I would fix your local problem (if you can).
alex
Alex Palenschat wrote:
> > So my question is: if my system has granted RELAY permission to a system which is in a dnsbl used by the sendmail configuration, does the sendmail RELAY, or does it deny the connection attempt?
> > Thanks for wading through this completely hypothetical situation.
> I think you would be served by doing some googling on backscatter. Any time you have a "backup mx" server that does not do recipient validation for the domains it serves not only is it going to receive a lot of spam, it is going to be producing a lot. This is exactly the type of thing that lands IP addresses in blacklists in my experience. That being said you should be able to whitelist the IP of the blacklisted host before you do the rbl-checking. I know how to do this with postfix but not sendmail. I am not a sendmail user, but there are some sendmail users on the list who may be willing to help there.
> My guess is that if you post to the mailing list of the MTA in question you may raise their ire a bit as you seem to be trying to solve a problem further downstream than you should be (idiots on your network).
> I would fix your local problem (if you can).
> alex
I'm using milter-ahead and Spamhaus on my backup mailserver. Milter-ahead looks to the primary mailserver to see if the user exists before accepting mail for the domain... unless the primary mailserver is unreachable, at which point it accepts anything (rare occasions). Milter-ahead makes use of the mailtable and relay domains to know if it should be dealing with email for our domains.
So many spammers are finding the backup mailservers and sending directly to those, I found this absolutely a must do as backscatter was getting terrible.
Best, John Hinton
On Wed, Oct 25, 2006 at 09:01:30PM -0400, John Hinton wrote:
> I'm using milter-ahead and Spamhaus on my backup mailserver. Milter-ahead looks to the primary mailserver to see if the user exists before accepting mail for the domain... unless the primary mailserver is unreachable, at which point it accepts anything (rare occasions). Milter-ahead makes use of the mailtable and relay domains to know if it should be dealing with email for our domains.
> So many spammers are finding the backup mailservers and sending directly to those, I found this absolutely a must do as backscatter was getting terrible.
I keep all my e-mail users on MySQL, and use database replication for that. Works like a charm, with very low traffic between the servers.
[]s
-- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Alex Palenschat wrote:
> > So my question is: if my system has granted RELAY permission to a system which is in a dnsbl used by the sendmail configuration, does the sendmail RELAY, or does it deny the connection attempt?
> > Thanks for wading through this completely hypothetical situation.
> I think you would be served by doing some googling on backscatter. Any time you have a "backup mx" server that does not do recipient validation for the domains it serves not only is it going to receive a lot of spam, it is going to be producing a lot. This is exactly the type of thing that lands IP addresses in blacklists in my experience.
Backscatter is a fact of life. 99% of the emails in my queues are undeliverable backscatter. 99% of my inbound email is backscatter (since my domain gets used for forging email headers on spam). I'm retiring older systems which just can't deal with the backscatter. It just isn't economically viable to try to fight it any more; life is too short.
> That being said you should be able to whitelist the IP of the blacklisted host before you do the rbl-checking. I know how to do this with postfix but not sendmail. I am not a sendmail user, but there are some sendmail users on the list who may be willing to help there.
This brings me to the ultimate point of my response: if you grant the firewall in question ACCESS permission, it does over-ride the dnsbl.
> I would fix your local problem (if you can).
Unfortunately there are two other companies in between me and the users (not that I can really identify them with the junk I have to use here) so short of finding another job I'm stuck with the problem.
-- /\oo/\ / /()\ \ David Mackintosh | dave@xdroop.com
> Backscatter is a fact of life. 99% of the emails in my queues are undeliverable backscatter. 99% of my inbound email is backscatter (since my domain gets used for forging email headers on spam). I'm retiring older systems which just can't deal with the backscatter. It just isn't economically viable to try to fight it any more; life is too short.
Snip
> Unfortunately there are two other companies in between me and the users (not that I can really identify them with the junk I have to use here) so short of finding another job I'm stuck with the problem.
> -- /\oo/\ / /()\ \ David Mackintosh | dave@xdroop.com
Have you considered changing your setup to reject emails in the smtp process if they do not have a valid rcpt to? i.e. a valid email address on your machine to accept them?
This will eliminate much of what you are experiencing...
- rh
-- Robert - Abba Communications Computer & Internet Services (509) 624-7159 - www.abbacomm.net
R Lists06 wrote:
> Have you considered changing your setup to reject emails in the smtp process if they do not have a valid rcpt to? i.e. a valid email address on your machine to accept them?
> This will eliminate much of what you are experiencing...
Well I'm willing to consider it. The problem is that the 'primary' MX for most of the inbound-relayed domains is a Barracuda anti-spam device which talks to an Exchange server through a secret-handshake pipe I can't get at from the secondary.
David Mackintosh wrote:
> R Lists06 wrote:
> > Have you considered changing your setup to reject emails in the smtp process if they do not have a valid rcpt to? i.e. a valid email address on your machine to accept them?
> > This will eliminate much of what you are experiencing...
> Well I'm willing to consider it. The problem is that the 'primary' MX for most of the inbound-relayed domains is a Barracuda anti-spam device which talks to an Exchange server through a secret-handshake pipe I can't get at from the secondary.
You can do regular pulls of valid email addresses from the Exchange box to your secondary. People have protected Exchange with postfix, for example.
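An added example of the last suggestion (not part of the thread and not any poster's code): Python that turns an address export from the Exchange side into a recipient table for the backup MX, so unknown recipients can be rejected at RCPT TO instead of bounced later. The export layout (one mailbox per line, proxyAddresses values joined by `;`), the domain names and the shrink threshold are assumptions; the output uses the `address OK` line format of a Postfix relay_recipient_maps table.

```python
import re

# Constructed sample export (assumed layout): one mailbox per line,
# proxyAddresses values joined by ';'. Not data from the thread.
SAMPLE_EXPORT = """\
SMTP:Alice@Example.com;smtp:a.smith@example.com;X400:c=US;a= ;p=Org;o=Exchange;s=Smith
SMTP:bob@example.org;smtp:bob@internal.local
smtp:not an address@example.com
SMTP:alice@example.com
"""

RELAYED_DOMAINS = {"example.com", "example.org"}  # hypothetical relayed domains
ADDR_RE = re.compile(r"^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")


def valid_recipients(export_text, domains=RELAYED_DOMAINS):
    """Return sorted, de-duplicated SMTP addresses that belong to relayed domains."""
    found = set()
    for line in export_text.splitlines():
        for value in line.split(";"):
            kind, _, addr = value.strip().partition(":")
            if kind.lower() != "smtp":
                continue  # skip X400 fragments and other non-SMTP proxy addresses
            addr = addr.strip().lower()
            match = ADDR_RE.match(addr)
            if match and match.group(1) in domains:
                found.add(addr)
    return sorted(found)


def render_recipient_map(addresses, previous_count=0, max_shrink=0.5):
    """Render one "address OK" line per recipient.

    Raises ValueError instead of producing a table that is empty or has shrunk
    sharply: a failed export must not make the backup MX reject real users.
    """
    if not addresses:
        raise ValueError("no valid recipients; keep the previous table")
    if previous_count and len(addresses) < previous_count * max_shrink:
        raise ValueError("recipient list shrank sharply; keep the previous table")
    return "".join(f"{addr} OK\n" for addr in addresses)


if __name__ == "__main__":
    print(render_recipient_map(valid_recipients(SAMPLE_EXPORT)), end="")
```
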