Talk Root - PC Hardware, Software and Web Development forums

Old 01-13-2004, 03:53 AM   #1
Vincent Jaussaud
 
Spammers breaking SMTP connections to send SPAM ?

Hi Guys !

My company mail server is running Sendmail 8.12.10 on a Linux OS. I've plugged my Sendmail box with MIMEDefang / SpamAssassin [with DNSBL] through libmilter in order to efficiently fight SPAM.

If an email is identified as SPAM, it is bounced at the SMTP dialog level.

While this setup is working pretty smoothly, I'm now facing a problem, which I think may be a technique from spammers to bypass spam filters.

I see SMTP connections coming from obvious spammers, starting the SMTP dialog, including the DATA level. The problem comes from the fact that they do NOT end the DATA dialog. The DATA dialog is then interrupted because of the sendmail timeout. But since there was a problem delivering the mail, the sender (who is fake, obviously) is sent a mail, which bounces back to the postmaster at my site... that is me :)... without passing through the spam filter. Seems like those bastards will never give up inventing new techniques.

So, my postmaster mailbox gets filled with such junk (see an instance below), preventing me from actually seeing legitimate postmaster reports.

First, I'm wondering if my analysis of the problem is actually correct, or if I am missing something.

Then, what solution, if any, could I implement to prevent this? I mean, is it possible not to send a notification in these cases without breaking some RFCs?

Any ideas ?

Thanks in advance for your valuable help !
Regards,

----


Jan 10 13:50:03 smtp sendmail[21212]: NOQUEUE: connect from user-0cevcfe.cable.mindspring.com [24.239.177.238]
Jan 10 13:50:03 smtp sendmail[21212]: i0ACo35d021212: Milter (mimedefang): init success to negotiate
Jan 10 13:50:03 smtp sendmail[21212]: i0ACo35d021212: Milter: connect to filters
Jan 10 13:50:08 smtp sendmail[21212]: i0ACo35d021212: dns yahoo.com.hk => 202.1.233.111
Jan 10 13:50:08 smtp sendmail[21212]: i0ACo35d021212: dns mx2.mail.yahoo.com. => 64.157.4.78
Jan 10 13:50:08 smtp sendmail[21212]: i0ACo35d021212: dns mx1.mail.yahoo.com. => 64.156.215.7
Jan 10 13:50:08 smtp sendmail[21212]: i0ACo35d021212: dns mx4.mail.yahoo.com. => 216.155.197.63
Jan 10 15:50:14 smtp sendmail[21212]: i0ACo35d021212: timeout waiting for input from user-0cevcfe.cable.mindspring.com during message collect
Jan 10 15:50:14 smtp sendmail[21212]: i0ACo35d021212: from=<sucidx@yahoo.com.hk>, size=491, class=0, nrcpts=1, msgid=<6yao$71915vg$xjav-87hb6ri1@dam.f3>, proto=SMTP, daemon=MTA, relay=user-0cevcfe.cable.mindspring.com [24.239.177.238]
Jan 10 15:50:14 smtp sendmail[21212]: i0ACo35d021212: Milter accept: message
Jan 10 15:50:14 smtp sendmail[21212]: i0ACo35d021212: to=<XXX@nospam.kelkoo.net>, delay=02:00:01, pri=30491, stat=timeout waiting for input during message collect
Jan 10 15:50:14 smtp sendmail[21212]: i0ACo35d021212: i0ACo35e021212: sender notify: Warning: could not send message for past 1 hour
Jan 10 15:50:16 smtp sendmail[21212]: i0ACo35e021212: to=<sucidx@yahoo.com.hk>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=31515, relay=mx2.mail.yahoo.com. [64.157.4.78], dsn=5.0.0, stat=Service unavailable
Jan 10 15:50:16 smtp sendmail[21212]: i0ACo35e021212: i0ACo35f021212: return to sender: Service unavailable
Jan 10 15:50:16 smtp sendmail[21212]: i0ACo35f021212: to=hostmaster, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32539, dsn=2.0.0, stat=Sent
Jan 10 15:50:16 smtp sendmail[21212]: i0ACo35f021212: done; delay=00:00:00, ntries=1
Jan 10 15:50:16 smtp sendmail[21212]: i0ACo35e021212: done; delay=00:00:02, ntries=1

--
Kelkoo Security Manager / Networks & Systems Architect
JID: portsentry@jabber.kelkoo.net / Vincent.Jaussaud.AT.kelkoo.DOT.net
Kelkoo.com --- GNU/Linux Powered
 
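As an added illustration (not part of Vincent's post), a short Perl script that correlates the log lines he quoted: it follows the queue-id chain from the timed-out DATA phase, through the sender notification, to the local delivery, which is the double bounce he describes. The sample lines are copied from the post with the line wrapping removed.

```perl
#!/usr/bin/perl
# Added example: find locally delivered messages that descend from a
# connection whose DATA phase timed out (the double bounce described above).
use strict;
use warnings;

# Constructed sample: the log quoted in the post, one entry per line.
my @log = (
 'Jan 10 15:50:14 smtp sendmail[21212]: i0ACo35d021212: timeout waiting for input from user-0cevcfe.cable.mindspring.com during message collect',
 'Jan 10 15:50:14 smtp sendmail[21212]: i0ACo35d021212: from=<sucidx@yahoo.com.hk>, size=491, class=0, nrcpts=1, msgid=<6yao$71915vg$xjav-87hb6ri1@dam.f3>, proto=SMTP, daemon=MTA, relay=user-0cevcfe.cable.mindspring.com [24.239.177.238]',
 'Jan 10 15:50:14 smtp sendmail[21212]: i0ACo35d021212: i0ACo35e021212: sender notify: Warning: could not send message for past 1 hour',
 'Jan 10 15:50:16 smtp sendmail[21212]: i0ACo35e021212: to=<sucidx@yahoo.com.hk>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=31515, relay=mx2.mail.yahoo.com. [64.157.4.78], dsn=5.0.0, stat=Service unavailable',
 'Jan 10 15:50:16 smtp sendmail[21212]: i0ACo35e021212: i0ACo35f021212: return to sender: Service unavailable',
 'Jan 10 15:50:16 smtp sendmail[21212]: i0ACo35f021212: to=hostmaster, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32539, dsn=2.0.0, stat=Sent',
);

my (%timed_out, %parent, %local_to);
for (@log) {
    if (/: (\w+): timeout waiting for input from (\S+) during message collect/) {
        $timed_out{$1} = $2;        # queue id => relay that never finished DATA
    } elsif (/: (\w+): (\w+): (?:sender notify|return to sender)/) {
        $parent{$2} = $1;           # child queue id => queue id that spawned it
    } elsif (/: (\w+): to=(\S+?), .*mailer=local/) {
        $local_to{$1} = $2;         # locally delivered message => recipient
    }
}

# Follow the parent chain back to the queue id of the original connection.
sub root_of {
    my ($qid) = @_;
    $qid = $parent{$qid} while exists $parent{$qid};
    return $qid;
}

for my $qid (sort keys %local_to) {
    my $root = root_of($qid);
    next unless exists $timed_out{$root};
    printf "%s to %s is a double bounce of %s; %s never finished DATA\n",
        $qid, $local_to{$qid}, $root, $timed_out{$root};
}
```

Running it over the quoted lines reports i0ACo35f021212 (delivered to hostmaster) as a double bounce of i0ACo35d021212, the connection from user-0cevcfe.cable.mindspring.com that timed out during message collect.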
Old 01-14-2004, 05:38 PM   #2
Andy
 
Re: Spammers breaking SMTP connections to send SPAM ?


> It's trivial to prevent this: Do not allow "<>" to send mail to "postmaster".
> Unless you actually send out e-mail from your "postmaster" address, there's
> absolutely no reason mail from "<>" should ever go to that address.
>
> I do this on my domain (in fact, I do it for _all_ our receive-only
> addresses like "info@", "sales@", etc.). The only thing it breaks is
> a stupid SourceForge filter that insists on checking if
> "postmaster@roaringpenguin.com" exists, using "<>" as the sender
> address.
>
> To get around that bit of idiocy, I bounce mail from "<>" to "postmaster"
> after the end of the DATA phase. All the others get rejected at
> RCPT time.
>
> --
> David.


Interesting! How are you doing this?

bfons


 
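David's approach as quoted above, written out as a MIMEDefang filter fragment. This is an added example, not code from the thread or from the MIMEDefang distribution; it assumes mimedefang is started with -t so that filter_recipient is called, and the receive-only address list is a placeholder to adapt.

```perl
# Added example for mimedefang-filter: refuse null-sender ("<>") mail to
# receive-only addresses at RCPT time, and to postmaster after DATA.
# Requires mimedefang -t so that filter_recipient is invoked.

# Placeholder list of receive-only addresses that never send mail.
my %RECEIVE_ONLY = map { $_ => 1 } qw(info sales abuse);

# Addresses kept acceptable at RCPT time (so an existence probe gets a 2xx)
# but bounced once the message body has been received.
my %REJECT_AFTER_DATA = (postmaster => 1);

# Lower-case an address, drop surrounding <>, keep only the local part.
sub localpart {
    my ($addr) = @_;
    $addr = lc $addr;
    $addr =~ s/^<(.*)>$/$1/;
    $addr =~ s/\@.*$//;
    return $addr;
}

# MIMEDefang passes the envelope sender with angle brackets; "<>" is null.
sub is_null_sender {
    my ($sender) = @_;
    return ($sender eq '<>' || $sender eq '');
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    return ('CONTINUE', 'ok') unless is_null_sender($sender);
    my $lp = localpart($recipient);
    if ($RECEIVE_ONLY{$lp}) {
        # A bounce to an address that never sends mail cannot be legitimate.
        return ('REJECT', "$lp does not send mail, so it does not accept bounces");
    }
    return ('CONTINUE', 'ok');
}

sub filter_end {
    my ($entity) = @_;
    return unless is_null_sender($Sender);
    foreach my $rcpt (@Recipients) {
        if ($REJECT_AFTER_DATA{localpart($rcpt)}) {
            # Reject the whole message at end of DATA, not at RCPT.
            action_bounce("postmaster does not accept mail from <>");
            return;
        }
    }
    return;
}
```

Postmaster is handled in filter_end rather than filter_recipient because RFC 2821 section 4.5.1 expects servers to accept mail addressed to postmaster, which is what the SourceForge probe David mentions relies on; deferring the check to after DATA keeps the RCPT response a 2xx.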
Old 01-15-2004, 11:44 AM   #3
Vincent Jaussaud
 
Re: Spammers breaking SMTP connections to send SPAM ?

Chuck Yerkes wrote:

>
> Again, if the SMTP connection is not completed, and your sendmail
> has not said "OK" after the DATA connection has ended, you shouldn't
> see anything.
>


I agree.

> are you running a sendmail from this decade?
>

Yes, sendmail 8.12.10, and I don't see any particular error in my maillogs.


>> But still, it doesn't solve my problem.

>
>
> no, but we've only seen interpreted abstractions and your theories
> as to the problem. Perhaps you're wrong on that and it's something else.


Maybe. But what else could be the origin of this ?

Regards,
Vincent.

--
Kelkoo Security Manager / Networks & Systems Architect
JID: portsentry@jabber.kelkoo.net / Vincent.Jaussaud.AT.kelkoo.DOT.net
Kelkoo.com --- GNU/Linux Powered
 