
Stopping incoming spam with sendmail




I am having an issue due to a "smart" sysadmin that made some choices while I was away for two months: Spam.



I manage probably close to 10,000 web/mail sites. He decided to let all mail to every one of those domains go to /dev/null if the user did not exist, instead of bouncing it back. That is OK in some cases, but the problem with it is that it says "recipient OK" for unknown users, which makes spammers believe they are hitting a valid address.



So, with all that said, I am now seeing tons of attempted spam coming into all of these sites, and I can't figure out a fix on a server-by-server basis.



Right now they are back to getting a "user unknown", so bandwidth on the network has dropped a decent amount since the actual content is not being delivered; however, since the mail is still making it to me, I am losing a good amount of bandwidth on DNS lookups per message as well as on my initial bounceback. It doesn't seem like it would take a lot, but with the volume of sites we are talking about it is relatively significant.




I am using sendmail on CentOS 5. I have full root access to the machines, and I am really comfortable with iptables, tcpdump, kernel modifications and sendmail modifications, as well as access lists and such on my core routers.



The catch: the company has not purchased a global antispam service. Ideally, if there were a way I could configure sendmail not to do a DNS lookup when mail is sent to an unknown user, that would be a start.


Answer



I'm assuming that bandwidth is the problem you are facing and the solution you are looking for. Please correct me if there is a different problem.



Is this all in one homogeneous internal network, or is it a bunch of independent sites/data centres? I'm wondering if it's feasible to run your own caching DNS resolver to cut down on the bandwidth caused by DNS lookups. If not a central one for all mail servers, maybe local caching nameservers at all sites would be feasible.



Another plan would be to block at the firewall, from hitting port 25, any IP address that has caused more than 90% "unknown user" responses (minimum of 10 send attempts). You could likely use fail2ban for this purpose.




Can you cut down on the size of your bounce messages?






Other things you should do:




  • Start measuring. See if you can measure how much bandwidth is "wasted" due to spam and at which point in the SMTP conversation it is happening. How much are the DNS lookups contributing? How much is the HELO? How much are the headers? How much are the bounce messages? How much does all of this bandwidth cost?


  • Get a spam filtering service. Once you know how much the bandwidth costs and how much of it should be reduced if you had no spam, you can justify the cost of a spam filtering service. If you have measured the bandwidth and you can't reduce it any more, you're going to be paying the money anyway. Change who you pay it to and put one more problem on the "fixed" pile.
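The "more than 90% unknown-user responses, minimum 10 attempts" rule above is a ratio, and a stock fail2ban filter only counts matches, so here is an added example (not part of the original answer, and not the asker's code) that computes the ratio from a maillog and emits the iptables rules the asker said they are comfortable with. It assumes the default sendmail log format on CentOS 5: a rejected recipient is logged as `ruleset=check_rcpt, arg1=<...>, relay=host [ip], reject=550 5.1.1 <...>... User unknown`, and an accepted envelope as `from=<...>, ..., relay=host [ip]`; check a few lines of your own /var/log/maillog before trusting the regexes. The hostnames, addresses, queue IDs and sample log lines are all constructed for the example.

```python
"""Find sending IPs whose recipient attempts are mostly 'User unknown' rejects.

Constructed example, not code from the original post. Assumes sendmail's
maillog line format (see the lead-in); adjust the regexes if yours differs.
"""
import re
import sys

# Any 'relay=host [ip]' or 'relay=[ip]' field; lines without a bracketed IP
# (local delivery, queue runs) carry no client address and are skipped.
RELAY_RE = re.compile(r"relay=\S*\s?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# A recipient refused at RCPT TO with sendmail's 5.1.1 'User unknown' reply.
UNKNOWN_RE = re.compile(r"reject=550 5\.1\.1 .*User unknown")
# An envelope that was accepted (the 'from=' line written at end of DATA).
ACCEPT_RE = re.compile(r": from=<[^>]*>,")


def count_attempts(log_text):
    """Return {ip: (attempts, unknown_user_rejects)} tallied from maillog text."""
    stats = {}
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        attempts, unknown = stats.get(ip, (0, 0))
        if UNKNOWN_RE.search(line):
            stats[ip] = (attempts + 1, unknown + 1)
        elif ACCEPT_RE.search(line):
            stats[ip] = (attempts + 1, unknown)
    return stats


def offenders(log_text, min_attempts=10, ratio=0.9):
    """IPs meeting the answer's rule: at least min_attempts, and more than
    ratio of them were 'User unknown'. Comparison avoids float division."""
    return sorted(ip for ip, (n, bad) in count_attempts(log_text).items()
                  if n >= min_attempts and bad > ratio * n)


def iptables_rules(ips):
    """Render the port-25 DROP rules for the offending addresses."""
    return ["iptables -I INPUT -s %s -p tcp --dport 25 -j DROP" % ip for ip in ips]


# --- constructed sample log (hypothetical hosts, RFC 5737 addresses) ---------
def _log_line(pid, qid, host, ip, addr, unknown):
    relay = "%s [%s]" % (host, ip) if host else "[%s]" % ip
    if unknown:
        return ("Jan  5 10:00:01 mx1 sendmail[%d]: %s: ruleset=check_rcpt, arg1=<%s>, "
                "relay=%s, reject=550 5.1.1 <%s>... User unknown"
                % (pid, qid, addr, relay, addr))
    return ("Jan  5 10:00:02 mx1 sendmail[%d]: %s: from=<%s>, size=812, class=0, "
            "nrcpts=1, proto=ESMTP, daemon=MTA, relay=%s" % (pid, qid, addr, relay))


_SPECS = ([("203.0.113.5", "", True)] * 12                         # dictionary attack
          + [("198.51.100.7", "relay.example.org", True)] * 9       # shared relay: many
          + [("198.51.100.7", "relay.example.org", False)] * 3      # typos, some real mail
          + [("192.0.2.10", "", True)] * 5                          # under the 10-attempt floor
          + [("192.0.2.20", "mail.example.net", False)])            # ordinary sender

SAMPLE_LOG = "\n".join(
    _log_line(2100 + i, "q05A%05dab" % i, host, ip, "user%d@example.com" % i, unknown)
    for i, (ip, host, unknown) in enumerate(_SPECS))
# A local-delivery 'User unknown' carries no client IP and must not be counted.
SAMPLE_LOG += ("\nJan  5 10:00:03 mx1 sendmail[2200]: q05A00099ab: to=<nobody@example.com>, "
               "delay=00:00:00, mailer=local, dsn=5.1.1, stat=User unknown")


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for rule in iptables_rules(offenders(text)):
        print(rule)
```

Run it as `python unknown_ratio.py < /var/log/maillog` (the script name is hypothetical) and review the rules before applying them; the ratio keeps a shared ISP relay that carries a few typos alongside real mail off the list, but a whitelist of your own relays is still prudent before wiring this into cron or fail2ban. On the sample log it lists only 203.0.113.5.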



