
checking previous mail server relays against rbls


eohrn...@gmail.com

Nov 28, 2005, 3:41:55 PM
I seem to be getting some spam from a particular mail server. Now I
could easily block that mail server from sending me anything, but that
mail server is also sending valid email. Since this mail server is
relaying email to my sendmail server, it is adding itself to the mail
relay / routing log of each mail message as it should.

Is there a way to configure sendmail rbl capabilities to not only check
the mail server that is directly sending email to it, but check
previous mail relay servers as well?

My thinking is that when an email passes a mail server listed in the
rbl lists, that this email is suspect regardless if it is relayed by
other mail servers. I'd like my sendmail to check for that. Or is
this a really bad idea?

Rob MacGregor

Nov 28, 2005, 3:58:03 PM
eohrn...@gmail.com wrote:
> I seem to be getting some spam from a particular mail server. Now I
> could easily block that mail server from sending me anything, but that
> mail server is also sending valid email. Since this mail server is
> relaying email to my sendmail server, it is adding itself to the mail
> relay / routing log of each mail message as it should.
>
> Is there a way to configure sendmail rbl capabilities to not only check
> the mail server that is directly sending email to it, but check
> previous mail relay servers as well?

Sendmail doesn't, but SpamAssassin can. You've got a number of ways of
integrating it, including MIMEDefang.

> My thinking is that when an email passes a mail server listed in the
> rbl lists, that this email is suspect regardless if it is relayed by
> other mail servers. I'd like my sendmail to check for that. Or is
> this a really bad idea?

Not necessarily, but you'll be adding some processing overhead, increasing
network traffic and adding a delay as a result. Ensure your hardware (and
network) can cope.

--
Rob MacGregor (BOFH) Oh my God! They killed init! You bastards!
(\_/)
I'm a leaf in the wind. Watch me soar. (O.o)
(> <)

Andrzej Adam Filip

Nov 28, 2005, 4:00:27 PM
"eohrn...@gmail.com" <eohrn...@gmail.com> writes:

> I seem to be getting some spam from a particular mail server. Now I
> could easily block that mail server from sending me anything, but that
> mail server is also sending valid email. Since this mail server is
> relaying email to my sendmail server, it is adding itself to the mail
> relay / routing log of each mail message as it should.
>
> Is there a way to configure sendmail rbl capabilities to not only check
> the mail server that is directly sending email to it, but check
> previous mail relay servers as well?

There had been a pure sendmail.cf (m4 files) implementation of such
functionality provided by Jan Krüger's extended UBE filter
[check_local]. AFAIK it is no longer maintained; some copies of the last
available version may be available somewhere.

It has never been included in the sendmail.org distribution.
Do not ask *me* why the wisdom has been *wasted*.



> My thinking is that when an email passes a mail server listed in the
> rbl lists, that this email is suspect regardless if it is relayed by
> other mail servers. I'd like my sendmail to check for that. Or is
> this a really bad idea?

SpamAssassin uses such an idea. IMHO the best place to implement it would
be a milter, e.g. the MIMEDefang.org milter (GPL licenced, perl based).

IMHO the best option would be to ask SpamAssassin developers to include
"milter oriented" hooks for use at "RCPT TO:" stage.
[ client ip, helo name, envelope sender, envelope recipient ]

--
[en: Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
http://www.sendmail.org/faq/ http://www.sendmail.org/m4/readme.html
http://anfi.homeunix.net/sendmail/ Netcraft Site Rank: 484700

Claus Aßmann

Nov 28, 2005, 10:44:23 PM
eohrn...@gmail.com wrote:
> I seem to be getting some spam from a particular mail server. Now I
> could easily block that mail server from sending me anything, but that
> mail server is also sending valid email. Since this mail server is
> relaying email to my sendmail server, it is adding itself to the mail
> relay / routing log of each mail message as it should.

> Is there a way to configure sendmail rbl capabilities to not only check
> the mail server that is directly sending email to it, but check
> previous mail relay servers as well?

If you know the format, you can parse it. Here are some hints how
to do this, you have to check whether it works for you. The basic trick
is to extract the client address and call the appropriate ruleset.

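# class of relays whose Received: lines are examined
C{KnownRelay}some.other.host
# call ruleset CheckReceived for every Received: header
HReceived: $>+CheckReceived
# macro storage map
Kstore macro

# NOTE: LHS and RHS of each R line must be separated by tab characters
SCheckReceived
# "(x@[addr])" form: the address is $4
R$* from $+ ($-@[$+]) by $={KnownRelay} $*
		$: <TEMP> $(store {client_addr} $@ $4 $) $>Basic_check_relay [$4] $| $4
# "(name [addr] (may be forged))" form: the name is not used, only the address
R$* from $+ ($+ [$+] (may be forged)) by $={KnownRelay} $*
		$: <TEMP> $(store {client_addr} $@ $4 $) $>Basic_check_relay [$4] $| $4
# "([addr])" form: the address is $3
R$* from $+ ([$+]) by $={KnownRelay} $*
		$: <TEMP> $(store {client_addr} $@ $3 $) $>Basic_check_relay [$3] $| $3
# pass on a $# result returned by one of the checks above
R<TEMP> $#$*		$#$1
# "(name [addr])" form: check with host name $3 and address $4
R$* from $+ ($+ [$+]) by $={KnownRelay} $*
		$: $(store {client_addr} $@ $4 $) $>Basic_check_relay $3 $| $4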

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
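
The same idea outside sendmail.cf, as an added example that is not part of any post in this thread: take the client address out of each Received: line written by a known relay and build the DNSBL query name for it. It goes beyond the ruleset above by stopping at the first header not written by a trusted host, since everything below that is supplied by the sender. LOCAL_HOST, the zone dnsbl.example and the sample headers (documentation-range addresses) are constructed assumptions.

```python
import ipaddress
import re
import socket
from email import message_from_string

LOCAL_HOST = "mx.example.net"        # assumed name of the receiving server
KNOWN_RELAYS = {"some.other.host"}   # same role as class {KnownRelay} above
ZONE = "dnsbl.example"               # placeholder DNSBL zone, not a real list
HOP_RE = re.compile(
    r"from\s+\S+\s+\([^\[\]()]*\[(?P<ip>[0-9.]+)\](?:\s+\(may be forged\))?\)"
    r"\s+by\s+(?P<by>[^\s;]+)", re.I)

# Constructed sample: the last two Received lines are supplied by the sender.
SAMPLE = """\
Received: from some.other.host (some.other.host [198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 28 Nov 2005 15:41:30 -0500
Received: from sender.example (pool.example [203.0.113.45] (may be forged))
\tby some.other.host with SMTP; Mon, 28 Nov 2005 15:41:26 -0500
Received: from fake (fake [192.0.2.99]) by made.up.example; Mon, 28 Nov 2005
Received: from x ([192.0.2.1]) by some.other.host; Mon, 28 Nov 2005
"""

def trusted_hop_clients(raw_message):
    """Client IPs recorded by trusted hosts, newest hop first."""
    ips = []
    for value in message_from_string(raw_message).get_all("Received", []):
        m = HOP_RE.search(value)
        by = m.group("by").lower() if m else None
        if by == LOCAL_HOST:
            continue  # our own hop; the normal last-hop RBL check covers it
        if by not in KNOWN_RELAYS:
            break     # not written by a trusted host: stop trusting here
        try:
            ips.append(str(ipaddress.IPv4Address(m.group("ip"))))
        except ipaddress.AddressValueError:
            continue  # malformed address literal, nothing to look up
    return ips

def dnsbl_name(ip, zone=ZONE):
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_listed(name):
    try:  # listed entries resolve to 127.0.0.x; unlisted names do not resolve
        return socket.gethostbyname(name).startswith("127.")
    except socket.gaierror:
        return False

def listed_hops(raw_message, is_listed=dns_listed):
    return [ip for ip in trusted_hop_clients(raw_message) if is_listed(dnsbl_name(ip))]
```
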

Andrzej Adam Filip

Nov 29, 2005, 5:40:01 AM
Andrzej Adam Filip <an...@priv.onet.pl> writes:
> [...]

> IMHO the best option would be to ask SpamAssassin developers to include
> "milter oriented" hooks for use at "RCPT TO:" stage.
> [ client ip, helo name, envelope sender, envelope recipient ]

I have been told politely (in private mail) to remember that

1) at "RCPT TO:" stage headers are not available

I have thought too much lately about the related problem of doing parallel
RBL queries (limited to "last hop").
Please forgive me this obvious mistake.

2) spamassassin code is not lightweight

Spamassassin code will check the message anyway on many installations.
Making SA do "phased checks" with an option to quit after each phase if
"spam score" is high enough is not a bad idea. It may significantly
reduce load on machines which receive more spam than ham.

eohrn...@gmail.com

Nov 29, 2005, 10:45:09 AM
Wow! Lots of good ideas. Thanks!

This is a little Linux machine that sits on my cable modem and is
really not processing email for very many users (2-3 I think), so
processing overhead is not an issue.

The code looks interesting, and I'll have to dig into it to understand
it more. I've never looked at such before. The basic idea is to check
the last previous mail hop against the rbl lists to make sure that it's
not a spammer. That would take care of the issue for me. Like I said,
I'm going to have to educate myself in this language of this code and
put it in, or deal with like 20 spams a month, which is not really a
big deal either.
