Help, I’m under attack by spammers
A while ago, I noted that spammers seemed to have a new trick; since some of them were unconcerned about getting replies to their spam email, just about advertising their product, they’d fake the mail so that it came from an address somewhere else, and that person would get all the bounce messages from dud email addresses and anti-spam complaints from postmasters. This happened to me; because anything at all @kryogenix.org goes to me, with a couple of exceptions, someone spammed from “black” and “mack” at my domain and I got 1100 bounces in under an hour. So, I just blackholed those named addresses, so that my MTA didn’t accept mail for them — add the line “black: :blackhole:” in /etc/aliases, if you’re using Exim as I am on my mailserver.
Now, though, the spammers have come up with an even cleverer trick. The email address seems to be part randomly generated with each mail, so I’m getting bounces returned to “mackqd” and “mackfr” at kryogenix. I can’t blackhole all potential addresses. What I’m looking for here is advice on how to deal with this problem.
Caveat: I do not want to have to specify every potential email address at kryogenix that can receive mail and deny all others, if I can avoid it. However, I don’t mind if I allow certain named addresses plus sil-ANYTHING — I like signing up for a service at FooBar.com with the address sil-foobar so I can tell who has been selling their subscription list to spammers.
While I have been writing this, another 30 mails have come in. Help? Please?
Stuart, you showed me how to have exim filters in a .forward file (on angel) over a year ago. Your mind is going; must be too many vodkas :)
-17881 seconds later
You can always check your exim configuration before restarting using “exim -bt“, which will tell you exactly what will happen to the specified address.
-17881 seconds later
And, yeah, I need to fix the newlines thing. At some point. I am seriously debating moving to pyblosxom.
-17881 seconds later
Filter files, that works. ~aquarius/.forward on angel now says:

    # Exim filter
    testprint $header_to
    if $header_to does not contain "sil-" and
       $header_to does not contain "sil" and
       $header_to does not contain "stuart" and
       $header_to does not contain "aquarius"
    then
      seen finish
    endif

That should work fine. I should probably do “begins with” rather than “contains”, but hey. Thanks for the advice, all; Aquarion, I didn’t take your advice because I am scared of fiddling with exim.conf—angel runs mail for about ten domains, and I’m petrified that I’ll break stuff. Are there any simpler MTAs than exim? All I want to do is specify a list of domains and say “put all mail for domain X in mailbox Y” and that’s it, nothing more complex than that.
-17881 seconds later
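The filter above decides per recipient whether a message is kept or silently finished. As an added illustration (not the commenter's filter and not Exim code), here is a small Python model of that policy applied to the local part of the envelope recipient, comparing the posted "contains" test with the "begins with" variant the commenter says they should probably use. The named local parts come from the filter; the sample addresses and the "fossil" false positive are constructed for illustration.

```python
# Constructed Python model (not Exim code) of the accept/discard policy in the
# .forward filter: deliver only to a few named local parts plus anything that
# starts with "sil-"; everything else (bounces to randomly generated
# "mackqd"-style local parts) is discarded.

# Explicit local parts taken from the posted filter.
NAMED_LOCAL_PARTS = {"sil", "stuart", "aquarius"}
DISPOSABLE_PREFIX = "sil-"


def local_part(address: str) -> str:
    """Return the text before '@', lower-cased (local parts are compared case-insensitively here)."""
    return address.split("@", 1)[0].lower()


def decide_begins_with(address: str) -> str:
    """Tighter policy: exact named local parts, or a 'sil-' prefix."""
    lp = local_part(address)
    if lp in NAMED_LOCAL_PARTS or lp.startswith(DISPOSABLE_PREFIX):
        return "deliver"
    return "discard"


def decide_contains(address: str) -> str:
    """Policy as posted: substring match on the same names anywhere in the local part."""
    lp = local_part(address)
    for needle in NAMED_LOCAL_PARTS | {DISPOSABLE_PREFIX}:
        if needle in lp:
            return "deliver"
    return "discard"


def compare_policies(addresses):
    """Return {address: (contains_decision, begins_with_decision)} to show where the two diverge."""
    return {a: (decide_contains(a), decide_begins_with(a)) for a in addresses}


# Constructed sample envelope recipients: legitimate, disposable, and bounce targets.
SAMPLE_RECIPIENTS = [
    "sil@kryogenix.org",
    "sil-foobar@kryogenix.org",
    "mackqd@kryogenix.org",
    "blackfr@kryogenix.org",
    "fossil@kryogenix.org",   # contains "sil" but is not a legitimate address
]

if __name__ == "__main__":
    for addr, (c, b) in compare_policies(SAMPLE_RECIPIENTS).items():
        print(f"{addr:28} contains={c:8} begins_with={b}")
```

The divergence is the "fossil" case: a substring test lets any local part that happens to contain "sil" through, so a spammer's random suffix generator only has to hit that substring once; the prefix test does not have that hole.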
You can have personal filters, yep – they go in your .forward file. See http://www.exim.org/exim-html-3.30/doc/html/filter.html
-17881 seconds later
Ick. Could you put something on your comments page that says what you do to newlines? That should have been the same as: http://reef.water.gkhs.net/~aquarion/exim.txt
-17881 seconds later
My mailserver, angel, lives out on the net and runs exim, and my home machine, giles, lives on my home network behind the firewall and gets mail from angel by POP3. Although giles also runs exim, I don’t want to run the exim filter on giles because then I waste all that time having the mail on angel and fetching it down to giles first. Can I put an exim filter on angel in the account that receives the mail and have it work?
-17881 seconds later
If you’re using exim4, and you should be, you can set this up fairly easily (We have it for the gkhs.net addresses, and it means I can give aq+anything@gkhs.net and it works, which is cool). The relevant recipe from our exim.conf is:

    aggregate:
      driver = redirect
      condition = ${if match{$local_part}{..*(\+|-)..*}{yes}{no}}
      data = ${sg{$local_part}{^(.*)(\+|-)(.*)$}{$1}}
      headers_add = X-Envelope-to: $local_part

I’ve no idea if that works, ccooke manages exim on gkhs, but if it doesn’t shout and I’ll get him to help ;-)
-17881 seconds later
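The router in that recipe rewrites the local part by keeping whatever precedes a "+" or "-" separator. As an added example (not the commenter's configuration and not Exim code), this Python model applies the two regular expressions copied from the recipe to some constructed local parts, assuming that Python's re module matches and captures the same way PCRE does for these particular patterns. It also shows one caveat a practitioner would want to know about: the posted pattern's leading `(.*)` is greedy, so a local part with two separators is cut at the last one, not the first; a tighter alternative pattern is included as an assumption, not something from the page.

```python
import re

# Constructed Python model (not Exim code) of the "aggregate" redirect router.
# Patterns copied from the posted recipe.
POSTED_CONDITION = r"..*(\+|-)..*"
POSTED_STRIP = r"^(.*)(\+|-)(.*)$"

# Assumed tighter alternative: cut at the FIRST '+' or '-' instead of the last.
TIGHT_STRIP = r"^([^+-]*)[+-](.*)$"


def base_local_part(local_part: str, strip_pattern: str = POSTED_STRIP) -> str:
    """Mirror the router: if the condition matches, replace the local part with
    capture group 1 of the strip pattern; otherwise the router declines and the
    local part is left unchanged."""
    if not re.search(POSTED_CONDITION, local_part):
        return local_part  # no separator with text on both sides
    return re.sub(strip_pattern, r"\1", local_part)


def compare(local_parts):
    """Return {local_part: (posted_result, tight_result)} for the given local parts."""
    return {lp: (base_local_part(lp), base_local_part(lp, TIGHT_STRIP)) for lp in local_parts}


# Constructed sample local parts, including one with two separators.
SAMPLES = ["aq+anything", "sil-foobar", "sil-foo-bar", "aq", "sil-"]

if __name__ == "__main__":
    for lp, (posted, tight) in compare(SAMPLES).items():
        print(f"{lp:14} posted={posted:10} tight={tight}")
```

For "sil-foo-bar" the posted pattern yields "sil-foo", which would then have to exist as a real local part or alias, whereas the tighter pattern yields "sil". Whether that matters depends on whether the suffixes you hand out can themselves contain a hyphen.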
You could use exim filters to select which to let through – block those that contain black or mack, and/or let through those that contain sil, or match on regular expressions… You could even “score” emails and put them in separate folders based on how dubious the address is.
-17881 seconds later
Try blocking dialup IPs by RBL blacklist. Most of these mails are coming from dialups, and an RBL blocks them before accepting the mail and scanning it…
55 weeks later
This is not a good idea because your mail server still accepts mail when using :blackhole:
You should use :fail:
117 weeks later
If you change your alias configuration to use nwildlsearch instead of whatever it is now using, a simple one-line change that is backwards compatible, then you can put expressions like:
^sil-.*: sil
in your aliases file to have anything sent to sil-_______ go to local user “sil”. This is my preferred way of doing disposable addresses as you’ve described.
I set up explicit lists of permissible localparts in a file. Then I alias, as described above, stuff beginning with those localparts to the localparts. The best part is that it is then easy to :fail: or :blackhole: aliases that have been sold out.
145 weeks later