  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 620

sendmail block "Received from friend"

Anyone have an example of how to block the following:

Received: from friend (2Cust82.VR2.NYC4.broadband.uu.net [63.13.135.82])

which seems to be a zombied box or a dynamic IP address which just changes if you try to block it in hosts.deny,

but the second line is usually 'from friend' for these stupid drug dealers and I'd like to block any such from whom.

Asked by: GinEric
 
kamichie commented:
Can't you just block *.uu.net? I mean, unless you get a lot of e-mail from that domain.
Tim_Utschig commented:
Blocking specific hosts/domains is a never-ending task; that's why in the 21st century we use RBLs.

Install SpamAssassin and enable the RBL rules.

http://spamassassin.apache.org/
http://www.google.com/search?q=spamassassin+sendmail+howto
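To make concrete what an RBL (DNSBL) lookup actually does underneath SpamAssassin's rules, here is an added example that is not from this thread, from SpamAssassin or from any particular list operator. It builds the reversed-address query name, treats only a 127.0.0.0/8 answer as a listing, and applies the RFC 5782 sanity test (127.0.0.2 must be listed, 127.0.0.1 must not) so that a dead or parked zone cannot silently start rejecting all mail. The zone names dnsbl.example.net and parked.example.net and the fake_resolve table are constructed so the code runs offline; a real deployment passes socket.gethostbyname (the default) or a proper resolver library.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed address labels followed by the list zone.

    IPv4 reverses the dotted octets; IPv6 reverses the 32 hex nibbles (RFC 5782 layout).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def _listed(answer):
    """A listing is an A record inside 127.0.0.0/8; anything else is not a valid DNSBL reply."""
    try:
        return ipaddress.ip_address(answer) in LOOPBACK
    except ValueError:
        return False


def zone_is_sane(zone, resolve=socket.gethostbyname):
    """RFC 5782 test: 127.0.0.2 must be listed and 127.0.0.1 must not be.

    A zone that fails this is dead, parked or misconfigured and must not be trusted.
    """
    try:
        positive = _listed(resolve(dnsbl_query_name("127.0.0.2", zone)))
    except socket.gaierror:
        return False
    try:
        resolve(dnsbl_query_name("127.0.0.1", zone))
        negative_ok = False  # any answer at all (even a parked wildcard) is a failure
    except socket.gaierror:
        negative_ok = True   # NXDOMAIN is the only acceptable reply for 127.0.0.1
    return positive and negative_ok


def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Return [(zone, return_code)] for every zone that lists ip.

    NXDOMAIN (socket.gaierror) means not listed. Zones failing the sanity test are skipped.
    """
    hits = []
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            continue
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            continue
        if _listed(answer):
            hits.append((zone, answer))
    return hits


# Constructed offline stand-in for DNS: the zone names and answers below are made up.
FAKE_ANSWERS = {
    "82.135.13.63.dnsbl.example.net": "127.0.0.2",  # the client IP from the question, listed
    "2.0.0.127.dnsbl.example.net": "127.0.0.2",     # RFC 5782 positive test entry
}


def fake_resolve(name):
    """Mimic socket.gethostbyname: answer from the table, wildcard the parked zone, else NXDOMAIN."""
    if name.endswith(".parked.example.net"):
        return "192.0.2.1"  # expired list now parked: answers every query with a web address
    if name in FAKE_ANSWERS:
        return FAKE_ANSWERS[name]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    zones = ["dnsbl.example.net", "parked.example.net"]
    print(check_dnsbl("63.13.135.82", zones, fake_resolve))
```

In production the sanity test is run once per zone and cached, not on every connection; the point of including it inline is that a list which has shut down and been parked is the classic way an RBL-based setup turns into a self-inflicted outage.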
GinEric (Author) commented:
I was looking for something specific, such as this:

The milter specific tags can have all the same values as their Sendmail counterparts (Connect:, From:, To:). Positive values like OK or RELAY white-list, negative values like REJECT or ERROR mandate processing for content milters or black-list for policy milters, and SKIP stops the lookup and continues processing.

* In the case of Spam: tags, the values FRIEND or HATER are recognised.

§ Unlike their Sendmail counterparts, the values of the milter specific tags support an enhanced syntax that allows for an optional list of white space separated pattern/action pairs followed by an optional default action:

( '/' regex '/' action? | '!' pattern '!' action? | '[' network '/' cidr ']' action? )* default-action?
The /regex/ uses POSIX extended regular expressions, while the !pattern! uses a simple pattern matching with two basic wildcards: * matches zero or more of any character and ? matches any single character. The !pattern! form is faster, but less expressive than the /regex/ form. The [network/cidr] form allows for finer granularity specification of netblocks.

from: http://www.snertsoft.com/sendmail/milter-sender/

because no one sending ads for viagra is anyone's "friend."

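The syntax quoted above from the milter-sender documentation is small enough to implement in full, which is the quickest way to see how the question's header would be matched by it. The block below is an added example written for this thread; it is not milter-sender's code and not sendmail's. It parses a sendmail-style Received line into the HELO name, reverse-DNS name and client IP, then evaluates a tag value made of /regex/, !pattern! and [network/cidr] items against them. Two points are assumptions rather than documented behaviour: matching is case-insensitive (host names are), and a pair written without an action falls through to the default action. The sample header is the one from the question; the policy strings are constructed.

```python
import ipaddress
import re

# Action words named in the milter-sender documentation quoted above.
ACTIONS = {"OK", "RELAY", "REJECT", "ERROR", "SKIP", "FRIEND", "HATER"}

# Constructed sample: the Received line from the question.
SAMPLE_RECEIVED = "Received: from friend (2Cust82.VR2.NYC4.broadband.uu.net [63.13.135.82])"

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")


def parse_received(line):
    """Split a sendmail-style Received line into (helo_name, rdns_name, client_ip).

    Returns None when the line does not have that shape (e.g. 'Received: by ...').
    """
    m = RECEIVED_RE.match(line)
    return m.groups() if m else None


def glob_to_regex(pattern):
    """Translate the !pattern! wildcards (* and ?) into an anchored regex; escape the rest."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def parse_value(value):
    """Tokenise a tag value into (kind, pattern, action) rules plus a default action.

    kind is 'regex' for /.../, 'glob' for !...! or 'cidr' for [net/bits]; action is None
    when the pair carried no explicit action. A bare action word is only legal as the
    last token, where it is the default action.
    """
    tokens = value.split()
    rules, default = [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if len(tok) >= 2 and tok[0] == tok[-1] == "/":
            kind, pattern = "regex", tok[1:-1]
        elif len(tok) >= 2 and tok[0] == tok[-1] == "!":
            kind, pattern = "glob", tok[1:-1]
        elif len(tok) >= 2 and tok[0] == "[" and tok[-1] == "]":
            kind, pattern = "cidr", tok[1:-1]
        elif tok.upper() in ACTIONS and i == len(tokens) - 1:
            default = tok.upper()
            break
        else:
            raise ValueError(f"bad token {tok!r} in {value!r}")
        action = None
        if i + 1 < len(tokens) and tokens[i + 1].upper() in ACTIONS:
            action = tokens[i + 1].upper()
            i += 1
        rules.append((kind, pattern, action))
        i += 1
    return rules, default


def lookup(value, name, client_ip=None):
    """Evaluate a tag value against a host name (HELO or rDNS) and the client IP.

    The first matching rule wins and its action is returned; a rule without an action
    yields the default action (assumption, see lead-in). SKIP is handed back to the caller
    like any other action. No match and no default yields None.
    """
    rules, default = parse_value(value)
    for kind, pattern, action in rules:
        if kind == "regex":
            hit = re.search(pattern, name, re.IGNORECASE) is not None
        elif kind == "glob":
            hit = re.match(glob_to_regex(pattern), name, re.IGNORECASE) is not None
        else:
            net = ipaddress.ip_network(pattern, strict=False)
            hit = client_ip is not None and ipaddress.ip_address(client_ip) in net
        if hit:
            return action if action is not None else default
    return default


if __name__ == "__main__":
    helo, rdns, ip = parse_received(SAMPLE_RECEIVED)
    # Reject the bogus HELO from the question, reject kamichie's *.uu.net, accept the rest.
    policy = "!friend! REJECT !*.uu.net! REJECT OK"
    print("HELO", helo, "->", lookup(policy, helo, ip))
    print("rDNS", rdns, "->", lookup(policy, rdns, ip))
```

One caveat worth keeping in mind with any Received-header rule: only the Received line that your own MX wrote is trustworthy, because earlier lines in the chain were supplied by the sender and can say anything. A milter sees the HELO name and client IP directly at connection time, which is why the policy is best applied there rather than by grepping headers after delivery.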
GinEric (Author) commented:
kamichie,

Ray's Filter looks pretty close to what I want to do.


Tim_Utschig,

SpamAssassin either refuses to build on this system, or sendmail already has the functionality to do what SpamAssassin does as an add-on, usually both.  I am tied up enough with dependencies of add-on software; for example, installing some component of MySQL5 and PHP5 requires that I compile GNU's GCC 4.1, that's about a two week job with no guarantee that it will work after it's all done and MySQL5, Apache2, Perl6, PHP5, and SSL1 are also cross-compiled and installed.  I did not expect to have to recompile my entire Linux system just to get MySQL to play nice with PHP5 and everybody else.  I appreciate the tip Tim, these links are closer for me:

http://www.Musics.com/sendmail/
http://www.Musics.com/HOWTO/Sendmail+UUCP.html
http://www.Musics.com/HOWTO/Spam-Filtering-for-MX/index.html

I'm no longer in the 21st Century, I'm at "The Restaurant At The End Of Time."
Tim_Utschig commented:
More than likely you have absolutely no need for the latest-and-greatest of anything, and you are just making trouble for yourself.  Is there any good reason you're not using the packages included with the distribution you are using?
GinEric (Author) commented:
Yes there is a reason why I'm not using just the packages included with the distribution, in addition to being a software developer, we are a Digital Distributor, music and movie people, financials industry, and constantly under attack from exploits of everything that is current, including both Linux and Windows.

We actually do use the packages supplied, but in adapting to new conditions on the Internet we find that almost none of them are adequate to Securities & Exchange required real security, neither Linux nor Windows, currently.

I know a lot of people will disagree, however, we see both the Free Software Foundation and Microsoft concentrating entirely too much on bells and whistles and not enough on security.  It's really that simple.

Then there is transaction speed, ease of integration of new hardware and software, restructuring the network, and keeping an eye on things while providing absolute privacy to our artists and public.  We thoroughly test all hardware and software before it goes to production environment.  Too many facets of our industry require more than "out of the box" solutions.

We use the usual packages, but when they fail or allow some exploit to query the system, such as the latest phpBB2 bots bouncing off of Google to get past and post on our forums, then we need a solution and not a bandaid.  So, we either write the software or get it from someone who has already solved the problem.

Spam has become a headache because, mostly, it's being ignored by software instead of being effectively dealt with, i.e., being prosecuted.  We intend to prosecute and eliminate spam.
Tim_Utschig commented:
The arguments mentioned above seem to me a good argument for *not* using the latest-and-greatest, and going with something like Debian stable (currently 3.1 "sarge").
GinEric (Author) commented:
But it's the "stable" distributions that have the security problems, not the latest and so called "greatest" ones.  Understand that once a distribution is tarballed as a binary, then every hacker in the world knows where everything is, can get his own copy, and find all the holes in it quite easily.  The portability of software is non-existent, even though everyone keeps insisting that "Linux" is portable, it is not.  Everyone who tries to compile to custom directories or on distributions that are not in the "developers collective" of pet distributions, gets the same old errors.  Requests for developers to incorporate Apache Runtime Portable Libraries [APR's] result in only "snob" answers, such as 'use the ./configure --help to find out how to do everything; we're too important to consider changing our way of thinking.'  And if the main guy gets sick and falls behind, RedHat, Debian, and the others leave you in the dust like so much roadkill.

KDE won't listen, MySQL won't listen, and quite a few others simply don't care what others say, they are going to do it "their" way.  Consequently, none of their programs install "out of the box" and won't compile "out of the box" with reasonable security either.  KDE was the main cause of worms and viruses spreading on Linux servers in the last 5 years and the founder of KDE simply refuses to listen to anyone other than the voices in his head.

Their security is weak.  Dropdown bells and whistles, wows and bow-wows, instead of fixing the executable permissions in /tmp.  Apache had to fix the problem for them.  Instead of tracking down hackers, developers at Google and phpBB simply set some patch to ignore the attacks, but only after they've been successfully attacked.  Afterwards, they have "attitude" when the subject is brought up.

None of them has any configure.example included with their software, nor an explanation of why they included what options they elected.  Nearly all of their documentation skips the basic steps and what to do when you can't successfully complete step one of any install, the install itself.  They opt nearly always to blame the other software, like so many dependencies.  Thus, KDE blames X, but buddies up to its QT which may be the real culprit, phpBB blames PHP, and so on.  Until, eventually, they all begin to look like any other glob bureaucracy.

Which, of course, forces us to address the problems.  The assumption that the "21st century" is better simply because it's a higher number is not really valid.  My house, for example, was built in the 19th century; it is far better built and will last a thousand years, something that cannot be said of houses built in the 21st century.  New is not always better.  Popsicle stick houses made of pine 2X4's and SOB board don't last the length of the mortgage, but sell at half a million dollars.  A collision at 70 mph of a 1972 Bonneville and a 2006 Lexus means only one thing: the Lexus people are all dead and the plastic car is totaled, whereas the 1972 Bonneville needs only some body work and perhaps some replacements of axles and such, but all the people in the Bonneville are alive and well.  New is not better by definition.

Thus, RBL's and other block lists are about the same as the 2006 Lexus: illusion.  They look good, but eventually they will get totaled.  They are a good temporary measure, but only if you then develop something to actually deal with the problem and not just put up a barricade that eventually will be breached.

I just got back from fixing a nephew's computer with Windows XP SP2.  The firewall was effective, until some advertiser got around it.  Then, it basically became a useless zombie box.  Again, instead of going after the false advertisers and others with "free download this spam blocker now!" Microsoft too has become dependent upon block and punt techniques, instead of a good offense.  Some child had removed the Firewall I put in, which was AVG and not Windows, and boom!  The box was owned.  Next time permissions will be set so that they cannot access or see or disable the firewall.

And everyone seems loath to admit that it is the New York City advertising industry that is actually writing this hacker, spam, and breakin spyware; well, from our evidence in numerous logs, it's all coming out of New York City, Madison Avenue to be specific.  Who else has the money to pay high priced scriptkiddies turned ad execs?  We have tons of evidentiary logs to back that up 100%.

So, I'm going to close the question and award points.  The links and advice were helpful from kamichie and Tim_Utschig.  SpamAssassin remains a failure though.

Thanks.
Tim_Utschig commented:
> But it's the "stable" distributions that have the security problems

Only if the distribution was abandoned, or poorly supported by its creators.  Part of the install process in Debian is downloading the latest security updates.  If you don't keep it up to date afterwards, you only have yourself to blame.
GinEric (Author) commented:
"Only if the distribution was abandoned, or poorly supported by its creators.  Part of the install process in Debian is downloading the latest security updates.  If you don't keep it up to date afterwards, you only have yourself to blame."  Sounds a lot like Microsoft to me; add a bandaid, hope it works.

You can't install over the Internet if you can't connect.  Sounding more and more like the Microsoft approach, automated and unreliable.

Patches are okay for temporary solutions, but not the long term.  en stabilo est en stagnato.

Still waters stagnate quickly.

Tim_Utschig commented:
> You can't install over the Internet if you can't connect.

The Internet is not the only way to move data.

> Sounding more and more like the Microsoft approach, automated and unreliable.

Actually it's manual unless you set up a cron script yourself.

What I do is just subscribe to bugtraq, and the security mailing lists for each distribution I run, and I handle issues as they arise.

You sound like you're completely against patches.  What would you suggest people do if they don't want to patch their systems?

> Still waters stagnate quickly.

Quick moving waters slap you against rocks ;-)
GinEric (Author) commented:
I'm not against patches at all; why do people say such things?  I do know about getting slapped against rocks by rapids, and slam dunked onto the bottom of the ocean floor by big moving waves!  If I survive, I love it!  Don't know what it's like not to survive yet.  [actually, I do, but I do not want to talk about coming back from the dead here, it's far too lengthy an explanation and a sort of "personal" experience]

I thought slapt-get and apt-get were calling cvs for the latest versions?  I also thought that meant a live Internet connection.

We did notice a big drop in spam emails after some recent busts of various spam rings.

Back to the surf . . .
Tim_Utschig commented:
> I thought slapt-get and apt-get were calling cvs for the latest versions?  I also thought that meant a live Internet connection.

apt-get can use several types of package sources.  HTTP and FTP are just two of them -- and even those don't necessarily have to go out to the Internet (see: apt-proxy, apt-cacher, apt-move, ...).

You can just as easily do an apt-get update && apt-get upgrade off updated versions of the CD/DVD-ROMs.

Anyway, I'll cease straying off topic now.