Re: [exim] rogue connections to broadcast addresses

Author: Alan J. Flavell
Date:
To: Exim users list
Subject: Re: [exim] rogue connections to broadcast addresses
On Sun, 3 Oct 2004, Chris Edwards wrote:

> Consider subscribing to bogon-announce.
>
> Quoting http://www.cymru.com/Bogons/


By all means. Or a cron task executing conditional wget, and
taking appropriate action when the file has changed. But in either
case, this only becomes effective when the collators of the Bogons
list have received and acted on information about new assignments.
(Which is not in any way to criticise them - merely to express a
point about the logic of how this works).

The aggregated bogons list includes two kinds of blocked IP ranges:
those which are by definition blocked by rule (RFC1918 etc), and will
not (normally) ever change; and those which are currently not
assigned, but this changes over time. Some users of a bogons list
might decide to handle the two kinds differently. In any case, I can
only echo what it says on the cited documentation page:

In short, there is rarely a "one size fits all" solution in
networking. It comes down to understanding the business and technical
requirements of your network, and knowing how to verify that those
requirements have been met. Please do not blindly apply any filters
or blocks to your network without carefully considering the
ramifications of such filters.

So much for that issue...


Perhaps I should have spelled out in more detail the benefits of
putting that ignore_target_hosts statement into the router
configuration:

1. It stops one from trying to send mail -to- these bogus mail domains
(which is what was asked about on this thread); -and-

2. If verify=sender is enforced (no /callout necessary) then it will
refuse mail whose envelope sender is in one of these bogus mail
domains, thus defeating a popular spammer trick.


As some may have noticed in my posted snippet, we extend this
mechanism somewhat by adding a locally-maintained file called
ignore_spammers, into which go the CIDR address ranges of some
career-spammers who have proven to be a nuisance here /and/ who are
typically registered at SPEWS or SBL. Don't get me wrong: we don't
block outright on either of those blacklists - but when an
envelope-sender domain gets to be a nuisance, and turns out to
correspond to an IP which is blacklisted as a career-spammer, then
into this list they go; and then they can change their envelope-sender
domain names as much as they like (and some of them have vast numbers)
- so long as the names correspond to a blacklisted IP, the
verify=sender test will pretend that they are unreachable, and so
we'll refuse their mail.

There -are- more subtle ways of handling this, but the above kludge
is working for us.

hope that helps.
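As an added configuration example (not the snippet Alan refers to, which is not reproduced on this page), this is how the two benefits he lists fit together in an Exim configuration: a dnslookup router whose ignore_target_hosts combines the fixed RFC 1918-style ranges with two files that are refreshed separately, and an ACL that enforces verify = sender without a callout. The file paths, the ACL name and the +local_domains domain list are assumptions; the files contain one host-list item (address or CIDR range) per line, which Exim reads because a list item starting with a slash names a file.

```exim
# Added example, not the posted snippet. Assumed paths:
#   /etc/exim/bogons          - aggregated bogons list, one CIDR per line
#   /etc/exim/ignore_spammers - locally maintained career-spammer ranges
# Assumes a domainlist local_domains is defined in the main section.

begin acl

acl_check_rcpt:
  # Sender verification with no callout: the envelope sender only has to
  # route. A domain whose every MX/A target falls in ignore_target_hosts
  # cannot be routed, so its mail is refused here.
  deny    message       = Sender verification failed
          !verify       = sender

  accept

begin routers

dnslookup:
  driver              = dnslookup
  domains             = ! +local_domains
  transport           = remote_smtp
  # Hosts whose IP matches any of these are dropped from the target list;
  # if nothing remains, the router declines and routing fails.
  # The first group never changes (RFC 1918 and friends); the two files
  # hold the ranges that change over time and are maintained separately.
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 10.0.0.0/8 : \
                        172.16.0.0/12 : 192.168.0.0/16 : \
                        /etc/exim/bogons : /etc/exim/ignore_spammers
  # Decline outright rather than fall through to a later router.
  no_more
```

Because ignore_target_hosts is consulted both when delivering outbound mail and when verifying an envelope sender, one list covers both cases in the message: outbound mail to such a domain is never attempted, and inbound mail claiming such a domain as its sender is refused at RCPT time. Keeping the bogons file and the local ignore_spammers file separate lets each be replaced on its own schedule, which matches the point about the two kinds of ranges changing at different rates.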