Mike Cardwell <exim-users@???> said, in message
470AA1DE.2040400@???:
>
> I might be missing the point, or several points, here, but why don't
> you just set up a wildcard MX record for *.aber.ac.uk to point at
> your real MX? I know that's not much use for the rest of your
> tarpitting/portscanning stuff but it should solve your main problem,
> no?
Hi Mike,
The main problem isn't actually the fact that mail gets queued before
being bounced when the Aber user has typed an incorrect address. It's
the one that affects legit mail, yes, but we've not had any complaints.
For a couple of years I've had a little script tied into our firewall
that looks for blocked port 25 connect attempts and adds the source IP
to a local blacklist. This works pretty well (you wouldn't believe the
number of hits we get on hosts in the A record for aber.ac.uk rather
than the MX record, for example) and the blacklist now stands at nearly
300,000 IP addresses. We get very few false positives on matches
against this list and it's a fairly lightweight test before we start
dropping stuff into spamassassin. The false positives come in those
rare cases above, where someone fools a legitimate server into trying
to connect to an illegitimate host. To address this we wanted to try to
retain tractability (i.e. know what people were trying to conenct to)
whilst detecting the false positives.
We looked at wildcard MX records, but they appeared to have problems
that we didn't want to get into handling. For example,
http://www.unix.org.ua/orelly/networking/sendmail/ch21_03.htm
says the following:
> One compelling weakness of wildcard MX records is that they match any
> hostname at all, even for machines that don't exist:
>
> ; domain is sub.dc.gov
> *.dc.gov. IN MX 10 hostB.dc.gov.
>
> Here, mail to foo.dc.gov will be forwarded to hostB.dc.gov, even if
> there is no host foo in that domain.
>
> Wildcard MX records almost never have any appropriate use on the
> Internet. They are often misunderstood and are often used just to
> save the effort of typing hundreds of MX records. They do, however,
> have legitimate uses behind firewall machines and on non-Internet
> networks.
Another alternative (MX record for every existing machine) but that
would double the size of our DNS and I'd have to rewrite a whole pile
of code.
Also, bouncing all connects records onto the main mail servers could
well have increased our scanning load by actively collecting extra
spamming attempts we'd never have seen otherwise.
Putting a dummy server on our site firewall sounded an elegant answer
and gives us a chance at spotting the spammers before they hit our real
servers.
The redirect is working fine, and my question was really to be sure
that I wasn't missing anything in trying to detect what IP the other
end was *trying* to connect to.
I mentioned last night that I'd have a bash at wrapping getsockname()
with a shared library. This appears to work, so a slightly modified
exim startup script will do what I want. I'm going to do some more
testing - if that works I'll put it up on the web, just in case it's
useful to anyone else.
Cheers,
Alun.
--
Alun Jones auj@???
Systems Support, (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
