Simple transaction filtering tests for spam zombies

05-31-2007, 18:47 | wpope | Joined on 05-31-2007 | Points 10
Re: Simple transaction filtering tests for spam zombies
I have Transfilters set on From but they only work on the SMTP envelope. It would also be handy to filter on the e-mail From. Spammers are using an outside address to get through SMTP and then a local address to get whitelisted.
Mercury 4.41c

06-03-2007, 18:04 | Richard | Joined on 05-24-2007 | Points 165
Re: Simple transaction filtering tests for spam zombies
Rob: If you check the MercuryS log files, you can see entries where an IP address has been added to the short-term blacklist. For example, I have a DNSBL check titled "Spamhaus Zen - Reject". When a transaction arrives that returns a positive on the Zen list, the following entry is made in the MercuryS log file:
E 20070529 004133 4640efe8 Host (IP.Address) blocked by Spamhaus Zen - Reject - dropped and blocked.
Thank you for that, Rob. I'm wanting to watch what's going on, both to understand the process and to satisfy myself that it's working correctly.
I assume you are referring to the MercuryS general log, as opposed to the session logs, as I imagine that in the case of a rejected connection no session would ever get started.
Does the rejection text get sent back to the remote host, so they know why they are being refused?
Richard
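To watch the blacklisting activity that Rob's log line records, the general-log entries can be tallied per DNSBL rule and per connecting host. The script below is an added example written for this page; it is not part of the thread and not Mercury's code. It parses lines of the exact shape quoted above, using constructed sample lines, and the assumed field layout (record type, date, time, session id, free text) and the format of the unrelated "C" line are my own guesses rather than documented Mercury behaviour.

```python
import re
from collections import Counter

# Constructed sample of MercuryS general-log lines. The "E ... blocked by ..." lines
# follow the shape quoted in the thread; the "C" line is an invented unrelated entry,
# included only to show that lines of other kinds are skipped by the parser.
SAMPLE_LOG = """\
E 20070529 004133 4640efe8 Host (192.0.2.10) blocked by Spamhaus Zen - Reject - dropped and blocked.
C 20070529 004140 4640efe9 Connection from 198.51.100.5
E 20070529 004201 4640efea Host (192.0.2.10) blocked by Spamhaus Zen - Reject - dropped and blocked.
E 20070529 004315 4640efeb Host (203.0.113.7) blocked by Spamhaus Zen - Reject - dropped and blocked.
"""

# Assumed field layout: record type, date (YYYYMMDD), time (HHMMSS), session id, free text.
BLOCK_RE = re.compile(
    r"^E (?P<date>\d{8}) (?P<time>\d{6}) (?P<session>[0-9a-fA-F]+) "
    r"Host \((?P<ip>[^)]+)\) blocked by (?P<rule>.+?) - dropped and blocked\.$"
)


def parse_blocks(log_text):
    """Return one dict per blacklist entry found in the log text; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(log_text):
    """Count blocked connections per DNSBL rule and per connecting host."""
    entries = parse_blocks(log_text)
    return {
        "total": len(entries),
        "per_rule": Counter(e["rule"] for e in entries),
        "per_ip": Counter(e["ip"] for e in entries),
    }


def repeat_offenders(log_text, threshold=2):
    """Hosts that hit a blacklisting rule at least `threshold` times while the
    short-term entry keeps expiring: candidates for a longer-lived connection-control entry."""
    counts = summarize(log_text)["per_ip"]
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} blocked connections")
    for rule, n in report["per_rule"].most_common():
        print(f"  {n:4d}  {rule}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Run it against a real general log by replacing SAMPLE_LOG with the file contents; the session id in each entry lets you jump to the matching session log, and a host that keeps reappearing after its short-term entry expires is the one worth a permanent connection-control rule.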

06-04-2007, 9:09 | David Harris | New Zealand | Joined on 01-31-2007 | Points 7,970
Re: Simple transaction filtering tests for spam zombies
Richard: Does the rejection text get sent back to the remote host, so they know why they are being refused?
Yep. Whatever diagnostic is defined in the Mercury RBL definition is returned as a 500-level error to the connected client. If the connected client is a real mail server, it will report that error in the delivery failure notification it sends back to the originator. Cheers! -- David --

06-15-2007, 20:26 | subelman | Los Angeles, California | Joined on 05-10-2007 | Points 335
Re: Simple transaction filtering tests for spam zombies
David Harris: One of the simplest things you can do to reduce the amount of spam your system has to process is to add a couple of simple MercuryS transaction filtering rules that detect spam zombies. ....
Here are a few simple tests you can do: I've been using them for a long time as part of my spam-defeating strategy, and they work well for me - they may work well for you too.
1: Check the HELO parameter to see if the connecting host is identifying itself as you. This may sound idiotic, but an awful lot of spam zombies don't seem to be able to do domain name resolution properly, and instead simply use your domain name or address in the HELO greeting. This one is an absolute guarantee that the connecting client is bogus, and you can use it to form reliable blacklists. So, if your mail server's hostname is mail.example.com, any time you see a connection issue the command HELO mail.example.com or EHLO mail.example.com, you can drop the connection and blacklist the host. The MercuryS transaction filtering rule that does this might look like this:
H, "*mail.example.com*", RS, "554 Format of command not acceptable here"
Similarly, the zombie may attempt to pass your own IP address to you in the HELO line: this is another easy and utterly foolproof test: assuming your mail server's IP address is 190.140.4.4, you could use a MercuryS rule like this:
H, "*190.140.4.4*", RS, "554 Format of command not acceptable here"
....
I just found an example where this rule failed. Our DSL router has the ability to log some of the traffic through it, and can be configured to email the log. I wanted to use that feature, and set it up to send the logs to abuse@mail.example.com. Guess what, the router's built-in SMTP client generates a "HELO mail.example.com". Clearly, the router's firmware is broken, but it's something to keep in mind.

06-16-2007, 2:36 | David Harris | New Zealand | Joined on 01-31-2007 | Points 7,970
Re: Simple transaction filtering tests for spam zombies
subelman: I just found an example where this rule failed. Our DSL router has the ability to log some of the traffic through it, and can be configured to email the log. I wanted to use that feature, and set it up to send the logs to abuse@mail.example.com. Guess what, the router's built-in SMTP client generates a "HELO mail.example.com". Clearly, the router's firmware is broken, but it's something to keep in mind.
In v4.5 (which is now finally out), you should be able to work around this fairly easily by adding an ACL (connection control entry) indicating that your router's IP address is exempt from transaction filtering. Of course, if you're using NAT, that might be problematic, because *all* incoming mail will probably appear to be coming from your router... Hmm. Not quite sure how you'd deal with that. Cheers! -- David --

06-16-2007, 2:56 | jbanks | Prince Edward Island, Canada | Joined on 06-09-2007 | Points 185
Re: Simple transaction filtering tests for spam zombies
I use my honeypot addresses to train SpamHalter. Looking at the headers of my spam I can see that a lot of the exact same stuff comes in but from all different IPs. Once SpamHalter has it marked, I don't have to worry about where it comes from at all.
Jim Banks
My honeypot address is bjones@apmgroup.com. Don't send email to it. I'm just posting it here, hoping it gets picked up by a bot.

06-18-2007, 19:00 | subelman | Los Angeles, California | Joined on 05-10-2007 | Points 335
Re: Simple transaction filtering tests for spam zombies
An ACL should work, even if you use NAT. When you use NAT, Mercury still knows the originating IP of the connection - that's how it checks DNSBLs.
In the meantime, I configured Mercury to handle an extra domain with an invalid TLD (e.g. aiewdnc.xyz). Only my router knows that me@aiewdnc.xyz even exists, so I don't need to use transaction filtering for HELO aiewdnc.xyz.

07-20-2007, 18:17 | jacekza | Joined on 07-20-2007 | Points 80
Re: Simple transaction filtering tests for spam zombies
I’m new here, but maybe I can help somebody with the following suggestion. I’m the owner of a .com domain, "xxxx.com". Most spammers connecting to my SMTP server are sending mail from "somenames@xxxx.com". To stop a huge amount of mail, from 3000 to 5000 per hour, I created a rule like this:
M, "*xxxx.com*", RS, "554 Fraudulent MAIL FROM rejected."
Jacek

07-20-2007, 19:07 | Thomas R. Stephenson | San Jose, CA | Joined on 03-23-2007 | Points 32,510
Re: Simple transaction filtering tests for spam zombies
jacekza: I’m new here, but maybe I can help somebody with the following suggestion. I’m the owner of a .com domain, "xxxx.com". Most spammers connecting to my SMTP server are sending mail from "somenames@xxxx.com". To stop a huge amount of mail, from 3000 to 5000 per hour, I created a rule like this:
M, "*xxxx.com*", RS, "554 Fraudulent MAIL FROM rejected."
Jacek
You should verify that you have turned off relaying in the MercuryS setup. Both the relaying and strict boxes should be checked and then you can turn on the AUTH to allow certain people to relay when they have properly authenticated to the server.
Thomas R. Stephenson San Jose, California Member of Pegasus Mail Support Team

07-20-2007, 19:37 | jacekza | Joined on 07-20-2007 | Points 80
Re: Simple transaction filtering tests for spam zombies
You are right, but when MercuryS is running in strict anti-relaying mode, you cannot blacklist the hosts for the next half hour so Mercury does not need to search the connection control list on every single connection. It means less CPU usage.

07-20-2007, 20:13 | Thomas R. Stephenson | San Jose, CA | Joined on 03-23-2007 | Points 32,510
Re: Simple transaction filtering tests for spam zombies
jacekza: You are right, but when MercuryS is running in strict anti-relaying mode, you cannot blacklist the hosts for the next half hour so Mercury does not need to search the connection control list on every single connection. It means less CPU usage.
Not sure what you mean. The hosts trying to relay are blocked and there is no transaction control required at all, and so there is less load on the server.
Thomas R. Stephenson San Jose, California Member of Pegasus Mail Support Team

07-20-2007, 21:21 | jacekza | Joined on 07-20-2007 | Points 80
Re: Simple transaction filtering tests for spam zombies
I configured MercuryS as you suggested and CPU usage went from 10% to 18%. It is because MercuryS started to communicate with the spam blocklist servers. I must tell you that I have about 300000 connections per day.
This way I’m blocking mail from spammers sending as follows:
MAIL FROM blabla@xxxx.com
Whether the address exists in the domain xxxx.com or not, it happens before asking the spam blocklist servers.
Secondly, I have a rule like this:
R, "*@xxxx.com*", R, "554 Fraudulent RCPT rejected."
This one is to block mail sent to non-existent addresses.
Explanation:
The spammer is sending mail like this:
MAIL FROM Thomas R. Stephenson@jourdomain.com
RCPT TO blabla@xxxx.com
The server then sends a mail to you notifying you that your mail cannot be delivered to blabla@xxxx.com. In that way the spammer is using my server to send SMTP traffic to your SMTP server.
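The rules quoted in this thread (David Harris's HELO checks, jacekza's M and R rules), the connection-control exemption David suggests for the broken router, the exception list for valid recipients, and the half-hour short-term blacklist can all be exercised offline with a small model of how such transaction filters are evaluated. The code below is an added example written for this page, not Mercury's code and not a description of its internals. It assumes that `*` in a pattern matches as in shell globbing, that an action ending in S also blacklists the connecting host for 30 minutes (the thread says RS rejects and blacklists), that an exempt-IP list and a valid-recipient list skip the rules entirely, and the "554 Host blacklisted" wording for refused connections is invented. All transactions and addresses in `demo()` are constructed.

```python
import fnmatch

# Assumed simplified form of a MercuryS transaction filter line: (test, pattern, action, response).
# H = HELO/EHLO parameter, M = MAIL FROM address, R = RCPT TO address.
# These four rules are the ones quoted in the thread.
RULES = [
    ("H", "*mail.example.com*", "RS", "554 Format of command not acceptable here"),
    ("H", "*190.140.4.4*",      "RS", "554 Format of command not acceptable here"),
    ("M", "*xxxx.com*",         "RS", "554 Fraudulent MAIL FROM rejected."),
    ("R", "*@xxxx.com*",        "R",  "554 Fraudulent RCPT rejected."),
]

BLACKLIST_SECONDS = 30 * 60  # "the next half hour" as stated in the thread; exact length assumed


class TransactionFilter:
    def __init__(self, rules, exempt_ips=(), valid_recipients=()):
        self.rules = rules
        self.exempt_ips = set(exempt_ips)                                # ACL: skip filtering
        self.valid_recipients = {r.lower() for r in valid_recipients}    # exception list for R rules
        self.blacklist = {}                                              # ip -> expiry time (seconds)

    def is_blacklisted(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:            # short-term entry has aged out
            del self.blacklist[ip]
            return False
        return True

    def check(self, stage, argument, ip, now):
        """Return None to accept the command, or the SMTP error string to send instead."""
        if ip in self.exempt_ips:
            return None
        if stage == "R" and argument.lower() in self.valid_recipients:
            return None
        for test, pattern, action, response in self.rules:
            # Case-insensitive glob match, like the "*xxxx.com*" patterns in the thread.
            if test == stage and fnmatch.fnmatchcase(argument.lower(), pattern.lower()):
                if action.endswith("S"):
                    self.blacklist[ip] = now + BLACKLIST_SECONDS
                return response
        return None

    def run_session(self, ip, helo, mail_from, rcpt_to, now=0.0):
        """Walk one SMTP transaction and report the first command that is refused."""
        if self.is_blacklisted(ip, now):
            return ("CONNECT", "554 Host blacklisted")   # wording assumed
        steps = (("H", "HELO", helo), ("M", "MAIL FROM", mail_from), ("R", "RCPT TO", rcpt_to))
        for stage, command, argument in steps:
            response = self.check(stage, argument, ip, now)
            if response is not None:
                return (command, response)
        return ("DATA", "250 OK")


def demo():
    """Constructed transactions covering the cases discussed in the thread."""
    tf = TransactionFilter(RULES, exempt_ips={"192.168.1.1"}, valid_recipients={"me@xxxx.com"})
    zombie, router, forger, guesser = "203.0.113.9", "192.168.1.1", "198.51.100.4", "198.51.100.8"
    return {
        # zombie greets the server with the server's own name: rejected and blacklisted
        "zombie": tf.run_session(zombie, "mail.example.com", "x@example.net", "me@xxxx.com", now=0),
        # same host one minute later, even with a clean HELO: still blacklisted
        "zombie_retry": tf.run_session(zombie, "bob.example.net", "bob@example.net", "me@xxxx.com", now=60),
        # same host after the half hour: entry expired, transaction accepted
        "zombie_later": tf.run_session(zombie, "bob.example.net", "bob@example.net", "me@xxxx.com", now=31 * 60),
        # broken router with the same bogus HELO, but exempt via connection control
        "router": tf.run_session(router, "mail.example.com", "router@aiewdnc.xyz", "me@xxxx.com", now=0),
        # forged MAIL FROM in the local domain (jacekza's M rule)
        "forged_sender": tf.run_session(forger, "host.example.org", "somenames@xxxx.com", "me@xxxx.com", now=0),
        # RCPT TO a non-existent local address: rejected, but not blacklisted (action R, no S)
        "unknown_rcpt": tf.run_session(guesser, "host.example.org", "a@example.net", "blabla@xxxx.com", now=0),
        "guesser_blacklisted": tf.is_blacklisted(guesser, 0),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The router case is the one subelman hit: the HELO rule is right to fire, and the exemption is what keeps a known-good but misbehaving client out of the blacklist. Note that a pattern such as "*xxxx.com*" also matches any longer string containing it, so a rule like that should be written with the exact form of your own domain in mind.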

07-20-2007, 21:40 | Thomas R. Stephenson | San Jose, CA | Joined on 03-23-2007 | Points 32,510
Re: Simple transaction filtering tests for spam zombies
jacekza: I configured MercuryS as you suggested and CPU usage went from 10% to 18%. It is because MercuryS started to communicate with the spam blocklist servers. I must tell you that I have about 300000 connections per day.
This way I’m blocking mail from spammers sending as follows:
MAIL FROM blabla@xxxx.com
Whether the address exists in the domain xxxx.com or not, it happens before asking the spam blocklist servers.
Secondly, I have a rule like this:
R, "*@xxxx.com*", R, "554 Fraudulent RCPT rejected."
This one is to block mail sent to non-existent addresses.
Explanation:
The spammer is sending mail like this:
MAIL FROM Thomas R. Stephenson@jourdomain.com
RCPT TO blabla@xxxx.com
The server then sends a mail to you notifying you that your mail cannot be delivered to blabla@xxxx.com. In that way the spammer is using my server to send SMTP traffic to your SMTP server.
If you are rejecting mail from invalid local users then the connecting spamming server is getting the bounce, not the MAIL FROM: address. If the mail is in fact sent from a valid server then it should be sending the error message back to the sender so they can correct the error. The only way the mail may get back to the MAIL FROM: address is if your Mercury/32 server accepts it and then Mercury core bounces the message using the data in the RFC 2822 message body.
Thomas R. Stephenson San Jose, California Member of Pegasus Mail Support Team

07-20-2007, 21:56 | jacekza | Joined on 07-20-2007 | Points 80
Re: Simple transaction filtering tests for spam zombies
Thomas R. Stephenson: If you are rejecting mail from invalid local users then the connecting spamming server is getting the bounce, not the MAIL FROM: address. If the mail is in fact sent from a valid server then it should be sending the error message back to the sender so they can correct the error.
The only way the mail may get back to the MAIL FROM: address is if your Mercury/32 server accepts it and then Mercury core bounces the message using the data in the RFC 2822 message body.
In that way the server must read the complete mail and write it to a file, if I’m right? The virus scanner will start to check the file. Then the server will start to deliver the mail back to the sender whether it exists or not.
Misspelling the address is not the issue. I have only 20 mail addresses on my domain. This is a private server. Of course all existing addresses are on the exception list so these mails can be delivered.

07-20-2007, 22:29 | Thomas R. Stephenson | San Jose, CA | Joined on 03-23-2007 | Points 32,510
Re: Simple transaction filtering tests for spam zombies
jacekza: Thomas R. Stephenson: If you are rejecting mail from invalid local users then the connecting spamming server is getting the bounce, not the MAIL FROM: address. If the mail is in fact sent from a valid server then it should be sending the error message back to the sender so they can correct the error.
The only way the mail may get back to the MAIL FROM: address is if your Mercury/32 server accepts it and then Mercury core bounces the message using the data in the RFC 2822 message body.
jacekza: In that way the server must read the complete mail and write it to a file, if I’m right? The virus scanner will start to check the file. Then the server will start to deliver the mail back to the sender whether it exists or not.
No. If you have an invalid local user only the MAIL FROM address is read and then rejected. However if you are not rejecting mail from invalid local users then the entire message is read and then core bounces it back to the Sender: address, which is probably faked if it's spam.
jacekza: Misspelling the address is not the issue. I have only 20 mail addresses on my domain. This is a private server. Of course all existing addresses are on the exception list so these mails can be delivered.
Not sure what this means? Mail delivered to valid users is not tested for relaying at all. If the address is valid, mail will be delivered unless you are blocking on some other system.
Thomas R. Stephenson San Jose, California Member of Pegasus Mail Support Team

Page 2 of 2 (30 items)