Community Discussions and Support
AUTH LOGIN, GET / HTTP/1.1 and other spam/harvest? attempts

[quote]The TRANSFLT.MER file looks like this:

H, "*xxx.xxx.xxx.xxx*", R, "554 Action not allowed."

I'm not sure if you are giving an example of a specific IP address here.  One useful filter is to put your own IP address in here - nobody else should be using your IP in a helo greeting.[/quote]

This is indeed my own IP address Paul.

[quote]H, "*GET*", R, "554 Action not allowed."
H, "*AUTH LOGIN*", R, "554 Action not allowed."
R, "*AUTH LOGIN*", R, "554 Action not allowed."
H, "*EHLO windows*", R, "554 Action not allowed."


These are unnecessary as all the examples you have shown have been blocked by other means. (And the first might be harmful as it blocks any helo with those three letters in it.)

These are the most useful lines I use:

# just a number
H,"HELO [0-9]+??", RS, "550 Invalid response"
# no dot
H,"*.*", RSN, "550 Invalid response"

The first rejects helos which just consist of digits, and the second rejects those with no dot in it.[/quote]

Thanks for that, I'll remove the last 4 lines and replace them with your useful ones instead. Still weighing up the pros and cons of Graywall, now I know it's not 'serious' but more annoying and the bandwidth isn't suffering I feel a bit better about it.

Thanks again for taking the time to get back and advise Paul, much appreciated

Regards

Ron 


Hi to all

My first post to the group and I'm sorry to say all spam related.

I have been running Mercury for a few years having learned about it from Pegasus which I have used for a great deal longer. I'm using Mercury/32 v4.62 and it works brilliantly.

For a while now I have been having the usual flooding which is annoying to say the least, I assume it's a harvester of some kind but I'm no expert. Fortunately I set up Spamhaus, Spamcop and SORBS in the previous version of Mercury and still use them which deal with this problem in the main. My main concern is bandwidth, for example a couple of weeks ago I came home to find 2 hours 20 minutes of continuous attempts only stopped by me from 2 IP addresses. I block these in the SMTP connection control usually blocking the complete range, and I have a pretty long list now, drastic I know, but it works for me! My question on this issue is, is there a way of dropping the connection if there are more than say 3 attempts of this manner?

Another thing that has started over the last 9 or 10 months is the following taken from the SMTP server connection history:

Connection from 91.186.236.15, Fri Aug 20 18:31:16 2010
EHLO windows
AUTH LOGIN
QUIT
7 sec. elapsed, connection closed Fri Aug 20 18:31:23 2010

Again this sometimes has several tens of attempts. Any ideas again on stopping this?

Finally, a new phenomenon, if that's the right word, is this:

Connection from 194.44.245.243, Tue Feb 15 09:23:45 2011
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) Ap
Host: xxx.xxx.xxx.xxx
Connection: Close
554 Too many bad or unrecognized SMTP commands - terminating connection.
0 sec. elapsed, connection closed Tue Feb 15 09:23:45 2011

Same question as above but what is it? (host is the mail server address by the way)

I hope someone can help out and my apologies if the question(s) is/are a bit long.

Kind regards and thanks in advance

Ron

 

 


[quote user="rt2010"]

Hi to all

My first post to the group and I'm sorry to say all spam related.

I have been running Mercury for a few years having learned about it from Pegasus which I have used for a great deal longer. I'm using Mercury/32 v4.62 and it works brilliantly.

For a while now I have been having the usual flooding which is annoying to say the least, I assume it's a harvester of some kind but I'm no expert. Fortunately I set up Spamhaus, Spamcop and SORBS in the previous version of Mercury and still use them which deal with this problem in the main. My main concern is bandwidth, for example a couple of weeks ago I came home to find 2 hours 20 minutes of continuous attempts only stopped by me from 2 IP addresses. I block these in the SMTP connection control usually blocking the complete range, and I have a pretty long list now, drastic I know, but it works for me! My question on this issue is, is there a way of dropping the connection if there are more than say 3 attempts of this manner?[/quote]

First I doubt these attempts are doing much on your connection bandwidth - they may look busy, but there is very little data transferred.

There are ways - it depends on the actual connection attempt.  Have you looked at the Compliance tab and also the TRANSFLT.MER file?

[quote]Another thing that has started over the last 9 or 10 months is the following taken from the SMTP server connection history:

Connection from 91.186.236.15, Fri Aug 20 18:31:16 2010
EHLO windows
AUTH LOGIN
QUIT
7 sec. elapsed, connection closed Fri Aug 20 18:31:23 2010

Again this sometimes has several tens of attempts. Any ideas again on stopping this?[/quote]

A probe from the Middle East.

[quote]Finally, a new phenomenon, if that's the right word, is this:

Connection from 194.44.245.243, Tue Feb 15 09:23:45 2011
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) Ap
Host: xxx.xxx.xxx.xxx
Connection: Close
554 Too many bad or unrecognized SMTP commands - terminating connection.
0 sec. elapsed, connection closed Tue Feb 15 09:23:45 2011

Same question as above but what is it? (host is the mail server address by the way)[/quote]

Web connection to your mailserver possibly from an iPhone in Ukraine.  Strange but not unusual.

Neither of these addresses is listed in Spamhaus, but I would install Graywall - it will cut out most of this stuff.


Thanks for taking the time to reply Paul.

"First I doubt these attempts are doing much on your connection bandwidth - they may look busy, but there is very little data transferred.

There are ways - it depends on the actual connection attempt.  Have you looked at the Compliance tab and also the TRANSFLT.MER file?"


 A snapshot from the MercuryS logfile looks something like this:

T 20110214 182413 4d596e0f Connection from 91.200.215.157
T 20110214 182413 4d596e0f EHLO [91.200.215.157]
T 20110214 182414 4d596e0f MAIL FROM:<rt@bigfix.co.uk> SIZE=1016 BODY=7BIT
E 20110214 182414 4d596e0f Host 91.200.215.157 blocked by Spamhaus - zen - message rejected.
T 20110214 182414 4d596e0f RSET
T 20110214 182414 4d596e0f MAIL FROM:<raavy@rentnoje.se> SIZE=1016 BODY=7BIT
E 20110214 182414 4d596e0f Host 91.200.215.157 blocked by Spamhaus - zen - message rejected.
T 20110214 182414 4d596e0f RSET
T 20110214 182415 4d596e0f MAIL FROM:<robert.clerke@glqlaw.co.uk> SIZE=1016 BODY=7BIT
E 20110214 182415 4d596e0f Host 91.200.215.157 blocked by Spamhaus - zen - message rejected.
T 20110214 182415 4d596e0f RSET
//snip//
T 20110214 182749 4d596e0f MAIL FROM:<<overactingfraudgroup@hsbc.co.uk>,
E 20110214 182749 4d596e0f Host 91.200.215.157 blocked by Spamhaus - zen - message rejected.
T 20110214 182749 4d596e0f     <owenwilliams@hsbc.co.uk>,
T 20110214 182749 4d596e0f     <nline-accountreminder@hsbc.co.uk>,
T 20110214 182749 4d596e0f     <nline.customerservice@hsbc.co.uk>,
T 20110214 182749 4d596e0f     <nlinenotification@hsbc.co.uk>> SIZE=1016 BODY=7BIT
T 20110214 182749 4d596e0f RSET
//snip//
T 20110214 182750 4d596e0f Connection closed with 91.200.215.157, 217 sec. elapsed.


In the Compliance tab I have:

Require clients to use ESMTP SIZE declaration = not selected
Max number failed RSPRs = 3
Max number relay attempts = 3
Enable short term blacklisting = yes
Enable transaction-level expression filtering = yes

Under the 'Restrictions to apply to message content' I only have "Refuse messages that have no 'Date' field" selected (have tried Refuse pure HTML and non-MIME but they stop messages from legitimate users).

The TRANSFLT.MER file looks like this:

H, "*xxx.xxx.xxx.xxx*", R, "554 Action not allowed."
H, "*GET*", R, "554 Action not allowed."
H, "*AUTH LOGIN*", R, "554 Action not allowed."
R, "*AUTH LOGIN*", R, "554 Action not allowed."
H, "*EHLO windows*", R, "554 Action not allowed."

... I know the last 4 are long shots but I thought I may give them a try. From the continued influx of the above mentioned it had no impact whatsoever! Oh well [:(]

As some of the probes you mention in my second question and the possible iPhone connections in my third question come in I simply add the complete IP range (using ARIN, RIPE, APNIC etc.) to the list (depending on location) of banned ranges in 'Connection control'. Like I say, a bit drastic but common sense kicks in in the main, for example, I know nobody in the Middle East or Ukraine.

Regarding Graywall/Greywall I looked at that today and am weighing up the advantages over disadvantages mentioned.

Thanks again Paul

Kind regards

Ron
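For the "more than say 3 attempts" question, the MercuryS log layout quoted in the post above can be summarised per session to list the hosts that keep retrying after rejection. This is an added example, not part of the original post and not Mercury code; the sample log is constructed with documentation addresses, and the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log excerpt above:
# type, date, time, session id, text. Addresses are documentation values.
SAMPLE_LOG = """\
T 20110214 182413 0a1b2c3d Connection from 192.0.2.10
T 20110214 182413 0a1b2c3d EHLO [192.0.2.10]
T 20110214 182414 0a1b2c3d MAIL FROM:<a@example.com> SIZE=1016 BODY=7BIT
E 20110214 182414 0a1b2c3d Host 192.0.2.10 blocked by Spamhaus - zen - message rejected.
T 20110214 182414 0a1b2c3d RSET
T 20110214 182414 0a1b2c3d MAIL FROM:<b@example.com> SIZE=1016 BODY=7BIT
E 20110214 182414 0a1b2c3d Host 192.0.2.10 blocked by Spamhaus - zen - message rejected.
T 20110214 182414 0a1b2c3d RSET
T 20110214 182749 0a1b2c3d MAIL FROM:<<c@example.com>,
E 20110214 182749 0a1b2c3d Host 192.0.2.10 blocked by Spamhaus - zen - message rejected.
T 20110214 182749 0a1b2c3d     <d@example.com>> SIZE=1016 BODY=7BIT
T 20110214 182749 0a1b2c3d RSET
//snip//
T 20110214 182750 0a1b2c3d MAIL FROM:<e@example.com> SIZE=1016 BODY=7BIT
E 20110214 182750 0a1b2c3d Host 192.0.2.10 blocked by Spamhaus - zen - message rejected.
T 20110214 182750 0a1b2c3d Connection closed with 192.0.2.10, 217 sec. elapsed.
T 20110214 183001 0a1b2c3e Connection from 198.51.100.7
T 20110214 183001 0a1b2c3e EHLO mail.example.org
T 20110214 183002 0a1b2c3e MAIL FROM:<user@example.org> SIZE=2048
T 20110214 183005 0a1b2c3e Connection closed with 198.51.100.7, 4 sec. elapsed.
"""

LINE_RE = re.compile(r"^([A-Z]) (\d{8}) (\d{6}) ([0-9a-f]{8}) (.*)$")
CONNECT_RE = re.compile(r"Connection from (\S+)$")
CLOSED_RE = re.compile(r"Connection closed with (\S+), (\d+) sec\. elapsed\.")


def summarize(log_text):
    """Group log lines by session id and count MAIL FROM attempts and rejections."""
    sessions = defaultdict(
        lambda: {"ip": None, "mail_from": 0, "rejected": 0, "elapsed": None}
    )
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # "//snip//" markers and anything else outside the layout
        kind, _date, _time, sid, text = m.groups()
        text = text.strip()
        s = sessions[sid]  # keyed by session id, so interleaved sessions stay separate
        if (c := CONNECT_RE.match(text)):
            s["ip"] = c.group(1)
        elif (c := CLOSED_RE.match(text)):
            s["elapsed"] = int(c.group(2))
        elif kind == "T" and text.upper().startswith("MAIL FROM:"):
            s["mail_from"] += 1  # wrapped continuation lines are not counted again
        elif kind == "E" and "message rejected" in text:
            s["rejected"] += 1
    return dict(sessions)


def flag_repeat_offenders(sessions, max_rejects=3):
    """Return client IPs whose rejected attempts exceed max_rejects (assumed threshold)."""
    per_ip = defaultdict(int)
    for s in sessions.values():
        if s["ip"]:
            per_ip[s["ip"]] += s["rejected"]
    return sorted(ip for ip, n in per_ip.items() if n > max_rejects)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for sid, s in summary.items():
        print(sid, s)
    print("candidates for connection control:", flag_repeat_offenders(summary))
```

The flagged list is only a review aid for the 'Connection control' entries; the rejection itself is still done by the server's own blocklist checks.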
 


[quote user="rt2010"] The TRANSFLT.MER file looks like this:

H, "*xxx.xxx.xxx.xxx*", R, "554 Action not allowed."[/quote]

I'm not sure if you are giving an example of a specific IP address here.  One useful filter is to put your own IP address in here - nobody else should be using your IP in a helo greeting.

[quote]H, "*GET*", R, "554 Action not allowed."
H, "*AUTH LOGIN*", R, "554 Action not allowed."
R, "*AUTH LOGIN*", R, "554 Action not allowed."
H, "*EHLO windows*", R, "554 Action not allowed."
[/quote]

These are unnecessary as all the examples you have shown have been blocked by other means. (And the first might be harmful as it blocks any helo with those three letters in it.)

These are the most useful lines I use:

# just a number
H,"HELO [0-9]+??", RS, "550 Invalid response"
# no dot
H,"*.*", RSN, "550 Invalid response"

The first rejects helos which just consist of digits, and the second rejects those with no dot in it.
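The three HELO checks described in the reply above (own IP, digits only, no dot), applied to the greetings that appear in this thread and set beside a bare "GET" substring rule. This is an added example in Python, not from the original posts; it reproduces the described behaviour rather than Mercury's pattern syntax, and `OWN_IP`, the function names, the case-insensitive match and the `gadget.example.net` host are assumptions.

```python
import re

OWN_IP = "203.0.113.25"  # assumption: stands in for the mail server's own address

HELO_RE = re.compile(r"^(?:HELO|EHLO)\s+(\S+)\s*$", re.IGNORECASE)


def helo_argument(line):
    """Return the argument of a HELO/EHLO line, or None for any other command."""
    m = HELO_RE.match(line.strip())
    return m.group(1) if m else None


def check_helo(line, own_ip=OWN_IP):
    """Apply the three checks from the reply to one command line."""
    arg = helo_argument(line)
    if arg is None:
        # Assumption: a HELO rule is only evaluated against the greeting,
        # so "AUTH LOGIN" or an HTTP "GET" line never reaches these checks.
        return "not-helo"
    if own_ip in arg:
        return "reject: own IP"
    if re.fullmatch(r"[0-9]+", arg):
        return "reject: just a number"
    if "." not in arg:
        return "reject: no dot"
    return "accept"


def naive_substring_rule(line, needle="GET"):
    """The '*GET*' idea: match the three letters anywhere in the greeting
    (case-insensitive matching is an assumption)."""
    arg = helo_argument(line)
    return arg is not None and needle.lower() in arg.lower()


# Greetings seen in the thread plus constructed ones (marked).
CASES = [
    "EHLO windows",              # from the connection history in the thread
    "EHLO [91.200.215.157]",     # from the MercuryS log in the thread
    "GET / HTTP/1.1",            # HTTP request sent to the SMTP port
    "AUTH LOGIN",                # not a greeting
    "HELO 12345",                # constructed: digits only
    "EHLO [203.0.113.25]",       # constructed: client claiming the server's IP
    "EHLO gadget.example.net",   # constructed: legitimate-looking host containing "get"
]


def evaluate(cases=CASES):
    """Return {line: (verdict, would_the_GET_substring_rule_fire)}."""
    return {c: (check_helo(c), naive_substring_rule(c)) for c in cases}


if __name__ == "__main__":
    for line, (verdict, get_hit) in evaluate().items():
        print(f"{line!r:30} {verdict:24} *GET* fires: {get_hit}")
```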

 
