?

Log in

No account? Create an account
DHCP users - brad's life — LiveJournal [entries|archive|friends|userinfo]
Brad Fitzpatrick

[ website | bradfitz.com ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

DHCP users [Jul. 17th, 2004|10:44 pm]
Brad Fitzpatrick
I followed tydel's advice and setup danga.com's postfix to not accept mail from DHCP addresses. If you try to send mail to me or anybody @danga.com now from your home DHCP server, you'll get:

554 DHCP Pool clients should use their ISP's mail server

Tailing my mail.log, it sure is rejecting a shitload of messages!

But really, you shouldn't be running an MTA on your DHCP address anyway. I know this will block some geeks who just want to run their own mail server, but they should be smarthosting it elsewhere.

Next step: ClamAV? That's the one you recommended, right scsi?
LinkReply

Comments:
[User Picture]From: scsi
2004-07-17 11:10 pm (UTC)
Right!

If you're running debian stable on danga, add this to your sources.list

# ClamAV
deb http://people.debian.org/~sgran/debian woody main

Here is my /etc/clamav/clamav.conf

vadept:~# more /etc/clamav/clamav.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
User qscand
ScanMail
ScanArchive
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ScanRAR
ReadTimeout 180
MaxThreads 5
MaxConnectionQueueLength 15
StreamSaveToDisk
LogSyslog
LogFile /var/log/clamav/clamav.log
LogTime
LogFileMaxSize 0
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav/
SelfCheck 3600

I'm running qmail-scanner, so you'll have to set the 'User clamd' to the user that has write/read access to the incoming mail.. I have no idea in postfix who this is.,, I havent read my postfix book yet.. :)

If you want, i can send you my spamassassin rules too.. It knocks out about 99% of the spam, and so far i've gotten about 1 legit email blocked (in about 6 months time, which is pretty good)
(Reply) (Thread)
From: snej
2004-07-17 11:15 pm (UTC)
How do you detect DHCP servers/clients?
(Reply) (Thread)
[User Picture]From: brad
2004-07-18 12:00 am (UTC)
Few pages of regular expressions for all the big ISPs and how they do their DHCP hostnames.
(Reply) (Parent) (Thread)
[User Picture]From: cleversimon
2004-07-18 10:46 am (UTC)
So DHCP emails sent through smaller ISPs would sneak through?
(Reply) (Parent) (Thread)
[User Picture]From: brad
2004-07-18 11:03 am (UTC)
But the point is there are much less of those.
(Reply) (Parent) (Thread)
[User Picture]From: cleversimon
2004-07-18 11:05 am (UTC)
Indeed.

I don't know DHCP from a hole in the ground; I'm just trying to understand the broad strokes. :)
(Reply) (Parent) (Thread)
[User Picture]From: gaal
2004-07-17 11:23 pm (UTC)
How does postfix tell an address was allocated by DHCP?
(Reply) (Thread)
[User Picture]From: brad
2004-07-18 12:00 am (UTC)
Few pages of regular expressions for all the big ISPs and how they do their DHCP hostnames.
(Reply) (Parent) (Thread)
[User Picture]From: gaal
2004-07-18 01:16 am (UTC)
Ew!
(Reply) (Parent) (Thread)
[User Picture]From: scsi
2004-07-18 12:06 am (UTC)
Hey brad! How do you tell postfix to block DHCP.. er....... heh nevermind..
(Reply) (Thread)
[User Picture]From: jc
2004-07-18 12:45 am (UTC)

Boom boom.

Still not sure though what benefit blocking mail from DHCP hosts has, unless it's to curb a crapload of spam coming directly from infected boxen rather than ISP mail servers.
(Reply) (Parent) (Thread)
[User Picture]From: brad
2004-07-18 11:04 am (UTC)
So much spam (and viruses) comes directly from infected Windows machines, rather than going through their ISP's mail servers (where the ISP might, maybe, presumably filter or raise alarms)
(Reply) (Parent) (Thread)
From: (Anonymous)
2004-07-18 12:33 am (UTC)

surbl

the most effective anti-spam measure i've found recently uses surbl (http://www.surbl.org/) list. it blacklists based on the urls included within the spam.
(Reply) (Thread)
[User Picture]From: brad
2004-07-18 11:05 am (UTC)

Re: surbl

Thanks for that link! I heard about that recently... one of the Seattle Perl guys was talking about [starting] it and I couldn't remember the name.
(Reply) (Parent) (Thread)
[User Picture]From: mart
2004-07-18 05:29 am (UTC)

I'm currently running my own MTA on a dialup connection! (in fact, for historical reasons my outgoing mail actually goes through two MTAs on my LAN before it hits the smarthost!)

Fortunately, I'm not stupid enough to have it try to deliver directly. However, whenever I move to a new location I always forget to change the smarthost and my mail all goes missing for at least a few days. I'd like it much better if I could just deliver directly, but that would require a much-less-broken mail system, and my mail isn't that important anyway.

(Reply) (Thread)
[User Picture]From: kvance
2004-07-18 06:29 am (UTC)
I've been smart relaying since the comcast mail server stopped accepting mail from its own members, but I still hate it on principle. It's like The Man came down and said "ah ah, mail is only for us grown-ups; now run along to ebay!"
(Reply) (Thread)
[User Picture]From: brad
2004-07-18 11:10 am (UTC)
I've had a good server and good connection for almost as long as I can remember, so I'm more on the Comcast side of things.

Get a real connection! :P
(Reply) (Parent) (Thread)
[User Picture]From: matthew
2004-07-18 08:42 am (UTC)
I use this service to obtain the same effect:

http://www.us.sorbs.net/

They list DHCP pools, zombied machines and known spammers. Cut my spam load in half when I enabled this one. :)
(Reply) (Thread)
[User Picture]From: grumpy_sysadmin
2004-07-18 08:48 am (UTC)
Assuming you're using Postfix 2.1 (which you may not be, it's kind of newish), try using the before-queue filter stuff described here. It, along with amavisd-new, will let you reject spam and viruses with a 55x at SMTP time too (instead of ever claiming that you'll deliver mail which would have just gotten filtered anyway).
(Reply) (Thread)
[User Picture]From: brad
2004-07-18 11:13 am (UTC)
I'm using Postfix 2.1.

But from the page you linked:
WARNING WARNING WARNING

The before-queue content filtering feature described in this document is suitable only for low-traffic sites. See the "Pros and Cons" section below for details.
I read the rest, though... good in principle. Seems like on a high-traffic site you could just load balance and still do before-queuing.
(Reply) (Parent) (Thread)