Re: [courier-users] SPAM over SMTP
From: Lindsay H. <fmo...@fm...> - 2023-01-26 22:30:42
On Thu, 2023-01-26 at 19:31 +0300, Alexey Ivanov via courier-users wrote:
> Hi,
>
> Recently I have started to receive SPAM from mail.governorsperic.xyz
> The problem is, that that MTA allows to smbd may be to the owner
> to send emails like from (in my case) my domain, which won’t work
> otherwise
> over IMAP. I have banned that domain in my local DNS, but it didn’t
> help.

Rather than banning based on domain name, I block on the basis of originating IP addresses. A look at the Received headers will give you the information re. the source IP of your spams.

I have a python script which maintains a file in /etc/courier/smtpaccess and runs makesmtpaccess to block address blocks, generally either /24 or /16 (for massive offenders). These blocks are referenced from a database which keeps track of what's been reported. The first offense gets a 7 day block, and subsequent offenses are blocked for 31, 90 or 365 days. Each re-offense after a timeout bumps the sentence!

This is much more effective than basing blocking on DNS, since many spammers engage in what's called "domain tasting" from registrars for new TLDs. Some registrars will give out free domain registrations on many of the new TLDs for a limited time, after which the registrant has to pay or give up the name. So spammers will simply abandon a DN after it's no longer free and get a new one.

You'll find that using IP addresses will help you identify spam-friendly SMTP services which will often have a number of related source addresses, mostly within the same /24 group, and you'll also notice, if you keep track, that a few such services have a LOT of IP addresses at their disposal. If they end up with a collection of /24 groups, I block the /16 which (usually) contains all of their /24 groups.

It used to be (and may still be) that you can block on the basis of nameservers associated with spamming domain names since only a few services would offer NS resolution to spammers, but this approach involves some programming skill. NS resolution providers are rather a choke point in the spam distribution process.

It's always a whack-a-mole game no matter what technique you use. Today's effective spam block is useless tomorrow!

--
Lindsay Haisley       | "Never expect the people who caused a problem
FMP Computer Services |  to solve it." - Albert Einstein
512-259-1190          |
http://www.fmp.com    |
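
The escalating block scheme described in the message above, as an added example; this is not the poster's script. The class and method names, the threshold of three active /24 blocks before a /16 is blocked, and the `prefix<TAB>deny` line format written for makesmtpaccess are assumptions, and the addresses used with it are constructed samples.

```python
import ipaddress
from datetime import datetime, timedelta

SENTENCES = [7, 31, 90, 365]  # days: first offense, then each re-offense
PROMOTE_AT = 3                # assumed: active /24s in one /16 before blocking the /16

class BlockList:
    def __init__(self):
        self.records = {}     # /24 network -> (offense count, block expiry)

    def report(self, source_ip, now):
        """Record a spam report for the /24 holding source_ip; return the block expiry."""
        net = ipaddress.ip_network(f"{source_ip}/24", strict=False)
        count, expiry = self.records.get(net, (0, None))
        if expiry is not None and now < expiry:
            return expiry     # still blocked: the sentence only bumps after a timeout
        count += 1
        days = SENTENCES[min(count, len(SENTENCES)) - 1]
        self.records[net] = (count, now + timedelta(days=days))
        return self.records[net][1]

    def active_prefixes(self, now):
        """Unexpired blocks as partial-octet prefixes, crowded /16s collapsed to one entry."""
        by16 = {}
        for net, (_, expiry) in self.records.items():
            if now < expiry:
                by16.setdefault(net.supernet(new_prefix=16), []).append(net)
        prefixes = []
        for parent, kids in by16.items():
            if len(kids) >= PROMOTE_AT:
                prefixes.append(".".join(str(parent.network_address).split(".")[:2]))
            else:
                prefixes += [".".join(str(k.network_address).split(".")[:3]) for k in kids]
        return sorted(prefixes)

    def render(self, now):
        """Text for a file under /etc/courier/smtpaccess; run makesmtpaccess after writing it."""
        return "".join(f"{p}\tdeny\n" for p in self.active_prefixes(now))
```
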