Vectors & Interfaces
The networking specialist

Examples (cont'd)


H, "*dsl*", BS, "554 resend"
H, "*dial*", BS, "554 resend"
H, "*cable*", BS, "554 resend"
These rules block DSL, cable and dial-up clients, but they also block any other host that has "dsl", "dial" or "cable" in its domain name and uses that name in the HELO command.


H, "*your-*", BS, "554 resend"
A match on the above rule indicates spammers using their XP machines to try to dump spam on your mail server. Some variants of Trojan-infected XP machines also exhibit this behaviour of sending their machine name in the HELO command.


A default installation of Windows XP has "your-" in the first portion of the machine name, so such a HELO is obviously a direct connection from an XP client.


R, "*abc@randomly.generated.name*", BS, "554 resend"
This will block any mail sent to the above recipient. The reason for having this option is not very obvious: we could not think of a reason to block a valid email address on your server when you can just remove the email account completely.


S, "*v1agra*", BS, "554 resend"
This will drop any connection halfway through the delivery if the word v1agra is detected in the subject of the mail.


Change your rules from time to time to make it difficult for spammers to guess what you have in place. We also use a vague 554 response (though it does not help the other party's mail admin troubleshoot problems) so as to keep them guessing what kind of filter we have.


If the option "enable short-term blacklisting for compliance failure" is selected, connecting clients that fail the checks will be blacklisted for 30 minutes. This is useful against abusive clients that make automated, continuous attempts to relay or send mail.


Below are some common ISP-assigned host names for dial-up, cable, DSL and fiber connections. They follow some typical naming conventions, which can be used to recognize such connections.


pcp05063170pcs.fairmt01.pa.comcast.net
CPE00d00980716b-CM.cpe.net.cable.rogers.com
ip-pa-jtown-24-158-247-089.charterpa.com
user-12lc6uf.cable.mindspring.com
c-24-1-180-209.client.comcast.net
ool-43570c6d.dyn.optonline.net
cable-66-190-213-12.sli.la.charter.com
cpe-024-211-156-149.nc.rr.com
adsl-64-164-119-69.dsl.mtry01.pacbell.net
adsl-68-126-149-147.dsl.pltn13.pacbell.net
ool-4351f6e0.dyn.optonline.net
c131164.adsl.hansenet.de
200-204-184-233.dsl.telesp.net.br
69.37.10.126.adsl.snet.net
160-235-90.adsl.terra.cl
200-168-86-10.speedyterra.com.br
u210161.ap.plala.or.jp
d206-116-216-222.bchsia.telus.net
bsn-77-225-69.dsl.siol.net
pcp01152034pcs.newhav01.mi.comcast.net
lsanca1-ar11-4-60-111-034.lsanca1.dsl-verizon.net
red-200-74-190-090.manquehue.net
dsl-200-95-48-35.prod-infinitum.com.mx
ayz248.neoplus.adsl.tpnet.pl
qn-82-217-144-235.quicknet.nl
251.Red-80-25-169.pooles.rima-tde.net
p1184-ipbf206kobeminato.hyogo.ocn.ne.jp
CPE000bdbc14992-CM014260031077.cpe.net.cable.rogers.com
82-44-145-130.cable.ubr01.haye.blueyonder.co.uk
adsl-69-208-212-38.dsl.emhril.ameritech.net
adsl-69-104-64-210.dsl.irvnca.pacbell.net
67-64-144-62.dialup.rcsntx.swbell.net
38-172-89-200.fibertel.com.ar
164.189.171.66.subscriber.vzavenue.net


Notice how often "dyn", "cable", "adsl", "cpe" and "dialup" appear in these names. These may serve as a starting point for your own filtering.
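Before deploying HELO rules like the ones above, it helps to check which residential names they miss and which legitimate names they would block. The following is an added example, not part of the original guide or of Mercury itself: it reads rule lines in the page's format and tests them against sample names. It assumes "*" behaves like a shell-style wildcard and that matching is case-insensitive; the legitimate host names are constructed for illustration.

```python
import csv
from fnmatch import fnmatchcase

# Rule lines copied from this page.
RULES = '''H, "*dsl*", BS, "554 resend"
H, "*dial*", BS, "554 resend"
H, "*cable*", BS, "554 resend"
H, "*your-*", BS, "554 resend"'''

# A few of the ISP-assigned names listed on this page.
RESIDENTIAL = [
    "adsl-64-164-119-69.dsl.mtry01.pacbell.net",
    "67-64-144-62.dialup.rcsntx.swbell.net",
    "CPE00d00980716b-CM.cpe.net.cable.rogers.com",
    "ool-43570c6d.dyn.optonline.net",
    "c-24-1-180-209.client.comcast.net",
    "38-172-89-200.fibertel.com.ar",
]
# Constructed names of legitimate mail hosts (not from the page).
LEGITIMATE = ["mail.cableworks.example", "smtp.dialog-health.example",
              "mx1.bank.example"]

def parse_rules(text):
    """Return the quoted pattern of every H (HELO) rule line."""
    rows = csv.reader(text.splitlines(), skipinitialspace=True)
    return [row[1] for row in rows if row and row[0].strip() == "H"]

def first_match(helo, patterns):
    """Return the first pattern matching the HELO name, else None.
    Assumption: shell-style wildcards, compared case-insensitively."""
    name = helo.lower()
    for pat in patterns:
        if fnmatchcase(name, pat.lower()):
            return pat
    return None

def audit(patterns):
    """Return (residential names not caught, legitimate names blocked)."""
    missed = [h for h in RESIDENTIAL if first_match(h, patterns) is None]
    false_pos = [h for h in LEGITIMATE if first_match(h, patterns)]
    return missed, false_pos

if __name__ == "__main__":
    missed, false_pos = audit(parse_rules(RULES))
    print("residential names not caught:", missed)
    print("legitimate names blocked:    ", false_pos)
```

Adding a candidate pattern such as "*dyn*" or "*cpe*" to RULES and re-running shows how coverage and false positives change before the rule goes live.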


Other improvements


A lot of work has been done to improve Mercury and thus it would not be right to take this write-up as complete.


Content filtering has been vastly improved to detect spam-like messages. A suggestion would be to also sieve out messages that use 1 as a replacement for I and L, and 0 for O.


Attachments can be processed under the Filtering Rules option to filter out filenames that may be deemed harmful or that are executables, which users may accidentally run.


There have been a lot of improvements to Mercury's mailing list too, but as we do not use it, we have not done enough testing to provide proper documentation. Mercury's HTTP server is written mainly to address this and to provide web mail access. However, web mail has still not been implemented in version 4.


Another area that we believe is extensively covered in Mercury version 4 is SSL, which again we have yet to test properly; we will update this guide in due course.

