# $OpenBSD: antispam_check_rules.example,v 1.3 2001/01/28 19:34:34 niklas Exp $ # # example smtpd_check_rules file. If you compiled smtpd with # CHECK_ADDRESS=1, this file goes in etc/smtpd_check_rules in your # smtpd chroot directory. This DOES NOT GET USED unless you compile # with CHECK_ADDRESS=1. # # example antispam file. Modify to suit your needs. # This example assumes NS_MATCH and USE_REGEX were both set to 1 when # smtpd was built, to allow for matching by nameserver, and using # regular expressions. # # This example does two things: 1, it prevents unauthorized relaying, # 2), it blocks incoming SPAM from the major SPAM domains. To keep # an eye on the current worst offenders, check out http://spam.abuse.net/ # # If you really dislike SPAM, you can try compiling with NOTO_DELAY # set to some (relatively small) value, and changing the "noto" rules # in this file to "noto_delay" rules. # # This file assumes that our domains are "mydomain.com" and "otherdomain.com". # assumes our dns servers are "dns1.mydomain.com", etc. etc. # you will need to edit this file for your own use. # First, allow us to relay outgoing mail from our hosts. If we have # JUINPER_SUPPORT, we'd probably do it like this: #allow:TRUSTED:ALL:ALL # otherwise, we'd do it like this: allow:*mydomain.com *otherdomain.com:ALL # don't allow people to use %hack to relay off of me. noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. # First, the exceptions. # "I'll have your spam dear, I love it!" # # These people love spam. They love Spamford Wallace. # They have requested that all mail be let through to them with no # filtering for SPAM, and we accomodate them here. # allow:ALL:ALL:ALL@hormel.mydomain.com spamboy@otherdomain.com # Block any connections from host in the MAPS rbl at rbl.maps.vix.com # Beware that this can throw the baby out with the bathwater. noto:RBL.rbl.maps.vix.com:ALL:ALL:550 Mail refused from host %I in MAPS RBL, see http%C//maps.vix.com/rbl/ # Block any connections from a host or connecting address who uses a # nameserver for which the address is in the MAPS rbl at rbl.maps.vix.com. # Note that this can *really* throw the baby out with the bathwater, # be sure you understand the implications before using the two below. noto:NS=RBL.rbl.maps.vix.com:ALL:ALL:550 Mail refused due to nameserver for %H(%I) in MAPS RBL, see http%C//maps.vix.com/rbl/ noto:ALL:NS=RBL.rbl.maps.vix.com:ALL:550 Mail refused due to nameserver for %F in MAPS RBL, see http%C//maps.vix.com/rbl/ # block anyone who uses a major SPAM provider as a nameserver or MX. either # on a connection from one of their hosts, a connection from a host they act # as a nameserver for, or a connection with a FROM: address that uses # a nameserver or MX from a them. #cyberpromo.com noto:205.199.212.0/24 205.199.2.0/24 207.124.161.0/24 204.137.221.0/24:ALL:ALL noto:ALL:NS=205.199.212.0/24 NS=205.199.2.0/24 NS=207.124.161.0/24 NS=204.137.221.0/24:ALL noto:NS=205.199.212.0/24 NS=205.199.2.0/24 NS=207.124.161.0/24 NS=204.137.221.0/24:ALL:ALL #erosnet noto:205.82.252.0/24 205.134.162.2 205.134.162.209 205.134.190.4:ALL:ALL noto:ALL:NS=205.82.252.0/24 NS=205.134.162.2 NS=205.134.162.209 NS=205.134.190.4:ALL noto:NS=205.82.252.0/24 NS=205.134.162.2 NS=205.134.162.209 NS=205.134.190.4:ALL:ALL #prime data worldnet systems noto:ALL:NS=207.15.68.253 NS=207.15.68.251:ALL noto:NS=207.15.68.253 NS=207.15.68.251:ALL:ALL #nancynet noto:205.199.4.0/24:ALL:ALL noto:ALL:NS=205.199.4.0/24:ALL noto:NS=205.199.4.0/24:ALL:ALL # quantcom.com, iemmc noto:204.213.176.0/24:ALL:ALL noto:ALL:NS=204.213.176.0/24:ALL noto:NS=204.213.176.0/24:ALL:ALL # gatewayfin.com, globalfn.com - "Global Financial Services" noto:ALL:NS=206.31.38.79 NS=204.137.161.89:ALL noto:NS=206.31.38.79 NS=204.137.161.89:ALL:ALL #mailermachine.com noto:208.144.211.131/25:ALL:ALL noto:ALL:NS=208.144.211.131/25:ALL noto:NS=208.144.211.131/25:ALL:ALL #all-domains.net noto:204.157.168.0/24:ALL:ALL noto:NS=204.157.168.0/24:ALL:ALL noto:ALL:NS=204.157.168.0/24:ALL #onlinebiz.net - another agis spamhaus from the look of it noto:205.164.68.0/24:ALL:ALL noto:NS=205.164.68.0/24:ALL:ALL noto:ALL:NS=205.164.68.0/24:ALL #llv.com - login las vegas - yaash (yet another agis spamhaus) noto:205.254.164.0/24:ALL:ALL noto:ALL:NS=205.254.164.0/24:ALL noto:NS=205.254.164.0/24:ALL:ALL #cscent.net - yaash noto:206.85.231.0/24:ALL:ALL noto:NS=206.85.231.0/24:ALL:ALL noto:ALL:NS=206.85.231.0/24:ALL #tnlb.com - "the national letter bureau" and "mako marketing" - yeesh.. noto:206.101.40.0/24 206.101.58.0/24 208.230.127.0/24:ALL:ALL noto:NS=206.101.40.0/24 NS=206.101.58.0/24 NS=208.230.127.0/24:ALL:ALL noto:ALL:NS=206.101.40.0/24 NS=206.101.58.0/24 NS=208.230.127.0/24:ALL #c-flash.net - yaash noto:205.199.166.0/24:ALL:ALL noto:NS=205.199.166.0/24:ALL:ALL noto:ALL:NS=205.199.166.0/24:ALL #directsend.com - Former Nancynet customer, now yaash noto:206.84.21.0/24 207.201.213.0/24:ALL:ALL noto:NS=206.84.21.0/24 NS=207.201.213.0/24:ALL:ALL noto:ALL:NS=206.84.21.0/24 NS=207.201.213.0/24:ALL noto:206.84.21.0/24:ALL:ALL noto:NS=206.84.21.0/24:ALL:ALL noto:ALL:NS=206.84.21.0/24:ALL #we-deliver.net - yaash noto:206.62.151.0/24:ALL:ALL noto:NS=206.62.151.0/24:ALL:ALL noto:ALL:NS=206.62.151.0/24:ALL #savoynet.com - yaash noto:204.157.255.0/24:ALL:ALL noto:NS=204.157.255.0/24:ALL:ALL noto:ALL:NS=204.157.255.0/24:ALL #taizen.com - "grandbikes.com" and other spammers. No response to complaints. noto:208.219.218.0/24:ALL:ALL noto:NS=208.219.218.0/24:ALL:ALL noto:ALL:NS=208.219.218.0/24:ALL #edgetone.com and cyberserverscentral.com noto:208.223.114.0/24 208.223.112.0/24 204.178.73.192/25:ALL:ALL noto:NS=208.223.114.0/24 NS=208.223.112.0/24 NS=204.178.73.192/25:ALL:ALL noto:ALL:NS=208.223.114.0/24 NS=208.223.112.0/24 NS=204.178.73.192/25:ALL #icsinc.net and money-group.net noto:151.201.64.0/24:ALL:ALL noto:NS=151.201.64.0/24:ALL:ALL noto:ALL:NS=151.201.64.0/24:ALL #gil.net and firstgear.com noto:207.100.79.0/24:ALL:ALL noto:NS=207.100.79.0/24:ALL:ALL noto:ALL:NS=207.100.79.0/24:ALL #ultramax.net and friends noto:207.201.213.0/24:ALL:ALL noto:NS=207.201.213.0/24:ALL:ALL noto:ALL:NS=207.201.213.0/24:ALL #t-1net.com noto:208.21.213.0/24:ALL:ALL noto:NS=208.21.213.0/24:ALL:ALL noto:ALL:NS=208.21.213.0/24:ALL #ezmoney.com and pals noto:204.212.245.0/24:ALL:ALL noto:NS=204.212.245.0/24:ALL:ALL noto:ALL:NS=204.212.245.0/24:ALL #mail-response, hitrus, etc. noto:209.136.134.0/24:ALL:ALL noto:NS=209.136.134.0/24:ALL:ALL noto:ALL:NS=209.136.134.0/24:ALL #nevwest - the next generation, via ACSI. noto:209.12.111.0/23:ALL:ALL noto:NS=209.12.111.0/23:ALL:ALL noto:ALL:NS=209.12.111.0/23:ALL #gtwinc, gmds.com - spamhaus noto:207.201.213.0/24 206.98.109.0/24:ALL:ALL noto:NS=207.201.213.0/24 NS=206.98.109.0/24:ALL:ALL noto:ALL:NS=207.201.213.0/24 NS=206.98.109.0/24:ALL #goplay.com, mpx.com - many, many spams noto:199.74.206.0/24:ALL:ALL noto:NS=199.74.206.0/24:ALL:ALL noto:ALL:NS=199.74.206.0/24:ALL #silkspin.com spamhaus noto:151.196.90.0/24 151.196.69.0/24:ALL:ALL noto:NS=151.196.90.0/24 NS=151.196.69.0/24:ALL:ALL noto:ALL:NS=151.196.90.0/24 NS=151.196.69.0/24:ALL #uplinkpro.com noto:206.30.95.0/24:ALL:ALL noto:NS=206.30.95.0/24:ALL:ALL noto:ALL:NS=206.30.95.0/24:ALL #excite.com mailexcite.com noto:198.3.102.0/24 198.3.98.0/24:ALL:ALL noto:NS=198.3.102.0/24 NS=198.3.98.0/24:ALL:ALL noto:ALL:NS=198.3.102.0/24 NS=198.3.98.0/24:ALL # dump things with a bogus rhs to a FROM: addresses. usually spammers # This drops any message where the FROM: address is given as # anything@bogus, where "bogus" is # 1) not resolvable as a hostname. # 2) not resolvable as an NS or MX record # In other words, this basically tosses anything that gives a FROM address # in the smtp dialogue that you would probably have no hope of replying # to via smtp. # You can use a 450 (which invites the sender to retry) rather than a 550 # that won't in order not to lose real mail that has no resolution due to # temporary DNS problems. However be warned that if you do lots of # SPAM may get retried a lot. I've had varying success with using 450 # depending on how busy the site is. noto:ALL:NS=UNKNOWN:ALL:550 Your FROM address (%F) doesn't seem to resolve to a host, domain, or MX record. Please mail to %T from a valid e-mail address. # dump bozos with all digit addresses. usually spammers noto:ALL:/^[0-9]+@.*$/:ALL ############################################## # otherwise, allow untrusted connections with mail to anywhere we MX # this should do it nicely: allow:ALL:ALL:NS=dns*.mydomain.com # An alternative is to allow by domain, below allow:ALL:ALL:*mydomain.com *otherdomain.com ############################################## # don't relay mail to other places from other connections, so # we don't get used as a spam relay noto:ALL:ALL:ALL:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.