spam being sent using my domain

Ryan Simpkins plug at ryansimpkins.com
Fri Jan 19 00:48:45 MST 2007


On Thu, January 18, 2007 22:04, Doran Barton wrote:
> Unfortunately, until the whole world standardizes on some kind of relay
> validation system there will always be some spam that seeps out disguised as
> being from someone at your domain.

I got away with using a catch-all on my domain for years (since 2000). Last year the
spammers finally got me. One day I woke up to thousands of
<random-user>@ryansimpkins.com bounce backs. My luck had run out.

So I added an SPF record. That didn't seem to have any real benefit. At least not a
measurable one. Next I removed my catch-all. That presented a problem. With six
years' worth of sending out <companyname|random>@ryansimpkins.com addresses I no
longer knew which were valid and which weren't. I did this so I could find out who
was selling my contact information.

So I threw together a little bash one-liner in a few seconds to help me find which
addresses were being sent to that I didn't have a specific entry set up for. I use
sendmail virtusertables. It might be useful to someone:

# List local parts seen in the mail log that have no virtusertable entry
perl -ne 'print "$1\n" if m/\b(\w+)\@(ryansimpkins)/;' /var/log/maillog | sort -u |
while read -r x; do
  if ! grep -q -- "$x" /etc/mail/virtusertable; then echo "$x NOT FOUND"; fi
done

To use it just replace 'ryansimpkins' with your catch-all domain. Using this
one-liner I was able to very quickly identify all the legitimate e-mail addresses I
receive e-mail to (about 30 in total). Of course, now when I add a new e-mail
address I have to add an entry to virtusertable. But a quick script made that much
easier.

Finally I added multiple layers of protection to my inbound e-mail stack.
RBL->SPF->clamav->dspam. I still probably get 60-80 spam a day past RBL and SPF, but
98.478% of it is filtered by dspam before it hits the inbox.

Good luck,
-Ryan
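
Added example, not part of the original message or the poster's own code: a variant of the audit above that compares full recipient addresses against virtusertable keys exactly, so a logged address such as ebay@ is not treated as present just because ebaystore@ has an entry, and that counts hits per address. The function names, the sample virtusertable and the sendmail-style log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample data below is constructed).
# unlisted_recipients LOG VIRTUSERTABLE DOMAIN
# Prints "<count> <address>" for each recipient at DOMAIN in LOG that has no
# exact key in VIRTUSERTABLE, busiest first.
unlisted_recipients() {
    awk -v tbl="$2" -v dom="$3" '
        BEGIN { dom = tolower(dom) }
        # virtusertable: field 1 is the key. Skip comments and the catch-all
        # entry (a bare @domain key), since that entry is being retired.
        FILENAME == tbl {
            if (NF >= 2 && $1 !~ /^[#@]/) known[tolower($1)] = 1
            next
        }
        # mail log: the to= field may list several <addr> entries
        match($0, / to=[^ ]+/) {
            field = tolower(substr($0, RSTART, RLENGTH))
            while (match(field, /<[^>]+>/)) {
                addr = substr(field, RSTART + 1, RLENGTH - 2)
                field = substr(field, RSTART + RLENGTH)
                at = index(addr, "@")
                if (at && substr(addr, at + 1) == dom && !(addr in known))
                    seen[addr]++
            }
        }
        END { for (a in seen) print seen[a], a }
    ' "$2" "$1" | sort -k1,1nr -k2,2
}

# Constructed sample data: writes a small virtusertable and a sendmail-style
# log into directory $1.
write_sample() {
    printf '%s\t%s\n' 'ebaystore@ryansimpkins.com' ryan \
        'plug@ryansimpkins.com' ryan '@ryansimpkins.com' ryan > "$1/virtusertable"
    cat > "$1/maillog" <<'EOF'
Jan 18 03:12:01 mail sendmail[2101]: l0IAC1aa002101: to=<ebay@ryansimpkins.com>, delay=00:00:01, stat=Sent
Jan 18 03:12:09 mail sendmail[2102]: l0IAC9ab002102: to=<PLUG@ryansimpkins.com>, delay=00:00:01, stat=Sent
Jan 18 03:13:30 mail sendmail[2103]: l0IADUac002103: to=<xk3q9@ryansimpkins.com>,<ebay@ryansimpkins.com>, delay=00:00:02, stat=Sent
Jan 18 03:14:02 mail sendmail[2104]: l0IAE2ad002104: from=<plug@ryansimpkins.com>, size=912, nrcpts=1
Jan 18 03:15:44 mail sendmail[2105]: l0IAFiae002105: to=<someone@example.org>, delay=00:00:03, stat=Sent
EOF
}

# Usage: d=$(mktemp -d); write_sample "$d"
#        unlisted_recipients "$d/maillog" "$d/virtusertable" ryansimpkins.com
```

Addresses that show up once with random-looking local parts are the dictionary-style spam targets; the repeated ones are the candidates for a real virtusertable entry.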


