DevHeads.net

using 521 responses instead of default 554 -- why NOT use them for all "known" spam?

Reading Postfix's docs re

Disconnect suspicious SMTP clients
http://www.postfix.org/STRESS_README.html#hangup

in the example there it says

"To hang up connections from blacklisted zombies, you can set specific Postfix SMTP server reject codes for specific RBLs ... We'll use zen.spamhaus.org as an example ... their documents say that a response of 127.0.0.10 or 127.0.0.11 indicates a dynamic client IP address, which means that the machine is probably running a bot of some kind."

and uses in a restriction

/etc/postfix/main.cf:
    smtpd_client_restrictions =
        permit_mynetworks
        reject_rbl_client zen.spamhaus.org=127.0.0.10
        reject_rbl_client zen.spamhaus.org=127.0.0.11
        reject_rbl_client zen.spamhaus.org

then sets up a 521-response reply map to override the usual 554 responses.

That's clear and I understand how it works.

When you read the spamhaus docs for those response codes @ http://www.spamhaus.org/faq/section/DNSBL%20Usage#202 it says

DNSBL  Zone to Query      Returns         Contains
SBL    sbl.spamhaus.org   127.0.0.2-3     Static UBE sources, verified spam services (hosting or support) and ROKSO spammers
XBL    xbl.spamhaus.org   127.0.0.4-7     Illegal 3rd party exploits, including proxies, worms and trojan exploits
PBL    pbl.spamhaus.org   127.0.0.10-11   IP ranges which should not be delivering unauthenticated SMTP email.
ZEN    zen.spamhaus.org   127.0.0.2-11    Combined zone (recommended); includes SBL, XBL and PBL.

My question is about usage.

Is there a reason NOT to simply use the 521 hangup codes for ALL the spamhaus hits from 127.0.0.2-11? It seems to me like all of those would be good candidates.

Before I go ahead I wanted to ask in here, from somebody with more experience maybe.

Comments

Re: using 521 responses instead of default 554 -- why NOT use th

By lists@rhsoft.net at 01/04/2015 - 19:58

On 05.01.2015 at 00:43, ... at proinbox dot com wrote:
frankly, use postscreen with scoring, which is *much* safer and always
rejects with "550 5.7.1 Service unavailable; client [xx.xx.xx.xx]
blocked using", so you no longer need to think about the reject code,
which doesn't matter anyway; only 5xx is important

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
    b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7
    bl.mailspike.net=127.0.0.2*5
    bl.mailspike.net=127.0.0.[10;11;12]*4
    dnsbl.sorbs.net=127.0.0.10*8
    dnsbl.sorbs.net=127.0.0.5*6
    dnsbl.sorbs.net=127.0.0.7*3
    dnsbl.sorbs.net=127.0.0.8*2
    dnsbl.sorbs.net=127.0.0.6*2
    dnsbl.sorbs.net=127.0.0.9*2
    zen.spamhaus.org=127.0.0.[10;11]*8
    zen.spamhaus.org=127.0.0.[4..7]*6
    zen.spamhaus.org=127.0.0.3*4
    zen.spamhaus.org=127.0.0.2*3
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
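As an added example (not from the thread and not Postfix code), a small Python model of the postscreen_dnsbl_sites scoring in the configuration above: it parses the domain=filter*weight syntax, including the [a;b] and [a..b] octet patterns, and sums the weights of constructed DNSBL answers against the threshold, so you can see how a whitelist entry offsets a PBL hit. How postscreen itself accumulates weights for a client listed under several patterns is an assumption here, not taken from its source.

```python
import re

# Constructed excerpt of the postscreen_dnsbl_sites value posted above.
SITES = """
b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
wl.mailspike.net=127.0.0.[18;19;20]*-2
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the post (inclusive lower bound)


def octet_matches(pattern, value):
    """One octet of a filter: a plain number, [a;b;c] alternatives or an [a..b] range."""
    if pattern.startswith("["):
        inner = pattern[1:-1]
        if ".." in inner:
            lo, hi = (int(x) for x in inner.split(".."))
            return lo <= value <= hi
        return value in {int(x) for x in inner.split(";")}
    return int(pattern) == value


def parse_sites(text):
    """Return (domain, octet-pattern list or None, weight) for each site entry."""
    entries = []
    for item in text.split():
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", item)
        domain, filt, weight = m.groups()
        # Split the filter on dots but keep [..] groups (which contain dots) intact.
        pats = re.findall(r"\[[^\]]*\]|\d+", filt) if filt else None
        entries.append((domain, pats, int(weight) if weight else 1))
    return entries


def score(entries, answers):
    """answers: {domain: set of A records that DNSBL returned for the client}.
    Assumption: every matching (entry, answer) pair adds its weight."""
    total = 0
    for domain, pats, weight in entries:
        for addr in answers.get(domain, ()):
            octets = [int(o) for o in addr.split(".")]
            if pats is None or all(octet_matches(p, o) for p, o in zip(pats, octets)):
                total += weight
    return total


def is_blocked(entries, answers, threshold=THRESHOLD):
    return score(entries, answers) >= threshold
```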

Re: using 521 responses instead of default 554 -- why NOT use th

By Bill Cole at 01/05/2015 - 12:08

The problems with just hanging up on listed IPs (whether in smtpd or
postscreen) are:

1. Different sorts of spam senders react differently to different styles
of rejection & error codes. A 521+hangup is much more likely to be
interpreted as a general server failure than is an accurate 554 5.7.1
reply which is clearly an expression of policy, and *SOME* spammers do
eventually give up on servers that persistently send such expressive
responses.
2. Even Spamhaus makes mistakes.
3. The "probably" of the documentation hides the fact that on a fairly
regular basis, people with entirely innocent intent attempt to send mail
which is absolutely not spam from IPs that are on the PBL for entirely
proper reasons. There is a benefit in giving those people the clearest
sort of rejection possible and one which their MUAs are most likely to
interpret correctly.
4. There's a reason for this to be documented in STRESS_README. If you
are not under significant connection stress, you don't gain much by
dropping connections with a 521 rather than sending the proper rejection
response and doing a normal shutdown.

Re: using 521 responses instead of default 554 -- why NOT use th

By Noel Jones at 01/05/2015 - 11:50

On 1/4/2015 5:43 PM, ... at proinbox dot com wrote:
The 521 response code is a fairly recent invention.

It's possible a "real" mail server will not recognize the 521 code
as a permanent failure, and continuously retry delivery of the
unwanted mail. This isn't a problem with fire-and-forget bots that
never retry regardless of the response.

I don't know if you'll actually see this behavior, but that's the
reason for the suggestion in the docs. Feel free to try it for
yourself.

-- Noel Jones