# $OpenBSD: example.antispam,v 1.3 2002/06/14 21:34:58 todd Exp $ # example antispam file. Modify to suit your needs. # # This file goes in /var/spool/smtpd/etc/smtpd_check_rules # once you have modified it appropriately for your site. # # This example does two things: 1, it prevents unauthorized relaying, # 2), it blocks incoming SPAM from the major SPAM domains. To keep # an eye on the current worst offenders, check out http://spam.abuse.net/ # # If you really dislike SPAM, you can try compiling with NOTO_DELAY # set to some (relatively small) value, and changing the "noto" rules # in this file to "noto_delay" rules. # # This file assumes that our domains are "mydomain.com" and "otherdomain.com". # assumes our dns servers are "dns1.mydomain.com", etc. etc. # you will need to edit this file for your own use. # First, allow us to relay outgoing mail from our hosts. allow:*mydomain.com *otherdomain.com:ALL:ALL # don't allow people to use %hack to relay off of me. noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. # First, the exceptions. # "I'll have your spam dear, I love it!" # # The people below have requested that all mail be let through to them # with no filtering for SPAM, and we accommodate them here. # allow:ALL:ALL:ALL@hormel.mydomain.com spamboy@otherdomain.com # Block any connections from host in the MAPS rbl at rbl.maps.vix.com # Beware that this can throw the baby out with the bathwater. # this one line will mimic the usual sendmail behaviour when using the MAPS RBL noto:RBL.rbl.maps.vix.com:ALL:ALL:550 Mail refused from host %I in MAPS RBL, see http%C//maps.vix.com/rbl/ # Block any connections from a host or connecting address who uses a # nameserver for which the address is in the MAPS rbl at rbl.maps.vix.com. # Note that this can *really* throw the baby out with the bathwater, # be sure you understand the implications before using the two below. #noto:NS=RBL.rbl.maps.vix.com:ALL:ALL:550 Mail refused due to nameserver for %H(%I) in MAPS RBL, see http%C//maps.vix.com/rbl/ #noto:ALL:NS=RBL.rbl.maps.vix.com:ALL:550 Mail refused due to nameserver for %F in MAPS RBL, see http%C//maps.vix.com/rbl/ # block anyone who uses a major SPAM provider as a nameserver or MX. either # on a connection from one of their hosts, a connection from a host they act # as a nameserver for, or a connection with a FROM: address that uses # a nameserver or MX from a them. As an example, we use the old cyberpromo # netblocks below. You should not use a rule such as below unless you are # sure the netblock *currently* belongs to a spamhaus. #cyberpromo.com #noto:205.199.212.0/24 205.199.2.0/24 207.124.161.0/24 204.137.221.0/24:ALL:ALL #noto:ALL:NS=205.199.212.0/24 NS=205.199.2.0/24 NS=207.124.161.0/24 NS=204.137.221.0/24:ALL #noto:NS=205.199.212.0/24 NS=205.199.2.0/24 NS=207.124.161.0/24 NS=204.137.221.0/24:ALL:ALL # dump things with a bogus rhs to a FROM: addresses. usually spammers # This drops any message where the FROM: address is given as # anything@bogus, where "bogus" is # 1) not resolvable as a hostname. # 2) not resolvable as an NS or MX record # In other words, this basically tosses anything that gives a FROM address # in the smtp dialogue that you would probably have no hope of replying # to via smtp. # You can may wish to use a 450 (which invites the sender to retry) # rather than a 550 that won't in order not to lose real mail that has # no resolution due to temporary DNS problems. However be warned that # if you do lots of SPAM may get retried a lot. I've had varying # success with using 450 depending on how busy the site is. noto:ALL:NS=UNKNOWN:ALL:550 Your FROM address (%F) doesn't seem to resolve to a host, domain, or MX record. Please mail to %T from a valid e-mail address. # dump bozos with all digit addresses. almost always spammers. noto:ALL:/^[0-9]+@.*$/:ALL ############################################## # otherwise, allow untrusted connections with mail to anywhere we MX # this should do it nicely: allow:ALL:ALL:NS=dns*.mydomain.com # An alternative is to allow by domain, below. allow:ALL:ALL:*mydomain.com *otherdomain.com ############################################## # don't relay mail to other places from other connections, so # we don't get used as a spam relay noto:ALL:ALL:ALL:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.