The Open Relay Database is a formerly-popular tool in the fight against spam, and it works by allowing system operators to reject traffic from insecure mail servers. These insecure servers are a scourge of the internet, and by rejecting their traffic it reduces spam and motivates the server operators to clean up their acts.
Our experience is that the vast majority of mail rejected by ORDB is actually spam, but occasionally we find "false positives": blocked mail from people we want to interact with. These folks are in fact running insecure mail servers, but here we can at least help them fix them.
ordbscan is a tool to process sendmail logfiles and report on all the mail bounced by ORDB, and a visual scan of the output usually shows the "obvious" candidates for further investigation.
This is not a tutorial on sendmail, but we can highlight the configuration we use to employ ORDB. We always use the normal sendmail ".mc" macros because doing the raw configuration files by hand is madness. Adding ORDB support to sendmail is straightforward: simply add these two lines to the dot-mc file:
    FEATURE(`delay_checks')dnl
    FEATURE(`dnsbl', `relays.ordb.org', `Rejected - see http://ordb.org/')dnl
NOTE: This is for my version of sendmail. You should check your sendmail documentation for the details on yours.
Rebuild the configuration and "kick" sendmail. Now, mail from insecure servers will be rejected and logged.
Note that the delay_checks feature is crucial to using ordbscan. Without it, sendmail will reject mail from open relays very early in the SMTP conversation, before the recipients are known. It's more efficient to reject the traffic early, but by delaying the checks until RCPT time (recipient processing), sendmail logs both sender and recipient. ordbscan relies on this behavior.
ordbscan is run on the command line by providing the names of one or more sendmail logfiles. It scans them in turn, collecting the senders and recipients, and reports them grouped by recipient. This allows the listing to be parcelled out by recipient, asking each one "Do any of these senders ring any bells?".
    # ordbscan /var/log/maillog
    Processing /var/log/maillog

    To: email@example.com
        firstname.lastname@example.org    Jun 25 08:40:01  R=220.127.116.11
        email@example.com                 Jun 25 06:44:35  R=18.104.22.168
        firstname.lastname@example.org    Jun 25 06:20:05  R=22.214.171.124
        email@example.com                 Jun 24 15:37:12  R=126.96.36.199   <-- false positive
        jose_kocstone586@Flashmail.zz     Jun 23 22:00:17  R=188.8.131.52

    To: firstname.lastname@example.org
        freehghletters@Flashmail.zz       Jun 24 18:21:23  R=184.108.40.206
Note: we use the non-domain .zz here so the spambots won't pick up valid email addresses. Each recipient is listed with all senders to that address, and the right columns contain the send date and the mail server used to relay the attempted messages.
Here we observe one "obvious" false positive.
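The scan described above, as an added example written in Python rather than the Perl ordbscan tool itself. It shows the part that depends on delay_checks: the dnsbl rejection is logged at RCPT time under the same queue ID as the earlier "from=" line, so the two can be joined to produce a per-recipient report of sender, date and relaying IP. The log line layouts and every address, hostname and queue ID in SAMPLE_LOG are constructed for this example and modelled on sendmail's syslog format; the exact fields vary between sendmail versions, so the regular expressions are an assumption to be checked against a real maillog. Rejections logged from check_relay (no recipient, no sender) are counted separately, since a run of those is the sign that delay_checks is not in effect.

```python
"""Group ORDB (dnsbl) rejections from a sendmail log by recipient.

Added example, not the Perl ordbscan tool. Log formats are assumptions
modelled on sendmail's syslog output; adjust the patterns for your version.
"""
import re
from collections import defaultdict

# Common prefix of every sendmail log line: "Mon DD HH:MM:SS host sendmail[pid]: queueid: "
PREFIX = r'^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): '

# MAIL FROM was accepted; with delay_checks this is logged before the rejection.
FROM_RE = re.compile(PREFIX + r'from=<(?P<sender>[^>]*)>.*relay=(?P<relay>.+)$')

# dnsbl rejection at RCPT time: the recipient is known (delay_checks in effect).
RCPT_REJECT_RE = re.compile(
    PREFIX + r'ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, relay=(?P<relay>.+?), '
             r'reject=.*ordb\.org')

# dnsbl rejection at connection time: no recipient, no sender (delay_checks absent).
RELAY_REJECT_RE = re.compile(
    PREFIX + r'ruleset=check_relay, .*relay=(?P<relay>.+?), reject=.*ordb\.org')

IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def relay_ip(relay_field):
    """Pull the bracketed IP out of 'host.example [192.0.2.1]' or '[192.0.2.1]'."""
    m = IP_RE.search(relay_field)
    return m.group(1) if m else relay_field


def scan(lines):
    """Return (report, early).

    report maps recipient -> list of (sender, date, relay ip), one entry per
    ORDB rejection at RCPT time; early lists (date, relay ip) for rejections
    logged before RCPT, which carry no recipient and cannot be attributed.
    """
    sender_by_qid = {}          # queue id -> envelope sender seen on the from= line
    report = defaultdict(list)
    early = []
    for line in lines:
        m = FROM_RE.match(line)
        if m:
            sender_by_qid[m['qid']] = m['sender'] or '<>'   # '<>' is a null sender
            continue
        m = RCPT_REJECT_RE.match(line)
        if m:
            sender = sender_by_qid.get(m['qid'], '(sender not logged)')
            report[m['rcpt']].append((sender, m['date'], relay_ip(m['relay'])))
            continue
        m = RELAY_REJECT_RE.match(line)
        if m:
            early.append((m['date'], relay_ip(m['relay'])))
    return dict(report), early


def format_report(report, early):
    """Render the report in the same shape as the ordbscan listing."""
    out = []
    for rcpt in sorted(report):
        out.append(f'To: {rcpt}')
        for sender, date, ip in report[rcpt]:
            out.append(f'    {sender:<36} {date}  R={ip}')
    if early:
        out.append(f'{len(early)} rejection(s) logged before RCPT; enable delay_checks to see senders')
    return '\n'.join(out)


# Constructed sample log (RFC 5737 addresses, invented hostnames and queue IDs).
SAMPLE_LOG = [
    # one message through a listed relay, delay_checks in effect
    "Jun 25 08:40:01 mx sendmail[4711]: g5PFe1xA4711: from=<alice@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]",
    "Jun 25 08:40:01 mx sendmail[4711]: g5PFe1xA4711: ruleset=check_rcpt, arg1=<bob@example.com>, relay=[192.0.2.10], reject=550 5.7.1 <bob@example.com>... Rejected - see http://ordb.org/",
    # spam through a listed relay with a hostname, two recipients on one connection
    "Jun 25 06:44:35 mx sendmail[4720]: g5PDiZxB4720: from=<freehghletters@flashmail.invalid>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=relay.example.net [198.51.100.7]",
    "Jun 25 06:44:35 mx sendmail[4720]: g5PDiZxB4720: ruleset=check_rcpt, arg1=<bob@example.com>, relay=relay.example.net [198.51.100.7], reject=550 5.7.1 <bob@example.com>... Rejected - see http://ordb.org/",
    "Jun 25 06:44:35 mx sendmail[4720]: g5PDiZxB4720: ruleset=check_rcpt, arg1=<carol@example.com>, relay=relay.example.net [198.51.100.7], reject=550 5.7.1 <carol@example.com>... Rejected - see http://ordb.org/",
    # a normal delivery, must be ignored
    "Jun 25 07:00:00 mx sendmail[4730]: g5PE00xC4730: from=<dave@example.org>, size=1234, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]",
    "Jun 25 07:00:01 mx sendmail[4731]: g5PE00xC4730: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31234, dsn=2.0.0, stat=Sent",
    # a rejection that is not ORDB's, must be ignored
    "Jun 25 07:10:00 mx sendmail[4740]: g5PEA0xD4740: ruleset=check_rcpt, arg1=<nobody@example.com>, relay=[203.0.113.9], reject=550 5.1.1 <nobody@example.com>... User unknown",
    # rejection at connection time, as happens without delay_checks
    "Jun 24 15:37:12 mx sendmail[4750]: g5OMbCxE4750: ruleset=check_relay, arg1=[198.51.100.44], arg2=127.0.0.2, relay=[198.51.100.44], reject=550 5.7.1 Rejected - see http://ordb.org/",
]

if __name__ == '__main__':
    print(format_report(*scan(SAMPLE_LOG)))
```

Run against a real file with `scan(open('/var/log/maillog'))`; the join on queue ID is what makes the sender column possible, which is why the early-rejection count is worth watching after any change to the sendmail configuration.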
If ordbscan reveals any senders that are "interesting", there are three possible actions to take:
    # S. Friedl (added 2002/06/25)
    220.127.116.11        OK
This is a simple perl program and should run without change on most UNIX/Linux systems.
• ordbscan.txt - perl source code