gabriel rosenkoetter on 30 Apr 2004 11:58:02 -0000
On Thu, Apr 29, 2004 at 12:21:39PM -0400, Magnus Hedemark wrote:
> 1) Use some of the well maintained blacklists to stop the mail from ever
> hitting the server.

"Well maintained blacklists" is an oxymoron in my experience.

> 2) Use software on the mail server to block this from ever getting to
> Mailman. This should be comprised of both antivirus software and antispam
> software.

The PLUG mail server doesn't have the horsepower to do this. It's enough of a strain keeping up with list mail. Please to be filtering your own spam, thanks.

> In the absence of that on the Mailman server here, you're on your own. I
> had been whitelisting PLUG traffic but I'm forced to rethink that now.

I don't understand why, but I don't really care.

On Fri, Apr 30, 2004 at 12:20:26AM -0000, Greg Sabino Mullane wrote:
> I set a limit on the message size and reject HTML emails. Catches just
> about everything.

That's a very practical suggestion that MCT should consider.

On Thu, Apr 29, 2004 at 09:26:08PM -0400, sean finney wrote:
> yeah, look at the Received header of this email :)

Yes, let's do:

> Received: from unknown (HELO seanwashere) (66.92.235.189)
>   by mail.netisland.net with SMTP; 30 Apr 2004 01:24:33 -0000

You can spoof the HELO/EHLO name. You can't spoof the IP address that any sane MTA also records unless you've done ARP spoofing to the router directly upstream from that MTA. That would be... difficult.

Oh, you might want to upgrade your OpenSSH version, Sean, unless Debian's pulled the 3.7 patches back to its 3.6.
But you can certainly send your spam through an open mail relay that *also* sends legitimate mail (and, thus, would be wrong to have in an RBL, even though they frequently are), relay mail through a random Windows PC infected with some virus (which won't be at the same IP address for long, so adding it to an RBL doesn't actually do much good unless you want to block the whole netblock, in which case you may block mail from responsible users who choose not to use their ISP's SMTP mail relay), or send mail from an Internet cafe (you know the instance I speak of, Sean; it was on /. not too long ago, in which case... you get the idea).

RBLs don't actually work, especially when you let other people who you don't know manage them. And doing the checks is indescribably expensive, relative to just accepting the mail, especially at SMTP time, and if you take too long then, legitimate clients may hang up on you.

Incidentally, I do know a thing or two about spam and SMTP traffic. See http://eclipsed.net/~gr/spam.log. That's just what my filters catch; I've got about a 90% hit rate and <1% false positives (don't think I've had one in two months). I'm about to spend ~$7.5k at work for a system capable of rejecting spam and viruses at SMTP time (that is, issue a 550, rather than ever even claim you'll deliver the mail). It's going to take a dual Xeon and at the very least 2 GB of RAM to do this fast enough to avoid losing legitimate SMTP connections (and mail is never even touching disk on this system).

--
gabriel rosenkoetter
gr@eclipsed.net
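The point made above about Received headers (the HELO name is whatever the client chose to send; the peer IP is what the receiving MTA itself recorded) as an added example in Python, not code from the original thread. The sample header block is constructed, modelled on the line quoted from Sean's mail, and the helper names are my own:

```python
import re

# Constructed sample header block (not real traffic); the bottom Received: line
# is the one quoted in the thread, the top one is a made-up list-server hop.
SAMPLE_HEADERS = (
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby lists.example.net with ESMTP; 30 Apr 2004 01:30:00 -0000\n"
    "Received: from unknown (HELO seanwashere) (66.92.235.189)\n"
    "\tby mail.netisland.net with SMTP; 30 Apr 2004 01:24:33 -0000\n"
    "Subject: test\n"
)

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(?P<from>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)          # qmail-style "(HELO name)"
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")   # "[1.2.3.4]" or "(1.2.3.4)"

def unfold(headers):
    """Join RFC 2822 continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(headers):
    """Return one dict per Received: header, top of message (most recent hop) first."""
    hops = []
    for line in unfold(headers):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        helo = HELO_RE.search(m["rest"])
        ip = IP_RE.search(m["rest"])
        hops.append({
            "helo": helo.group(1) if helo else m["from"],  # client-supplied, attacker-controlled
            "ip": ip.group(1) if ip else None,             # taken by the MTA from the TCP peer
            "by": m["by"],                                 # the MTA that wrote this line
        })
    return hops

def origin_hop(hops):
    """Bottom-most Received: line: the first MTA's own record of the sending client."""
    return hops[-1] if hops else None

def helo_is_fqdn(helo):
    """SMTP expects a fully-qualified name or an address literal here; a bare word is suspicious."""
    return "." in helo or helo.startswith("[")
```

Only the `ip` field of each hop is worth trusting, and only for the hop written by an MTA you control; everything the client presented (HELO name, and any Received lines it forged below yours) is just text.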