Re: [PLUG] spamassassin help: create a rule to score by sender TLD

On Fri, Oct 21, 2016 at 06:04:09PM +0200, ac wrote:
> congratulations on your book on mail systems defense, i truly hope you
> are not also suggesting, in a book, that people should block entire
> tld, like .me (for example and so many SF startups use .me)
> like you have advocated here (and are doing yourself)

I suggest, as I pointed out in my long message, that people analyze and
understand their own operational needs, and block everything that they
don't need/want.  I happen to block .me *here* because careful, detailed
analysis showed that mail traffic arriving *here* from .me was almost
all spam.  To five and a half 9's.  I don't block it elsewhere because
careful, detailed analysis there didn't show the same thing.  The same is
true of (nearly) every rule in the mail system configuration: they're all
customized based on analysis -- well, and an enormous amount of
personal experience with mail servers of many sizes and descriptions
and purposes.  *This* server has the entire country of China firewalled
out -- not just SMTP, but all IP traffic.  Another server I run has none
of it firewalled.  And another one maintains a separate MX solely for
traffic from China, which is treated differently than other traffic.
(Why?  Because they need it, but they've been frequently phished.
So it's special-cased in order to minimize the risk.  Not that hard
to do for a one-off, would be tedious if there were 50.)

So I'll say it one more time: analyze your logs.  You have to know
what your mail server is doing (or not doing) in incredible detail along
with what you *want* it to be doing in order to get it to actually
conform to your requirements.  But we are WAY past the time when
"allow everything and try to sanitize it" is workable, and frankly,
very few operations actually need it anyway.  (If you're GMail: sure.
If you're Bob's Donuts in Dubuque: no.)
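The per-TLD log analysis the reply keeps insisting on, as an added example that is not from the original thread or from SpamAssassin: it tallies spam verdicts by sender TLD over a few constructed log lines in a simplified format (the line format, the thresholds and the sample data are this example's assumptions) and lists the TLDs whose traffic at *this* site is spammy enough to justify a site-specific rule.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified format (not real Postfix or
# SpamAssassin output): sender address and the filter's verdict per message.
SAMPLE_LOG = """\
2016-10-21T18:04:09 mx from=<promo@deals.me> verdict=spam
2016-10-21T18:05:11 mx from=<ceo@startup.me> verdict=ham
2016-10-21T18:06:30 mx from=<news@offers.me> verdict=spam
2016-10-21T18:07:02 mx from=<bulk@cheap.ME> verdict=spam
2016-10-21T18:08:45 mx from=<alice@example.com> verdict=ham
2016-10-21T18:09:12 mx from=<bob@example.com> verdict=ham
2016-10-21T18:11:33 mx from=<x@spammy.biz> verdict=spam
2016-10-21T18:12:01 mx from=<> verdict=ham
2016-10-21T18:13:27 mx this line is malformed and is skipped
"""

LINE_RE = re.compile(r"from=<(?P<addr>[^>]*)> verdict=(?P<verdict>spam|ham)")

def sender_tld(addr):
    """Lowercase TLD of an address; None for bounces (<>) or undotted domains."""
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower()
    return domain.rsplit(".", 1)[1] if "." in domain else None

def tally_by_tld(log_text):
    """Per-TLD {'total': n, 'spam': n} counts; unparseable lines are skipped."""
    counts = defaultdict(lambda: {"total": 0, "spam": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        tld = sender_tld(m.group("addr")) if m else None
        if tld is None:
            continue
        counts[tld]["total"] += 1
        counts[tld]["spam"] += int(m.group("verdict") == "spam")
    return dict(counts)

def block_candidates(counts, min_total=3, min_spam_ratio=0.75):
    """TLDs seen often enough, and spammy enough, to justify a site-specific
    block; the thresholds are this example's choice, tune them to your logs."""
    return sorted(t for t, c in counts.items()
                  if c["total"] >= min_total and c["spam"] / c["total"] >= min_spam_ratio)

if __name__ == "__main__":
    counts = tally_by_tld(SAMPLE_LOG)
    for tld, c in sorted(counts.items()):
        print(f".{tld}: {c['spam']}/{c['total']} spam")
    print("block candidates:", block_candidates(counts))
```

The minimum-sample threshold is what keeps a single spam from `.biz` from turning into a block; the ratio threshold is what separates a TLD that is mostly spam *here* from one that merely sends some.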
