Rich Kulawiec on 21 Oct 2016 13:40:32 -0700
Re: [PLUG] spamassassin help: create a rule to score by sender TLD
On Fri, Oct 21, 2016 at 06:04:09PM +0200, ac wrote:
> congratulations on your book on mail systems defense, i truly hope you
> are not also suggesting, in a book, that people should block entire
> tld, like .me (for example about.me and so many SF startups use .me)
> like you have advocated here (and are doing yourself)

I suggest, as I pointed out in my long message, that people analyze and understand their own operational needs, and block everything that they don't need/want.

I happen to block .me *here* because careful, detailed analysis showed that mail traffic arriving *here* from .me was almost all spam. To five and a half 9's. I don't block it elsewhere because careful, detailed analysis there didn't show the same thing.

The same is true of (nearly) every rule in the mail system configuration: they're all customized based on analysis -- well, and an enormous amount of personal experience with mail servers of many sizes and descriptions and purposes.

*This* server has the entire country of China firewalled out -- not just SMTP, but all IP traffic. Another server I run has none of it firewalled. And another one maintains a separate MX solely for traffic from China, which is treated differently than other traffic. (Why? Because they need it, but they've been frequently phished. So it's special-cased in order to minimize the risk. Not that hard to do for a one-off, would be tedious if there were 50.)

So I'll say it one more time: analyze your logs. You have to know what your mail server is doing (or not doing) in incredible detail along with what you *want* it to be doing in order to get it to actually conform to your requirements. But we are WAY past the time when "allow everything and try to sanitize it" is workable, and frankly, very few operations actually need it anyway. (If you're GMail: sure. If you're Bob's Donuts in Dubuque: no.)

---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
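
Added example, not part of the original message: one way to do the per-TLD log analysis the message calls for is to tally total and spam volume by sender TLD, then flag only TLDs that have both enough traffic to judge and a near-total spam ratio. The record format, sample data, function names and thresholds below are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records: "<envelope sender> <verdict>", one per message.
# This format is an assumption; adapt the parsing to your own MTA/filter logs.
SAMPLE_LOG = """\
promo@deals.example.me spam
win@lucky.example.me spam
offer@cheap.example.me spam
news@shop.example.me spam
alice@partner.example.org ham
bob@partner.example.org ham
billing@vendor.example.org spam
<> ham
carol@Friend.Example.COM. ham
not-an-address spam
x@one-off.example.xyz spam
"""

def sender_tld(sender):
    """Return the lower-cased TLD of an envelope sender, or None."""
    sender = sender.strip("<>")
    if "@" not in sender:            # null sender (bounce) or malformed
        return None
    domain = sender.rsplit("@", 1)[1].rstrip(".").lower()
    return domain.rsplit(".", 1)[1] if "." in domain else None

def tld_stats(lines):
    """Map each sender TLD to (total messages, spam messages)."""
    total, spam = Counter(), Counter()
    for line in lines:
        parts = line.split()
        tld = sender_tld(parts[0]) if len(parts) == 2 else None
        if tld is None:              # skip records we cannot attribute
            continue
        total[tld] += 1
        if parts[1] == "spam":
            spam[tld] += 1
    return {t: (total[t], spam[t]) for t in total}

def block_candidates(stats, min_msgs=4, min_ratio=0.99):
    """TLDs with enough volume to judge and a spam ratio >= min_ratio."""
    return sorted(t for t, (n, s) in stats.items()
                  if n >= min_msgs and s / n >= min_ratio)

if __name__ == "__main__":
    stats = tld_stats(SAMPLE_LOG.splitlines())
    print(stats, block_candidates(stats))
```

The volume floor matters: in the sample, .xyz is 100% spam on a single message, which is not enough evidence to act on, while .org shows why a mixed TLD should stay unblocked.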