Rich Freeman on 24 Oct 2016 13:47:44 -0700



Re: [PLUG] Postscreen (another tool for helping to minimize the effect of spam)


On Mon, Oct 24, 2016 at 4:36 PM, ac <ac@main.me> wrote:
> On Mon, 24 Oct 2016 16:25:18 -0400 (EDT)
> "Keith C. Perry" <kperry@daotechnologies.com> wrote:
>
>> Two questions...
>>
>> 1) "higher overhead"
>>
>> In terms of what specifically.  Memory, CPU, etc...  I can't see a
>> whitelist check being that intensive relative to the full check the
>> main mail server does.
>>
> in terms of throughput, if you have to do X (e.g. a DNS lookup) before
> doing Y, and what your throughput is. Some mail clusters handle
> millions of emails, etc. etc.

That is one of the big appeals of postgrey.  You're doing a lookup of
a host+from combination I believe and checking its timestamp, then you
either pass on the connection or drop it with a temp failure.  There
is almost no overhead on the recipient's side.  There is a little more
overhead on the sender which needs to re-queue the mail, but of course
the sender doesn't have to deal with spam.

>> 2) "...somewhat less effective these days as bots also deal with
>> delays now."
>>
>> When you say "deal with", how so?  Postscreen sounds like it does
>> for mail what my iptables rules do for my entire net- that is to say,
>> prevent spammers from overrunning the server.  I'm guessing the
>> Postscreen delay is configurable, but are you saying there is some way
>> around that?
>>
>
> the delays - spam, as everyone knows, comes from many different sources.
> The source that postscreen was really good at defending against, the
> botnets, was mostly due to the delay happening at the end/last, but the
> bots have become more sophisticated and these days they spawn/wait/come
> back. Some of these new bots & controllers are tracked here:
> http://spamid.net

I think greylisting must be fairly ubiquitous at this point, which of
course drives the arms race further.

However, greylisting will always have one added value: it does impose
an absolute delay on the delivery of spam.  Even if that delay alone
doesn't filter any spam like it used to, it does give the blacklists
time to catch the new threat.  Historically blacklists had trouble
keeping up with spam bots - if you have a botnet with 100k hosts and
they each can send 100k emails before the blacklists are updated then
that is a LOT of mail that gets through.  On the other hand if you
impose a 15min delay on all of them and a few emails get caught by
honeypots then the blacklist rules are updated before the botnet
actually reaches any real hosts, and now all that email gets killed
before it is accepted.

I'll have to play around with the new tool when I get a chance.  I
will say that I've found greylisting to be very effective.  Most of my
spam comes in via my gentoo.org address, unfortunately.  I suspect
most of it is tagged by spamassassin, but very little leaks through my
gmail spam filters so I tend not to notice it anyway.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug