[Cialug] damn spammers

Tom Pohl tom at tcpconsulting.com
Wed Nov 7 10:11:07 CST 2007


On Nov 7, 2007, at 9:13 AM, Dave Weis wrote:

> neal daringer wrote:
>> Dave Weis wrote:
>>>
>>> My little mail forwarding experiment is working well. I was going  
>>> through the logs and between Nov 4 at 6 AM and now it's dropped  
>>> 2.4 million emails. There have been a whopping 117 legitimate  
>>> emails forwarded onward.
>
>> what pray tell is this experiment? and how does it work?
>
> I have a customer domain that has 3-4 addresses that get forwarded  
> to real people. Someone combined the domain with every possible  
> left hand side of an email address and has been hitting it with  
> spam for a few months. It finally got to the point that the real  
> server was having problems dealing with the load. I had asked for  
> some help a few weeks ago and have postfix tightened up to drop a  
> lot of the junk. A large part of the problem is that it was taking  
> in email and sending an asynchronous bounce instead of an immediate  
> 550 and discarding the message.
>

I used to have load issues until I started dropping SMTP connections  
up front based upon spamhaus' blocklists.  I've found that the PBL  
(Policy Block List) rejects really well for the bot networks running  
from residential broadband users.  Lots of ISPs are listing their  
residential users in the list.  I've found that I'm rejecting about  
50% of incoming SMTP connections immediately easing the load because  
it won't allow the sender to send a message (my average for the past  
24 hours in 10 min avg Allow: 6656.0 Deny: 6353.0).  The biggest  
drawback is that it blocks the sender even before any SMTP AUTH  
attempts, so you need to use an alternate port for users who need to  
relay mail through the server if they're coming from a dynamic IP  
range listed in the PBL.

I used to add huge blocks of IP addresses to my firewall rules, but  
it seems like more and more local companies are outsourcing their  
email to companies who are outside of the US making it harder to  
identify legitimate source ip addresses.

-Tom
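The two measures discussed in this thread, an immediate 550 for unknown recipients instead of an asynchronous bounce, and a DNSBL check against the Spamhaus PBL before any mail is accepted, together with the alternate-port workaround for authenticated users, are shown below as a Postfix configuration. This is an added example, not Tom's or Dave's actual config. It assumes a Postfix 2.x server with SASL already set up, a forwarding domain called example.com whose 3-4 real addresses live in /etc/postfix/virtual, and that pbl.spamhaus.org is the list being queried; the domain and file names are placeholders.

```conf
# ---- /etc/postfix/main.cf (added example, not the thread's real config) ----

# 1. Reject unknown recipients at RCPT TO with a 550.
#    Listing the domain in virtual_alias_domains makes Postfix refuse any
#    left-hand side that is not in virtual_alias_maps, so the server never
#    accepts the message and therefore never generates a bounce for it.
virtual_alias_domains = example.com
virtual_alias_maps    = hash:/etc/postfix/virtual
#    /etc/postfix/virtual contains only the real forwards, e.g.
#      sales@example.com    alice@real-mailbox.example
#      support@example.com  bob@real-mailbox.example

# 2. Check the Spamhaus PBL at connect time, before any SMTP command.
#    Postfix normally postpones all restrictions until RCPT TO
#    (smtpd_delay_reject = yes).  Turning that off and putting the
#    DNSBL check in smtpd_client_restrictions rejects the session as
#    soon as the client connects, which is what eases the load, but it
#    also means SMTP AUTH has not happened yet: an authenticated user on
#    a PBL-listed DSL address is turned away on port 25 like any bot.
smtpd_delay_reject = no
smtpd_client_restrictions =
    permit_mynetworks
    reject_rbl_client pbl.spamhaus.org

# 3. Normal relay protection, evaluated at RCPT TO.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_recipient_domain
    permit

# ---- /etc/postfix/master.cf (added example) ----
# 4. Alternate port for roaming users.  The submission service overrides
#    the connect-time PBL check: smtpd_delay_reject is switched back on
#    here so the client restrictions run after AUTH, and only
#    authenticated clients get through.  Unauthenticated PBL hosts are
#    still refused, just later in the dialogue.
submission inet n       -       n       -       -       smtpd
  -o smtpd_delay_reject=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After editing, run `postmap /etc/postfix/virtual` and `postfix reload`, then watch the mail log: PBL hits appear as "blocked using pbl.spamhaus.org" with a 554 at connect, and probes against random left-hand sides appear as "User unknown in virtual alias table" 550s at RCPT TO, neither of which produces an outbound bounce. Two caveats a practitioner should check: the DNSBL lookup adds a DNS query per connection, so run a local caching resolver rather than pointing at a public one, and Spamhaus publishes usage limits for its free public mirrors that a server handling this much traffic may exceed.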


