Hi there,

Short subject lines are acceptable. :)

On Tue, 1 Apr 2008 Randal Hicks wrote:

> Would anyone else care to share their statistics or how they are
> protecting themselves (and thereby others)? Not just mail, but
> other vectors as well. Maybe an experience you had where you
> learned a lot would be particularly helpful to the group?

Protection methods will differ from one installation to another, and what might be appropriate for one might not be for another. Generally the servers that I operate handle low volumes of traffic and I know all the users personally. I imagine most system administrators aren't in that, er, happy position.

As we're talking primarily about mail, here's a graph of the number of attempts to send spam per day on what for me is a typical mailserver, handling genuine mail at a rate of a few hundred messages per day:

http://www.jubileegroup.co.uk/JOS/misc/port25.gif

The genuine messages number less than two percent of average spam attempts.

My experience is that if you accept any spam at all then you get more spam from other places, so most attempts to send spam that are detected during the SMTP conversation will cause the TCP connection to be dropped, and the IP/24 to be both blacklisted and firewalled indefinitely unless it's in a range which for some reason has been whitelisted beforehand.

This is near the edge of the topical envelope for this list, so I won't ramble on about the Sendmail setup, logging and the scripts which do the work. Here's a brief description:

http://lurker.clamav.net/message/20071225.163525.4b0e6929.en.html

In the last three months about 5,000 network blocks have been added to the 36,000 that we were blocking in December. Even so, as you can see from the graph, things aren't getting any better.

You may have noticed that I said 'most' attempts to send spam cause the IP to be blacklisted. One notable exception at the moment is any phishing mail sent by servers in the orange.fr domain. They're such a nuisance that mail is not rejected until the message has been received in its entirety; it is then both rejected and forwarded by MIMEDefang to (amongst others) the UK Police Anti-Fraud Unit. Unfortunately that seems to have no effect whatever.

If there's anyone from orange.fr reading, would you please try to think of reasons why your mailservers might be sending mail which claims to be from NatWest Bank or the Nationwide Building Society? Alternatively you might want to consider finding a large cauldron of boiling oil, and jumping into it.

--
73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
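
The blocking policy described in the message above (blacklist the sender's /24 unless the range was whitelisted beforehand), as an added example that is not part of the original post and not the author's scripts. The log format, the function names, the /64 prefix for IPv6 and the rule that a block is skipped when it overlaps any whitelisted range are assumptions; all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the post.
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]
ALREADY_BLOCKED = {ipaddress.ip_network("203.0.113.0/24")}
# Hypothetical log format: "<timestamp> <verdict> <client-ip> <reason>"
SAMPLE_LOG = """\
2008-04-01T09:12:03 reject 192.0.2.17 helo-forged
2008-04-01T09:12:44 reject 192.0.2.201 rbl-listed
2008-04-01T09:13:10 reject 198.51.100.9 helo-forged
2008-04-01T09:14:59 reject 203.0.113.77 unknown-user
2008-04-01T09:15:02 accept 192.0.2.130 -
2008-04-01T09:15:30 reject not-an-ip garbage
2008-04-01T09:16:00 reject 2001:db8::1 helo-forged
"""

def covering_block(ip):
    """Return the /24 containing an IPv4 address (/64 for IPv6 is an assumption)."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def new_blocks(log_text, whitelist, blocked):
    """Map each network block that should be added to the rejected IPs behind it."""
    result = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "reject":
            continue  # only rejections made during the SMTP conversation count
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # malformed address: never pass it on to the firewall
        block = covering_block(ip)
        # Assumption: skip the whole block if it overlaps any whitelisted
        # range, so a whitelisted host is never firewalled by a neighbour.
        if any(w.version == block.version and block.overlaps(w) for w in whitelist):
            continue
        if block in blocked:
            continue  # already blacklisted; nothing new to add
        result.setdefault(block, []).append(str(ip))
    return result

if __name__ == "__main__":
    found = new_blocks(SAMPLE_LOG, WHITELIST, ALREADY_BLOCKED)
    for block in sorted(found, key=lambda n: (n.version, n)):
        print(block, found[block])
```
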