I agree that there are lots of compromised ".edu" accounts, and that some students like to cause trouble. But, when I say I never *see* spam from ".edu" domains, I mean, if there is any, it gets filtered out by other means, not that my MTA never receives any.
Also, in the past I *have* corresponded with ".edu". For example, I was using a Stratum 1 NTP server at MIT (it being nearby, and my being an MIT grad), and had to communicate with the guy running it. The only TLDs I currently block are some of the weird new ones, like 'accountant', 'bid', 'club', 'cricket', 'date', 'download', 'men', 'stream', 'top' and 'xyz', as I have no evidence that anything *but* spam ever comes from them.

P.S. I often look at our mail logs (for our tiny domain), and ".edu" does not stand out at all. As far as IPTABLES logs go, I don't remember seeing probes from IP addresses which PTR-resolve to ".edu", but I don't do that a lot (and I certainly don't log every dropped SYN).

On Sun, 18 Jun 2017 18:23:32 +0100 (BST) "G.W. Haywood" <cla...@jubileegroup.co.uk> wrote:

> Hi there,
>
> On Sun, 18 Jun 2017, Paul Kosinski wrote:
>
> > On Fri, 16 Jun 2017 17:22:53 +0100 (BST) "G.W. Haywood" wrote:
> >
> > > ... We just outright reject all mail from the '.edu' TLD ...
> >
> > Why do you reject *all* email from ".edu"?
>
> Because all connections we see from .edu are either from compromised
> accounts sending spam or from irresponsible juveniles who think it's
> clever/cool/whatever to try to hack into other people's computers.
>
> > Doesn't that cut you off from lots of useful technological info?
>
> Not in the least. There's a reasonable scientific press, for example.
>
> > (I don't think I *ever* see spam from ".edu".)
>
> That seems strange to me. Generally speaking we have no reason to
> correspond with .edu domains, but even so, apart from hack attempts
> we never see anything else. Do you actually look for it? I mean,
> you know, read the logs? :)
>
> There's an important point here. Well over 90% of the attacks we see
> are defeated by preventing connections from the sources of the attacks
> simply because they are known sources of attacks. It's not the only
> technique we use, but even on its own it's more effective, in terms of
> both success rate and processing overhead, than scanning for malicious
> characteristics - which of course we do as well, but only after the
> bulk of the dross has been dropped using a number of other techniques.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
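The two posters disagree about whether ".edu" belongs on a TLD blocklist, and the deciding factor both appeal to is the mail logs. Below is an added example (not code from either poster or from ClamAV) that tallies scanner verdicts per sender TLD from constructed, simplified log lines and flags TLDs that match the "no evidence of anything but spam" criterion; the log format, the `result=` field and the `min_seen` threshold are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified MTA-style format (not any
# real MTA's exact syntax): one delivery per line, with the envelope
# sender and the verdict the content scanner assigned to the message.
SAMPLE_LOG = """\
Jun 18 10:01:02 mx in: from=<alice@cs.example.edu> result=clean
Jun 18 10:03:15 mx in: from=<promo@deals.bid> result=spam
Jun 18 10:04:40 mx in: from=<bob@physics.example.edu> result=clean
Jun 18 10:05:09 mx in: from=<offer@win.top> result=spam
Jun 18 10:06:33 mx in: from=<news@cheap.bid> result=spam
Jun 18 10:08:51 mx in: from=<student@example.edu> result=spam
Jun 18 10:09:12 mx in: from=<ops@vendor.example.com> result=clean
"""

LINE_RE = re.compile(r"from=<[^@>]+@([^>]+)>\s+result=(clean|spam)")

def tld_of(domain: str) -> str:
    """Return the last DNS label of a domain, lower-cased."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()

def tally_by_tld(log_text: str) -> dict:
    """Count clean and spam verdicts per sender TLD."""
    counts = defaultdict(lambda: {"clean": 0, "spam": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[tld_of(m.group(1))][m.group(2)] += 1
    return dict(counts)

def block_candidates(counts: dict, min_seen: int = 2) -> list:
    """TLDs seen at least min_seen times with not a single clean message:
    the 'no evidence that anything but spam comes from them' criterion."""
    return sorted(t for t, c in counts.items()
                  if c["clean"] == 0 and c["spam"] >= min_seen)

def should_reject(sender: str, blocked_tlds: set) -> bool:
    """Envelope-time decision: reject when the sender's TLD is blocked."""
    domain = sender.rsplit("@", 1)[-1]
    return tld_of(domain) in blocked_tlds

if __name__ == "__main__":
    counts = tally_by_tld(SAMPLE_LOG)
    for tld, c in sorted(counts.items()):
        print(f"{tld:<5} clean={c['clean']} spam={c['spam']}")
    print("block candidates:", block_candidates(counts))
```

With the sample data, "edu" carries clean mail alongside one spam and so is never a candidate, "top" is seen only once and falls below the threshold, and only "bid" qualifies.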