> Is there anyone on this list who can afford to brag about the
> effectiveness of their spam filtering techniques? (With the
> exception of Marc Perkel ;))
Here's how it works at my place.

* All netblocks belonging to the spam-spewing ISPs on the first and second page of http://www.senderbase.org/ are blocked in the firewall. They never reach Exim.
* If I have missed blocking a range (or if a new block pops up), I have ACLs that capture connecting hosts based on $sender_host_address in acl_smtp_connect. If I get a match on comcast.net for example, drop the connection AND add the IP to a 24h-blocklist so that they can't retry immediately. This blocklist is emptied at 24:00 every day.
* If $sender_host_name seems to indicate this is a dynamic IP, add a header for a later check in SA.
* If the HELO name contains no dot (very simple check), then drop and add the IP to the 24h-blocklist.
* If the HELO contains any of these ( _ | \ / : ), drop and block.
* If HELOing with my own host/domain name, drop and block.
* If HELOing with an IP address AND the IP doesn't match the connecting IP, drop n' block.
* If HELOing with a (correct) IP address, add a header to check against later in SA (yes, that could be done directly in SA and without having Exim add a header, but I feel it's easier this way).
* If the HELO name contains a few uppercase chars, add a header for a later check in SA.
* Then the usual ClamAV and SA kick in. SA uses DCC and Razor as well as some SARE rulesets. I have trimmed SA with quite a few own rules, but most of them only apply to my environment, I guess.

I'm hosting 2 domains. Total stats for last Friday 2006-10-20:

Incoming connections (to exim):        14220
Rejected after helo/rcpt:               8193
Scanned by SA:                          6027
Rejected after data:                    4388
Put in quarantine (5-11 SA points):      319
Delivered to users (less than 5):       1270

(If you sum all rejects and deliveries it won't come to exactly 14220. I'm sure the problem is somewhere behind all the egrep and awk patterns.)

Worth noting: I don't use any public blocklist directly from Exim. Only from within SA.

The homegrown 24h-blocklist is interesting, however. I usually have about 5000 IP addresses/day in the 24h-blocklist. About 1/3 of them return and make a total of 6500 (times 3) connection attempts. Without the 24h-blocklist I would have around 20000 incoming connections each day. Perhaps not so much more spam getting through, but some higher load on the server, and larger log files.

-- 
Andreas

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/ 
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
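The connect/HELO rules and the daily blocklist described in the post above, as an added worked example in Python (not Andreas's Exim ACLs, and not Exim configuration). It implements each rule in the order listed and feeds constructed sample connections through them; the own-name set, the rDNS patterns taken to mean "dynamic IP", the uppercase threshold, the header names and the sample traffic are all assumptions made for the example.

```python
"""Connect-stage and HELO-stage checks modelled on the rules in the post.
Added example; the names and thresholds below are assumptions, not the
poster's configuration."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

OWN_NAMES = {"example.com", "mx.example.com"}          # assumption: our own host/domain
DYNAMIC_RDNS = re.compile(                             # assumption: rDNS hinting at dynamic IPs
    r"(^|[.-])(dyn|dynamic|dhcp|ppp|pool|dsl|cable)[.\-\d]", re.I)
BAD_HELO_CHARS = set("_|\\/:")                         # the ( _ | \ / : ) set from the post


@dataclass
class Verdict:
    action: str                       # "drop" or "accept"
    reason: str = ""
    headers: list = field(default_factory=list)   # headers added for SA to score later


class DailyBlocklist:
    """IPs dropped today. The whole set is discarded at the first use after the
    UTC day boundary, mirroring a list that is emptied at 24:00 every day."""
    def __init__(self):
        self._day, self._ips = None, set()

    def _roll(self, now):
        if now.date() != self._day:
            self._day, self._ips = now.date(), set()

    def add(self, ip, now):
        self._roll(now)
        self._ips.add(ip)

    def contains(self, ip, now):
        self._roll(now)
        return ip in self._ips

    def __len__(self):
        return len(self._ips)


def helo_ip_literal(helo):
    """Return the address if HELO is an IP (bare 1.2.3.4, [1.2.3.4] or [IPv6:...]), else None."""
    s = helo[1:-1] if helo.startswith("[") and helo.endswith("]") else helo
    if s.lower().startswith("ipv6:"):
        s = s[5:]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def check_helo(helo, peer_ip, rdns=None):
    """Apply the post's rules in the order they are listed."""
    headers = []
    if rdns and DYNAMIC_RDNS.search(rdns):
        headers.append("X-Dynamic-Host: yes")
    if "." not in helo:                       # also catches a bare IPv6 literal such as ::1
        return Verdict("drop", "no dot in HELO", headers)
    if BAD_HELO_CHARS & set(helo):            # note: [IPv6:2001:db8::1] is dropped here too
        return Verdict("drop", "forbidden character in HELO", headers)
    if helo.lower() in OWN_NAMES:
        return Verdict("drop", "HELO is our own name", headers)
    literal = helo_ip_literal(helo)
    if literal is not None:
        if literal != ipaddress.ip_address(peer_ip):
            return Verdict("drop", "HELO address does not match peer", headers)
        headers.append("X-HELO-Is-IP: yes")
    if sum(c.isupper() for c in helo) >= 2:   # "a few uppercase chars": threshold assumed
        headers.append("X-HELO-Uppercase: yes")
    return Verdict("accept", "", headers)


def handle_connection(peer_ip, helo, blocklist, now, rdns=None):
    """Blocklist lookup at connect time, then the HELO rules; a dropped peer is listed for the day."""
    if blocklist.contains(peer_ip, now):
        return Verdict("drop", "in daily blocklist")
    verdict = check_helo(helo, peer_ip, rdns)
    if verdict.action == "drop":
        blocklist.add(peer_ip, now)
    return verdict


def demo():
    """Run constructed sample connections (not real traffic) through the policy."""
    bl = DailyBlocklist()
    t0 = datetime(2006, 10, 20, 10, 0, tzinfo=timezone.utc)
    samples = [
        ("198.51.100.7", "mail.example.net", None),
        ("198.51.100.8", "localhost", None),
        ("198.51.100.9", "mx.example.com", None),
        ("198.51.100.10", "[203.0.113.5]", None),
        ("198.51.100.11", "198.51.100.11", "c-198-51-100-11.dyn.example.org"),
        ("198.51.100.12", "MAIL.Example.NET", None),
        ("198.51.100.8", "mail.example.net", None),   # retry by a host dropped above
    ]
    verdicts = [handle_connection(ip, helo, bl, t0, rdns) for ip, helo, rdns in samples]
    blocked_today = len(bl)
    after_reset = handle_connection("198.51.100.8", "mail.example.net", bl, t0.replace(day=21))
    return {"verdicts": verdicts, "blocked_today": blocked_today,
            "after_reset": after_reset, "blocked_after_reset": len(bl)}


if __name__ == "__main__":
    for v in demo()["verdicts"]:
        print(v.action, v.reason, v.headers)
```

Two things worth noticing when running it: the retry from 198.51.100.8 is refused at connect time without the HELO rules being evaluated again, which is exactly the load saving the post reports, and the forbidden-character rule drops any bracketed IPv6 literal because of the colons, so a server that expects IPv6 peers would have to move the address-literal test ahead of that rule.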
