> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
> On Behalf Of j debert
> Sent: Thursday, October 16, 2008 11:26 AM
> To: postfix-users@postfix.org
> Subject: Re: Finally blocking some spam
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Joey wrote:
> |> -----Original Message-----
> |> From: Jorey Bump [mailto:[EMAIL PROTECTED]
> |> Sent: Monday, October 13, 2008 6:09 PM
> |> To: Joey
> |> Cc: postfix-users@postfix.org
> |> Subject: Re: Finally blocking some spam
 
> That's still too simple. You're simply counting connections again. How 
> many of those connection attempts are hosts retrying (sending the same 
> mail)? You do not have the data to tell you what is going on.
> 
> To get a more accurate count evaluate the source IP, sender and RCPT 
> TO. This might also reveal the false positives that you cannot see by 
> blocking IP blocks at a firewall.
> 
> The method you are using has been tried by others before and has been 
> discussed here several times before. The problems with this approach 
> are well known. Mainly, it is generally considered to be bad 
> behaviour. Among more recent problems that have appeared for sites 
> doing the same thing is that they become blacklisted. Don't be 
> surprised to find your domain or at least your IP on blacklists. Sites 
> that block large swaths of IP address space like this sooner or later 
> do and it's very difficult, if not impossible to get off them. That 
> will only reduce legitimate mail, not spam, as sites that subscribe to 
> such blacklists will not talk to you.
> 
> Get rid of your tainted IP and ensure that your domain is also not 
> tainted. Once a domain or username is tainted, it seems to stay that 
> way apparently forever.
> 
Hi Jorey,

In respect to the tainted IP, I realized we have an IP less than 2 years old which 
gets the same, if not MORE, connections, so I'm thinking the IP change will not 
be of value, BUT I haven't discounted that as an option.

You are accurate in saying that it's an unfair method to simply count 
connections; however, what I can tell you is that our servers, from the maillog, are 
getting over 15K messages per hour, and I am beyond the frustrated point with 
the resources being wasted, and more so the amount of spam in my mailbox given 
that we are aggressive at fighting spam. (And no, I can't get rid of my email 
address, nor can the clients I am supporting.)

I need a better solution, but don't have one. RBLs help; fail2ban, which was 
suggested, helps (only in stopping the attempts from the same source that 
received a 500 error: RCPT from (.*)\[<HOST>\]: 5[0-9][0-9] User unknown 
(.*)\[<HOST>\]). This does help by not going back out to the web for RBL checking 
etc., but since most spammers come in from an organized multi-PC/server approach, 
the "single IP failing 3 times" block doesn't cut it.

As you can see, I invested time in setting up, playing with and learning 
fail2ban and have tried suggestions from everyone on the list (I am very 
thankful for the list and everyone on it!).

I have written some scripts to count connections from IPs, compare them and see 
who is connecting way too many times, but that is tough: how many connections are 
legit?

Any suggestions you have to help me reduce the load on the servers, and the 
junk in the mailbox, are welcome, and I can assure you I will try just about 
anything, as you can see by my blanket IP method, which for reference has 
reduced spam by over 75%, and yes, blocked a few legit users.

Joey
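One way to get the per-source-IP, per-sender, per-RCPT-TO view Jorey asks for above, instead of a bare connection count: parse the 5xx RCPT rejects out of the Postfix maillog, and for each client IP compare the total number of rejects with the number of distinct (sender, recipient) pairs. A host that keeps retrying the same pair looks like a legitimate MTA queueing to a stale address; a host whose rejects are almost all distinct pairs looks like a dictionary run. This is an added example, not a script from the thread or from the Postfix project; the log lines are constructed in the Postfix smtpd reject format, and the thresholds in `classify()` are assumptions to tune against your own log.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines in the Postfix smtpd "NOQUEUE: reject:" format.
# 192.0.2.10 hits three different unknown users with three different senders
# (dictionary-style); 198.51.100.7 retries one stale address three times.
SAMPLE_LOG = """\
Oct 16 11:26:01 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x1@spammer.invalid> to=<aaron@example.com> proto=ESMTP helo=<spammer.invalid>
Oct 16 11:26:02 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x2@spammer.invalid> to=<abby@example.com> proto=ESMTP helo=<spammer.invalid>
Oct 16 11:26:03 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x3@spammer.invalid> to=<adam@example.com> proto=ESMTP helo=<spammer.invalid>
Oct 16 11:30:10 mx1 postfix/smtpd[1202]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <old-alias@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<old-alias@example.com> proto=ESMTP helo=<mail.partner.example>
Oct 16 11:45:10 mx1 postfix/smtpd[1203]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <old-alias@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<old-alias@example.com> proto=ESMTP helo=<mail.partner.example>
Oct 16 12:00:10 mx1 postfix/smtpd[1204]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <old-alias@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<old-alias@example.com> proto=ESMTP helo=<mail.partner.example>
Oct 16 12:01:00 mx1 postfix/smtpd[1205]: connect from unknown[203.0.113.5]
"""

# Matches the client IP, the 5xx code, and the envelope sender/recipient of a
# RCPT reject. Plain "connect from" lines do not match and are ignored.
REJECT_RE = re.compile(
    r"RCPT from (?P<client>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>5\d\d) .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text):
    """Yield (ip, code, sender, rcpt) for every 5xx RCPT reject line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield (m.group("ip"), int(m.group("code")),
                   m.group("sender").lower(), m.group("rcpt").lower())


def summarize(log_text):
    """Per client IP: total rejects, distinct (sender, rcpt) pairs, and the
    number of rejects that were repeats of an already-seen pair (retries)."""
    totals = defaultdict(int)
    pairs = defaultdict(set)
    for ip, _code, sender, rcpt in parse_rejects(log_text):
        totals[ip] += 1
        pairs[ip].add((sender, rcpt))
    return {
        ip: {"rejects": n,
             "distinct_pairs": len(pairs[ip]),
             "retries": n - len(pairs[ip])}
        for ip, n in totals.items()
    }


def classify(stats, min_rejects=3, dictionary_ratio=0.5):
    """Label each IP with at least min_rejects rejects. If more than
    dictionary_ratio of its rejects are distinct (sender, rcpt) pairs it is
    labelled "dictionary"; otherwise it is mostly retrying one pair and is
    labelled "retrying". Both thresholds are assumptions, not Postfix defaults."""
    labels = {}
    for ip, s in stats.items():
        if s["rejects"] < min_rejects:
            continue
        ratio = s["distinct_pairs"] / s["rejects"]
        labels[ip] = "dictionary" if ratio > dictionary_ratio else "retrying"
    return labels


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    labels = classify(stats)
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["rejects"]):
        print(f"{ip:<16} rejects={s['rejects']:<4} distinct={s['distinct_pairs']:<4} "
              f"retries={s['retries']:<4} {labels.get(ip, 'below threshold')}")
```

Run it against a real log with `summarize(open('/var/log/maillog').read())`; the "retrying" bucket is where the false positives hidden by a firewall block tend to show up, since those hosts are usually real MTAs that deserve a 5xx, not a dropped packet.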