On Tue, Apr 17, 2012 at 09:13:55PM -0500, /dev/rob0 wrote:
> On Wed, Apr 18, 2012 at 04:33:31AM +0300, Henrik K wrote:
> > Still, is it too much to ask for looking at 
> > things from many angles or backing up claims with any kind of 
> > statistics or science instead of personal gut feelings?
> 
> Where/how would one collect such data?

I guess we would need to have consensus first on what exactly to measure. 
Maybe I'll do some scripts later so everyone can test on their own logs.

To be very clear, let me tell you my basic assumption again. All I've
hypothesized is that any server accepting incoming mail is a legitimate one. 
"Any server" meaning those that my users have sent real mail to in the past. 
Domain names and everything else are irrelevant to me, only the IP matters.
In fact I just use the whole /24 subnet.  And yes I've been doing this
already for two years.

My reason for whitelisting such servers at the MTA STAGE is that any number
of changing reasons might get the server blocked by RBLs, greylisted, PTR
might have accidentally changed to "bad" etc.  You can also use the data for
scoring in SA just like you would use any other "reputation" or whitelist
thing.

One is free to argue that this might or might not have any meaningful
"helping" effect.  Yet the same could be said for any number of rules and
checks that people use.  For my use, this brings no overhead or admin costs,
so it's a no-brainer here.  Others might want to keep things extremely
simple, or just sadly directly claim things "nonsense".

> My mail stream differs from yours, as does my spam problem.  The best,
> meticulously gathered statistics from one site won't be applicable to
> another site.

Of course. But you can generalize to some extent using common sense. Let's
theorize that dynamic looking IPs send mostly spam.  I'm pretty sure it's
true for many if not all sites.  Naturally the percentages might differ
some.

> Unfortunately the gut is what we have. My gut feeling is that SPF 
> lookups are the surest way to make this scheme work without causing 
> some kind of problem. Yes, my MX is also the outbound relay, but at
> bigger sites this is less likely.

My gut tells me that what I wish to whitelist using my method might rarely
use SPF. ;-) And I don't even care about the domains..

> Another gut feeling: greylisting is past its prime. I do it using
> postscreen, but I sometimes consider disabling the deep protocol tests. 
> The DNSBL scoring system is what blocks most of my spam.

Selective greylisting is a fine tool. It can reduce your DNS lookups and give
time for RBLs etc to catch up etc.  Generalizing that it's "past its prime"
might not be appropriate, since there are many pros and cons to consider for
different scenarios.  But please let's not start yet again another unneeded
greylisting debate, there has been plenty enough.  ;-)

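The scheme described in the message above (collect the IPs of servers that accepted outbound mail, widen each to its /24, whitelist those subnets at the MTA stage), sketched as an added example that is not part of the original post. It assumes Postfix-style `postfix/smtp` delivery log lines and emits Postfix `cidr:` access-table entries; the function names, the `min_deliveries` threshold and the sample log are constructed for illustration, and only IPv4 relays are handled.

```python
import ipaddress
import re
from collections import Counter

# Outbound delivery line from the Postfix smtp client (assumed log format):
#   ... postfix/smtp[pid]: QUEUEID: to=<rcpt>, relay=host[ip]:port, ..., status=sent
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^>]*>,.*?"
    r"relay=[^\[\s]+\[(?P<ip>[0-9.]+)\]:\d+,.*?status=sent"
)
# Relays that are local hops (content filters, internal smarthosts), not remote MXes.
# An explicit list is used so the documentation-range sample addresses are kept.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
Apr 17 10:00:01 mx postfix/smtp[2101]: 4A1B2C3D: to=<alice@example.org>, relay=mx1.example.org[198.51.100.25]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 17 10:02:13 mx postfix/smtp[2102]: 4A1B2C3E: to=<bob@example.org>, relay=mx2.example.org[198.51.100.77]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 17 10:05:40 mx postfix/smtp[2103]: 4A1B2C3F: to=<carol@example.net>, relay=mail.example.net[203.0.113.9]:25, delay=2.4, dsn=2.0.0, status=sent (250 Ok)
Apr 17 10:06:02 mx postfix/smtp[2104]: 4A1B2C40: to=<dave@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 17 10:07:55 mx postfix/smtp[2105]: 4A1B2C41: to=<erin@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=30, dsn=4.4.1, status=deferred (timed out)
Apr 17 10:08:10 mx postfix/smtpd[2200]: connect from unknown[192.0.2.200]
"""

def outbound_subnets(lines, min_deliveries=1):
    """Return sorted /24 networks that accepted at least min_deliveries messages."""
    counts = Counter()
    for line in lines:
        m = SENT_RE.search(line)
        if not m:
            continue  # inbound, deferred, bounced or unrelated line
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address in the log line
        if any(ip in net for net in LOCAL_NETS):
            continue  # local hop, says nothing about a remote server
        counts[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
    return sorted(net for net, n in counts.items() if n >= min_deliveries)

def cidr_table(subnets):
    """Render the subnets as Postfix cidr: access-table lines."""
    return [f"{net} OK" for net in subnets]

if __name__ == "__main__":
    print("\n".join(cidr_table(outbound_subnets(SAMPLE_LOG.splitlines()))))
```

Raising `min_deliveries` limits the list to subnets with repeated successful deliveries, which is one way to approximate "real mail" when a single accepted message is too weak a signal.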