On 05/01/2016 07:20 AM, jaso...@mail-central.com wrote:
> I'm clear this has been asked a gazillion times; feels like I've now read half
> the posts.
> For incoming mail that matches with high-confidence a known bot/mass-mailer
> restriction, is it 'best' to
> DISCARD or REJECT?
If the IP is on a blacklist I use, I just let the blacklist deal with it
via reject. I'm somewhat conservative with the blacklists, many of them
are too aggressive with adding IP addresses that aren't actually
spammers, and that's bad in my opinion.
Unfortunately that means I still get a lot of spam.
If the IP is not on a blacklist but I have received multiple spam messages
from it in a short period, I just block the IP at the firewall - but only
for three days. If it happens again then I firewall that IP for a week.
I prefer firewall because if an IP is acting badly, it may be hacked and
may try compromising other services I run.
Everything else I just let SpamAssassin assign a score to and let the
user receiving it filter how they see fit.
That's the way I handle it, may not be best.
-=-
Interestingly, I have one server fairly recently set up that breaks the
rules by only allowing TLS connections.
So far that has done an amazing job at preventing these mass mailers
from even connecting, with only a few legitimate connections rejected
(stuff like some wordpress blog notifications set up to use qmail with
no TLS have been rejected).
Of course it probably won't be too long until the mass mailers start
using TLS, but I'm enjoying the lower spam volume in the present ;)
-=-
For restrictions that are not IP based - I believe reject is better on
the off chance that the filters are wrong and it is false positive.
That way the sender can notify me of a problem. With just discard, they
don't know it never got to where it is going.
> But, for bots that are sending nasty -- and sometimes large --
> attachment payloads, is it wise/safe to let that attachment etc. onto
> my server at all? even if it's gonna get trashed?
It's just data; it can't act by itself, so yes, it is safe to accept the
whole thing and trash it.
You can't scan the payload with your malware checker if it isn't there,
but if you are so confident an IP is sending you bad stuff like that -
just firewall the IP to prevent it from trying to exploit other services
you have running.
In my opinion. Which others may have valid disagreements with.
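The escalating block described above (three days for a first offender, a week for a repeat) as an added example; this is not code from the thread. The hit threshold, the length of the "short period", and the ipset command format are assumptions.

```python
"""Escalating temporary firewall bans for repeat spam sources.

Added example modelling the policy in the reply: an IP that sends
several spam messages within a short window is blocked for three
days; if it offends again after that block expires, a week.
THRESHOLD, WINDOW and the ipset command are assumptions.
"""
from collections import defaultdict, deque

DAY = 86400
FIRST_BAN = 3 * DAY       # three days, as in the thread
REPEAT_BAN = 7 * DAY      # a week for a repeat offender
WINDOW = 3600             # assumption: "short period" = one hour
THRESHOLD = 3             # assumption: spam hits in WINDOW before blocking


class BanPolicy:
    def __init__(self):
        self.hits = defaultdict(deque)    # ip -> recent spam timestamps
        self.banned_until = {}            # ip -> unix time the ban expires
        self.offences = defaultdict(int)  # ip -> number of prior bans

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def record_spam(self, ip, now):
        """Register one spam message from ip at time now (unix seconds).

        Returns the ban length in seconds when a ban is triggered,
        otherwise None (below threshold, or already banned).
        """
        if self.is_banned(ip, now):
            return None               # the firewall is already dropping it
        recent = self.hits[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()          # forget hits outside the window
        if len(recent) < THRESHOLD:
            return None
        recent.clear()
        seconds = FIRST_BAN if self.offences[ip] == 0 else REPEAT_BAN
        self.offences[ip] += 1
        self.banned_until[ip] = now + seconds
        return seconds


def ipset_command(ip, seconds, setname="spamsrc"):
    # ipset timeouts expire entries on their own, so no cron cleanup is needed
    return f"ipset add {setname} {ip} timeout {seconds}"
```

The set referenced by ipset_command is assumed to already exist with timeout support and to be matched by a DROP rule in the firewall.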