Hi,

On Tue, 12 Aug 2003 17:10:15 -0500 Mike Grau <[EMAIL PROTECTED]>
wrote:

> on 08/12/2003 02:07 PM Bob Apthorpe wrote:
> 
> > 
> > Has someone explained to him what a horrible idea this is? Spam is usually
> > forged to look like it came from a non-existent or innocent address and
> > bouncing the spam just adds to network burden and implicit
> > denial-of-service attacks on those whose addresses are forged into the
> > mail.
> > 
> 
> Nah, it's a great idea. As long as by 'bounce' you mean 'reject'
> as Bob says. When I say 'bounce' I mean 'reject' and innocents
> aren't hurt by this any more than any reject for any other reason.
> You don't accept email addressed to a user that doesn't exist.

Urgh. 'bounce' != 'reject'. Misappropriation of verbiage makes my head
hurt.

But back on topic, here's more confirmation (as of June) that your
choices with Postfix + SA are a) accept and deliver, b) accept and
discard, or c) accept and generate DSN (bounce):

http://msgs.securepoint.com/cgi-bin/get/postfix0306/841/2/1/1.html

The trick is to reject the mail as far upstream as possible, noting that
SA eats more resources than Postfix. Conservatively, I'd use some DNSBLs
(opm.blitzed.org, proxies.relays.monkeys.com, zombie.dnsbl.sorbs.net,
dynablock.easynet.nl - you shouldn't see mail from anything listed on
these DNSBLs[1]), and turn on reject_unauth_pipelining,
reject_unknown_sender_domain, and maybe reject_unknown_client (still far
too many mail servers with no rDNS.) Throw in a multiline SMTP banner
such as:

smtpd_banner = $myhostname ESMTP $mail_name\n
        By sending mail to this server, you agree to abide by the terms\n
        and conditions set forth on http://www.example.com/aup/\n
        Do not send unsolicited bulk mail to this server.\n
        All transactions are logged and security incidents are reported.\n
        Please use our mail system responsibly.\n
                                
# ^^^^ four tabs

and you'll kill off a surprising amount of spam. You may need a very
recent (or patched) version of Postfix to make this work. If you can
greylist (tempfail) with a 5 minute blackout period, all the better
(this too requires a very fresh version of Postfix.) Whatever you do,
just don't send the spam back to the apparent sender once you've
accepted it.

-- Bob

[1] Maybe you'll see something legit on the dynablock list once every
two years; some poor bastard Linux user in the Upper Peninsula or
Nebraska, trapped on the lone and incompetent ISP in the
county/province/nation.
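
Added example, not part of the original message and not Postfix or SpamAssassin code: a sketch of the greylisting (tempfail) decision with the 5 minute blackout mentioned above, made at RCPT TO time so the refusal is an SMTP reply to the connecting client and never a DSN to a forged sender. The Greylist class, the /24 and /64 keying, the 36 day expiry and the reply texts are assumptions chosen for illustration.

```python
import ipaddress

BLACKOUT_SECONDS = 5 * 60              # the 5 minute blackout from the message
RECORD_TTL_SECONDS = 36 * 24 * 3600    # assumption: forget idle triplets after 36 days

TEMPFAIL = "450 4.7.1 Greylisted, try again later"   # constructed reply text
ACCEPT = "250 2.1.5 Ok"                              # constructed reply text


class Greylist:
    """Tracks (client network, envelope sender, envelope recipient) triplets."""

    def __init__(self, blackout=BLACKOUT_SECONDS, ttl=RECORD_TTL_SECONDS):
        self.blackout = blackout
        self.ttl = ttl
        self.first_seen = {}   # triplet -> time of the first attempt
        self.last_seen = {}    # triplet -> time of the most recent attempt

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Assumption: key on the client's /24 (IPv4) or /64 (IPv6) so a retry
        # from a neighbouring host in a sending pool matches the first attempt.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net.network_address), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply to give at RCPT TO; `now` is in seconds."""
        key = self.triplet(client_ip, sender, recipient)
        first = self.first_seen.get(key)
        # Unknown or expired triplet: record it and tempfail the attempt.
        if first is None or now - self.last_seen[key] > self.ttl:
            self.first_seen[key] = self.last_seen[key] = now
            return TEMPFAIL
        self.last_seen[key] = now
        # Retries inside the blackout window are still refused with a 4xx,
        # which a real MTA queues and retries; most spamware does not.
        if now - first < self.blackout:
            return TEMPFAIL
        return ACCEPT


if __name__ == "__main__":
    g = Greylist()
    for t in (0, 120, 301):   # constructed attempt times in seconds
        print(t, g.check("192.0.2.10", "a@example.org", "user@example.com", t))
```
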


Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
