>>>>> "JL" == John L <[EMAIL PROTECTED]> writes:

JL> Does anybody have a good list of SPAMMER IPs they'd like to share for
JL> blocking at the firewall?

JL> We have one mail server we're hosting that is just getting crushed
JL> running SA.

The best strategy is to reduce what gets sent to SA, and then to rate
limit the number of simultaneous SA processes running.

For reducing what gets in, there are quite a few things you can do in
your MTA, before the message enters your system:

1) reject mail for non-existent addresses.  do not accept then bounce
   them.

2) reject mail FROM non-existent domains.  these messages are a)
   non-bounceable, and b) non-replyable.

3) reject mail if the remote server claims to be you.  eg, if your
   host name is foo.example.com and your IP is 10.10.10.9, then if the
   HELO greeting is either one of them, reject the mail.  Naturally,
   exempt your local host from this test.

If you're a bit more bold, try these:

4) reject mail if the HELO name in the SMTP transaction is not FQDN or
   is an IP address.

5) use a DNSBL such as DSBL.  This only lists open relays/proxies, and
   there is pretty much never a good reason to accept mail from these
   sources.

6) consider using the SBL at the MTA level.  it is fairly
   conservative, but they do occasionally list things you may not
   agree with.  they are not as much the shoot first, never ask
   questions type of list, but they still tend to shoot first ;-)

7) implement a gray-listing mechanism: temporarily reject the initial
   connection from any IP address, then allow it after some period of
   time.

whatever passes these tests can then be accepted into your system and
scanned by SA.

with these simple rules, I *reject* nearly 75-90% of the mail
attempted to be sent to my servers daily.  Most of the rejects are to
bogus addresses (ie, dictionary attack) and/or with bad HELO greeting
claiming to be me.  I end up scanning just a few thousand messages per
day.

One more thing you may wish to do is bypass scanning of mailing list
mail.  For me, this reduces scanning load by nearly 50%, since most of
my mail is list mail.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: [EMAIL PROTECTED]       Rockville, MD       +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/
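
The HELO tests in items 3 and 4 and the gray-listing in item 7, sketched as one pre-acceptance decision function. This is an added example, not part of the original message and not any MTA's own code. The host name and IP come from the example in item 3; the function name, the reply codes, the reason strings and the 300-second delay are assumptions.

```python
import ipaddress
import re

# Local identity from the example in item 3; everything else here is assumed.
MY_NAMES = {"foo.example.com"}
MY_IPS = {"10.10.10.9"}
LOCAL_CLIENTS = {"127.0.0.1", "::1", "10.10.10.9"}  # exempt from all tests
GREYLIST_DELAY = 300  # seconds; assumed, the message gives no figure

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _as_ip(helo):
    """Return the address if HELO is a bare or bracketed IP literal, else None."""
    text = helo.strip("[]")
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def _is_fqdn(helo):
    """True if HELO has at least two syntactically valid DNS labels."""
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_connection(client_ip, helo, now, first_seen):
    """Return (smtp_code, reason); first_seen maps client IP -> first attempt time."""
    if client_ip in LOCAL_CLIENTS:
        return 250, "ok"
    helo_ip = _as_ip(helo)
    # Item 3: a remote host greeting with our own name or IP is rejected.
    if helo.rstrip(".").lower() in MY_NAMES or helo_ip in MY_IPS:
        return 550, "HELO claims to be this host"
    # Item 4: the HELO name must be a FQDN, not an IP address.
    if helo_ip is not None:
        return 550, "HELO is an IP address"
    if not _is_fqdn(helo):
        return 550, "HELO is not a FQDN"
    # Item 7: temporary failure until the delay since first contact has passed.
    started = first_seen.setdefault(client_ip, now)
    if now - started < GREYLIST_DELAY:
        return 451, "greylisted, try again later"
    return 250, "ok"
```

Only connections that pass the HELO tests are entered in `first_seen`, so hosts rejected outright never occupy gray-list state.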


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
