>>>>> "JL" == John L <[EMAIL PROTECTED]> writes:
JL> Does anybody have a good list of SPAMMER IP's they'd like to share for
JL> blocking at the firewall?

JL> We have one mail server we're hosting that is just getting crushed
JL> running SA.

The best strategy is to reduce what gets sent to SA, and then to rate limit the number of simultaneous SA processes running.

For reducing what gets in, there are quite a few things you can do in your MTA, before the message enters your system:

1) reject mail for non-existent addresses. do not accept then bounce them.

2) reject mail FROM non-existent domains. these messages are a) non-bounceable, and b) non-replyable.

3) reject mail if the remote server claims to be you. e.g., if your host name is foo.example.com and your IP is 10.10.10.9, then if the HELO greeting is either one of them, reject the mail. Naturally, exempt your local host from this test.

If you're a bit more bold, try these:

4) reject mail if the HELO name in the SMTP transaction is not FQDN or is an IP address.

5) use a DNSBL such as DSBL. This only lists open relays/proxies, and there is pretty much never a good reason to accept mail from these sources.

6) consider using the SBL at the MTA level. it is fairly conservative, but they do occasionally list things you may not agree with. they are not as much the shoot first, never ask questions type of list, but they still tend to shoot first ;-)

7) implement a gray-listing mechanism: temporarily reject the initial connection from any IP address, then allow it after some period of time.

whatever passes these tests can then be accepted into your system and scanned by SA.

with these simple rules, I *reject* nearly 75-90% of the mail attempted to be sent to my servers daily. Most of the rejects are to bogus addresses (i.e., dictionary attack) and/or with bad HELO greeting claiming to be me. I end up scanning just a few thousand messages per day.

One more thing you may wish to do is bypass scanning of mailing list mail.
For me, this reduces scanning load by nearly 50%, since most of my mail is list mail.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: [EMAIL PROTECTED]       Rockville, MD       +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/
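The HELO tests (3 and 4) and the gray-listing step (7) from the message above, sketched as a pre-queue policy function. This is an added example, not part of the original post and not any MTA's own code. The host name and IP come from the post's example; the function names, reply strings and the 300-second delay are assumptions.

```python
import ipaddress
import re

MY_NAMES = {"foo.example.com"}              # host name from the post's example
MY_IPS = {"10.10.10.9"}                     # IP from the post's example
LOCAL_CLIENTS = {"127.0.0.1", "10.10.10.9"} # exempt from the HELO tests
GREYLIST_DELAY = 300                        # seconds; constructed value

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_ip_literal(helo):
    """True for a bare IP or an address literal such as [192.0.2.1]."""
    lit = helo.strip("[]")
    if lit.lower().startswith("ipv6:"):
        lit = lit[5:]
    try:
        ipaddress.ip_address(lit)
        return True
    except ValueError:
        return False

def is_fqdn(helo):
    """At least two well-formed DNS labels (syntax only, no DNS lookup)."""
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def check_helo(client_ip, helo):
    """Tests 3 and 4: return an SMTP reject string, or None to continue."""
    if client_ip in LOCAL_CLIENTS:
        return None
    name = helo.strip().lower()
    if name.rstrip(".") in MY_NAMES or name.strip("[]") in MY_IPS:
        return "550 HELO claims to be this host"
    if is_ip_literal(name):
        return "550 HELO is an IP address"
    if not is_fqdn(name):
        return "550 HELO is not a fully qualified domain name"
    return None

def greylist(seen, client_ip, now):
    """Test 7: defer an IP's first attempt, accept retries after the delay."""
    first = seen.setdefault(client_ip, now)
    if now - first < GREYLIST_DELAY:
        return "451 greylisted, try again later"
    return None

def decide(seen, client_ip, helo, now):
    """Cheap HELO tests first; only clients that pass reach the greylist."""
    return check_helo(client_ip, helo) or greylist(seen, client_ip, now) or "250 OK"
```

Only sessions that get `250 OK` here would go on to be scanned by SA; `seen` is a plain dict standing in for whatever persistent store the MTA uses.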