Dan Barker wrote:
> I guess rnaiewno.com is the HELO or some such, because it sure isn't a name from 66.0! I guess I'm just screwed. We went from 2k emails a day (1900 spam) to 4K with the latest worm, and SA doesn't appear to be able to help at all. Sigh.
>
> Dan

Dan, I have to agree with Matt here. Greylisting is the way to go. I recently implemented greylisting under the following conditions:

1. Sending host uses IP address in HELO
2. Sending host uses my domain name in HELO
3. Sending host's address fails reverse DNS
4. Sending host's address is in APNIC or LACNIC
Doing this has utterly decimated the number of spams and viruses we have to deal with. For instance, I hear that some companies have seen lots of viruses over the last couple of days. Yesterday, out of almost 3000 incoming emails, only 33 had executable attachments. Meanwhile, greylisting blocked almost 800 emails from being received. There's no way of knowing how many of those 800 were spam versus virii, but the number for the same day last week was only 540 so I think it is safe to say that there were hundreds of virii in that figure. Remember as well that since you are implementing this on the MTA before the data is sent, you are saving tons of bandwidth as well as processing and storage resources. It's enough to make a sysadmin dance a little jig just thinking about it.
Kevin
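The selective greylisting Kevin describes, as an added example that is not part of the thread and not Kevin's actual MTA configuration. It has two parts: a selector that applies his four conditions (HELO is an IP literal, HELO claims our own domain, reverse DNS failed, address allocated by APNIC or LACNIC) to decide whether a connecting host gets greylisted at all, and a minimal greylist that answers a 451 temporary failure the first time it sees a (client network, sender, recipient) triplet and accepts a retry only after a delay. The RIR table is a constructed stand-in using documentation prefixes (a real deployment would consult the RIR delegation files or a GeoIP database), the 5-minute delay and 4-hour retry window are assumed values, and keying on the /24 is a design choice so a retry from a neighbouring host in the same sending pool still matches.

```python
"""Selective greylisting policy (added example; assumptions marked below)."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: constructed RIR table over documentation prefixes.  The labels
# are made up for the example; they are not real allocations.
CONSTRUCTED_RIR_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "ARIN",
    ipaddress.ip_network("198.51.100.0/24"): "APNIC",
    ipaddress.ip_network("203.0.113.0/24"): "LACNIC",
}
GREYLIST_RIRS = {"APNIC", "LACNIC"}
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


def rir_for(ip, table=CONSTRUCTED_RIR_TABLE):
    """Longest-match-free lookup: return the RIR label for ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, rir in table.items():
        if addr in net:
            return rir
    return None


def helo_is_ip_literal(helo):
    """Condition 1: HELO is a bare or bracketed IP address (v4 or v6)."""
    h = helo.strip()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def helo_uses_my_domain(helo, my_domains):
    """Condition 2: HELO claims to be one of our own domains or a host under it."""
    h = helo.strip().lower().rstrip(".")
    for d in my_domains:
        d = d.lower()
        if h == d or h.endswith("." + d):
            return True
    return False


def greylist_reasons(client_ip, helo, my_domains, rdns_ok, rir_lookup=rir_for):
    """Return the list of conditions that trigger greylisting; empty means pass."""
    reasons = []
    if helo_is_ip_literal(helo):
        reasons.append("helo-is-ip-literal")
    if helo_uses_my_domain(helo, my_domains):
        reasons.append("helo-uses-my-domain")
    if not rdns_ok:                      # condition 3: reverse DNS failed
        reasons.append("reverse-dns-failed")
    if rir_lookup(client_ip) in GREYLIST_RIRS:   # condition 4
        reasons.append("address-in-apnic-or-lacnic")
    return reasons


@dataclass
class Greylist:
    """Triplet store: first contact gets 451, a retry after `delay` gets 250."""
    delay: int = 300              # assumed: seconds a new triplet must wait
    retry_window: int = 4 * 3600  # assumed: forget a triplet never retried in this time
    seen: dict = field(default_factory=dict)  # triplet -> first-seen timestamp

    @staticmethod
    def _key(client_ip, sender, rcpt):
        # Design choice: key on the /24 (or /64 for IPv6) so a retry from
        # another host in the same sending pool still matches the triplet.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        key = self._key(client_ip, sender, rcpt)
        first = self.seen.get(key)
        if first is None or now - first > self.retry_window:
            self.seen[key] = now        # new (or stale) triplet: start the clock
            return TEMPFAIL
        if now - first < self.delay:    # retried too soon: keep deferring
            return TEMPFAIL
        return ACCEPT


def smtp_decision(client_ip, helo, sender, rcpt, rdns_ok, greylist, now,
                  my_domains=("example.com",)):
    """RCPT-time verdict: hosts matching none of the conditions bypass the greylist."""
    if not greylist_reasons(client_ip, helo, my_domains, rdns_ok):
        return ACCEPT
    return greylist.check(client_ip, sender, rcpt, now)


if __name__ == "__main__":
    g = Greylist()
    # Constructed session: IP-literal HELO, no rDNS, from the "LACNIC" prefix.
    print(smtp_decision("203.0.113.5", "[203.0.113.5]", "a@b.test", "c@example.com", False, g, 1000))
    print(smtp_decision("203.0.113.7", "[203.0.113.7]", "a@b.test", "c@example.com", False, g, 1400))
```

The verdict is returned before the DATA phase, which is where the bandwidth and storage saving Kevin mentions comes from: a deferred client never transmits the message body. A production setup would also auto-whitelist triplets (or client networks) that have passed once, so legitimate senders are delayed only on first contact.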