On Aug 2, 2006, at 2:23 AM, MennovB wrote:
> John Andersen wrote:
>> The very trouble we are in with spam is caused by the fact that
>> spammers can hide behind several layers of ISPs and forwarders.
>> The very thing you suggest is the solution IS THE PROBLEM!
> I guess you get different spam than I get on my mailservers..
> Spam from ISPs' SMTP servers here is a rarity.
> Most of it comes directly from infected PCs at home or small sites.
> Sometimes there is a layer of relays in the header but that's almost
> always a fake one.
> When it comes from larger sites or even ISPs it's mostly from well
> known spam countries and they are already blocked here at the MTA level.
I have to completely agree with MennovB here.
The _most_ effective anti-spam technique I've implemented so far was:
Blocking addresses which have no PTR, can't verify the hostname in the
PTR has an A record, the A record doesn't resolve back to the
submitter's IP address, OR the hostname looks like a dynamic ISP client.
Adding that combination of rejections to my MIMEDefang filter is by
FAR the most effective anti-spam technique I'm using now, and that I've
ever used. (I allow SMTP-AUTH and specified and/or local IP addresses
as an exemption)
More effective than Greet-Pause of 30 seconds. More effective than
SBL+XBL. More effective than just using SpamAssassin. More effective
than all 3 of those used in combination. And, when using all 4 of them
together, I was able to drop the Greet-Pause to 3 seconds (basically
only stopping slammers), and didn't even notice a change in "what gets
through to me". 90% of what used to get caught by SBL+XBL now gets
caught by the DNS checks. 90% of what I was catching with the 30
second Greet-Pause is now caught with the DNS checks (and I don't have
to give exceptions for verizon or mac.com now because I was able to
lower it to 3 seconds). And there's now such a small trickle of
messages actually going to SA that my FN rate is about 1/week on a bad
week (so about 1/2000). My FP rate is about what it always has been
(1/month, but usually grouped about 3 together once every quarter ...
so about 1/9000).
Admittedly, this is at home, where I'm usually only getting 300
msgs/day. But, 3 days ago, there was that 2500 messages from one host
(see my note about defeating greylisting), that all got caught by the
DNS checks.
(I'm also testing this setup for possible use in MIMEDefang or
CommuniGate Pro filters at work, where it's more like 0.25-0.75 million
or so messages a day, depending on day of the week and such, so I can't
guarantee that it'll scale, but my testing and data gathering so far
says it should be just fine)
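The four-way rejection described above (no PTR, PTR name without an A record, A record not pointing back at the client, dynamic-looking hostname, with an exemption list checked first), as an added example that is not from this thread and not MIMEDefang code. It is written in Python against a constructed in-memory DNS table so it runs offline; the lookups are injected as functions so a real resolver can be swapped in, and the "looks like a dynamic client" heuristic is an assumption of this example, not the poster's actual rule.

```python
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample DNS records (not real hosts) so the example runs offline.
# In production these would come from live PTR and A lookups.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",              # clean forward-confirmed rDNS
    "192.0.2.20": "c-192-0-2-20.dyn.isp.example",  # dynamic-looking client
    "192.0.2.30": "mx.forged.example",             # PTR whose A record points elsewhere
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
    "c-192-0-2-20.dyn.isp.example": ["192.0.2.20"],
    "mx.forged.example": ["198.51.100.5"],
}

# Assumed heuristic for "looks like a dynamic ISP client": a generic-access
# label, or the client's own address octets embedded in the hostname.
DYNAMIC_LABELS = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|ppp|dsl|cable|pool)(\d|[.-])", re.I)

def looks_dynamic(hostname: str, ip: str) -> bool:
    if DYNAMIC_LABELS.search(hostname):
        return True
    octets = ip.split(".")
    return any(sep.join(octets) in hostname for sep in (".", "-"))

def check_client(ip: str,
                 ptr_lookup: Callable[[str], Optional[str]],
                 a_lookup: Callable[[str], List[str]],
                 exempt: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (accept, reason) for a connecting SMTP client address.

    Exempt addresses (SMTP-AUTH clients, local/listed IPs) are accepted
    before any DNS lookup; the four rejections are then applied in order.
    """
    if ip in set(exempt):
        return True, "exempt"
    name = ptr_lookup(ip)
    if not name:
        return False, "no PTR record"
    addrs = a_lookup(name.rstrip("."))
    if not addrs:
        return False, "PTR hostname has no A record"
    if ip not in addrs:
        return False, "A record does not resolve back to client"
    if looks_dynamic(name, ip):
        return False, "hostname looks like a dynamic client"
    return True, "forward-confirmed reverse DNS ok"

def sample_resolver():
    """Lookup functions backed by the constructed table above."""
    return SAMPLE_PTR.get, (lambda host: SAMPLE_A.get(host, []))
```

Each rejection reason maps naturally onto a distinct SMTP 5xx response text, which makes it easy to count how much each of the four checks is catching, the way the post compares them against SBL+XBL and Greet-Pause.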