On Fri, 2006-09-29 at 11:20 -0400, Michel Vaillancourt wrote:
> Ramprasad wrote:
> > On Fri, 2006-09-29 at 08:12 -0400, Michel Vaillancourt wrote:
> >> Ramprasad wrote:
> >>> Why not SPF ??
> >> Over two thirds of the email I receive that is UCE/Spam has an
> >> "SPF_PASS" associated with it from SA. All SPF seems to do is make the
> >> "stupid" spammers look more stupid. The clever ones aren't affected.
> >>
> > I have a script that automatically blocks SPF-pass domains sending spam
> > consistently. you could make good use of the SPF_PASS too.
> >
>
> Care to share? This would be very handy.
>

This is a Perl script, part of a larger module. And not exactly worth sharing. But the idea is very simple:

* A cron script on each machine parses the logs for SPF_PASS mails with SA score above 15 and puts the messages' log lines in a file in the http area
* The rbldns server wgets all files from the different servers and finds the top sender domains who send spam
* Delete all whitelisted domains from the list and those domains who are also sending a lot of ham to correct ids (I get this from a mysql db query to my reports db)
* Put the remaining into the rbldns blacklist and restart the rbldns server for postfix to use these

> >>> What is the point accepting the mail and the entire data and then
> >>> scanning for DK when It should have ideally been rejected after
> >>> "mail from:"
> >>>
> >> That would be the exact point of DK at the Postfix/ MTA level.
> >
> > How. All the while I thought dkfilter helps me block after dataend ? Do
> > I have to RTFM again ?
> >
> My mistake.. this one runs as a content filter. The same author is
> working on a DKIM Proxy that would be your first point-of-contact and handle
> the "mail from" intercept. I got confused.
>
> >
> >>> So I let SA do the testing .. which catches the spams but eats resources
> >>> of my servers. When you receive 3-5 million mails a day you tend to
> >>> bother more about resources
> >>>
> >> I would humbly submit to you that if you move that much traffic, you
> >> should be able to justify one more MX machine in the pool and implementing
> >> DK.
> >>
> > We have 8 dual xeons already. for this much traffic. And servers are
> > always loaded with all kinds tests enabled in SA
> >
> I'm curious... what is the RAM/ MHz spec of your machines? 5M mail/day
> is 7 mail per second per machine... at a median 8 seconds mail handle time,
> that is 57 mail in the pipes at any one time... 50Mb for SA or anti-virus
> per message works to about 3Gb of RAM in use. I can see your concern.
> However, again, I'd say that even two more machines in the pool would bring
> that down to ~2GB of RAM in use per machine, and that should give you the
> cycles and memory to run SPF queries as well as DK filters.
>

4GB RAM, 3GHz x 2 xeon with HT

But I think you too would know mail never comes uniformly at 7/s. There are peak times when my mailservers touch 43k/hour while in the nights they may be sleeping with the rest of us. And at peak times the mail delay starts killing us. (That's exactly when I start sending 450 to bad domains)

> I do understand the notion your boss might not be willing to put
> another $5K down to deal with the problem. However, as anyone can attest
> to, good customer service costs money to provide.
>
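
The four steps listed in the message above (count SPF_PASS mail scoring above 15 per MX, merge the counts, drop whitelisted and ham-heavy domains, emit the blacklist), as an added Python example that is not Ramprasad's Perl script. The log line format, `MIN_SPAM`, `MAX_HAM_RATIO`, the sample domains and the plain one-domain-per-line output are assumptions; only the score threshold of 15 comes from the post.

```python
import re
from collections import Counter

# Constructed log format (an assumption, not a real SpamAssassin/Postfix format).
LINE_RE = re.compile(
    r"from=<[^@>]*@(?P<domain>[^>\s]+)>\s+score=(?P<score>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>\S*)")
SCORE_THRESHOLD = 15.0  # from the post: SA score above 15
MIN_SPAM = 2            # assumption: hits needed before a domain counts as "consistent"
MAX_HAM_RATIO = 0.5     # assumption: ham/spam ratio above which a domain is spared

def spf_pass_spam_domains(lines):
    """Per-MX step: count sender domains of SPF_PASS mail scoring above the threshold."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if "SPF_PASS" in m.group("tests").split(",") and float(m.group("score")) > SCORE_THRESHOLD:
            counts[m.group("domain").lower().rstrip(".")] += 1
    return counts

def build_blacklist(per_server_counts, whitelist, ham_counts):
    """Aggregator step: merge counts, drop whitelisted and ham-heavy domains."""
    total = Counter()
    for counts in per_server_counts:
        total.update(counts)
    spared = {d.lower() for d in whitelist}
    return sorted(
        domain for domain, spam in total.items()
        if spam >= MIN_SPAM
        and domain not in spared
        and ham_counts.get(domain, 0) / spam <= MAX_HAM_RATIO)

# Constructed sample data (reserved .example names), one list per MX.
MX1_LOG = [
    "from=<a@bulk-offers.example> score=22.4 tests=SPF_PASS,URIBL_BLACK",
    "from=<b@bulk-offers.example> score=18.0 tests=SPF_PASS",
    "from=<c@bulk-offers.example> score=9.0 tests=SPF_PASS",
    "from=<news@shop.example> score=16.1 tests=SPF_PASS",
    "from=<x@nospf.example> score=30.0 tests=SPF_FAIL",
    "from=<e@partner.example> score=16 tests=SPF_PASS"]
MX2_LOG = [
    "from=<d@bulk-offers.example> score=19.9 tests=HTML_MESSAGE,SPF_PASS",
    "from=<news@shop.example> score=17.0 tests=SPF_PASS",
    "from=<news@shop.example> score=15.5 tests=SPF_PASS",
    "from=<f@partner.example> score=21.3 tests=SPF_PASS"]
WHITELIST = {"partner.example"}
HAM_COUNTS = {"shop.example": 40}  # stands in for the reports-db query

if __name__ == "__main__":
    per_server = [spf_pass_spam_domains(MX1_LOG), spf_pass_spam_domains(MX2_LOG)]
    print("\n".join(build_blacklist(per_server, WHITELIST, HAM_COUNTS)))
```

The ham check is what keeps a legitimate bulk sender with a valid SPF record off the list: `shop.example` crosses the spam threshold but is spared because it also delivers far more ham.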