On 17.03.09 14:02, Michael Hutchinson wrote:
> I'm running Spamassassin 3.1.7, with netqmail 1.05, ClamAv etc..

ooooold ! The current SA version is 3.2.5 - upgrade.

> We've been subject to being joe-jobbed on one of our domains here at
> work. We were lucky as we were able to switch off delivery to the
> affected domain and effectively blocked the blowback by refusing E-Mail
> from all the Postmasters around the world sending NDR's and so forth to
> the now non-existent mailboxes.

> This was a far-from-optimal solution, as I'm sure many people will be
> wanting to point out already, what if we needed that domain to still
> receipt legitimate E-Mail... 
> We initially tried 'riding out the storm' as it were, but were unable to
> keep on top of the load put on the servers by excessive E-Mail messages
> requiring scanning by SA. This got so bad that the mailserver had become
> unresponsive to our clients.

qmail is known for bouncing, instead of rejecting unknown recipients at
SMTP level. You filter unknown recipients? If not, this is your problem.

> I removed a bunch of our own site rules (which were going to be whittled
> away anyhow) to decrease the average scantime of E-Mails by Spamassassin
> - this did work, for about 15 minutes. Then, an average scantime of 4
> seconds was not good enough - clients still denied SMTP (too busy). 
> I decided (wrongly) to implement the Vbounce plugin. Read the install
> doc, got it setup, tested SA with debug and lint, everything appeared to
> test OK. Put it into practice by reloading SA and then Wang! Average
> scantimes hit the roof: 38 seconds.
> Needless to say I disabled the plugin. Although whilst it was running,
> it did appear to be doing the job correctly according to my mail logs -
> and there were no errors.
> So we blocked the domain. 
> 
> I am interested to know the following:
> Has anyone else had this kind of result when installing the Vbounce
> plugin? (largely increased scantimes)

I have not, but I use newer SpamAssassin.

> How might I keep delivery flowing to valid recipients for the domain
> (smarthosted (smtproutes) to exchange) but reject the blowback at SMTP
> time? 

So you do NOT reject invalid recipients? Change qmail, or at least its SMTP
server. There are afaik some that can do that.

And, optionally, consider some rules of rejecting before queuing - block
invalid HELO strings, senders in some reliable blacklists etc.

> I was considering convincing the powers to let me setup SPF, but their
> requirement would be to have both v1 and v2 spf tags - and I'm not sure
> whether Q-Mail is up to both yet, but some kind of SPF implementation
> where we check the tags (not necessarily publish them) but I guess
> that's an MTA question:)

Forget SPF v2. Use v1 but don't expect huge results, there are still many
SMTP servers not checking the SPF...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
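
The RCPT-time rejection suggested in the reply above, as an added example that is not part of the original message and is not qmail code: unknown recipients get a 550 before DATA, so blowback to non-existent mailboxes never reaches the content scanner, while bounces to real users still get through. The recipient list, the example.com addresses and all function names are constructed for illustration.

```python
# Added illustration: decide at RCPT TO, before DATA, whether a message may
# enter the queue. Assumption: the gateway holds an exported list of the valid
# mailboxes on the backend server it relays to.
VALID_RCPTS = {"alice@example.com", "bob@example.com", "postmaster@example.com"}


def normalize(addr):
    """Strip angle brackets and lowercase; return '' unless exactly one '@'."""
    addr = addr.strip().strip("<>").lower()  # assumption: case-insensitive mailboxes
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return ""
    return addr


def rcpt_reply(rcpt, valid=VALID_RCPTS):
    """SMTP reply for one RCPT TO: 250 accept, 550 unknown user, 501 bad syntax."""
    addr = normalize(rcpt)
    if not addr:
        return 501, "5.1.3 Bad recipient address syntax"
    if addr not in valid:
        return 550, "5.1.1 No such user here"
    return 250, "2.1.5 Ok"


def run_session(mail_from, rcpts, valid=VALID_RCPTS):
    """Return (replies, data_accepted). DATA, and so the spam scan, only
    happens when at least one recipient was accepted. The null sender '<>'
    used by bounces is not blocked as such: a bounce to a real user is valid."""
    replies = [rcpt_reply(r, valid) for r in rcpts]
    return replies, any(code == 250 for code, _ in replies)


def scan_load(sessions, valid=VALID_RCPTS):
    """Count the sessions whose message body would reach the content scanner."""
    return sum(1 for sender, rcpts in sessions if run_session(sender, rcpts, valid)[1])


# Constructed sample of a blowback burst mixed with legitimate mail.
SAMPLE = [
    ("<>", ["<qx81z@example.com>"]),       # bounce to a forged, unknown address
    ("<>", ["<sales77@example.com>"]),     # same
    ("<>", ["<Alice@Example.com>"]),       # bounce to a real user: accepted
    ("<carol@example.org>", ["<bob@example.com>", "<nobody@example.com>"]),
    ("<>", ["<broken-address>"]),          # syntactically invalid recipient
]

if __name__ == "__main__":
    for sender, rcpts in SAMPLE:
        print(sender, rcpts, run_session(sender, rcpts))
    print("messages reaching the scanner:", scan_load(SAMPLE), "of", len(SAMPLE))
```
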