On Fri, May 22, 2009 at 9:06 AM, McDonald, Dan <dan.mcdon...@austinenergy.com> wrote:
> On Fri, 2009-05-22 at 14:14 +0200, Arvid Ephraim Picciani wrote:
>> Greetings.
>> I'm thinking of implementing:
>> - greylisting
>
> Very effective. I cut my incoming mail by about 80% when we put up
> greylisting. I'm using sqlgrey.
>
>> - honeypots
>> - rejecting broken HELO at SMTP time (such as "MUMS_XP_BOX")
>
> We had too many false positives when I did that. In particular,
> Exchange administrators seem to be completely incapable of setting the
> HELO name to something sane.

Although I would have agreed with that a couple of years ago, in the past several months I have been scoring very high on retarded HELO names with good results. I think the tide is turning: more and more admins are finally getting a clue, and more sites are blocking or scoring highly on misconfiguration. I may start blocking at the MTA; the score I'm giving is essentially a block already.

>> - rejecting dynamic IPs at SMTP time (PBL)
>> - firewalling hosts with 100% spam, forever.
>
>> I'm getting lots of it from zombies, so I wonder if it's legitimate to scan
>> the sender before accepting. For example, if it blocks ICMP, it's very
>> likely a home router.
>
> Any sane enterprise server administrator will block external ICMP.
> I would recommend that you use p0f and a tool like BOTNET.pm to detect
> zombies - if they have messed up DNS and are running Windows, then it's
> a bot...
>
>> But I have no data on that, and no clue.
>> Spamhaus has only about half of the zombies. PBL even lacks half of the
>> German dialup ISPs. I'm thinking I need my own techniques to build such
>> lists.
>>
>> Thanks.
> --
> Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
> www.austinenergy.com
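The HELO sanity checks the thread is arguing about, written out as an added example (this is not code from any message in the thread, nor from sqlgrey, p0f or BOTNET.pm). It applies the RFC 5321 syntax rules to the HELO/EHLO argument (fully qualified hostname or bracketed address literal), flags a client that greets the server with the server's own name or address, and turns the findings into a score with a reject threshold, so the same checks can be used either to score, as the reply above does, or to block outright at the MTA. The hostnames, addresses and sample greetings are constructed; the weights and the threshold are arbitrary assumptions and would be tuned against real traffic.

```python
import ipaddress
import re

# Names and addresses the receiving MTA itself answers to. A client that
# greets us with one of these is not us, so it is lying. Constructed sample
# values, not anything from the thread.
OUR_NAMES = {"mx.example.net", "mail.example.net"}
OUR_IPS = {"192.0.2.25"}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters. Underscores (as in "MUMS_XP_BOX") are not allowed.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Pseudo-TLDs that only turn up in HELOs from hosts never meant to send
# mail directly to the Internet.
BOGUS_TLDS = {"local", "localdomain", "lan", "localhost", "internal", "home"}

# Arbitrary score at or above which the greeting would be rejected (assumption).
REJECT_THRESHOLD = 5.0


def helo_problems(helo, client_ip):
    """Return [(reason, weight), ...] for a HELO/EHLO argument.

    An empty list means the argument is syntactically a valid FQDN or address
    literal and does not impersonate us. It can still be a lie; catching that
    is what rDNS comparison and OS fingerprinting with p0f are for.
    """
    h = helo.strip()
    if not h:
        return [("empty HELO", 5.0)]

    # RFC 5321 address literal: [192.0.2.1] or [IPv6:2001:db8::1]
    if h.startswith("[") and h.endswith("]"):
        inner = h[1:-1]
        if inner[:5].lower() == "ipv6:":
            inner = inner[5:]
        try:
            literal = ipaddress.ip_address(inner)
        except ValueError:
            return [("malformed address literal", 5.0)]
        if str(literal) in OUR_IPS:
            return [("claims to be our own IP", 5.0)]
        if literal != ipaddress.ip_address(client_ip):
            return [("address literal does not match connecting IP", 2.0)]
        return []

    # A bare IP without brackets is not a valid HELO argument at all.
    try:
        ipaddress.ip_address(h)
        return [("bare IP address without brackets", 3.0)]
    except ValueError:
        pass

    problems = []
    labels = h.split(".")
    if len(labels) < 2:
        problems.append(("not fully qualified (no dot)", 2.0))
    bad = [lab for lab in labels if not LABEL_RE.match(lab)]
    if bad:
        problems.append((f"invalid label {bad[0]!r}", 3.0))
    if h.lower() in OUR_NAMES:
        problems.append(("claims to be our own hostname", 5.0))
    if labels[-1].lower() in BOGUS_TLDS:
        problems.append(("non-routable TLD", 3.0))
    return problems


def helo_verdict(helo, client_ip):
    """Sum the weights and return ("reject", score) or ("accept", score)."""
    score = sum(w for _, w in helo_problems(helo, client_ip))
    return ("reject" if score >= REJECT_THRESHOLD else "accept", score)


# Constructed greetings: (HELO argument, connecting IP).
SAMPLE_GREETINGS = [
    ("MUMS_XP_BOX", "203.0.113.5"),       # bare Windows machine name
    ("mx.example.net", "203.0.113.5"),    # claims to be us
    ("[192.0.2.25]", "203.0.113.5"),      # claims to be our IP
    ("203.0.113.5", "203.0.113.5"),       # IP without brackets
    ("[203.0.113.5]", "203.0.113.5"),     # valid literal matching the client
    ("smtp.example.org", "203.0.113.5"),  # ordinary FQDN
    ("pc-17.local", "203.0.113.5"),       # Bonjour/AD-style pseudo-TLD
]

if __name__ == "__main__":
    for helo, ip in SAMPLE_GREETINGS:
        verdict, score = helo_verdict(helo, ip)
        reasons = "; ".join(r for r, _ in helo_problems(helo, ip)) or "ok"
        print(f"{verdict:6} {score:4.1f}  HELO {helo!r:20} from {ip}: {reasons}")
```

In Postfix the syntactic part of this is `reject_invalid_helo_hostname` and `reject_non_fqdn_helo_hostname` under `smtpd_helo_restrictions`, and the own-name check is normally a `check_helo_access` map listing your own hostnames and addresses. Scoring rather than rejecting, as above, is what leaves room for the badly configured Exchange servers Dan mentions: a missing dot alone stays under the threshold here, while impersonating the receiving server does not.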