Quoting Ned Slider <n...@unixmail.co.uk>:
LuKreme wrote:
On 16-Aug-2009, at 16:55, MySQL Student wrote:
So perhaps instead of adding another RBL, maybe some admins need to
consider adding in some HELO checking / rejection.
Can you explain a bit more here? What are you checking for, that the
host is valid?
<http://www.mail-archive.com/postfix-us...@postfix.org/msg15167.html>
That gives me a 46% rejection rate just on HELO/EHLO and a 47%
rejection rate on unknown users.
I see similar figures and would also recommend using HELO/EHLO
restrictions. I see around a third of spam hit HELO/EHLO
restrictions, a third hits commonly forged non-existent recipient
addresses and a third hits zen.spamhaus.org (checks and rejections
performed in that order).
Although a dns lookup to zen.spamhaus.org probably isn't that
expensive, I'm sure they appreciate reducing the load by two thirds
by pre-filtering as much obvious spam as possible.
Question - in Postfix do "user unknown" rejections still incur a dns
RBL lookup, or does the rejection occur before reject_rbl_client?
That all depends upon how you have Postfix configured. I have a
gateway set up here and do the RBL lookups late in the
smtpd_recipient_restrictions just before the greylist policy. I.e.:
smtpd_recipient_restrictions =
permit_mynetworks,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_unverified_recipient,
check_recipient_access cdb:/usr/local/etc/postfix/skip_filter,
reject_rbl_client zen.spamhaus.local=127.0.0.10,
reject_rbl_client zen.spamhaus.local=127.0.0.11,
reject_rbl_client zen.spamhaus.local,
reject_rbl_client bl.spamcop.net,
check_policy_service unix:private/YnP0licy,
permit
Overall only a very small proportion of spam ever reaches SA -
typically <1% of rejected mail.
