[OT] HELP!!! mail attack

Craig White craigwhite at azapple.com
Wed Mar 26 15:00:34 UTC 2008


On Wed, 2008-03-26 at 09:39 -0430, Patrick O'Callaghan wrote:
> On Wed, 2008-03-26 at 06:35 -0700, Craig White wrote:
> > On Wed, 2008-03-26 at 23:06 +1030, Tim wrote:
> > > On Wed, 2008-03-26 at 05:12 -0700, Craig White wrote:
> > > > My first 'defense' is greylisting, run as a policy in postfix.
> > > 
> > > Though do so with the knowledge that it may mean some mail never gets
> > > delivered/accepted.  Greylisting, for both cases of rejecting spam and
> > > accepting ham, requires the services sending to you to work in a certain
> > > way [1], and they don't all do that [2].
> > > 
> > > 1. They reject the initial attempt, tell the sender to resend later, and
> > > accept the resend.
> > > 
> > > 2. Some senders never resend, causing mail to get lost permanently.
> > > Some resends come from a different server, and that can get rejected,
> > > too - causing long delays, or permanently lost mail.  Some resend
> > > attempts come after a very long delay, which can be annoying or business
> > > destroying, or can cause another reject.
> > > 
> > > I've experienced all of the above bad scenarios.
> > ----
> > I had heard that before I set it up but I have been running this same
> > setup on servers for 7 separate businesses and besides the initial
> > complaints of delays, it has been completely a non-issue. Few delays
> > have ever been longer than 30 minutes.
> > 
> > On the other hand, my setup has completely lightened the mail load.
> > 
> > And for an amusing side note to this...
> > 
> > My boss forwarded an e-mail to me which was a newsletter that he gets
> > via e-mail. I asked him what he expected me to do with it and he pointed
> > out to me a paragraph about their upcoming changes and that subscribers
> > should alter their 'filters' to be sure that they receive it.
> > 
> > I pointed out to him that on our network, I don't know of a single user
> > that has had to implement 'user level filters' for spam because so few
> > spam messages get through (I get about 5 a week and I am a very heavy
> > e-mail user). I pointed out that my methodology at the server level has
> > been so effective that I have no 'whitelisted' senders, no 'special
> > handling rules' at all beyond the high scoring spamassassin filter that
> > each user automatically inherits.
> > 
> > He replied back - never mind and later expressed to me that yeah, he
> > never gets spam and manages to get all of his e-mail.
> > 
> > Greylisting has been a very effective tool for me and I have had NO
> > complaints about it at all. There's actually a way around it in a
> > crunch...I've put a 5 minute window. The sender need only wait 5 minutes
> > and send the e-mail again which ultimately means that 2 copies show up
> > but the second one is delivered immediately and the first one is
> > delivered when their SMTP server decides to try again which is almost
> > always 15-30 minutes later.
> 
> Greylisting is indeed a very effective and I would say essential tool,
> however we're seeing the effectiveness being reduced as time goes on
> because spammers are getting smarter. This is an arms race and it's not
> going to end in the foreseeable future.
----
ride the wave...agreed on the arms race but so far, greylisting easily
skims about 70% of the useless cruft off the top at a very low
computational cost.

Craig
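
Added example, not part of the original message or of any poster's setup: a minimal Python model of the greylisting behaviour discussed in this thread, keyed on the usual (client IP, envelope sender, recipient) triplet with the 5 minute window mentioned above. The `Greylist` class, the 36 hour expiry, the sample addresses and the assumption that a manual resend leaves through the same sending server are illustrative choices.

```python
# Added illustration, not code from this thread or from any greylisting package.
DELAY = 5 * 60        # the 5 minute window mentioned in the thread
MAX_AGE = 36 * 3600   # assumption: a triplet never retried is forgotten after 36 h


class Greylist:
    def __init__(self):
        self.first_seen = {}  # (client_ip, sender, recipient) -> time first seen

    def check(self, client_ip, sender, recipient, now):
        """Return the action for one delivery attempt at time `now` (seconds)."""
        key = (client_ip, sender.lower(), recipient.lower())
        seen = self.first_seen.get(key)
        if seen is None or now - seen > MAX_AGE:
            self.first_seen[key] = now
            return "DEFER"   # unknown triplet: temporary (4xx) failure
        if now - seen < DELAY:
            return "DEFER"   # retried before the window elapsed
        return "ACCEPT"      # same triplet came back after the window


def simulate(attempts):
    """attempts: [(minute, client_ip), ...] for one sender/recipient pair."""
    gl = Greylist()
    return [gl.check(ip, "news@example.org", "boss@example.com", m * 60)
            for m, ip in attempts]


# Constructed traffic; 192.0.2.0/24 is a documentation range.
A, B = "192.0.2.10", "192.0.2.11"
SCENARIOS = {
    "sender never retries": [(0, A)],
    "MTA retries after 20 min": [(0, A), (20, A)],
    "retry too early, then on time": [(0, A), (2, A), (17, A)],
    "retries move to another server": [(0, A), (20, B), (40, B)],
    # assumes the manual resend uses the same server and envelope addresses
    "manual resend at 5 min, MTA retry at 20": [(0, A), (5, A), (20, A)],
}

if __name__ == "__main__":
    for name, attempts in SCENARIOS.items():
        print(f"{name:42} {simulate(attempts)}")
```

The first and fourth scenarios are the lost-mail and long-delay cases raised earlier in the thread; the last one is the two-copies outcome of resending after the window.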



