spam: block it or tag it?

Mike Kercher mike at CAMAROSS.NET
Fri May 9 04:10:41 IST 2003


I don't block these bastids at my firewalls.  I'd rather them see in their logs
that their connection to my boxes was explicitly REJECTED...whether it be by one
of the RBL's or just my access file.

Mike


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Jeff A. Earickson
> Sent: Thursday, May 08, 2003 9:37 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: spam: block it or tag it?
> 
> 
> Gang,
>    I don't hesitate to use sendmail RBLs, the Discard mailer, 
> and local IP/domain/spammer sendmail access-deny lists.  I 
> seldom get complaints about legit blocked email.  I've used 
> RBL+ for over two years, spamcop.net for over a year, 
> spamhaus.org for 3 or 4 months. Of these, spamcop is the best 
> and blocks the most spam.
> 
>   This week, I looked thru my syslogs at the email tagged by 
> the Discard mailer.  I seldom add sites to the Discard list, 
> and very judiciously.  Most of the domains in my Discard list 
> have been there for months.  Those sites that have been 
> hitting my machine steadily for the past month got 
> "promoted".  I studied the IP number and/or netblocks of 
> these domains, and then added them to my ipfilter settings as 
> IP-level blocks.  The mailer software at these domains now 
> sees my mail server as down -- not a peep of response, no 
> connection, nada. FYI, here are the netblocks that got 
> promoted to ipfilter blockage:
> 
> #---block chronic spam sites
> #---doubleclick.net
> block in quick on hme0 proto tcp from 216.73.80.0/20 to any port = 25
> #---mindshare design, mb00.net
> block in quick on hme0 proto tcp from 216.39.112.0/20 to any port = 25
> #---flowgo.com
> block in quick on hme0 proto tcp from 12.129.205.0/24 to any port = 25
> #---dartmail.net
> block in quick on hme0 proto tcp from 146.82.220.0/24 to any port = 25
> #---sendmoreinfo.com
> block in quick on hme0 proto tcp from 65.168.206.0/24 to any port = 25
> #---crushlink.com
> block in quick on hme0 proto tcp from 129.250.134.0/24 to any port = 25
> #---yourmailsource.com
> block in quick on hme0 proto tcp from 216.109.73.35 to any port = 25
> 
> May they rot in hell.
> 
> Yes, I also use the spam tagging (score=4) and high-spam 
> discard (score=8) features of MailScanner.  Still, the spam comes...
> 
> --- Jeff Earickson
>     Colby College
> 
> On Fri, 9 May 2003, Steffan Henke wrote:
> 
> > Date: Fri, 9 May 2003 03:09:16 +0200
> > From: Steffan Henke <henker at SHCOM.US>
> > Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: Re: spamassassin 2.53 & MailScanner
> >
> > On Thu, 8 May 2003, Gerry Doris wrote:
> >
> > > don't reject/block messages.  I believe using them with sendmail
> > > will actually reject the message but that isn't what happens when
> > > called from MailScanner/Spamassassin. The problem is that some of
> > > the RBL's are a little suspect and may score a ham message enough to
> > > have it flagged as spam ie a false positive.
> >
> > Yep, I guess every admin has to figure out which RBL to use and which
> > to avoid. I've been using list.dsbl.org, sbl.spamhaus.org and
> > relays.ordb.org for 6 months - so far, I got ONE complaint from a
> > user. That user had a dial-up-account that was blacklisted as an open
> > relay. He disconnected, reconnected, got a new IP and could send
> > emails again.
> >
> >
> > Regards,
> >
> > Steffan
> >
> 
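
The two approaches in this thread use different matching rules: ipfilter takes CIDR netblocks, while the sendmail access file matches dotted prefixes on octet boundaries only. As an added example (not code from either poster), this script converts the quoted ipfilter netblocks into access-file entries that reject at the SMTP level; the `Connect:` tag and `REJECT` action assume sendmail's access_db feature is enabled, and the function names are hypothetical.

```python
import ipaddress
import re

# Netblocks from the ipfilter rules quoted in this thread.
IPF_RULES = """\
#---doubleclick.net
block in quick on hme0 proto tcp from 216.73.80.0/20 to any port = 25
#---mindshare design, mb00.net
block in quick on hme0 proto tcp from 216.39.112.0/20 to any port = 25
#---flowgo.com
block in quick on hme0 proto tcp from 12.129.205.0/24 to any port = 25
#---dartmail.net
block in quick on hme0 proto tcp from 146.82.220.0/24 to any port = 25
#---sendmoreinfo.com
block in quick on hme0 proto tcp from 65.168.206.0/24 to any port = 25
#---crushlink.com
block in quick on hme0 proto tcp from 129.250.134.0/24 to any port = 25
#---yourmailsource.com
block in quick on hme0 proto tcp from 216.109.73.35 to any port = 25
"""

RULE_RE = re.compile(r"^block in quick on \S+ proto tcp from (\S+) to any port = 25$")


def access_keys(source):
    """Expand an IPv4 CIDR block or host into access-map keys.

    A /20 does not end on an octet boundary, so it becomes sixteen
    three-octet keys; a /24 becomes one key; a host keeps all four octets.
    """
    net = ipaddress.ip_network(source)  # raises ValueError if host bits are set
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError(f"unsupported source: {source}")
    octets = -(-net.prefixlen // 8)  # round the prefix up to whole octets
    return [".".join(str(sub.network_address).split(".")[:octets])
            for sub in net.subnets(new_prefix=octets * 8)]


def access_entries(rules_text, action="REJECT"):
    """Return access-file lines, keeping each '#---' label as a comment."""
    entries, label = [], None
    for line in map(str.strip, rules_text.splitlines()):
        if line.startswith("#---"):
            label = line[4:]
        elif (m := RULE_RE.match(line)):
            entries.append(f"# {label}")
            entries.extend(f"Connect:{k}\t{action}" for k in access_keys(m.group(1)))
    return entries


if __name__ == "__main__":
    print("\n".join(access_entries(IPF_RULES)))
```

The output is meant to be appended to the access file and rebuilt with makemap; the two /20 blocks account for 32 of the 37 `Connect:` lines.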



