4.40.5: IPBlock 451 versus 550

Jeff A. Earickson jaearick at COLBY.EDU
Sat Mar 19 12:55:46 GMT 2005


Y'all,

My IPBlock ruleset for the outside world is almost identical to what is
posted on the FAQ:
http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/239.html

The numbers there are tuned to my site, YMMV.  My internal rules vary
from subnet to subnet (dorms vs offices).  IPBlock has always been more
useful for blocking foreign spam sites, e.g. Asia/Pacific spammers, than
it has been in throttling runaway machines on-campus.

I get a daily report (small) of numbers that got IPBlocked.  I investigate.
Nearly always spammers.

Yesterday I implemented the conncontrol and ratecontrol FEATURES of
sendmail, so this issue should be more handled upstream by the MTA.

Jeff Earickson
Colby College

On Sat, 19 Mar 2005, Julian Field wrote:

> Date: Sat, 19 Mar 2005 11:47:28 +0000
> From: Julian Field <MailScanner at ECS.SOTON.AC.UK>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: 4.40.5: IPBlock 451 versus 550
>
> I think you've got it exactly right. I primarily intended it to throttle
> flooding from your own users/customers' boxes. So I would specify a low
> limit for your customers' IP netblocks, and have a fairly high default
> for the rest of the world.
>
> Rakesh wrote:
>
>> Thanks Jeff,
>>
>> Test it in real-time scenarios and suggest what would help to make
>> things better and easier. Even I have implemented it on my live servers.
>> Probably one thing down the line we have to do is by default maintain a
>> list of some well-known outgoing servers of Yahoo or other heavy-traffic
>> outgoing servers and set them to have a greater connection limit
>> (specify greater limits for them in IPBlock.conf). That we have to see
>> if it would really help others.  What do you think on this? Julian,
>> please let us know your views as well.
>>
>> Rakesh
>>
>> Jeff A. Earickson wrote:
>>
>>> Rakesh,
>>>    Point taken.  I have changed my CustomConfig.pm back to using 451
>>> instead of 550.  I'll see if the problem returns.  Hey, this is
>>> a beta version of MailScanner and those of us who run it should
>>> be willing to test the new features.
>>>
>>> Jeff Earickson
>>> Colby College
>>>
>>> On Thu, 17 Mar 2005, Rakesh wrote:
>>>
>>>> Date: Thu, 17 Mar 2005 18:30:35 +0530
>>>> From: Rakesh <rakesh at NETCORE.CO.IN>
>>>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>>> Subject: Re: 4.40.5: IPBlock 451 versus 550
>>>>
>>>> Jeff A. Earickson wrote:
>>>>
>>>>> Julian,
>>>>>
>>>>> Just curious as to why you changed IPBlock from fatal rejections
>>>>> to tmpfail.  I've had a couple of spammers pounding on my system
>>>>> with crap that would have ordinarily been booted by IPBlock for
>>>>> good.  Now they just keep trying.  I've modified my copy of
>>>>> CustomConfig.pm in 4.40.5 to do the 550 rejections again.
>>>>
>>>> My idea in suggesting the 451 error instead of the 550 error code to
>>>> Jules was that we do not unknowingly bounce back some genuine mails
>>>> just because the sending server is sending too many mails to us. E.g.
>>>> a Yahoo outgoing server might be sending quite a good amount of mail
>>>> to an MX server hosting many domains. So if we just temporarily
>>>> decline to accept the mail, then I am guaranteed that a good outgoing
>>>> server would definitely try again for delivery, which won't be
>>>> applicable in case of a 550 rejection, and probably someone sending
>>>> out an important mail would finally get a bounce back for no good
>>>> reason. This is totally different from the greylisting concept, in
>>>> which any server initiating a first-time connection will have to
>>>> compulsorily try again later.
>>>>
>>>> However, the majority of spammers use hijacked machines or poor SMTP
>>>> engines to send out spam, and asking them to try again later with a
>>>> 451 error code wouldn't do any harm, as they don't bother to try again
>>>> later, so the spam doesn't come at all. However, if they are using
>>>> someone else's server which actually does retry sending the spam, then
>>>> we can probably notify the administrator to check out his system, or
>>>> at least have 1 hour to block the IP on the firewall.
>>>>
>>>> --
>>>> Regards,
>>>> Rakesh B. Pal
>>>> Emergic CleanMail Team.
>>>> Netcore Solutions Pvt. Ltd.
>>>>
>>>> ========================================================================
>>>>
>>>> "First they ignore you. Then they laugh at you.
>>>> Then they fight you. Then you win."
>>>>                                               - M. Gandhi
>>>> ========================================================================
>>>>
>>>> ----------------------------------------------------------
>>>> Netcore Solutions Pvt. Ltd.
>>>> Website:  http://www.netcore.co.in
>>>> Spamtraps: http://cleanmail.netcore.co.in/directory.html
>>>> ----------------------------------------------------------
>>>>
>>>> ------------------------ MailScanner list ------------------------
>>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>> 'leave mailscanner' in the body of the email.
>>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>
>>
>> --
>> Regards,
>> Rakesh B. Pal
>> Emergic CleanMail Team.
>> Netcore Solutions Pvt. Ltd.
>>
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

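The trade-off debated in this thread (answering an over-limit sender with 451 versus 550, with a low limit for your own netblocks and a high default), as an added example that is not part of the original posts and is not MailScanner's IPBlock code. The netblocks, limits, one-hour window and all function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 3600  # seconds; assumed one-hour counting window
# Constructed limits (messages per window), documentation address ranges only.
LIMITS = {
    ipaddress.ip_network("192.0.2.0/24"): 5,       # assumed own/customer block
    ipaddress.ip_network("198.51.100.0/24"): 500,  # assumed heavy outbound relay
}
DEFAULT_LIMIT = 50  # assumed default for the rest of the world

def limit_for(ip):
    """Most specific matching netblock wins; otherwise the default."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in LIMITS if addr in n]
    best = max(matches, key=lambda n: n.prefixlen, default=None)
    return LIMITS[best] if best is not None else DEFAULT_LIMIT

class Throttle:
    def __init__(self, reject_code=451):
        self.reject_code = reject_code   # 451 = try later, 550 = permanent
        self.seen = defaultdict(deque)   # ip -> timestamps of accepted mail

    def check(self, ip, now):
        """Return the SMTP reply code for one message from ip at time now."""
        q = self.seen[ip]
        while q and now - q[0] >= WINDOW:  # forget mail older than the window
            q.popleft()
        if len(q) >= limit_for(ip):
            return self.reject_code
        q.append(now)
        return 250

def run(throttle, ip, count, retry_after=None):
    """Offer count messages one second apart from t=0; a sender honouring 4xx
    re-offers deferred mail retry_after seconds later (None = never retries).
    Returns (delivered, bounced, dropped)."""
    delivered = bounced = 0
    deferred = []
    for t in range(count):
        code = throttle.check(ip, t)
        if code == 250:
            delivered += 1
        elif code == 550:
            bounced += 1
        else:
            deferred.append(t)
    if retry_after is None:
        return delivered, bounced, len(deferred)
    retried = sum(throttle.check(ip, t + retry_after) == 250 for t in deferred)
    return delivered + retried, bounced, len(deferred) - retried
```

With 451 a sender that retries after the window gets all of its mail through, with 550 the excess is bounced, and a sender that never retries simply loses the excess under 451.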