To whitelist or not...
ssilva at sgvwater.com
Fri Mar 17 17:51:57 GMT 2006
James Gray spake the following on 3/16/2006 9:54 PM:
> On Thu, 16 Mar 2006 12:19 pm, Ugo Bellavance wrote:
>> James Gray wrote:
>>> I've done an experiment. I've created a rule set for the "Use
>>> SpamAssassin" config option and moved a few of the whitelisted addresses
>>> into there with a "no" action. IOW, the "use.sa.rules" file looks like
>>> From: whitelist_add1@domain no
>>> From: whitelist_add2@another-domain no
>>> FromOrTo: default yes
>> I think it is reasonable.
>> You may be more secure if you'd add one condition to your ruleset: the
>> IP of their server. This way, you reduce the risk of getting spam with
>> a forged address (using your clients).
> Good point. The problem is some of the senders (like hp.com) have so many
> MTA's that messages come from, it's going to be hard to include them all. It
> *would* be the ideal though. I'll definitely do it for our internal machines
> (all the senders will be in very well defined private subnets).
>> In the end, your users will tell you if it has negative effect on
>> spam-filtering results.
> Indeed they will :)
>> You could use only IP's for e-mail generated from your systems. Of
>> course, if one of your systems gets compromised and start sending spam,
>> you have less chance noticing it.
> True, but the internal machines are fairly well controlled and firewalled
> VM's. So if a machine gets 0wn3d (highly unlikely) we can simply hose the
> image and restore a known working one :) Gotta love virtualisation!
>> There are other means of lowering your load (using rbls, greylisting, etc)
>> but this one may make sense for you and other people.
> Thanks Ugo. I've done a lot of performance tuning on our MailScanner boxes.
> The problem is that they are running on "superseded" hardware - mail
> gateways are very non-glamourous boxes that don't attract a lot of budget
> (mail is merely a tool - not our business focus). We make do, but anything
> to reduce unnecessary load is a Good Thing(tm).
>  Superseded but still server class kit (not PC's or anything dinky like
> that). All are P3/Xeon > 1GHz boxes with lots of ECC RAM and SCSI drives on
> Gigabit links. I'd really like some Sun or Opteron kit though :)
Too bad there isn't an option to whitelist by domain name IF the mail comes
from proper MX servers, or valid SPF records, i.e. "From: hp.com and
valid_mx no" or something like that.
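As an added illustration of the combined rule Ugo suggests above (this is an example written for this page, not a file from the original thread or from the MailScanner project), here is what a "use.sa.rules" ruleset looks like when SpamAssassin is skipped only if both the sender address and the connecting client's IP match. The addresses and subnets are placeholders. MailScanner rulesets join two conditions with the "and" keyword, and an IP prefix in a From: rule is matched against the SMTP client address rather than the header.

```text
# use.sa.rules (example): value "no" skips SpamAssassin, "yes" runs it.
# Fields are tab- or space-separated.  Addresses and networks are placeholders.

# External partners: the address alone is easy to forge, so require the
# message to arrive from that partner's known MTA subnet as well.
From:   whitelist_add1@domain          and  From:  10.1.2.    no
From:   whitelist_add2@another-domain  and  From:  10.1.3.    no

# Internal generators on a well-defined private subnet: the IP is enough,
# but remember a compromised host there also bypasses scanning.
From:   192.168.10.                                          no

# Everything else is scanned.
FromOrTo:  default                                           yes
```

A quick sanity check after editing the file: send a message from the whitelisted address through an unlisted relay and confirm it still carries the SpamAssassin headers; only a message from the matching subnet should arrive unscanned.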