How can MailScanner "push back"?

Steve Freegard steve.freegard at fsl.com
Thu Aug 23 21:12:31 IST 2007


Hi Leland,

Leland J. Steinke wrote:
> Michael Huntley wrote:
>> Greylisting stopped a terrible mail storm on our system. 
> 
> We've been using sqlgrey for almost 18 months now.  The spammers have 
> adapted.
> 

We've got a modified greylisting implementation in our BarricadeMX 
product which is very different to SQLgrey and has so far proven 100% 
effective against the botnet spam that passes traditional greylisting (no 
extra drawbacks from normal greylisting except for more bandwidth being 
used).  Ping me off-list if you would like to try a demo of it.

> Hugo van der Kooij wrote:
>  > Considering blocking DSL, cable and other 'user' IP ranges. There are
>  > some RBLs focussing on these ranges. It should give you some air.
> 
> We use PSBL and DSBL, in addition to our own RBL.  We are an ISP, so I 
> am loath to use RBLs such as PBL to reject connections, instead using 
> them in SA to jack up spam scores.

I like the DSBL a lot - but you should probably consider adding 
cbl.abuseat.org as it will catch a *lot* of extra stuff missed by your 
existing two.

Instead of using the PBL you could use dynablock.njabl.org and bypass 
any of your own dial-up/DSL ranges.

Also consider adding milter-link into Postfix and rejecting stuff listed 
on multi.surbl.org and black.uribl.com at the MTA level as this will 
help a lot (on the non-botnet stuff anyway).

> Maybe I need to write a postfix policy daemon to query the hold queue or 
> otherwise check the box's status and 450-reject the connection if the 
> box is overloaded...

I really don't think that this will solve your problem as you'll end up 
seriously delaying genuine senders with sane retry intervals whilst the 
bots will continue to hammer away relentlessly whenever you start 
allowing connections again.  It's a problem that will then get 
exponentially worse the more you shut off the port.

It's better to minimise the amount of junk vs. good message allowed 
into MailScanner from the MTA which is what we (FSL) are pretty good at 
now ;-)

Kind regards,
Steve.
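
The suggestion above to check client-IP lists at the MTA while bypassing your own dial-up/DSL ranges, sketched as the decision function of a Postfix policy service. This is an added example, not part of the original message and not FSL or MailScanner code; the 192.0.2.0/24 customer range and the per-zone bypass flag are assumptions, and the resolver is injectable so the logic can be checked without DNS.

```python
import ipaddress
import socket

# Assumed for this example: 192.0.2.0/24 stands in for the ISP's own
# dial-up/DSL customers. Zones are the client-IP lists named in the message;
# the flag marks a dynamic-range list that own customers bypass.
OWN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
ZONES = [("cbl.abuseat.org", False), ("dynablock.njabl.org", True)]

def dns_listed(name):
    """Listed only if the name resolves into 127.0.0.0/8; errors fail open."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except OSError:
        return False

def query_name(ip, zone):
    """IPv4 DNSBL convention: 203.0.113.7 -> 7.113.0.203.<zone>."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def parse_request(text):
    """Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def decide(request_text, listed=dns_listed):
    """Return the policy reply for one request ('action=...' + blank line)."""
    try:
        ip = ipaddress.ip_address(parse_request(request_text).get("client_address", ""))
    except ValueError:
        return "action=DUNNO\n\n"          # no usable address: let other rules decide
    if ip.version != 4:
        return "action=DUNNO\n\n"          # these zones are queried for IPv4 only here
    own = any(ip in net for net in OWN_RANGES)
    for zone, skip_own in ZONES:
        if own and skip_own:
            continue                        # own customers bypass the dynamic list
        if listed(query_name(ip, zone)):
            return f"action=REJECT Client host {ip} listed on {zone}\n\n"
    return "action=DUNNO\n\n"
```

Failing open on DNS errors keeps a list outage from turning into rejected mail, and requiring a 127.0.0.0/8 answer avoids treating a wildcarded or parked zone as a listing.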

