cut off by spamhaus free use?

Matt Hayes mailscanner at slackadelic.com
Mon Dec 3 20:00:24 GMT 2007


DAve wrote:
> Jeff A. Earickson wrote:
>> On Mon, 3 Dec 2007, Matt Hayes wrote:
>>
>>> Date: Mon, 03 Dec 2007 10:04:27 -0500
>>> From: Matt Hayes <mailscanner at slackadelic.com>
>>> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>>> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>>> Subject: Re: cut off by spamhaus free use?
>>>
>>> Jeff A. Earickson wrote:
>>>> On Mon, 3 Dec 2007, Jeff Mills wrote:
>>>>
>>>>> Date: Mon, 3 Dec 2007 14:22:00 +1100
>>>>> From: Jeff Mills <Jeff.Mills at versacold.com.au>
>>>>> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>>>>> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
>>>>> Subject: RE: cut off by spamhaus free use?
>>>>>
>>>>>
>>>>>>> Yes it happened to one of my installs. Unfortunately, somebody had
>>>>>>> used their domain name in a spam attack, so the server got
>>>>>> thousands
>>>>>>> of extra inbound emails. It was enough for spamhaus to
>>>>>> block the servers.
>>>>>> And it appears that it is an automated process to be blocked,
>>>>>> but only a manual unblock.
>>>>>
>>>>> Yes!
>>>>> One of the things I have done in my servers is move the spamhaus
>>>>> list to
>>>>> the bottom of my list of RBL's.
>>>>> That way, spamhaus is only queried when none of the others match. I
>>>>> find
>>>>> that spamcop gets more than the others.
>>>> I've had false positive problems with spamcop in the past.  I put
>>>> dnsbl.sorbs.net into action in sendmail this morning, appears to be ok.
>>>>
>>>> I had contact with a human at spamhaus, but they aren't very forthcoming
>>>> as to why I got cut off.  It would be nice if they had sent
>>>> postmaster at colby.edu
>>>> a warning, maybe with some numbers attached.
>>>>
>>>> Jeff Earickson
>>>> Colby College
>>> What indications did you all receive that you had been "cut off" other
>>> than timeouts to their servers?  Any other tell-tale signs?
>> The fact that ALL of my inbound email from the Internet was getting
>> tempfailed (400 "try again later" to the sending email servers) for
>> nearly 12 hours.  The fact that my system's sar output showed 2% usage
>> instead of its normal 20 to 40% range.  After 12 hours of tempfails,
>> I had a tsunami of inbound email for a while once I got the problem
>> fixed.
>>
>> Jeff Earickson
>> Colby College
> 
> Do you cache all your responses? Running a simple DNS cache on your mail
> server will greatly reduce your load on RBLs and speed up queries.
> 
> DAve
> 


I can concur with that.  I use BIND for SOA and dnscache for local DNS
caching.  Works great.  Sped up queries nearly 100% and I'm not hitting
outside DNS servers as much.

-Matt
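
The local caching and list ordering discussed in this thread, as an added example that is not part of the original posts: it counts how many lookups actually leave the host when DNSBL answers are cached and the last-listed zone is only consulted after the earlier ones miss. The zone names, the stub resolver, the 300-second TTL and the sample addresses are constructed assumptions; a real deployment would use a caching resolver such as the dnscache setup mentioned above.

```python
import time

class CachedDnsblChecker:
    """Ordered DNSBL lookups behind a local TTL cache (illustrative only)."""

    def __init__(self, zones, resolver, ttl=300, clock=time.monotonic):
        self.zones = list(zones)      # queried in order; first hit wins
        self.resolver = resolver      # callable(qname) -> True if listed
        self.ttl = ttl                # assumed cache lifetime in seconds
        self.clock = clock
        self.cache = {}               # qname -> (expires_at, listed)
        self.upstream = {z: 0 for z in self.zones}  # queries sent out

    @staticmethod
    def query_name(ip, zone):
        # DNSBL convention: reverse the IPv4 octets and append the zone.
        return ".".join(reversed(ip.split("."))) + "." + zone

    def _lookup(self, ip, zone):
        qname = self.query_name(ip, zone)
        now = self.clock()
        hit = self.cache.get(qname)
        if hit and hit[0] > now:
            return hit[1]             # answered from the local cache
        self.upstream[zone] += 1      # this one reaches the list operator
        listed = self.resolver(qname)
        self.cache[qname] = (now + self.ttl, listed)  # negatives cached too
        return listed

    def check(self, ip):
        # Later zones are only asked when every earlier zone missed.
        for zone in self.zones:
            if self._lookup(ip, zone):
                return zone
        return None

def demo():
    # Constructed data: one listed bulk sender, one clean host.
    listed = {"2.2.0.192.first.dnsbl.example"}
    checker = CachedDnsblChecker(
        ["first.dnsbl.example", "last.dnsbl.example"],
        lambda qname: qname in listed)
    for ip in ["192.0.2.2"] * 50 + ["198.51.100.7"] * 10:
        checker.check(ip)
    return checker.upstream

if __name__ == "__main__":
    print(demo())
```

Without the cache the same 60 connections would send 60 queries to the first zone and 10 to the last; with it, only the first sighting of each address leaves the host.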

