better blocking at MTA level (off-topic)

Koopmann, Jan-Peter jan-peter at koopmann.eu
Tue May 29 07:02:55 IST 2007


On Tuesday, May 29, 2007 2:17 AM Andrew MacLachlan wrote:

> That would be a shame, because many non dynamic addresses get caught
> by zen because they have a dynamic-like reverse lookup and the ISP
> refuses to update the reverse... 

I just rechecked. The ISP does not have to update rDNS. They simply have to contact Spamhaus and say that direct-mx from those blocks is ok with their policy. Spamhaus just puts those suspicious blocks in the PBL list if they could not contact the ISP or the ISP was not willing/able to participate.

> The correct time to treat dynamic
> addresses with more suspicion is at the SA level by adding points,
> not just killing them at the MTA.   

Actually I believe in the long run the correct place is the MTA. Most spam comes from dynamic addresses. Cutting all direct-mx from dynamic addresses is probably the only solution. Now people will start screaming "I do not want to be forced to route all my mail through the ISP's mail-server". Wake up:

1. The ISP could analyze your traffic transparently if he wishes/is forced to.

2. If you want to deliver directly, get a suitable setup (static IP, well-setup MTA). Not that expensive!


But for reasons I pointed out myself in this thread I agree: At this time PBL is as far as I would go at MTA level and I can understand if you do not want to do this. Blocking all dynamic IPs currently remains a dream of mine. :-)

