Set it and forget it?

Julian Field MailScanner at ecs.soton.ac.uk
Mon Nov 26 23:44:46 GMT 2007


donald.dawson at bakerbotts.com wrote:
> I can't go along with 1 CPU system handling 1,000,000 message attempts,
> unless you are actually talking about very few being processed by MS/SA.
>   
That's precisely it. Most of the 1m message attempts are aborted very 
early in their SMTP conversation, using dozens of different tricks to 
identify that it's not a real properly-written standards-compliant MTA, 
but a very quick and dirty spam-spitting engine.

Most of the message delivery attempts are abandoned before even the 
message body has been received. You can tell an awful lot about a sender 
just by the way he talks to you.

If you don't believe it, try it free for the 30-day evaluation period 
(fully functional).
It's dead easy to rip out again if you decide not to keep it.

Jules.

P.S. The post by Steve was not intended as an advert, but as a genuine 
suggestion of a very good solution to the original poster's problem.

> We have 4 dual-core server-grade systems running MS and SA (no virus
> checking) and we can barely handle spam checking 500,000 emails.  Total
> emails and attempts are close to 1,000,000 but that is spread over 4
> servers.
>
> Log starts:		Nov 24 00:07:08
> Log ends:		Nov 26 00:00:17
> ****************************************************************
> 519,762 received messages totaling 2651 Mbytes (Avg Size: 5.22 Kbytes)
> 	441,860 suspected spam
> 	 15,101 delivered spam
> -428,114 deleted spam
> -51,079 pending processing
> -----------------
>  40,569 delivered messages
>
> 519,762 messages received
> 102,908 messages rejected
>  70,703 messages Aborted/Incomplete
> -----------------
> 693,373 total message attempts
>
> ****************************************************************
> 102,908 messages were rejected:
> 	  9,017 (550) - Relaying denied
> 	  6,507 (451) - Sender domain did not resolve
> 	 14,534 (553) - Domain of sender address does not exist
> 	     57 (450) - Relaying temporarily denied. Cannot resolve PTR record
> 	     99 (Admin) - Administratively rejected
> 	 47,840 Reject due to pre-greeting traffic
> 	 24,854 Unknown reasons
> 183,590 deferred delivery attempts:
> 	 37,274 Connection refused
> 	  6,610 Connection reset
> 	      3 Connection limit reached
> 	102,112 Connection timed out
> 	 11,932 Deferred localy
> 	 25,659 Unknown reasons
>     296 (DSN) Delivery Service Notifications:
> 	     22 Return receipt
> 	     36 User unknown
> 	    231 Service unavailable
> 	      1 Host unknown
> 	      5 Local configuration error
> 	      1 Data format error
> ****************************************************************
>  10,050 messages FROM bakerbotts.com
>  25,317 messages TO bakerbotts.com
>   3,911 inbound connections encrypted with TLS
>   9,464 outbound connections encrypted with TLS
> ****************************************************************
>
> Messages received by server:
> Server         		  Count
> -------------- 		-------
> ausgate        		     12
> baker8         		      3
> bbmx01         		129,075
> bbmx03         		  4,679
> bbmx06         		173,909
> confgate       		      3
> daldmz01       		      2
> dalgate        		    294
> hkgate         		      6
> hougate2       		    243
> houmx02        		  9,240
> houmx04        		 83,601
> houmx05        		118,672
> longate        		      5
> nygate         		      7
> tempfw2        		      4
> wasgate        		      7
>                		=======
>                		519,762
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Stephen
> Swaney
> Sent: Monday, November 26, 2007 4:35 PM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Set it and forget it?
>
>
> Ugo Bellavance wrote:
>   
>> Steve Campbell wrote:
>>     
>>> Ugo Bellavance wrote:
>>>       
>>>> Steve Campbell wrote:
>>>>         
>>>>> I'm curious as to how much time is spent by most of the email 
>>>>> admins here using MS. I realize that some of my efforts could be 
>>>>> streamlined by upgrading to the latest release, but the people here
>>>>> seem to think that this is a "set it and forget it" type of
>>>>> operation.
>
>>>> I don't believe that.
>>>>         
>>> Gosh, maybe it _is_ me then.
>>>       
>> Not sure.  What I meant is similar to what Hugo said.  It does need 
>> maintenance, as spam is evolving.  We see a new version of SA almost 
>> every 3 months, MS about the same, then razor, DCC, system updates.
>>
>> More components you have, more effective it is, but more maintenance 
>> it requires.
>>
>> What I meant is that it is not a system that you can install and let 
>> hum for a few months w/o touching it.
>>
>>     
> We do make such a system. It's not as flexible as MailScanner and it's 
> not open source but it does run for a long time with very minimal 
> maintenance and very little cost.
>
> It's our BarricadeMX product with SpamAssassin (using spamd) and ClamAV 
> (using clamd) along with Razor, SARE rules and DCC. All of the software,
> The operating system, CentOS 5, and all applications are updated using 
> rpms. Many of which we maintain in our own yum repositories.
>
> Since BarricadeMX typically correctly identifies over 90% of the 
> incoming mail as spam and rejects it with an NDR, there aren't a lot of 
> messages to push through SpamAssassin or ClamAV.
>
> And since there are few options:
>
>  * You can reject at the MTA level with NDR if spam score is greater
>    than x.xx
>  * You can tag and deliver if spam score is less than x.xx but
>    greater than y.yy
>  * You can deliver untouched if spam score is less than y.yy and
>    Message passes ClamAV
>  * You can reject with NDR if message is rejected by ClamAV.
>  * You can white / black list with a web interface
>
> And you cannot:
>
>  * Block on filename or file type
>  * Disarm dangerous HTML
>  * Quarantine anything (not necessary because messages are rejected
>    with an NDR or accepted)
>
> Most of the cool things MailScanner can do to protect your email systems
> are not available. This is a basic but simple system.
>
> You do get a very low maintenance, high capacity gateway that does a 
> very good job at detecting spam with little white / black listing 
> required and a very low false positive ratio.
>
> A single core, single CPU system with 2 GB of memory can actually handle
> over 1,000,000 delivery attempts a day so you can push a LOT of mail 
> through relatively inexpensive systems.
>
> We have very inexperienced Systems Administrators using these systems 
> because it really is as simple to maintain as running `yum -y update`.
>
> And if you want the best of both worlds and don't mind a bit more work, 
> you can run BarricadeMX on most MailScanner systems. This gives you very
> high capacity gateways that really block almost every bit of the junk 
> that's out there
>
> Best regards,
>
> Steve
>
> Steve Swaney
> www.fsl.com
>   

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


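
One of the sender-behaviour checks visible in the quoted report ("Reject due to pre-greeting traffic", alongside "Aborted/Incomplete") can be sketched as below. This is an added example, not code from the post, MailScanner or BarricadeMX; the pause length, host names and function names are assumptions, and a local socket pair stands in for the network.

```python
import select
import socket
import threading

GREET_PAUSE = 0.3  # seconds to stay silent before the banner (assumed value)

def greet(conn, pause=GREET_PAUSE):
    """Server side: delay the 220 banner and watch for a client that talks first."""
    readable, _, _ = select.select([conn], [], [], pause)
    if readable:
        early = conn.recv(512)
        if early:
            # Client sent SMTP commands before seeing the greeting.
            conn.sendall(b"554 5.5.0 rejected: pre-greeting traffic\r\n")
            return "reject"
        return "aborted"  # client hung up during the pause
    conn.sendall(b"220 mx.example.test ESMTP\r\n")
    return "accept"

# Constructed clients for the demonstration.
def compliant_client(sock):
    banner = sock.recv(512)  # a standards-compliant MTA waits for the greeting
    if banner.startswith(b"220"):
        sock.sendall(b"EHLO client.example.test\r\n")

def early_talker(sock):
    # Sends its commands immediately, without waiting for the server.
    sock.sendall(b"HELO x\r\nMAIL FROM:<a@example.test>\r\n")

def impatient_client(sock):
    sock.close()  # gives up before the banner arrives

def simulate(client):
    """Run one client against greet() over a socket pair; return the verdict."""
    server_side, client_side = socket.socketpair()
    worker = threading.Thread(target=client, args=(client_side,))
    worker.start()
    verdict = greet(server_side)
    worker.join(timeout=2)
    server_side.close()
    client_side.close()
    return verdict

if __name__ == "__main__":
    for client in (compliant_client, early_talker, impatient_client):
        print(client.__name__, "->", simulate(client))
```

The decision is made before any message body is received, so a connection rejected here never reaches the content scanners.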
