--On Saturday, 30. August 2003 11:30 -0700 Ricardo Kleemann <[EMAIL PROTECTED]> wrote:
[also applies to Mircea Damian]

>> There is no point bouncing spam to forged or innocent
>> senders. Stop bouncing the crap (and effectively double
>> the spam-load), and your queue will be just fine.
>>
> You have a very good point... but at what point can we
> determine that a bounce is spam or not? How do you
> distinguish between a "legitimate" bounce and one due to
> spam?

With the current trojan-flood there are very few legitimate reasons for bounces. Don't bounce anything which has already been accepted; reject early or swallow/quarantine whatever comes through.

> I'm having major troubles with spammers as well, and my
> queue is almost 10,000 long.
>
> I've programmed a perlfilter that detects floods (either due
> to sender, ip, or recipient) and blocks those (generates 550
> errors once the flood is detected) and with that I can see
> the tremendous amount of spam that is hitting my box.

The perlfilter runs before the mail has been accepted, and does not generate any bounces (at least not on your system). Bounces will occur only with rejections after the message has been accepted, for example with braindead virus-scanners and SpamAssassin run from dot-courier or maildrop filters. Courier itself only generates bounces if the maildir is over quota, but I don't think that's responsible for the whole queue.

Mircea mentioned he's using RAV. Don't know what functionality this scanner provides, but I can't recommend RAV anyway since they were acquired by M$, the evil company responsible for the virus-flood. Good antivirus scanners (like DrWeb, whose free evaluation runs just fine without nagging, <http://www.sald.com/get.html> ...) will not try to inform the 'sender' if the trojan is known to fake the headers. This list is of course fully configurable.

> However, there is still a huge amount of bounces that are
> generated and are stuck in the queue. I can see, by manually
> diagnosing, that so much of that is bounces to "forged or
> innocent senders", but I don't know of a way to effectively
> determine whether a bounce is legitimate or not.

Too bad Courier can't reject based on a non-resolvable HELO; this would kill off all the Sobig and many other trojans and proxy-spam. The simple patch published a few days ago will take care of them. If your perlfilter also parses the controlfile you could extract the helostring from there.

Use a couple of DNSBLs, especially those listing open proxies, dialups and adsl/cable ranges, and add the rDNS of the remaining worst home providers as wildcards to etc/smtpaccess; adding a few notorious /8s or countries also helps, depending on your geographic location and your customers. Also use the freemail feature of etc/bofh to get rid of the most forged domains; start with Yahoo, MSN, Hotmail. Then set etc/queuetime down to 12h or 24h (I even have this down at 6h on the company server; don't forget to set etc/warntime to no more than half of it) to get rid of all the old stuck undeliverables.

Another way could be a callback implemented in courierfilter; even Sourceforge has been doing this for all postings to the lists for a few days now. But this won't protect the innocent forged parties from bounces.

Roland

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
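The thread's core point is that rejections made before a message is accepted can never turn into bounces. The following is an added example, not Ricardo's perlfilter and not Courier's own filter API: a standalone Python model of an SMTP-time filter that combines the per-ip/sender/recipient flood detection Ricardo describes with the non-resolvable-HELO rejection Roland wishes for. The `resolve` callback, the thresholds and the sample transactions are constructed assumptions.

```python
"""Model of an SMTP-time reject filter in the spirit of the thread.

Every check runs BEFORE the message is accepted, so the only outcome of a
hit is a 5xx reply to the connecting client. Nothing is queued, and so no
bounce can ever be sent to a forged or innocent sender.
Constructed example: resolver callback and thresholds are assumptions.
"""
from collections import defaultdict, deque


class SmtpTimeFilter:
    def __init__(self, limit, window, resolve):
        self.limit = limit        # hits allowed per key inside the window
        self.window = window      # window length in seconds
        self.resolve = resolve    # callable(hostname) -> bool, stands in for DNS
        self.hits = defaultdict(deque)  # (kind, value) -> recent timestamps

    def _record(self, key, now):
        """Record one hit for key, drop timestamps older than the window."""
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def decide(self, ip, helo, sender, rcpt, now):
        """Return the SMTP reply the connecting client would receive."""
        # Non-resolvable HELO: reject at once, before any flood accounting.
        if not self.resolve(helo):
            return "550 HELO %s does not resolve" % helo
        keys = (("ip", ip), ("sender", sender), ("rcpt", rcpt))
        counts = {kind: self._record((kind, value), now) for kind, value in keys}
        for kind in ("ip", "sender", "rcpt"):
            if counts[kind] > self.limit:
                return "550 flood detected for %s" % kind
        return "250 OK"


def simulate(filt, events):
    """Feed constructed SMTP transactions through the filter, return replies."""
    return [filt.decide(*ev) for ev in events]


if __name__ == "__main__":
    known = {"mail.example.org", "mx.isp.example"}   # constructed fake DNS
    f = SmtpTimeFilter(limit=3, window=60, resolve=lambda h: h in known)
    burst = [("203.0.113.7", "mail.example.org", "a%d@forged.example" % i,
              "victim@example.net", 10 + i) for i in range(5)]
    bogus = ("198.51.100.2", "bogus.invalid", "x@y.example", "v@example.net", 99)
    for reply in simulate(f, burst + [bogus]):
        print(reply)
```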
