Markus,

Just last week Comcast lit up a new mail server that had no reverse DNS entry. This type of thing happens all the time. Plus there might be an issue with timeouts if your software can't differentiate between that and a true absence of a reverse DNS value. Either way, it will definitely create issues.

Matt

Markus Gufler wrote:

Yes, that's my opinion too. But as zombie networks are still growing, and so their power is growing too, I am searching for something that can block effectively during the SMTP envelope.

Yesterday I had >20k spam messages (all with the same message + random content) coming from more than 1000 different IPs. The peak was more than 6000 messages within 5 minutes. By accepting anything and analyzing it afterward, as Declude can do, it would be possible to block all spam messages, but at the same time I have an overfilled queue and a noticeable and in some cases unacceptable delivery delay.

My idea is to have something that is able to check for missing REVDNS records and/or HELOISIP and, if there are more than x of them within, let's say, 5 minutes, enable envelope blocking for missing REVDNS and/or HELOISIP. This should avoid false positives, and during bot-network attacks it should allow a very effective and resource-friendly protection against thousands of messages.

The same technique should also work with IP blacklists, and by sending a "service temporary unavailable" instead of blocking the message, theoretically it would avoid nearly all false positives, because legit MTAs even with missing REVDNS or HELOISIP should retry after some minutes.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Doherty
Sent: Thursday, January 12, 2006 2:15 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Sandy's 5xx event sink

Hi, Markus-

We don't block on a missing PTR record, but some people do. There are people who block if the PTR record doesn't match the HELO or EHLO string, and some who block if the HELO/EHLO, PTR, and A records don't match perfectly.

IMO, anybody who blocks based on failing a single test is not doing their clients any favors. There are exceptions to that, of course - for known spammers, etc. - but for random incoming mail, there's some legit stuff coming in to us that lacks a PTR record.

For us, the PTR record check is just one of the tests we run. It is weighted heavily, but it is not decisive by itself.

-Dave Doherty
Skywaves, Inc.

----- Original Message -----
From: "Markus Gufler" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, January 12, 2006 3:38 AM
Subject: RE: [Declude.JunkMail] Sandy's 5xx event sink
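
Added example, not part of the thread and not code from Declude or any participant: a sketch of the threshold-triggered envelope gate Markus describes, with DNS timeouts kept separate from a true missing PTR as Matt cautions. The class and function names, the threshold value, and the choice of reply code 451 for the temporary failure are assumptions.

```python
from collections import deque
from enum import Enum

class Ptr(Enum):
    PRESENT = 1   # reverse DNS lookup returned a name
    MISSING = 2   # resolver answered: no PTR record exists
    TIMEOUT = 3   # resolver gave no answer; not evidence of absence

class AdaptiveEnvelopeGate:
    """Tempfail suspicious envelopes only while a flood is in progress."""

    def __init__(self, threshold, window=300):
        self.threshold = threshold   # the "x" from the post (value assumed)
        self.window = window         # 5 minutes, in seconds
        self.hits = deque()          # timestamps of suspicious connections

    def decide(self, now, ptr, helo_is_ip):
        """Return the SMTP reply code for this envelope: 250 or 451."""
        # Drop hits that have aged out of the sliding window.
        while self.hits and now - self.hits[0] >= self.window:
            self.hits.popleft()
        # A timeout is deliberately not counted as a missing PTR.
        suspicious = ptr is Ptr.MISSING or helo_is_ip
        if not suspicious:
            return 250
        self.hits.append(now)
        if len(self.hits) > self.threshold:
            return 451               # temporary failure: legit MTAs retry
        return 250                   # below threshold: accept, score later

def simulate(events, threshold, window=300):
    """Run (timestamp, ptr, helo_is_ip) tuples through a fresh gate."""
    gate = AdaptiveEnvelopeGate(threshold, window)
    return [gate.decide(t, ptr, helo) for t, ptr, helo in events]

# Constructed sample: a short burst, a timeout, a clean host, then a
# lone PTR-less sender arriving after the window has expired.
CONSTRUCTED_EVENTS = [
    (0, Ptr.MISSING, False), (1, Ptr.MISSING, False), (2, Ptr.PRESENT, True),
    (3, Ptr.MISSING, False), (4, Ptr.MISSING, True),
    (5, Ptr.TIMEOUT, False), (6, Ptr.PRESENT, False),
    (400, Ptr.MISSING, False),
]

if __name__ == "__main__":
    print(simulate(CONSTRUCTED_EVENTS, threshold=3))
```

Because rejected connections still count toward the window, the gate stays closed for as long as the flood continues and reopens on its own once the rate drops.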
