On 3 Sep 2009, at 22:14, Alan McKinnon wrote:
On Thursday 03 September 2009 22:51:04 Stroller wrote:
Relay through your ISP.
Using Postfix this is /etc/transports (and `postmap /etc/postfix/transport`
and restart Postfix)
If you have any influence at ucla.edu tell them how much their policy
sucks.
ucla.edu have the perfect policy.
They have a poor policy, which drops legitimate mail in favour of an
easy life for the system administrators.
I refuse point blank to accept any mail whatsoever from dynamic ranges or
insane reverse lookups.
Why? Because doing so immediately gets rid of 1,000,000+ spam messages PER
DAY.
Have you previously checked IPs against Spamhaus (85% of spam caught)
and also that the HELO address resolves correctly?
IE: mail from IP address 1.2.3.4 - which reverse lookups to
dsl-1-2-3-4.some.isp.net - is currently rejected, but the policy could
be changed to allow it if the mailserver connects saying HELO
coolname.com AND coolname.com resolves to 1.2.3.4
A spammer installing a virus on home PCs cannot afford to buy a domain
name for each of them, and if he allocates a sub-domain to each
infected computer then you can simply block the whole domain. I
believe you can check domains which are more or less than 14 days old
to allow for registrars offering no-payment grace periods.
... Do you have any idea how much that bandwidth costs in a
third world country? Or the spam cluster to deal with it?
You may be in a slightly exceptional position in that the bandwidth
cost - of syncing to Spamhaus and the additional DNS lookups - may be
prohibitive. UCLA are not.
Whatever the proportion of legitimate mail this policy rejects, this
policy DOES reject legitimate mail, and that's pretty lame because
there are other ways to achieve the goal (reduction of spam) without
that side-effect.
If you read postfix-users then you'll find many mail administrators in
a similar position to your own (dealing with millions of messages
daily) on that list, and that simply blocking home DSL connections is
not very popular amongst them. It's not considered a cool policy
because it's inefficient. I am not an expert on this subject - I'm
pretty sure there are other methods which will identify legitimate
hosts versus spammers which should be implemented before this one, but
I do not know the details.
Stroller.
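
The HELO check described in the message above, as an added example that is not part of the original e-mail or of Postfix. The function names, the PTR heuristic and the `dnsbl_listed` callable (a stand-in for a blocklist lookup) are assumptions made for illustration.

```python
import ipaddress
import re
import socket

def ptr_looks_dynamic(ptr_name, client_ip):
    """Heuristic (assumption): the PTR name embeds the IPv4 octets,
    forwards or reversed, as in dsl-1-2-3-4.some.isp.net."""
    octets = list(ipaddress.ip_address(client_ip).packed)
    digits = [int(d) for d in re.findall(r"\d+", ptr_name)][:4]
    return digits == octets or digits == octets[::-1]

def helo_confirms_ip(helo_name, client_ip, resolve):
    """True only if the HELO name forward-resolves to the connecting IP."""
    name = helo_name.rstrip(".").lower()
    if not name or name.startswith("["):   # address literals prove nothing
        return False
    try:
        addrs = resolve(name)
    except OSError:                         # NXDOMAIN, timeout, etc.
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == ip for a in addrs)

def system_resolve(name):
    """Real lookup via the system resolver (not used by the sample run)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def decide(client_ip, ptr_name, helo_name, resolve, dnsbl_listed):
    if dnsbl_listed(client_ip):             # blocklist check comes first
        return "reject: blocklisted"
    if not ptr_looks_dynamic(ptr_name, client_ip):
        return "accept: static-looking PTR"
    if helo_confirms_ip(helo_name, client_ip, resolve):
        return "accept: HELO resolves to client IP"
    return "reject: dynamic PTR and unconfirmed HELO"

# Constructed sample data, mirroring the names used in the message.
CONSTRUCTED_DNS = {"coolname.com": ["1.2.3.4"]}
def constructed_resolve(name):
    return CONSTRUCTED_DNS.get(name, [])

if __name__ == "__main__":
    not_listed = lambda ip: False
    for helo in ("coolname.com", "dsl-1-2-3-4.some.isp.net", "[1.2.3.4]"):
        print(helo, "->", decide("1.2.3.4", "dsl-1-2-3-4.some.isp.net",
                                  helo, constructed_resolve, not_listed))
```

Pass `system_resolve` instead of `constructed_resolve` to run the same decision against live DNS.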