We've all been filtering email for years now and it's not getting any better.
The mail abuse war will never be won. It's been muddy trench warfare
for years, with neither side winning or losing technically (although
MXs lose money defending, while spammers make huge money attacking),
escalation and counter-escalation. The best you can do is just stay
in the game, and minimize your defensive costs.
The best minimization is to reject as much as possible only on
envelope data:
IP, HELO, MAIL FROM, RCPT TO. You can reject near 95% of spam at
this level, greatly reducing the traffic passed to the next phase,
the expensive scanning of the DATA.
No offense to the people offering filtering software but the
information on who is spamming our systems is right in our own logs.
Yes, reactive blacklisting based on rejects in the logs is a very
valuable tactic, again blocking pre-DATA.
Given that 95% of email that comes to all of our servers is spam can
you imagine not having to process or pay to receive it?
That's why the main policies must be pre-DATA, which has been and is
IMGate's approach.
Sorting the information culled from our logs by IP reveals some
interesting information.
These attack patterns change from month to month and certainly year to year.
* all of those "invalid user" lines are likely to be future spamming IPs
Yes, when an IP has a history of sending to bad recips or
unverifiable senders, it is almost certainly a spamming IP.
Len
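The reactive, log-driven blacklisting described above, as an added example that is not part of the original post or of IMGate: it tallies pre-DATA RCPT rejects per client IP from constructed Postfix-style smtpd lines (addresses from the documentation ranges, not real traffic), splits them into bad-recipient and unverifiable-sender rejects, and lists the IPs that cross an assumed threshold as candidates for an access map. The log format, the reason strings and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd reject style (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:12:01 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.example> to=<nobody@example.org> proto=ESMTP helo=<spam.example>
Mar  3 10:12:05 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <ghost@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@spam.example> to=<ghost@example.org> proto=ESMTP helo=<spam.example>
Mar  3 10:12:09 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.1.8 <c@nxdomain.example>: Sender address rejected: Domain not found; from=<c@nxdomain.example> to=<alice@example.org> proto=ESMTP helo=<spam.example>
Mar  3 10:13:40 mx1 postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <old-alias@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<old-alias@example.org> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:14:02 mx1 postfix/smtpd[1235]: 3F2A1B: client=mail.partner.example[198.51.100.9]
"""

# Matches the envelope-stage rejects we care about; assumed reason strings.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) "
    r"(?:\S+ )?<[^>]*>: (?P<reason>Recipient address rejected: User unknown|"
    r"Sender address rejected: Domain not found)"
)


def tally_rejects(log_text):
    """Count pre-DATA rejects per client IP, split by why the RCPT was refused."""
    counts = defaultdict(lambda: {"bad_recipient": 0, "unverifiable_sender": 0})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail and other log lines are ignored
        kind = "bad_recipient" if m["reason"].startswith("Recipient") else "unverifiable_sender"
        counts[m["ip"]][kind] += 1
    return dict(counts)


def blacklist_candidates(counts, threshold=3):
    """IPs whose bad-recipient plus bad-sender rejects reach the threshold.
    The threshold is an assumption: tune it so a partner with one stale alias
    (198.51.100.9 in the sample) is not listed, while a dictionary run is."""
    return sorted(ip for ip, c in counts.items()
                  if c["bad_recipient"] + c["unverifiable_sender"] >= threshold)


def access_map_lines(ips):
    """Render candidates as lines for a Postfix client access map (review before use)."""
    return [f"{ip} REJECT" for ip in ips]


if __name__ == "__main__":
    tally = tally_rejects(SAMPLE_LOG)
    print("\n".join(access_map_lines(blacklist_candidates(tally))))
```

Run it over a real mail log only after checking the reason strings match your MTA's wording, and keep the threshold high enough that a legitimate peer with one dead alias is not listed.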