>Perhaps I'm crazy, the numbers don't make sense. But here's the scenario. I
>upgraded from mail_version = 1.1.6 to 2.0.16 yesterday. Almost immediately I
>seemed to notice the number of SPAM messages reduced. This morning I have
>received a couple of calls expressing surprise and satisfaction with the
>dramatic reduction in SPAM. I was expecting to see a huge increase in
>REJECTED. However the percentage is actually lower: 58% today and 91%
>yesterday.
>The total number of messages received yesterday was 20K less than
>the previous day. So did SPAMMERS take a holiday yesterday, or should I stop
>smoking crack in the morning?
Rejects come from your restrictions, not from the version of Postfix,
unless when upgrading Postfix you also added new restriction features.
The amount of rejects (attacks) can vary a lot per day, but not usually the
amount of receptions. You'd have to take an average of the 7 days before the
upgrade and the 7 days after the upgrade.
I suggest you look at upgrading pflogsumm to the latest version.
Also, while blocking mail to dead accounts is fine, it's much better to
reject all mail to unknown users with check_recipient_maps (better for
your volumes) or RAV.
And then harvest the IPs and class C's that have been rejected above
<threshold> for the past 60 days (to get the mta_clients_dict.map file
primed), and then update it hourly for "today". You will find that IPs that
send large numbers of rejects to unknown users (illegal behavior meriting
suspension of their right to send anything to your known users; legit
servers don't send tons of messages to unknown users) are all slipping
mail (spam) through to your known users. This is easily proved by running, in
this order, near the top of your restrictions:
check_recipient_maps or RAV,
mta_clients_dict.map.
You will see that IPs harvested from the first line's rejects into the second
line still generate a lot of _dict rejects that would have gone to your
known users without the _dict blocking.
From yesterday at one ISP:
34 ACL [EMAIL PROTECTED]
40 SMTP unauthorized pipelining
69 ACL [EMAIL PROTECTED]
73 ACL unauthorized relay
90 DNS no A/MX for @recipient.domain
100 ACL HTML obfuscation
100 SMTP Exceeded Hard Error Limit after MAIL
116 ACL mta_clients_helo
148 SMTP invalid [EMAIL PROTECTED]
154 ACL body checks
185 ACL mta_clients_sav
186 SMTP invalid [EMAIL PROTECTED]
206 ACL RAV: new verification
281 ACL RAV: unverifiable recipient address
323 ACL from_senders_black
333 SMTP Exceeded Hard Error Limit after END-OF-MESSAGE
415 ACL helo_hostnames
550 ACL from_senders_slet
1089 ACL bogon network header
1255 ACL mta_clients_spamdomins
1336 ACL from_senders_bw
2239 ACL from_senders_imgfx
2285 ACL header checks
3771 DNS no A/MX for @sender.domain
3819 DNS timeout for MTA PTR hostname (forged @sender.domain)
4595 ACL mta_clients_regex
5080 RBL spamdomains.blackholes.easynet.nl
6167 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
7304 ACL SAV: new verification in progress
12203 ACL SAV: undeliverable sender address
15134 ACL mta_clients_bw
20568 ACL SAV: unverifiable sender address
22094 SMTP Exceeded Hard Error Limit after DATA
22221 ACL RAV: undeliverable recipient address <<<<<<<<<<<<<
23893 SMTP Exceeded Hard Error Limit after RCPT
27270 ACL mta_clients_dict <<<<<<<<<<<<
=================================
185738 TOTAL
and a totally different situation at another ISP yesterday:
466 ACL PTR hostname does not match hostname (forged HELO)
497 DNS nxdomain for MTA PTR hostname (forged @sender.domain)
643 DNS no A/MX for @sender.domain
685 RBL dynablock.easynet.nl
896 ACL from_senders_bw
917 RBL dnsbl.njabl.org
930 ACL forged @sender.domain not from sender PTR domain
1886 SMTP helo hostname is an IP
2132 ACL from_senders_imgfx
2660 RBL sbl.spamhaus.org
3217 SMTP helo hostname not fully qualified
3266 RBL blackholes.easynet.nl
11829 ACL from_senders_slet
16071 ACL subscriber network
16761 ACL mta_clients_dict <<<<<<<<<<<<
20634 SMTP Exceeded Hard Error Limit after DATA
70898 SMTP Exceeded Hard Error Limit after RCPT
232626 ACL to_relay_recipients unknown recipient <<<<<<<<<<<<
===============
389781 TOTAL
Len
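The harvesting step Len describes (count unknown-recipient rejects per client IP and per class C, then emit an access map for the ones above a threshold) as an added, stand-alone example. This is not Len's script nor anything from the Postfix project; the log lines are constructed for the example (RFC 5737 documentation addresses), the map name `mta_clients_dict` is borrowed from the post, and the threshold values are arbitrary. It parses the standard `postfix/smtpd` "Recipient address rejected: User unknown" reject line.

```python
import re
from collections import Counter

# Postfix smtpd reject line for an unlisted recipient. Anchored on the
# "Recipient address rejected: User unknown" text so that other 5xx
# rejects (relay denied, RBL hits, ...) are not counted.
UNKNOWN_RCPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 5\d\d [^:]*: "
    r"Recipient address rejected: User unknown"
)

# Constructed sample log (not real traffic): 192.0.2.10 and .11 hammer
# unknown users, 198.51.100.7 makes one typo, 203.0.113.5 is rejected for
# another reason and must not be counted, and one line is an accept.
SAMPLE_LOG = """\
Mar  3 08:00:01 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@spam.example> to=<aaron@example.com> proto=ESMTP helo=<mail.spam.example>
Mar  3 08:00:02 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@spam.example> to=<abby@example.com> proto=ESMTP helo=<mail.spam.example>
Mar  3 08:00:02 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@spam.example> to=<adam@example.com> proto=ESMTP helo=<mail.spam.example>
Mar  3 08:01:10 mx postfix/smtpd[2202]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<eve@spam.example> to=<alan@example.com> proto=ESMTP helo=<mx.spam.example>
Mar  3 08:01:11 mx postfix/smtpd[2202]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <alex@example.com>: Recipient address rejected: User unknown in local recipient table; from=<eve@spam.example> to=<alex@example.com> proto=ESMTP helo=<mx.spam.example>
Mar  3 08:02:00 mx postfix/smtpd[2203]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <jonh@example.com>: Recipient address rejected: User unknown in local recipient table; from=<carol@partner.example> to=<jonh@example.com> proto=ESMTP helo=<mail.partner.example>
Mar  3 08:02:30 mx postfix/smtpd[2204]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <x@other.example>: Relay access denied; from=<a@b.example> to=<x@other.example> proto=SMTP helo=<foo>
Mar  3 08:03:00 mx postfix/smtpd[2205]: connect from mail.partner.example[198.51.100.7]
"""


def class_c(ip):
    """First three octets, the form access(5) accepts as a network key."""
    return ip.rsplit(".", 1)[0]


def count_unknown_recipient_rejects(lines):
    """Return (per_ip, per_net) Counters of unknown-recipient rejects."""
    per_ip, per_net = Counter(), Counter()
    for line in lines:
        m = UNKNOWN_RCPT_RE.search(line)
        if m:
            ip = m.group("ip")
            per_ip[ip] += 1
            per_net[class_c(ip)] += 1
    return per_ip, per_net


def build_client_map(per_ip, per_net, ip_threshold, net_threshold):
    """Map access-map key -> action for clients above threshold.

    A whole class C is listed when its aggregate count crosses
    net_threshold; single IPs inside an already-listed /24 are skipped
    because the network entry covers them.
    """
    entries = {}
    for net, n in per_net.items():
        if n >= net_threshold:
            entries[net] = f"REJECT {n} unknown-recipient attempts from {net}.0/24"
    for ip, n in per_ip.items():
        if n >= ip_threshold and class_c(ip) not in entries:
            entries[ip] = f"REJECT {n} unknown-recipient attempts"
    return entries


def harvest(log_text, ip_threshold, net_threshold):
    """One pass over a log: counts then thresholded map entries."""
    per_ip, per_net = count_unknown_recipient_rejects(log_text.splitlines())
    return build_client_map(per_ip, per_net, ip_threshold, net_threshold)


def render_access_map(entries):
    """Text of an access(5) source file, one 'key<TAB>action' per line."""
    return "".join(f"{k}\t{v}\n" for k, v in sorted(entries.items()))


if __name__ == "__main__":
    # With these thresholds the two 192.0.2.x hosts roll up into one /24 entry;
    # the partner server's single typo stays below threshold.
    print(render_access_map(harvest(SAMPLE_LOG, ip_threshold=3, net_threshold=5)), end="")
```

To prime the map as described, run `count_unknown_recipient_rejects` over the 60 days of archived logs and add the resulting `Counter`s together (`Counter` supports `+`), then rerun it hourly on today's log and merge again before rebuilding. The rendered text is what you would `postmap hash:/etc/postfix/mta_clients_dict` and reference with `check_client_access hash:/etc/postfix/mta_clients_dict` in `smtpd_recipient_restrictions`, after the unknown-recipient check, as in Len's ordering. Keep the network threshold well above the per-IP one: a single /24 entry takes out every host on that network, including any legitimate relay that happens to share it.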