>I have found that fighting SPAM can be a thankless job. :))
Yesterday, I received a spam msg from "Moshe Koldny" <[EMAIL PROTECTED]> (is Moshe/Moses ever the name for a girl?), received by my backup MX (already a bad sign) from a subscriber IP "c-24-125-17-169.va.client2.attbi.com", always a bad sign:

  vba3221.jpg

  Hi I am running a small website, Please come visit me and click on my
  sponsors, this way I will be able to pay my ISP bills.
  the site is here. <http://www.kievonline.org/>http://www.kievonline.org/
  please be patient as the site is only 1 week old and we need money to pay
  for it we do have a nice forum though
  <http://www.kievonline.org/forum/>http://www.kievonline.org/forum/
  Thanks allot

==================================================

The website traceroutes to apparently near Atlanta GA:

14  pos5-0-2488M.cr1.LAX1.gblx.net (67.17.72.105)  55.200 ms  54.862 ms
    pos5-0-2488M.cr2.LAX1.gblx.net (67.17.67.170)  100.935 ms
15  pos0-0-2488M.cr1.ATL1.gblx.net (67.17.70.1)  82.594 ms  81.552 ms  85.511 ms
16  pos0-0-0-155M.ar3.ATL1.gblx.net (67.17.68.246)  82.465 ms  82.932 ms  82.362 ms
17  American-Pro-Servers-Inc.so-2-2-0.br1.ATL1.gblx.net (64.211.110.42)  101.145 ms  84.901 ms  84.004 ms
18  server10.fastbighost.com (64.74.112.74)  82.919 ms  84.329 ms  81.827 ms

Their web pages are probably poisoned with IE-exploits. I just deleted the msg.

Today I received another msg from [EMAIL PROTECTED], again via my backup MX, but this time from a PTR-less IP in a Class B .cn reverse zone:

; AUTHORITY SECTION:
226.159.in-addr.arpa.  10800  IN  SOA  ns.cnc.ac.cn. hostmaster.ns.cnc.ac.cn. 2003090901 10800 900 604800 86400

... with this joyful msg (perhaps hoping I would respond to his email, validating my email, or visit the poisoned website):

  "You are a piss head for hacking my site and informing my isp !!!
  Fuck you nigger. if your a man you should come here and tell me in my face
  A man needs to make a living you know, Now you think my isp is going to do
  something to stop me ? FUCK YOU Nice try.
  I have added your email address to every fucking spam list I can find
  Next time youll fuck with the right person"

Thankless, indeed, AND pleasant!! :)

Anyway, NEVER take any of these messages personally, and NEVER respond, since the [EMAIL PROTECTED] could be forged and/or set up to harvest your response email or exploit your browser when visiting their website.

========================================

>My thought was to ratchet down IMGate a bit (perhaps remove one RBL)

not a very precise ratchet-down, but whatever

>and then let SPAMASSASSIN block. This way the
>customers would SEE some of the blocked mail.

How will the customers see the mail if SA blocks it? Tag some of it and let it through? perhaps pass some farm porn to one of the people who complains about spam leaks?

>Perhaps this is unwise. Hence my request for comments on people using both
>IMGate and SPAMASSASSIN.

declude, SA, other content-scanners are useful for catching the 4% or 5% that gets past IMGate (probably less than 4% if running the advanced filters).

>p.s. Now I'm blocking almost 5 million messages a month!

I upgraded an MX a couple of weeks ago that is one of 3 MXs, each blocking 600+ K msgs/day, 2 million/day, 85% of all inbound is blocked. This is not a "mine is bigger than yours" point, but a point that escapes people running Declude, sniffer, or SA type solutions (on lower volumes) that reject only after the DATA command, and that is, that mail admins simply (perhaps can but) don't want these spam volumes running through their systems, or whose systems simply can't handle these volumes and don't want to spend their time + $$$ to upgrade their systems as required by $$$ content-scanner solutions just to reject spam.

So you're between a "rock", blocking legit mail that is mis-addressed or from a legit server incompetently set up, and a "hard place", a minuscule amount of spam leaking past your IMGate filters.

To block increments of spam that leak past IMGate, I find it useful to put in filters that are more aggressive than your would-be-blocked legit senders can tolerate (reject_unknown_client, reject_unknown_hostname, helo_world 4tuple, etc.) but run them in warn_if_reject mode and then look at the 4tuple report for each type of reject_warn. Very often you can very easily identify, from the 4tuple msgs, spam and legit servers badly set up (so you can whitelist them before promoting the warn_if_reject to reject).

Len
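The warn_if_reject review loop Len describes, as an added example that is not part of the original post, of IMGate, or of Postfix itself: with a restriction listed as, say, `warn_if_reject reject_unknown_client` in `smtpd_client_restrictions`, Postfix logs a `NOQUEUE: reject_warn:` line for each recipient it would have rejected but lets the mail through. The script below pulls those lines out of the mail log, groups them by the restriction that fired, and tallies the 4-tuple (client IP, client hostname, HELO name, envelope sender) so that repeat spam sources and misconfigured-but-legit servers both stand out; `client_access_entries` then emits `check_client_access` table lines for hosts you have reviewed and decided to whitelist. The log lines, hostnames and addresses are constructed (RFC 5737 documentation ranges), and the mapping from reason text to restriction name is an assumption based on the stock Postfix reply strings.

```python
"""Summarise Postfix warn_if_reject (reject_warn) log lines by 4-tuple.

Added example, not from the original post. Log lines are constructed to
mimic the Postfix smtpd log shape; all addresses are documentation values.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample log: two warn hits from one PTR-less client, one warn hit
# from a partner whose HELO name does not resolve, and one real (non-warn)
# RBL reject that the report must ignore.
SAMPLE_LOG = """\
Sep 10 08:12:01 mx2 postfix/smtpd[1234]: NOQUEUE: reject_warn: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<promo@example.net> to=<user@example.org> proto=ESMTP helo=<vba3221>
Sep 10 08:12:05 mx2 postfix/smtpd[1234]: NOQUEUE: reject_warn: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<promo@example.net> to=<other@example.org> proto=ESMTP helo=<vba3221>
Sep 10 08:13:40 mx2 postfix/smtpd[1240]: NOQUEUE: reject_warn: RCPT from mail.partner.example[203.0.113.5]: 450 4.7.1 <mail.partner.example>: Helo command rejected: Host not found; from=<orders@partner.example> to=<sales@example.org> proto=ESMTP helo=<mail.partner.example>
Sep 10 08:14:02 mx2 postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<x@example.com> to=<user@example.org> proto=SMTP helo=<198.51.100.7>
"""

# Shape of a Postfix smtpd warn line: "reject_warn: RCPT from host[ip]: code
# reason; from=<sender> to=<rcpt> proto=... helo=<name>".
REJECT_WARN_RE = re.compile(
    r"NOQUEUE: reject_warn: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<[^>]*>"
    r"(?: proto=\S+)?(?: helo=<(?P<helo>[^>]*)>)?"
)

# Assumed mapping from the reply text to the restriction that produced it
# (reject_unknown_hostname is the older name for reject_unknown_helo_hostname).
RESTRICTION_HINTS = (
    ("cannot find your hostname", "reject_unknown_client"),
    ("Helo command rejected: Host not found", "reject_unknown_hostname"),
)


def parse_reject_warn(line):
    """Return {'restriction', 'tuple'} for a reject_warn line, else None."""
    m = REJECT_WARN_RE.search(line)
    if not m:
        return None
    restriction = "other"
    for hint, name in RESTRICTION_HINTS:
        if hint in m.group("reason"):
            restriction = name
            break
    four_tuple = (m.group("ip"), m.group("host"), m.group("helo") or "",
                  m.group("sender"))
    return {"restriction": restriction, "tuple": four_tuple}


def build_report(log_text):
    """Map restriction name -> Counter of (ip, host, helo, sender) hits."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_reject_warn(line)
        if rec:
            report[rec["restriction"]][rec["tuple"]] += 1
    return report


def format_report(report):
    """Render one section per restriction, busiest 4-tuples first."""
    out = []
    for restriction in sorted(report):
        out.append(f"== {restriction} ==")
        for (ip, host, helo, sender), hits in report[restriction].most_common():
            out.append(f"{hits:5d}  {ip:<15} {host:<28} helo=<{helo}> from=<{sender}>")
    return "\n".join(out)


def client_access_entries(ips):
    """check_client_access lines for clients reviewed as legit-but-misconfigured."""
    return [f"{ip}\tOK" for ip in sorted(ips)]


if __name__ == "__main__":
    # Pass a mail log path to read it; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(build_report(text)))
    print("\n".join(client_access_entries(["203.0.113.5"])))
```

The report is read the way the post suggests: a PTR-less client hitting many recipients with a junk HELO is spam and needs no action before the restriction is promoted, whereas a partner whose only problem is an unresolvable HELO gets a `check_client_access` OK entry first, so promoting `warn_if_reject reject_unknown_hostname` to a real reject does not cut them off.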
