-------- Original-Nachricht --------
> Datum: Fri, 21 Sep 2007 22:46:18 +0100
> Von: "Riaan Kok" <[EMAIL PROTECTED]>
> An: policyd-weight-list@ek-muc.de
> Betreff: Re: 4xx or 5xx: just a matter of taste?

> Thanks for the explanations!  Some more comments:
> 
> On 21/09/2007, Robert Felber <[EMAIL PROTECTED]> wrote:
> > On Thu, Sep 20, 2007 at 07:10:08PM +0100, Riaan Kok wrote:
> > > On 19/09/2007, Robert Felber <[EMAIL PROTECTED]> wrote:
> > > >
> > > > On Wed, Sep 19, 2007 at 09:56:48AM +0100, Riaan Kok wrote:
> > > > >    What's the thinking behind choosing between 450s and 550s in
> > > > >    policyd-weight?
> > > >
> > > > Be more specific?
> > >
> > >
> > > It seems to me that in policyd-weight, by default, 450s are used for
> clients
> > > with DNS errors or client connections with a lowish score (and stuff
> > > shortcircuited in the DEFER_STRING), and 550s then for everything
> else: high
> > > scoring clients, multi-RBL-listed clients, etc.
> > >
> > > I'm not sure that I understand the reasoning that has gone before here
> > > (especially, why being listed in spamcop (IN_SPAMCOP)  or having a
> bogus mx
> > > record would shortcircuit the default reject to the defer_action?).
> >
> > Spamcop: Delisting Policy: 12 - 24 hours after last report
> >          Some FPs in the past
> >
> > So - a Spamcop listing may be temporarily. If scores go gen sky, then
> > this may not be temporarily.
> 
> Ok, but the check seems to not care whether the client is listed in
> other RBLs or have numerous other mistakes - IN_SPAMCOP is a surefire
> ticket from 5xx to 4xx, and the whole point of my post is about caring
> whether you 4xx or 5xx.
> 
> 
> > > Anyway, my understanding of 4xx versus 5xx is this: a 4xx (defer) from
> an
> > > MTA means go-away-and-try-again-later (keeping the responsibility with
> the
> > > client), and a 5xx pretty much means go-away-and-notify-the-sender
> (shifting
> > > the responsibility to the sender).
> > >
> > > By far the most of the messages that gets rejected by policyd-weight
> in
> > > sheer numbers seems to be by hardcore listed spamfountains, and it
> doesn't
> > > really matter how you reject the msg as long as you don't allow it!
> >
> > It does matter. As we always have to consider that the client maybe  a
> > FP/legitime sender. In such cases the majority does indeed want that
> > (even if FP), the sender gets an _instant_ feedback - and not after 5
> > or more days.
> 
> I may not have been that clear, but FPs was handled in the "The
> remaining percentage" paragraph of mine..  To clarify my position: if
> the client is a true spammer, no person (that matters) would care how
> you get rid of it.
> 
> > > these clients will just keep on inventing new messages and senders so
> it
> > > doesn't matter whether you defer or reject, they will sit there and
> hog your
> > > smtpd processes and try and try again.
> >
> > Does that change in any way with 4xx(421)? You have also the
> > smtpd_hard_error_limit in postfix.
> 
> I experimented with a Postfix + greylisting + no_RBLs server once and
> changed the greylister's 450 to a 421 and saw roughly a 40% drop in
> NOQUEUE messages in the logs.  In other words, the spam hogs might
> still come back (and reconnect), but they seem to be less likely to.
> 
421 with Postfix 2.3.0 and higher has as well the positive effect that the 
connection gets immediately closed. This helps to keep Postfix connection pool 
less stressed. When I had a spam bot network attack on my infrastructure then 
switching to 421 helped drastically to lower the load on Postfix.


> -------------------------------------------
> On 21/09/2007, Henrik Krohns <[EMAIL PROTECTED]> wrote:
> 
> > On Fri, Sep 21, 2007 at 06:45:29AM +0200, Steve wrote:
> > >
> > > 421 would be good for all using Postfix >= 2.3.0.
> >
> >   A bit off-topic, but in case of 4xx, I think 420 should be used.
> According
> >   to Postgrey, that's the least error-prone in case of Exchange etc.
> They
> >   switched to it some time ago.
> 
> Henrik, in my experience a greylister needs caretaking in the shape of
> a custom whitelist anyway..  thanks to treating ALL mail to the defer
> action.  And Postfix treats only 421 out of the whole 4xx range in the
> way that is advantageous to your server if the client is actually a
> spammer.
> ---------------------------------------------
> 
> > > In the worst case, 5xx rejects on
> > > these will create scatter to faked senders.
> >
> > How so? Only if the client is a forwarder, in such cases the forwarder
> should
> > check what it does forward. The forwarder will be a backscatter source
> then,
> > yes.
> >
> 
> here, FPs:
> > > The remaining percentage of rejected messages will be from
> > > poorly-configured-yet-well-meaning clients, where the SENDER is either
> an
> > > uncaring webmailer or server daemon, or a clueless human with no idea
> or
> > > control over the reason for the reject..  And the most reliable way of
> > > notifying the administrator of the offending client (rather than the
> > > clueless sender) seems to me to be: letting a queue grow on his/her
> server
> > > by issuing 4xx defers!
> >
> > This will turn into a philosophic issue which we don't need for
> > defaults.
> 
> It does get tricky!
> 
> > Policyd-weight has also been written with just-in-time in mind. Many
> > organisations need to react/communicate rather quickly. If an error
> occurs,
> > even if false, then rather get to know of the error rather sooner than
> later.
> 
> Hmm, this is an advantage of rejects that defers would lack..  What's
> the list experience here: Does legit and false-positived senders seem
> to cope with the burden of notifying their MTA admin?  Using defers
> goes straight to the source, but the admin has got to notice it first!
> 
> > > Here's what I'm thinking:
> > > Why not use 421 across the board in policyd-weight?
> >
> > Several reasons which I described above and:
> >
> > The number of REJECT-worthy MTAs is still high.
> > This will not only increase their queue but also our load as we don't
> > cache everything. Especially 4xx we don't want to cache as the issue
> > might resolve. Which means, policyd-weight has to evaluate _every_
> deferred
> > client and we could throw away spam-caching (unless we implement scoring
> > for cache4xx:yes cache4xx:no).
> 
> Yes, the caching mechanism in policyd-weight does not seem to be
> compatible with my suggestion.  (By the way, how much of an advantage
> is the cache when you've already got a caching DNS server on
> localhost? (which seems rather logical if you're running DNS-based
> policy stuff!))
> 
> So, the higher the score and more likely the client is a true negative
> (lets call it the deal_harshly_zone), the more you want to get rid of
> the client in the way that is most advantageous to your server.  Enter
> 421..
> The closer the score to the REJECTLEVEL and the greater the likelyhood
> of a false positive (lets call it the be_nicer_zone), the greater the
> need to assist solving the problem.  Which is better: grow a queue on
> the client, or bounce to sender?  Hmm.
> 
> 
> > You can change all responses to 4xx and watch the results.
> 
> I did, on a non-primary MX machine that still has some traffic (a few
> thousand "confirmed" Ham daily)..  running since Monday for 4 days now
> and no problemo yet.
> 
> cheers,
> Riaan
> 
> PS. I come in flying all criticism-like, but I think policyd-weight is
> great!  Definitely worth spending time on and kudos to Robert and all
> for the piece of work.
> 
> ____________________________________________________________
> Policyd-weight Mailinglist - http://www.policyd-weight.org/

-- 
Psssst! Schon vom neuen GMX MultiMessenger gehört?
Der kanns mit allen: http://www.gmx.net/de/go/multimessenger

____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/

Reply via email to