On 22/6/10 16:47, Charles Marcus wrote:
>> We DO recipient validation. I'm talking about cutting off the client
>> before they hit a good one. The point I was making is that if you use
>> something like fail2ban that detects an IP address that is doing a
>> dictionary attack, and block the connection you reduce the probability
>> of finding a recipient that will get validated.
> 
> Ahh... you are attempting to hide your valid recipients. Security
> through obscurity is a waste of time and resources imo.
No. I think I'm not getting the point across. It is clear we are in the
same boat, I also despise security by obscurity.

> I use fail2ban, but only to block hack attempts... I don't care much
> about someone finding out who the valid recipients are, I'm much more
> concerned with someone trying to crack a password...
Sure! But, once we have fail2ban in place, and watching over the logs,
it costs nothing to stop someone running a list trying to deliver some
crud. I compare this to the SSH attacks: nowadays it is not safe to have
passwords for SSH authentication, but that does not preclude cutting
access of list attackers with the likes of fail2ban so they do not lock
resources like TCP sockets or CPU cycles, or generate too much "noise"
in the logs.

> That's what I meant - add an after-queue filter and TAG+Deliver it. Use
> sieve to deliver it to a Spam folder if desired.
Agreed. Deciding on content should be in the hands of users, but,
please, do not start a flame over this. It will depart from the OP question.

-- 
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
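
The log-watching approach discussed in this message, as an added example that is not part of the original post and is not fail2ban's own code: it counts Postfix "User unknown" rejects per client IP and flags an address once it reaches a threshold inside a time window, in the spirit of fail2ban's `maxretry` and `findtime` options. The log lines are constructed, and `find_offenders` is a hypothetical name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Postfix smtpd log lines (documentation IP ranges, made-up recipients).
SAMPLE_LOG = """\
Jun 22 16:05:00 mx postfix/smtpd[2090]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jsmith@example.org>: Recipient address rejected: User unknown in local recipient table
Jun 22 16:31:10 mx postfix/smtpd[2095]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <j.smith@example.org>: Recipient address rejected: User unknown in local recipient table
Jun 22 16:40:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown in local recipient table
Jun 22 16:40:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown in local recipient table
Jun 22 16:40:09 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table
Jun 22 16:40:12 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table
Jun 22 16:40:20 mx postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
"""

# Matches only unknown-recipient rejects and captures the timestamp and client IP.
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 .*User unknown"
)

def find_offenders(log_text, maxretry=3, findtime=600, year=2010):
    """Return {ip: time of the reject that reached maxretry within findtime seconds}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-IP reject times still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if not m:
            continue              # accepted mail, disconnects, other rejects
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget rejects older than the window
        if len(hits) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
```

A client that mistypes an address twice half an hour apart (203.0.113.5 in the sample) stays under the threshold, while the host walking a recipient list is flagged on its third reject.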