On 4 Jan 2015, at 18:43, rogt3...@proinbox.com wrote:
Reading Postfix's docs re
Disconnect suspicious SMTP clients
http://www.postfix.org/STRESS_README.html#hangup
in the example there it says
"To hang up connections from blacklisted zombies, you can set specific
Postfix SMTP server reject codes for specific RBLs ... We'll use
zen.spamhaus.org as an example ... their documents say that a response
of 127.0.0.10 or 127.0.0.11 indicates a dynamic client IP address,
which means that the machine is probably running a bot of some kind."
and uses in a restriction
/etc/postfix/main.cf:
    smtpd_client_restrictions =
        permit_mynetworks
        reject_rbl_client zen.spamhaus.org=127.0.0.10
        reject_rbl_client zen.spamhaus.org=127.0.0.11
        reject_rbl_client zen.spamhaus.org
then sets up a 521-response reply map to override the usual 554
responses.
That's clear and I understand how it works.
When you read the spamhaus docs for those response codes @
http://www.spamhaus.org/faq/section/DNSBL%20Usage#202 it says
DNSBL  Zone to Query      Returns        Contains
SBL    sbl.spamhaus.org   127.0.0.2-3    Static UBE sources, verified spam
                                         services (hosting or support) and
                                         ROKSO spammers
XBL    xbl.spamhaus.org   127.0.0.4-7    Illegal 3rd party exploits,
                                         including proxies, worms and
                                         trojan exploits
PBL    pbl.spamhaus.org   127.0.0.10-11  IP ranges which should not be
                                         delivering unauthenticated SMTP
                                         email.
ZEN    zen.spamhaus.org   127.0.0.2-11   Combined zone (recommended).
                                         Includes SBL, XBL and PBL.
My question is about usage.
Is there a reason NOT to simply use the 521 hangup codes for ALL the
spamhaus hits from 127.0.0.2-11 ? It seems to me like all of those
would be good candidates.
Before I go ahead I wanted to ask in here from somebody with more
experience maybe.
The problems with just hanging up on listed IPs (whether in smtpd or
postscreen) are:
1. Different sorts of spam senders react differently to different styles
of rejection & error codes. A 521+hangup is much more likely to be
interpreted as a general server failure than is an accurate 554 5.7.1
reply which is clearly an expression of policy, and *SOME* spammers do
eventually give up on servers that persistently send such expressive
responses.
2. Even Spamhaus makes mistakes.
3. The "probably" of the documentation hides the fact that on a fairly
regular basis, people with entirely innocent intent attempt to send mail
which is absolutely not spam from IPs that are on the PBL for entirely
proper reasons. There is a benefit in giving those people the clearest
sort of rejection possible and one which their MUAs are most likely to
interpret correctly.
4. There's a reason for this to be documented in STRESS_README. If you
are not under significant connection stress, you don't gain much by
dropping connections with a 521 rather than sending the proper rejection
response and doing a normal shutdown.
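As an added illustration of the decision the thread is about (not code from either poster or from Postfix), the following Python builds the reversed-octet ZEN query name, maps a 127.0.0.x answer to the SBL/XBL/PBL zone from the table above, and picks the reply: the expressive 554 5.7.1 by default, and the 521 hangup only for PBL hits and only when the server is under connection stress. The reply texts and the `under_stress` flag are assumptions for the example.

```python
import ipaddress
from typing import Optional, Tuple

# ZEN return-code ranges exactly as listed in the Spamhaus table quoted in
# the thread. Any answer outside 127.0.0.2-11 is treated as "not a listing".
ZEN_ZONES = (
    ("SBL", 2, 3, "static UBE sources, spam services, ROKSO spammers"),
    ("XBL", 4, 7, "illegal 3rd-party exploits (proxies, worms, trojans)"),
    ("PBL", 10, 11, "range should not deliver unauthenticated SMTP"),
)


def dnsbl_query_name(client_ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reversed-octet DNSBL query name for an IPv4 client."""
    addr = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_zen_answer(answer: str) -> Optional[Tuple[str, str]]:
    """Map a 127.0.0.x answer to (zone, description); None if not a listing."""
    addr = ipaddress.IPv4Address(answer)
    if addr.packed[:3] != b"\x7f\x00\x00":
        return None
    last = addr.packed[3]
    for zone, lo, hi, desc in ZEN_ZONES:
        if lo <= last <= hi:
            return zone, desc
    return None


def smtp_reply_for(answer: str, under_stress: bool = False) -> Optional[str]:
    """Return the SMTP reply for a listed client, or None when not listed.

    Default is a 554 5.7.1 policy rejection (clear to humans and MUAs).
    The 521 hangup is reserved for PBL (dynamic-range) hits while the
    server is under connection stress, as in STRESS_README.
    """
    hit = classify_zen_answer(answer)
    if hit is None:
        return None
    zone, desc = hit
    if under_stress and zone == "PBL":
        return f"521 5.7.1 Service unavailable; listed by {zone}: {desc}"
    return f"554 5.7.1 Service unavailable; listed by {zone}: {desc}"
```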