Re: postgrey outgoing mail whitelister
Zitat von /dev/rob0 r...@gmx.co.uk: On Wed, Apr 18, 2012 at 04:33:31AM +0300, Henrik K wrote: Still, is it too much to ask for looking at things from many angles or backing up claims with any kind of statistics or science instead of personal gut feelings? Where/how would one collect such data? My mail stream differs from yours, as does my spam problem. The best, meticulously gathered statistics from one site won't be applicable to another site. Unfortunately the gut is what we have. My gut feeling is that SPF lookups are the surest way to make this scheme work without causing some kind of problem. Yes, my MX is also the outbound relay, but at bigger sites this is less likely. Another gut feeling: greylisting is past its prime. I do it using postscreen, but I sometimes consider disabling the deep protocol tests. The DNSBL scoring system is what blocks most of my spam. And that's how the gut feelings are differ. On our site greylisting is by far the most effective spam-block. For a long time we had problems because the RBL listings for spam sources only appear after they have dropped their spam to us, so pure RBL/DNSBL is near useless for us. With greylisting a big share of the spam bots don't come back anyway and the ones operate longer are finally listed in the RBLs at the time they would pass greylisting. Combined with a big automatic whitelist the negative impact from greylisting is near zero because all business partners and the like are whitelisted. Regards Andreas smime.p7s Description: S/MIME Cryptographic Signature
Re: postgrey outgoing mail whitelister
On 2012-04-17 6:54 AM, Reindl Harald h.rei...@thelounge.net wrote: the hard facts are that EVERY site using a dedicated spamfilter (own appliance or external service) have different IP's for MX and outgoing mail Not if they are using said spamfilter service for relaying their outbound mail *and* if the spamfilter service uses the same IP blocks for relaying. -- Best regards, Charles
Re: postgrey outgoing mail whitelister
Am 18.04.2012 14:13, schrieb Charles Marcus: On 2012-04-17 6:54 AM, Reindl Harald h.rei...@thelounge.net wrote: the hard facts are that EVERY site using a dedicated spamfilter (own appliance or external service) have different IP's for MX and outgoing mail Not if they are using said spamfilter service for relaying their outbound mail *and* if the spamfilter service uses the same IP blocks for relaying. IP blocks does not matter and if you whitelist BLOCKS you are making a major mistake - there are way to much single addresses with static IP and a mailserver where the other IPs in the address-block are totally different customers of the ISP owning the netblock so you should only whitelist single addresses a spamfilter usually does not relay if you have a managed network outgoing mails are usually not spam so the spamfilter-appliance is a dedicated IP and receives incoming mail from the internet, realy it after scan to the mailserver and the mailserver itself relays directly signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
Am 17.04.2012 11:48, schrieb Claudius: Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo. are you aware that you are whitelisting this way servers which sent spam to a user with autorply? signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
On Tue, 2012-04-17 at 11:50 +0200, Reindl Harald wrote: Am 17.04.2012 11:48, schrieb Claudius: Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo. are you aware that you are whitelisting this way servers which sent spam to a user with autorply? And I would add that an inbound MX does not necessarily === the same outbound server a domain would use. Typically anti-spam gateways or hosted services used inbound on one IP, whereas outbound mail coming from another IP and server. Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them!
Re: postgrey outgoing mail whitelister
Am 17.04.2012 11:50, schrieb Reindl Harald: Am 17.04.2012 11:48, schrieb Claudius: Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo. are you aware that you are whitelisting this way servers which sent spam to a user with autorply? what about using some tecs from here http://mailfud.org/postpals/ -- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: postgrey outgoing mail whitelister
Am 17.04.2012 12:09, schrieb Robert Schetterer: Am 17.04.2012 11:50, schrieb Reindl Harald: Am 17.04.2012 11:48, schrieb Claudius: Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo. are you aware that you are whitelisting this way servers which sent spam to a user with autorply? what about using some tecs from here http://mailfud.org/postpals/ this all will not work in most cases how do you act with us as example? you are sending a message to me to MX barracuda.thelounge.net well, you whitelist barracuda.thelounge.net but you will never receive any message from our spamfirewall this is a typical business case signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 12:12:53PM +0200, Reindl Harald wrote: Am 17.04.2012 12:09, schrieb Robert Schetterer: Am 17.04.2012 11:50, schrieb Reindl Harald: Am 17.04.2012 11:48, schrieb Claudius: Hi, as nobody seems to have a working solution I built a little Perl script that adds the IP of the server receiving outgoing mail to postgrey_clients.db It's still a little unfinished but working fine on my server. There's room for improvement though (IPv6 missing, rsyslog spawning and lastline fetching is non-optimal). Maybe I will improve this with piping and a fifo. are you aware that you are whitelisting this way servers which sent spam to a user with autorply? what about using some tecs from here http://mailfud.org/postpals/ this all will not work in most cases how do you act with us as example? you are sending a message to me to MX barracuda.thelounge.net well, you whitelist barracuda.thelounge.net but you will never receive any message from our spamfirewall this is a typical business case Stop spreading stupid FUD. It works in _majority_ of cases. For a certain large organization, 28% of total traffic matched a known entry and only 0.1% of those were spam. Most of that spam originated from large relays that should not be rejected directly at MTA anyway. And yes this was from my government organization with several thousands of users across many domains. If you don't understand what benefits such whitelisting achieves, then just be silent and don't use it.
Re: postgrey outgoing mail whitelister
Am 17.04.2012 12:38, schrieb Henrik K: On Tue, Apr 17, 2012 at 12:12:53PM +0200, Reindl Harald wrote: how do you act with us as example? you are sending a message to me to MX barracuda.thelounge.net well, you whitelist barracuda.thelounge.net but you will never receive any message from our spamfirewall this is a typical business case Stop spreading stupid FUD. It works in _majority_ of cases. If you don't understand what benefits such whitelisting achieves, then just be silent and don't use it. the majority has outgoing and incoming on the same IP? in which world are you living? i don't use it BECAUSE i understand the non-benefits signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 12:42:16PM +0200, Reindl Harald wrote: Am 17.04.2012 12:38, schrieb Henrik K: On Tue, Apr 17, 2012 at 12:12:53PM +0200, Reindl Harald wrote: how do you act with us as example? you are sending a message to me to MX barracuda.thelounge.net well, you whitelist barracuda.thelounge.net but you will never receive any message from our spamfirewall this is a typical business case Stop spreading stupid FUD. It works in _majority_ of cases. If you don't understand what benefits such whitelisting achieves, then just be silent and don't use it. the majority has outgoing and incoming on the same IP? in which world are you living? Statistics speak for themselves. Come back with hard facts instead of your FUD. i don't use it BECAUSE i understand the non-benefits Non-benefits? Like wasting few bytes of memory for keeping barracuda.thelounge.net in database even if it never matches? I guess if you are very short on memory then yes.. otherwise I don't understand what you example has anything to do with anything.
Re: postgrey outgoing mail whitelister
Am 17.04.2012 12:47, schrieb Henrik K: the majority has outgoing and incoming on the same IP? in which world are you living? Statistics speak for themselves. Come back with hard facts instead of your FUD. are you really too stupid not use the term FUD as long you are not understand what it means the hard facts are that EVERY site using a dedicated spamfilter (own appliance or external service) have different IP's for MX and outgoing mail additionally most big sites have MANY outgoing mailservers i don't use it BECAUSE i understand the non-benefits Non-benefits? Like wasting few bytes of memory for keeping barracuda.thelounge.net in database even if it never matches? what excatly do you not understand in the word benefit? where did i say anything about wasting memory? please consult google the explain benefit however, do what YOU want if you are happy, but accept that there other people which are calling it nonsense signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
On 2012-04-17 12:04, Sam Jones wrote: And I would add that an inbound MX does not necessarily === the same outbound server a domain would use. Typically anti-spam gateways or hosted services used inbound on one IP, whereas outbound mail coming from another IP and server. Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them! Valid point, thanks for the input. That's why I decided to white-list with a date in the past. In case there is no reply the white-list goes away soon. The main idea of this script was to have faster replies for mails to people we have sent mail ourselves. Some mail servers have ridiculously long retry periods and waiting an hour for a mail just sent made people impatient. This actually helped a lot. I could do a SPF lookup to white-list the outgoing remote servers though. On 2012-04-17 11:50, Reindl Harald wrote: are you aware that you are whitelisting this way servers which sent spam to a user with autorply? Haven't actually though about that. Thanks for bringing it up. I guess filtering autoreplies would be a good idea if I can figure out how.
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 12:54:10PM +0200, Reindl Harald wrote: the hard facts are that EVERY site using a dedicated spamfilter (own appliance or external service) have different IP's for MX and outgoing mail So? Postpals also looks at whole /24 subnets and also can compare sender/recipient emails. additionally most big sites have MANY outgoing mailservers I guess this would be new information for someone who doesn't have a clue. And it has little to do with how postpals performs in real life. Have you even READ the description? This is important because many legimate servers are located in dynamic looking networks etc, which commonly result in false rejects. Catching your big sites is not a goal worth mentioning. Your big sites are very likely to be on global whitelists already. i don't use it BECAUSE i understand the non-benefits Non-benefits? Like wasting few bytes of memory for keeping barracuda.thelounge.net in database even if it never matches? what excatly do you not understand in the word benefit? where did i say anything about wasting memory? please consult google the explain benefit You haven't actually said _anything_, only spread unnecessary doubt to everyone. however, do what YOU want if you are happy, but accept that there other people which are calling it nonsense Some people actually test theories before calling them nonsense. You haven't made a single point why there would be non-benefits in running postpals.
Re: postgrey outgoing mail whitelister
On 2012-04-17 12:09, Robert Schetterer wrote: what about using some tecs from here http://mailfud.org/postpals/ Thanks for the link, that's pretty much what I was looking for. Guess I'll have to improve my search engine skills ;) -- Claudius
Re: postgrey outgoing mail whitelister
Am 17.04.2012 13:05, schrieb Henrik K: Some people actually test theories before calling them nonsense. You haven't made a single point why there would be non-benefits in running postpals. maybe you should have read my replies? you are sending to the MX you are whitelisting the MX wonderful, the MX is mistly not the outgoing server you are receiving a spam-message your user has a autoreply with bad luck you are whitelisting the spamming server use greylisting or do not but it makes little sense to make AUTOMATIC whitelisting if you think it makes sense for you do it but realize that others have more practical expierience over years which can not be displayed in a single log snippet saying that it is a really bad idea signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 11:04:43AM +0100, Sam Jones wrote: Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them! It's fine to imagine many worst case scenarios, but it doesn't mean that you actually ever encounter one or that they even exist. A shared server or similar could be sending both ham and spam. I'm sure you would rather receive the ham instead of rejecting it straight away. After all, you do have _more_ defence layers than just the simple rbl/greylisting at MTA stage which we are talking about bypassing here? Someone commented about autoresponders.. every good admin should block them to suspicious mails anyway. I sure have lots of processing on my relay which prevents autoreplying to anything even smelling like spam. Stupid Outlookers..
Re: postgrey outgoing mail whitelister
Am 17.04.2012 13:37, schrieb Henrik K: On Tue, Apr 17, 2012 at 11:04:43AM +0100, Sam Jones wrote: Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them! It's fine to imagine many worst case scenarios, but it doesn't mean that you actually ever encounter one or that they even exist. A shared server or similar could be sending both ham and spam. I'm sure you would rather receive the ham instead of rejecting it straight away. this would be true if greylisting would rejecting straight away but greylisting don't by design it kills only RFC ignorant MTA's servers of people with permanent communication are whitelisted automatically by design, the other messages are only delayed so this sounds like having solution, searching for problem signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 01:29:23PM +0200, Reindl Harald wrote: you are sending to the MX you are whitelisting the MX wonderful, the MX is mistly not the outgoing server you are receiving a spam-message your user has a autoreply with bad luck you are whitelisting the spamming server So a imaginary bad luck scenario. It's funny I haven't encountered any in the two years I've been doing this _in the real world_. Also read my autoreply comment in other post. use greylisting or do not but it makes little sense to make AUTOMATIC whitelisting You do realize that the whitelisting should only apply to direct MTA rbl/greylisting/ptr/etc rules? If that's your _only_ defence, then yes I guess you should not use postpals. if you think it makes sense for you do it but realize that others have more practical expierience over years which can not be displayed in a single log snippet saying that it is a really bad idea Hopefully by now people realize that your practical expierience is questionable.
Re: postgrey outgoing mail whitelister
Am 17.04.2012 13:43, schrieb Henrik You do realize that the whitelisting should only apply to direct MTA rbl/greylisting/ptr/etc rules? If that's your _only_ defence, then yes I guess you should not use postpals. if you think it makes sense for you do it but realize that others have more practical expierience over years which can not be displayed in a single log snippet saying that it is a really bad idea Hopefully by now people realize that your practical expierience is questionable. -- Mit besten Grüßen, Reindl Harald the lounge interactive design GmbH A-1060 Vienna, Hofmühlgasse 17 CTO / software-development / cms-solutions p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40 icq: 154546673, http://www.thelounge.net/ http://www.thelounge.net/signature.asc.what.htm signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
Am 17.04.2012 13:43, schrieb Henrik K: Hopefully by now people realize that your practical expierience is questionable. my practical expierience is managing some hundret domains with 15.000 RCPT since years - so stop your idiotic personal attacks while nobody attacked you until you creeped out of your hole and replied to a message which was not sent as reply to one of yours signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
Zitat von Reindl Harald h.rei...@thelounge.net: Am 17.04.2012 13:43, schrieb Henrik K: Hopefully by now people realize that your practical expierience is questionable. my practical expierience is managing some hundret domains with 15.000 RCPT since years - so stop your idiotic personal attacks while nobody attacked you until you creeped out of your hole and replied to a message which was not sent as reply to one of yours Calm down boys. The world is not true/false but mostly it depends. If you really insist in pissing contest take it somewhere else, most of us don't care. Andreas
Re: postgrey outgoing mail whitelister
Am 17.04.2012 14:00, schrieb Henrik K: On Tue, Apr 17, 2012 at 01:53:50PM +0200, Reindl Harald wrote: Am 17.04.2012 13:43, schrieb Henrik K: Hopefully by now people realize that your practical expierience is questionable. my practical expierience is managing some hundret domains with 15.000 RCPT since years - so stop your idiotic personal attacks while nobody attacked you until you creeped out of your hole and replied to a message which was not sent as reply to one of yours Feel sorry for your users.. it's pretty obvious that your expierience and PRACTICAL expierience are different things. to remember: the Stop spreading stupid FUD was your first reply in this thread you are a blindly idiot play around with your childish solutions for problems which are not existing while other people are using dedicated spamfirewalls since many years which do no need greylisting at all because spam protection will never be made by one setting the right way really - leave me fuck in peace this is a typical business case Stop spreading stupid FUD. It works in _majority_ of cases. signature.asc Description: OpenPGP digital signature
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 02:06:34PM +0200, Reindl Harald wrote: Am 17.04.2012 14:00, schrieb Henrik K: On Tue, Apr 17, 2012 at 01:53:50PM +0200, Reindl Harald wrote: Am 17.04.2012 13:43, schrieb Henrik K: Hopefully by now people realize that your practical expierience is questionable. my practical expierience is managing some hundret domains with 15.000 RCPT since years - so stop your idiotic personal attacks while nobody attacked you until you creeped out of your hole and replied to a message which was not sent as reply to one of yours Feel sorry for your users.. it's pretty obvious that your expierience and PRACTICAL expierience are different things. to remember: the Stop spreading stupid FUD was your first reply in this thread you are a blindly idiot I apologize my Reply-To was left intact for private replies.. this was not meant for postfix-users. On my part this is already finished.
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 12:55:05PM +0200, Claudius wrote: On 2012-04-17 12:04, Sam Jones wrote: And I would add that an inbound MX does not necessarily === the same outbound server a domain would use. Typically anti-spam gateways or hosted services used inbound on one IP, whereas outbound mail coming from another IP and server. Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them! Valid point, thanks for the input. Eh, I'd call that a red herring. That's why I decided to white-list with a date in the past. In case there is no reply the white-list goes away soon. The main idea of this script was to have faster replies for mails to people we have sent mail ourselves. Some mail servers have ridiculously long retry periods and waiting an hour for a mail just sent made people impatient. This actually helped a lot. I could do a SPF lookup to white-list the outgoing remote servers though. That would make sense. As long as your whitelist merely bypasses greylisting you're not going to cause much harm with it. On 2012-04-17 11:50, Reindl Harald wrote: are you aware that you are whitelisting this way servers which sent spam to a user with autorply? Haven't actually though about that. Thanks for bringing it up. I guess filtering autoreplies would be a good idea if I can figure out how. In itself this is not a significant issue. An autoreply to spam is rarely going to go to the spammer: it will go to an innocent third party, or to an address which is not valid. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: postgrey outgoing mail whitelister
Quoting Henrik K h...@hege.li: On Tue, Apr 17, 2012 at 11:04:43AM +0100, Sam Jones wrote: Just imagine whitelisting a shared, spammy server because a domain is hosted on it. Naturally it will probably come through greylisting in the end anyway, but I'd not go out of my way to make it easy on them! A shared server or similar could be sending both ham and spam. I'm sure you would rather receive the ham instead of rejecting it straight away. After all, you do have _more_ defence layers than just the simple rbl/greylisting at MTA stage which we are talking about bypassing here? Someone commented about autoresponders.. every good admin should block them to suspicious mails anyway. I sure have lots of processing on my relay which prevents autoreplying to anything even smelling like spam. Stupid Outlookers.. Why bother whitelisting any ip address? I have my system flag the outgoing and incoming email address. If the from address and the to address, are reversed from how the email went from me to them, AND it passes other checks, like spf, THEN that email can come directly in. This isn't affected by shared servers, whitelisting incorrect ip addresses, and other issues. I also run most of my domains with different incoming and outgoing ip addresses for email.
Re: postgrey outgoing mail whitelister
On Tue, Apr 17, 2012 at 04:44:49PM -0400, Patrick Domack wrote: Why bother whitelisting any ip address? I have my system flag the outgoing and incoming email address. Am I defensive or stupid for wondering what's the point of your question? Surely people whitelist all kinds of things with different methods? Why do dnswl.org or other IP whitelisting exist? There are too many angles to consider. If the from address and the to address, are reversed from how the email went from me to them, AND it passes other checks, like spf, THEN that email can come directly in. Nothing wrong with this. Of course it's just one method amongst others and targets a pretty narrow area. This isn't affected by shared servers, whitelisting incorrect ip addresses, and other issues. Makes it sound like there are severe issues. All this is rare and in reality the whitelisting we are talking about is only about skipping some MTA rules that might directly delay or reject mail. Things change the more deeper you apply. I also run most of my domains with different incoming and outgoing ip addresses for email. But are they in the same subnet? Even if they aren't, it makes no difference. There are plenty enough servers that are. Different methods target different things. I'm truly sorry if I sound harsh or defensive, but that may be the direct Finnish way. Still, is it too much to ask for looking at things from many angles or backing up claims with any kind of statistics or science instead of personal gut feelings?
Re: postgrey outgoing mail whitelister
On Wed, Apr 18, 2012 at 04:33:31AM +0300, Henrik K wrote: Still, is it too much to ask for looking at things from many angles or backing up claims with any kind of statistics or science instead of personal gut feelings? Where/how would one collect such data? My mail stream differs from yours, as does my spam problem. The best, meticulously gathered statistics from one site won't be applicable to another site. Unfortunately the gut is what we have. My gut feeling is that SPF lookups are the surest way to make this scheme work without causing some kind of problem. Yes, my MX is also the outbound relay, but at bigger sites this is less likely. Another gut feeling: greylisting is past its prime. I do it using postscreen, but I sometimes consider disabling the deep protocol tests. The DNSBL scoring system is what blocks most of my spam. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
