(Long posting ahead...)
>About a dozen spam got through.
Lucky you. I get more than a dozen spams to *each* of my several
mailboxes some days. On average, I'd say I get about half a dozen
per day, per email account. And I'm using several RBLs.
First off, if anyone sees any flaws in my logic or reasoning below,
by all means educate me. That's why I post to mailing lists.
On Feb 17th, (a 21MB log file, BTW, and logging isn't turned up on my
server) about 150 emails were spamtrapped (but spamtraps seem
ineffective), 150 hosts were blocked by RBLs, and about 35 hosts were
added to the TempBanned list, and hundreds upon hundreds of emails
were stopped that would have gotten through (that's not counting the
hundreds upon hundreds of bad addresses that caused those hosts to
get tempbanned in the first place.)
(make window wide to view)
00:02:42 1 SMTP-918([194.198.208.52]) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
00:02:42 1 SMTP-918([194.198.208.52]) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
00:02:42 1 SMTP-918([194.198.208.52]) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
00:02:42 1 SMTP-918([194.198.208.52]) SPAM? Too many bad usernames
(3); suspending the line for 10 seconds
00:02:52 1 SMTP-918([194.198.208.52]) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
00:02:52 1 SMTP-918([194.198.208.52]) SPAM? Too many bad usernames
(4); suspending the line for 10 seconds
00:03:02 1 SMTP-918([194.198.208.52]) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
00:03:02 1 SMTP-918([194.198.208.52]) SPAM? The host is now on
TempBanned list for the next 1200 seconds
00:03:02 1 SMTP-918([194.198.208.52]) SPAM? Too many bad usernames
(5); suspending the line for 10 seconds
00:03:12 1 SMTP-918([194.198.208.52]) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: sending host is blacklisted, "The
host is suspected in address harvesting"
THIS is happy blacklisting. Once a spammer "shotguns" the server
with all those user names, usually a few good user names follow in
the list after the host is blacklisted. To me that's stopping spam
just as well as or even better than the RBLs. Rather than letting
the RBLs decide this was a spammer, the SIMS server just handled it.
In all cases it's going to be either a really poorly managed mailing
list (perhaps not opt-in?) or a spammer. And searching out a host in
the logs nearly always shows that they eventually do go away after a
day or so of being denied. TempBans seem to be the most effective
form of anti-spam I've seen yet.
An idea for the spamtrap (and this could be used in Communigate Pro,
too) would be to have it add the host that was spamtrapped to the
Temp Banned list, but for something longer than 1200 seconds. 86400
seconds comes to mind as a good number. I see spamtrap hosts usually
sending one spam, being rejected as a spamtrap, then opening up
another connection later to send the email. On Feb 17th, my SIMS
server had 165 spamtrap rejections. ALL OF THEM were for Spamtrap
addresses (or aliases) only. The hosts that were rejected just came
right back and spewed spam later (usually under 5 seconds later).
Not a single spam sent to a real address was stopped due to spamtraps.
Case in point...
I'm not sure if the flowgo.com domain is problematic spam or not, but
I see that domain in my logs all day long being TempBanned, and
tripping spamtraps. If it *WAS* a legit spammer, I would only assume
that it'd be listed in an RBL. Still, I've never had a single
complaint about blocked email from this domain...
05:27:11 2 SMTP-797(MAILER115.flowgo.com) {S.0002348064} received, 3168 bytes
05:27:38 2 SMTP-801(MAILER115.flowgo.com) {S.0002348068} received, 3198 bytes
06:01:53 1 SMTP-206(MAILER115.flowgo.com) SPAM? address
<[EMAIL PROTECTED]> is a SpamTrap address
06:01:53 1 SMTP-206(MAILER115.flowgo.com) SPAM? Mail from
'<[EMAIL PROTECTED]>' rejected: SpamTrap
06:01:54 1 SMTP-206(MAILER115.flowgo.com) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
06:01:55 2 SMTP-206(MAILER115.flowgo.com) {S.0002348362} received, 2842 bytes
06:01:55 1 SMTP-206(MAILER115.flowgo.com) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
06:01:56 2 SMTP-206(MAILER115.flowgo.com) {S.0002348364} received, 2836 bytes
06:01:57 1 SMTP-206(MAILER115.flowgo.com) SPAM? address
<[EMAIL PROTECTED]> is a SpamTrap address
06:01:57 1 SMTP-206(MAILER115.flowgo.com) SPAM? Mail from
'<[EMAIL PROTECTED]>' rejected: SpamTrap
06:01:59 2 SMTP-206(MAILER115.flowgo.com) {S.0002348367} received, 2845 bytes
06:02:00 1 SMTP-206(MAILER115.flowgo.com) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
06:02:01 2 SMTP-206(MAILER115.flowgo.com) {S.0002348369} received, 2851 bytes
06:02:02 1 SMTP-206(MAILER115.flowgo.com) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
06:02:03 1 SMTP-206(MAILER115.flowgo.com) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
06:02:03 1 SMTP-206(MAILER115.flowgo.com) SPAM? The host is now on
TempBanned list for the next 1200 seconds
06:02:03 1 SMTP-206(MAILER115.flowgo.com) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: sending host is blacklisted, "The
host is suspected in address harvesting"
The spamtrap didn't seem to have an effect on this one. It wasn't
until it was TempBanned that email was blocked to
[EMAIL PROTECTED] (pcfarms was an active username).
Now, I know that quite a bit of spam leaks past my SIMS server, and
past the spam blocks on my secondary mailserver...
20:35:58 1 SMTP-658(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:37:53 2 SMTP-702(mail2.n-connect.net) {S.0002360762} received, 3904 bytes
20:44:13 1 SMTP-838(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:50:38 2 SMTP-039(mail2.n-connect.net) {S.0002361017} received, 4664 bytes
20:54:20 1 SMTP-143(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:54:20 1 SMTP-143(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:54:20 1 SMTP-143(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:54:20 1 SMTP-143(mail2.n-connect.net) SPAM? Too many bad usernames
(3); suspending the line for 10 seconds
20:54:30 1 SMTP-143(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:54:30 1 SMTP-143(mail2.n-connect.net) SPAM? Too many bad usernames
(4); suspending the line for 10 seconds
20:54:40 1 SMTP-143(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:54:40 1 SMTP-143(mail2.n-connect.net) SPAM? Too many bad usernames
(5); suspending the line for 10 seconds
20:54:53 1 SMTP-143(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:54:53 2 SMTP-143(mail2.n-connect.net) {S.0002361103} received, 16172 bytes
20:57:27 1 SMTP-219(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
20:58:57 1 SMTP-260(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
21:36:05 2 SMTP-180(mail2.n-connect.net) {S.0002361837} received, 3663 bytes
21:47:06 1 SMTP-384(mail2.n-connect.net) SPAM? Recipient
'<[EMAIL PROTECTED]>' rejected: user unknown
Since mail2 is on the host list in SIMS, it can't be TempBanned. I
don't find it shocking that such a large amount of spam leaks through.
I'm thinking the only way to really block spam well is to not run
secondary MX for a domain, or be more of a SIMS router-rat than I am
now. Yes, mail2 is a SIMS server, it is running all the same RBLs,
and spamtraps as my main server, but since it can't say "user
unknown" for a top level domain that it MXs for, it can run around
adding things to its TempBanned list, and spams leak past. Two SIMS
servers sharing TempBanned lists would solve this, but that could be
a total nightmare for someone at Stalker to code, not to mention to
admin.
I've always run a secondary mail exchanger for my domains, but I'm
wondering if it's really all that necessary since any respectable
sending host will retry later, and I might just come out ahead in
less spam.
If SIMS exists as an experiment to try out new things that might get
incorporated into Communigate Pro later, then changing the anti-spam
behavior would be a place to start. The only features I see that
might ever need to be added to SIMS would be experimental anti-spam
ones. Everything else is peachy.
-Jerry
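The three behaviours the post describes (the "user unknown" counter that ends in a 1200-second TempBan, the proposed 86400-second ban on a spamtrap hit, and the host-list exemption that lets the secondary MX leak) can be replayed over SIMS-style log lines to see how many deliveries each rule would have stopped. This is an added example, not SIMS or Stalker code; the log sample is constructed to mirror the flowgo.com sequence above, with made-up hostnames and addresses.

```python
import re
from datetime import datetime, timedelta

# Added example (not SIMS code): replays SIMS-style log lines against the TempBanned
# rule the post shows and the spamtrap-ban rule it proposes.
LINE = re.compile(r"^(\d\d:\d\d:\d\d) \d SMTP-\d+\(([^)]+)\) (.*)$")

BAD_USER_LIMIT = 5            # fifth "user unknown" puts the host on the TempBanned list
TEMPBAN_SECONDS = 1200        # ban length SIMS applies in the log excerpts
SPAMTRAP_BAN_SECONDS = 86400  # ban length the post proposes for a spamtrap hit

def replay(lines, spamtrap_bans=False, exempt=frozenset()):
    """Return {host: 'received' deliveries a ban would have blocked}; exempt = host-list hosts."""
    bad, banned_until, blocked = {}, {}, {}
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        host, msg = m.group(2), m.group(3)
        if host in banned_until and ts < banned_until[host]:
            if "received," in msg:          # a delivery that got through in the real log
                blocked[host] = blocked.get(host, 0) + 1
            continue
        if host in exempt:                  # e.g. the secondary MX: never TempBanned
            continue
        if "rejected: user unknown" in msg:
            bad[host] = bad.get(host, 0) + 1
            if bad[host] >= BAD_USER_LIMIT:
                banned_until[host] = ts + timedelta(seconds=TEMPBAN_SECONDS)
                bad[host] = 0
        elif spamtrap_bans and "is a SpamTrap address" in msg:
            banned_until[host] = ts + timedelta(seconds=SPAMTRAP_BAN_SECONDS)
    return blocked

# Constructed sample modelled on the flowgo.com sequence in the post (names are made up).
SAMPLE = """\
05:27:11 2 SMTP-797(mailer.example.net) {S.0000000001} received, 3168 bytes
06:01:53 1 SMTP-206(mailer.example.net) SPAM? address <trap@example.org> is a SpamTrap address
06:01:54 1 SMTP-206(mailer.example.net) SPAM? Recipient '<a@example.org>' rejected: user unknown
06:01:55 2 SMTP-206(mailer.example.net) {S.0000000002} received, 2842 bytes
06:01:55 1 SMTP-206(mailer.example.net) SPAM? Recipient '<b@example.org>' rejected: user unknown
06:01:56 2 SMTP-206(mailer.example.net) {S.0000000003} received, 2836 bytes
06:02:00 1 SMTP-206(mailer.example.net) SPAM? Recipient '<c@example.org>' rejected: user unknown
06:02:01 2 SMTP-206(mailer.example.net) {S.0000000004} received, 2851 bytes
06:02:02 1 SMTP-206(mailer.example.net) SPAM? Recipient '<d@example.org>' rejected: user unknown
06:02:03 1 SMTP-206(mailer.example.net) SPAM? Recipient '<e@example.org>' rejected: user unknown
06:02:10 2 SMTP-206(mailer.example.net) {S.0000000005} received, 2900 bytes
""".splitlines()
```

With the current rule only the delivery after the fifth bad username is stopped; with the proposed spamtrap ban every delivery after the trap hit is, and an exempt host is never banned at all.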