On 3/7/06 9:18 AM, "Howard Lowndes" <[EMAIL PROTECTED]> wrote:

> I went with Postgrey over the weekend. That starts with a default 5
> minute delay time which has seen a sensational drop in crap, probably
> about 99% of the crap is now dropped, which says that most was coming
> off botnets.

Wow - that's a serious amount of crud.

> I did make two changes to the settings though; the max
> days for no activity in the whitelist I took out from 35 days to 36 days
> to cater for monthly mailing lists and 31 day months, and I took the
> must retry period down from 2 days to 4 hours - I reckon any MTA should
> be retrying within 4 hours.

The 4 hour thing might turn around and bite - I know that Sun and HP's mail hubs *might* retry within 4 hours, but maybe not from the same IP. Seems their mail farms share the spool via a distributed file system (NFS probably) across many physical machines. Doesn't really matter if your grey list database holds retry info for a few days; the records are small and disk space is cheap.

>> We also track the full tuple for 30 days: sender address, recipient address
>> and source SMTP IP address. However some companies have multiple out-bound
>> mail hubs (Novell, HP and Sun are the main culprits) so we simply
>> white-listed their domains, provided the source IP reverse-resolves to their
>> domains. This works a treat, but I haven't found a similar feature in
>> Postgrey :(
>
> Postgrey by default looks at the /24 subnet of the IP address, but that
> doesn't cater for Bigpond whose server farm extends over a wider block.
> I might have to look at whitelisting BP based on a regex of their MTA
> hostnames, something like omta*bigpond.com so that I don't get the *CPE*
> addresses which are likely to be zombies.

The regex matching in Postgrey is good - you'll be able to bash it into shape to achieve your desired result. Still, being able to say "acl whitelist domain example.com" is just dead easy in milter_greylist; it looks at the SRC IP, and if the SRC IP is in example.com, no grey listing is imposed. Simple, effective and, unless someone hijacks their DNS, spoof-proof.

>> Anyway, that's my experience with grey listing - it's an extremely
>> effective method to limit your exposure to e-mail botnets. Even if it
>> p155es of the users for a little while :)
>
> It only annoys those whose mates send an email and then phone them to
> say that they sent an email, and for those - care factor -> 0

Yup. As I tell the (l)users that complain: e-mail ain't another term for "instant messaging", get over it. Then again, these are the same people we tell "'Deleted Items' is NOT a 'Miscellaneous' folder that was mis-labelled!"

Sigh - life as a mail admin....blessing and curse. At least they didn't foist the mSexchange swerver upon me. I side-stepped that one nicely, leaving my team free to look after the *nix mail gateways :)

Cheers,
--
James

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
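The greylisting policy the thread describes (triplet of sender, recipient and /24 of the source IP, a 5 minute delay, a 4 hour must-retry window, whitelist expiry after 36 days of inactivity, and a milter_greylist-style domain whitelist keyed on reverse DNS), as an added Python example that is not from the thread, Postgrey or milter_greylist; the PTR table, addresses and timings in demo() are constructed stand-ins, and no real DNS lookups are made.

```python
import ipaddress
from datetime import datetime, timedelta
# Constructed stand-in for reverse DNS (PTR) lookups; no network access assumed.
PTR_TABLE = {"192.0.2.10": "smtp-out1.example.com"}

class Greylister:
    """Greylist on the triplet (sender, recipient, /24 of the source IP), as Postgrey does by default."""
    def __init__(self, delay=timedelta(minutes=5), retry_window=timedelta(hours=4),
                 whitelist_ttl=timedelta(days=36), trusted_domains=()):
        self.delay, self.retry_window, self.ttl = delay, retry_window, whitelist_ttl
        self.trusted = tuple(trusted_domains)
        self.pending = {}    # triplet -> time first seen (awaiting a retry)
        self.whitelist = {}  # triplet -> time last seen (auto-whitelisted)

    @staticmethod
    def key(sender, rcpt, ip):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)  # hub farms within one /24 share a key
        return (sender.lower(), rcpt.lower(), str(net))

    def domain_trusted(self, ip):
        host = PTR_TABLE.get(ip, "")  # milter_greylist-style: trust if the PTR name is in a trusted domain
        return any(host == d or host.endswith("." + d) for d in self.trusted)

    def check(self, sender, rcpt, ip, now):
        if self.domain_trusted(ip):
            return "accept"
        k = self.key(sender, rcpt, ip)
        last = self.whitelist.get(k)
        if last is not None and now - last <= self.ttl:
            self.whitelist[k] = now  # activity refreshes the whitelist entry
            return "accept"
        self.whitelist.pop(k, None)  # no activity for longer than ttl: entry expired
        first = self.pending.get(k)
        if first is None or now - first > self.retry_window:
            self.pending[k] = now  # unknown, or the sender waited too long: start the clock
            return "tempfail"
        if now - first < self.delay:
            return "tempfail"  # retried too early, keep deferring
        del self.pending[k]
        self.whitelist[k] = now  # a proper MTA retried in time: whitelist the triplet
        return "accept"

def demo():
    """Constructed scenario: a retrying MTA, whitelist expiry, and a trusted hub."""
    g = Greylister(trusted_domains=("example.com",))
    t0 = datetime(2006, 3, 7, 9, 0)
    return [g.check("a@mail.test", "me@slug.test", "203.0.113.5", t0),
            g.check("a@mail.test", "me@slug.test", "203.0.113.9", t0 + timedelta(minutes=2)),
            g.check("a@mail.test", "me@slug.test", "203.0.113.9", t0 + timedelta(minutes=20)),
            g.check("a@mail.test", "me@slug.test", "203.0.113.5", t0 + timedelta(days=40)),
            g.check("b@example.com", "me@slug.test", "192.0.2.10", t0)]
```

A zombie that never retries only ever sees "tempfail", which is the whole point of the delay; the second call in demo() shows the /24 key letting a retry from a sibling hub in the same block count.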
