Arvid Ephraim Picciani wrote:
Greetings.
I'm thinking of implementing:
- greylisting
- honeypots
- rejecting broken HELO at smtp time (such as "MUMS_XP_BOX")
- rejecting dynamic IPs at smtp time (PBL)
- firewalling hosts with 100% spam, forever.
Are there any opposing opinions on those?
I recall some people don't like greylisting for some reasons.
Also I'm unsure if I should firewall, since the postmaster of that host
might all of a sudden get things under control. But we currently have around
99% spam, so I think I need more drastic actions before our mailbox
overloads :(
I'm getting lots of it from zombies, so I wonder if it's legitimate to scan
the sender before accepting. For example if it blocks icmp, it's very
likely a home router. But I have no data on that, and no clue.
Spamhaus has only about half of the zombies. PBL even lacks half of the
German dialup ISPs. I'm thinking I need my own techniques to build such
lists.
thanks.
I have good success rejecting malformed HELOs at smtp (postfix) using:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
I find this blocks around a third of all smtp connections.
Then I use zen.spamhaus.org and greylisting. Combined, HELO tests,
spamhaus and greylisting blocks ~96% of spam for me, and certainly gets
the easy/obvious spambots. I use postgrey (for postfix) which will
autowhitelist compliant servers that do retry so a week or two after
installation I noticed no real impact against legitimate mail. Moreover,
even a very minimal delay of 60 seconds is good enough to do the job as
spambots simply won't retry after the initial temporary rejection.
However, be prepared to come across the occasional legitimate sender
that may need whitelisting against greylisting as not all do retry.
After that, rejecting commonly spammed non-existent recipients
(recipient_access) and my own blacklists of IPs/sender domains that
continually spam me takes out a considerable chunk more. SA is left with
around 1% of the total spam volume to deal with.
I monitor my blacklists, and if they've not spammed in 1 month I remove
them from the list, checked weekly.
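As an added illustration (not code from either poster, nor Postfix or postgrey itself), here is a small model of the two checks the reply describes: a HELO classifier approximating reject_invalid_helo_hostname / reject_non_fqdn_helo_hostname, and a postgrey-style greylist keyed on the (client IP, sender, recipient) triplet with a 60 second delay and auto-whitelisting of clients that retry. The delay and retry threshold are assumed parameters, and the sample addresses are constructed.

```python
"""Model of Postfix-style HELO restrictions and postgrey-style greylisting.
Added example; simplified, not the real Postfix/postgrey implementation."""
import re

# One DNS label: alphanumerics and inner hyphens only (no underscores).
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.I)


def helo_verdict(helo: str) -> str:
    """Classify a HELO/EHLO argument: 'reject_invalid', 'reject_non_fqdn' or 'ok'."""
    if helo.startswith("[") and helo.endswith("]"):
        return "ok"                      # address literal, permitted by RFC 5321
    labels = helo.split(".")
    if not all(LABEL.match(label) for label in labels):
        return "reject_invalid"          # e.g. the underscores in MUMS_XP_BOX
    if len(labels) < 2 or not re.match(r"^[a-z]{2,}$", labels[-1], re.I):
        return "reject_non_fqdn"         # bare hostname, no domain part
    return "ok"


class Greylist:
    """Greylisting on the (client IP, sender, recipient) triplet.
    delay: seconds a new triplet is deferred (constructed default 60, as in the post).
    whitelist_after: successful retries before the client IP skips greylisting."""

    def __init__(self, delay: int = 60, whitelist_after: int = 5):
        self.delay, self.whitelist_after = delay, whitelist_after
        self.seen = {}        # triplet -> timestamp of first attempt
        self.passed = {}      # client IP -> number of compliant retries
        self.whitelist = set()

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        """Return 'accept' or 'defer' (i.e. a 451 temporary rejection)."""
        if ip in self.whitelist:
            return "accept"
        key = (ip, sender.lower(), rcpt.lower())
        first = self.seen.setdefault(key, now)
        if now - first < self.delay:
            return "defer"    # first attempt, or a retry that came too early
        # A real MTA retried after the delay; spambots typically never do.
        self.passed[ip] = self.passed.get(ip, 0) + 1
        if self.passed[ip] >= self.whitelist_after:
            self.whitelist.add(ip)
        return "accept"
```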