I am an ISP with over 50000 users (which is not that big for an ISP) permanently connected. I can hardly imagine managing the policies of all my customers, and I know they really wouldn't like it. What if your ISP told you what you've got to do, where to go, and to forget about the buggy OS you've been using for years?
But mostly I agree, a clean network should be the basis.

On Tuesday 16 February 2010 at 12:40 -0800, Ted Mittelstaedt wrote:
> I know you're not going to want to hear this because you're looking
> for a quick fix, but nothing substitutes for good network design.
>
> Your buggy customer network should enforce the following:
>
> Direct SMTP transmission (port 25) is filtered so that only
> machines designated as mailservers are allowed to send outbound
> mail to port 25, everyone else must use the submission port 587 with
> SMTP authentication to send mail to one of your mailservers, which
> then relays this to the rest of the world.
>
> I know you don't have this now. But, you should be enforcing it
> on new customers and you should adjust all of your self-help
> documentation so that as customers discard PCs and set new ones
> up, that they start using auth-SMTP on the submission port.
>
> It will take a few years. And for some time you will wonder why
> you're bothering since it will seem like you're only doing all of the
> extra work of maintaining auth-smtp for a minority of customers.
>
> But the day will come that you will realize the majority of your
> customers are using smtp-auth. And every day after that the
> number of clients sending mail directly to port 25 will continue
> to dwindle and you will become more and more interested in just
> chopping the minority off and letting them scream.
>
> Ted
>
> Alexandre Chapellon wrote:
> > Hello the list,
> >
> > I have a quite buggy customer network, full of zombie PCs that spend
> > all day sending spam and wasting the whole "reputation" of my networks.
> > As a result it sometimes becomes quite hard to deliver queues for
> > specific domains such as Yahoo!'s hosted ones. Indeed they have some
> > temp fail (blacklist) mechanism that forbids my servers from sending
> > messages to them for hours.
> > That's why I would like to set up some outgoing filtering to avoid sending
> > too much spam through my mail relays. I think SA can help me in doing
> > so, but I also know it's not really intended to work this way. I guess SA
> > expects to work on MX hosts more than on smtp relays.
> >
> > My prerequisites are mainly:
> > - STOP as much spam as possible at SMTP time (before queuing)
> > - Have NO (or very few) false positives because I could not manage
> > telling thousands of users that they should *always_have_a_subject*,
> > *shouldn't_write_the_subject_in_CAPS* or anything else.
> >
> > Furthermore I can't rely on RBLs because a lot of my dyn IP addresses are
> > regularly listed on different blacklists.
> >
> > Has anyone already set up something like that, and what specific
> > config/tools/plugins could be useful for me?
> > If someone has already done it... does he/she have any statistics about
> > the efficiency of this setup?
> >
> > Best regards.
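
Added example, not part of the thread: one way to track the port 25 to port 587 migration Ted describes, by auditing outbound flow records for customers who still send directly to port 25 and would break when the filter is enforced. The record format, the mail server addresses and the sample data are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the ISP's designated mail servers (documentation-range addresses).
MAILSERVERS = {ipaddress.ip_address(a) for a in ("192.0.2.25", "192.0.2.26")}

# Constructed sample: "<source ip> <destination ip> <destination tcp port>"
SAMPLE_FLOWS = """\
192.0.2.25 203.0.113.10 25
198.51.100.7 192.0.2.25 587
198.51.100.8 203.0.113.10 25
198.51.100.8 203.0.113.11 25
198.51.100.8 203.0.113.12 25
198.51.100.9 192.0.2.26 587
198.51.100.9 203.0.113.10 25
truncated record
"""

def audit(flow_text, mailservers=MAILSERVERS):
    """Return (direct, submitters): per-customer counts of port 25 connections
    that the filter would block, and customers already using submission."""
    direct, submitters = {}, set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts[:2])
            port = int(parts[2])
        except ValueError:
            continue
        if src in mailservers:
            continue  # designated mail servers may send to port 25
        if port == 25:
            direct[str(src)] = direct.get(str(src), 0) + 1
        elif port == 587 and dst in mailservers:
            submitters.add(str(src))
    return direct, submitters

def migration_report(flow_text):
    """Summarise who would break if port 25 were blocked today."""
    direct, submitters = audit(flow_text)
    customers = set(direct) | submitters
    return {
        "top_direct_senders": sorted(direct.items(), key=lambda kv: -kv[1]),
        "port25_only": sorted(set(direct) - submitters),
        "submission_share": len(submitters) / len(customers) if customers else 0.0,
    }

if __name__ == "__main__":
    print(migration_report(SAMPLE_FLOWS))
```

Customers in `port25_only` are the ones to contact before enforcing the filter; a high count in `top_direct_senders` from a single address is a likely zombie PC.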