On 07/24/2012 10:38 AM, Stan Hoeppner wrote:
On 7/24/2012 2:16 AM, Arnaud Abélard wrote:
And first of all, even if this is not dovecot related, use a greylisting solution.
Greylisting only stops bots. It is resource intensive, and causes delivery delays. There exist bot spam killing solutions that are just as effective, with less downside. Two are Postfix' postscreen daemon, and fqrdns.pcre, which rejects based on consumer/dynamic looking rDNS. Some users have modified the latter for use on HELO strings instead of client rDNS strings, with good success. Either combined with CBL/ZEN should kill all your bot spam much more efficiently. I'm surprised you're using greylisting (Postgrey?) with 72k mailboxes.
Greylisting only stops bots. Exactly. That's the whole point! We have been using sqlgrey for 5 years now and we only had one problem last month with OVH SMTP infrastructure which sucks and we're happy to see mails bouncing from them, hoping their customers will complain.
But I can understand why you would think greylisting is trouble. It depends on how you set it up. One mail delayed per domain and per month is really nothing compared to the hundreds of thousands of bot spams we are rejecting.
Dynamic/consumer IP range DNSBLs are dangerous since they are rarely up to date; I can painfully remember that.
I guess it all depends on what kind of SMTP traffic you get. As a large university we aren't getting the same traffic as a big corporate company which will mostly communicate with other businesses. We are getting tons of individual mails from local ISPs, lots of geeks hosting their servers at home (a lot of people do that here...), etc.
Indeed! Fighting spam is a continuous task.
Unfortunately...
We (72,000 mailboxes) are currently using amavisd-new with spamassassin and CRM114 via a custom plugin instead of the default bayesian filter. Also like Noel, we're using DNSBLs, SPF (although we had to publish a permissive record since some of our users are using their ISP smtp instead of our own).
Which of your countermeasures blocks spam from Orange/France Telecom VPS/colo sources?
Ahah.. that's a good question! Since we are a French university we are also getting tons of clean mails from Orange/FT. But the problem isn't as bad as it used to be since Orange has been blocking direct outgoing traffic on port 25 for a few years now. Back then the DNSRBL were a good solution for spams coming from them. Now the new pain in the ass is OVH, the largest European hosting company which also has the worst SMTP infrastructure that will not play well with greylisting (tons of SMTP servers, each on a different IP range so you can't even whitelist them by their networks).
Arnaud
--
Arnaud Abélard (jabber: arnaud.abelard@univ-nantes.fr)
System Administrator - Head of Web Services
Information Systems Department
Université de Nantes
do not use: trapemail@univ-nantes.fr