Re: [Dovecot] what best for anti-spam filter?
Morten Stevens mstevens@imt-systems.com writes:
> So it is now RFC compliant. Anyway I think delaying mail traffic is not a good solution.
Well, OK, if you're not keen on greylisting, you can try greet pausing, which introduces a shorter delay.
It tests a bot's patience by inserting a pre-HELO pause. RFC allows 5 minutes before timeout. This is last week's stat for one of my mail servers and the count of early-talker or early-disconnecter, almost all of which are bots. A greet pause of over 20s dumps a lot of bots. Expect to whitelist the odd server here and there because they've tuned their servers to some aggressively small RFC non-compliant timeouts.
Delay Disconnect/early-talkers
00 = 9
01 = 1
02 = 1
03 = 11
04 = 34
05 = 5
06 = 1
07 = 1
08 = 3
09 = 3
10 = 9
11 = 1
12 = 2
16 = 7
17 = 10
18 = 4
19 = 17
20 = 1161
21 = 431
22 = 61
23 = 43
24 = 13
Joseph Tam jtam.home@gmail.com
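
The greet pause described in the message above, as an added example that is not part of the original thread and is not sendmail's or postfix's code: the server withholds its 220 banner, and a client that speaks or hangs up during the wait is flagged. The function names, the banner hostname and the three test clients are constructed for illustration.

```python
import select
import socket
import time
from collections import Counter

BANNER = b"220 mx.example.test ESMTP\r\n"  # constructed hostname

def greet_pause(conn, pause):
    """Withhold the 220 banner for `pause` seconds and classify the client.

    Returns (verdict, delay): verdict is 'patient', 'early-talker' or
    'early-disconnect'; delay is the seconds elapsed when it was decided.
    """
    start = time.monotonic()
    readable, _, _ = select.select([conn], [], [], pause)
    delay = time.monotonic() - start
    if not readable:                 # client stayed silent for the whole pause
        conn.sendall(BANNER)
        return "patient", delay
    try:
        data = conn.recv(512)        # b"" means the peer closed the connection
    except ConnectionError:
        data = b""
    return ("early-talker" if data else "early-disconnect"), delay

def tally(results):
    """Count rejected clients per whole second of delay, as in the table above."""
    return Counter(int(d) for verdict, d in results if verdict != "patient")

def demo(pause=0.2):
    """Run three constructed clients over local socket pairs (no network)."""
    clients = {
        "talks_first": lambda c: c.sendall(b"HELO bot.example.test\r\n"),
        "hangs_up": lambda c: c.close(),
        "waits": lambda c: None,
    }
    out = {}
    for name, behave in clients.items():
        server, client = socket.socketpair()
        behave(client)
        out[name] = greet_pause(server, pause)
        server.close()
        client.close()
    return out

if __name__ == "__main__":
    for name, (verdict, delay) in demo().items():
        print(f"{name:12s} {verdict:16s} after {delay:.2f}s")
```
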
On Tue, Jul 24, 2012 at 12:51 PM, Joseph Tam jtam.home@gmail.com wrote:
> Well, OK, if you're not keen on greylisting, you can try greet pausing, which introduces a shorter delay.
This works well. Interesting your sweet spot is around 20 seconds, I found 13s to be the right mark.
-- .warren
On 24.07.2012 12:51, Joseph Tam wrote:
> Morten Stevens mstevens@imt-systems.com writes:
> > So it is now RFC compliant. Anyway I think delaying mail traffic is not a good solution.
> Well, OK, if you're not keen on greylisting, you can try greet pausing, which introduces a shorter delay.
> It tests a bot's patience by inserting a pre-HELO pause. RFC allows 5 minutes before timeout. This is last week's stat for one of my mail servers and the count of early-talker or early-disconnecter, almost all of which are bots. A greet pause of over 20s dumps a lot of bots. Expect to whitelist the odd server here and there because they've tuned their servers to some aggressively small RFC non-compliant timeouts.
Yes, something like greet_pause (sendmail) or postscreen (without deep protocol tests) is a very good solution. In addition, several DNSBLs with different scores.
This could for example look like this: (for postfix users)
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_action = drop
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
    ix.dnsbl.manitu.net*3
    b.barracudacentral.org*3
    zen.spamhaus.org*3
    dnsbl.njabl.org*2
    bl.spameatingmonkey.net*2
    bl.spamcop.net
    spamtrap.trblspam.com
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-4
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
Best regards,
Morten