[PLUG] Joe Jobbed
Ed Sawicki
ed at alcpress.com
Thu Oct 4 19:26:43 UTC 2007
Paul Heinlein wrote:
> On Thu, 4 Oct 2007, Ed Sawicki wrote:
>
>> Thanks for the suggestion but I already do this (without Perl and
>> without memory issues) for real spammers and it works well. But this
>> backscatter volume is high and would create thousands of rules.
>> Besides it's coming from legitimate mail servers just doing their
>> job - victims like me. I'd like to find a better way.
>
> Sigh. Mail servers that decide the acceptability of messages *after*
> the SMTP transaction has been completed will always create this sort
> of backscatter. The only alternatives are
>
> 1. Scan mail during the SMTP transaction, so a message can be
> rejected without sending a separate rejection notice (which
> these days is almost always wrong-headed, even if it adheres
> to the letter of the SMTP RFCs, since the From: address is
> typically forged).
>
> 2. Silently reject spam, malware, etc. without notifying anyone.
>
> I hate the latter approach because of the possibility of losing a real
> transaction in the bit bucket.
>
> The first approach is much, much better. Our mail server at work only
> accepts for delivery about 1/3 of the messages it receives. The rest
> are all rejected with 55x error codes (RBLs, SpamAssassin, ClamAV)
> during the SMTP transaction. Otherwise, we'd be sending out thousands
> of (99.999% bogus) bounce messages every week.

You nailed it, Paul. The problem is exactly as you describe.
I've built my policy daemon to deal with almost everything at
SMTP time. Anything that can't be dealt with there (then) is
silently discarded but logged.

Too bad we can't fix other people's mail servers in
the same way attackers change Windows behavior. :-)

Ed
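
Added example, not part of the original thread and not code from either poster: a small Python model of the three handling choices discussed above (reject during the SMTP transaction, accept then bounce, accept then silently discard but log), showing who ends up receiving the failure notice when the envelope sender is forged. The class names, the `looks_bad` rule and the sample session are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    client_ip: str   # host actually connected to us
    mail_from: str   # envelope sender; chosen by the client, easily forged
    rcpt_to: str
    data: str

@dataclass
class Outcome:
    smtp_reply: str                              # what the connecting client sees
    bounces: list = field(default_factory=list)  # new mail we generate: (to, subject)
    log: list = field(default_factory=list)      # local log entries

def looks_bad(s):
    # Stand-in for RBL / SpamAssassin / ClamAV verdicts (constructed rule).
    return "cheap pills" in s.data.lower()

def reject_in_session(s):
    # Verdict reached before the final reply: the failure travels back over
    # the existing connection, so only the connecting client learns of it.
    if looks_bad(s):
        return Outcome("550 5.7.1 message rejected by policy")
    return Outcome("250 2.0.0 queued")

def accept_then_bounce(s):
    # Verdict reached after 250: the only address left to notify is MAIL FROM,
    # which the sender of the spam picked. This is where backscatter comes from.
    out = Outcome("250 2.0.0 queued")
    if looks_bad(s):
        out.bounces.append((s.mail_from, "Undelivered Mail Returned to Sender"))
    return out

def accept_then_discard(s):
    # Late verdict with no notice to anyone; keep a log entry for tracing.
    out = Outcome("250 2.0.0 queued")
    if looks_bad(s):
        out.log.append(f"discarded from={s.mail_from} ip={s.client_ip}")
    return out

# Constructed session: a spam run that forges a third party as envelope sender.
SPAM = Session("203.0.113.7", "victim@example.org", "user@example.net",
               "Cheap pills here")

def victim_mail(policy):
    # Messages this policy causes us to send to the forged address.
    return [to for to, _ in policy(SPAM).bounces if to == SPAM.mail_from]
```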