[OT] HELP!!! mail attack

Patrick O'Callaghan pocallaghan at gmail.com
Wed Mar 26 14:09:04 UTC 2008


On Wed, 2008-03-26 at 06:35 -0700, Craig White wrote:
> On Wed, 2008-03-26 at 23:06 +1030, Tim wrote:
> > On Wed, 2008-03-26 at 05:12 -0700, Craig White wrote:
> > > My first 'defense' is greylisting, run as a policy in postfix.
> > 
> > Though do so with the knowledge that it may mean some mail never gets
> > delivered/accepted.  Greylisting, for both cases of rejecting spam and
> > accepting ham, requires the services sending to you to work in a certain
> > way [1], and they don't all do that [2].
> > 
> > 1. They reject the initial attempt, tell the sender to resend later, and
> > accept the resend.
> > 
> > 2. Some senders never resend, causing mail to get lost permanently.
> > Some resends come from a different server, and that can get rejected,
> > too - causing long delays, or permanently lost mail.  Some resend
> > attempts come after a very long delay, which can be annoying or business
> > destroying, or can cause another reject.
> > 
> > I've experienced all of the above bad scenarios.
> ----
> I had heard that before I set it up but I have been running this same
> setup on servers for 7 separate businesses and besides the initial
> complaints of delays, it has been completely a non-issue. Few delays
> have ever been longer than 30 minutes.
> 
> On the other hand, my setup has completely lightened the mail load.
> 
> And for an amusing side note to this...
> 
> My boss forwarded an e-mail to me which was a newsletter that he gets
> via e-mail. I asked him what he expected me to do with it and he pointed
> out to me a paragraph about their upcoming changes and that subscribers
> should alter their 'filters' to be sure that they receive it.
> 
> I pointed out to him that on our network, I don't know of a single user
> that has had to implement 'user level filters' for spam because so few
> spam messages get through (I get about 5 a week and I am a very heavy
> e-mail user). I pointed out that my methodology at the server level has
> been so effective that I have no 'whitelisted' senders, no 'special
> handling rules' at all beyond the high scoring spamassassin filter that
> each user automatically inherits.
> 
> He replied back - never mind and later expressed to me that yeah, he
> never gets spam and manages to get all of his e-mail.
> 
> Greylisting has been a very effective tool for me and I have had NO
> complaints about it at all. There's actually a way around it in a
> crunch...I've put a 5 minute window. The sender need only wait 5 minutes
> and send the e-mail again which ultimately means that 2 copies show up
> but the second one is delivered immediately and the first one is
> delivered when their SMTP server decides to try again which is almost
> always 15-30 minutes later.

Greylisting is indeed a very effective and I would say essential tool,
however we're seeing the effectiveness being reduced as time goes on
because spammers are getting smarter. This is an arms race and it's not
going to end in the foreseeable future.

poc
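
Added example, not part of the original message or of anyone's actual setup: a small Python model of the greylisting decision discussed in this thread, replayed over constructed traffic to show the 5-minute window and the failure modes listed above (retry from a different server, very late retry). The triplet key, the `MAX_AGE` expiry and all addresses are assumptions; `DEFER_IF_PERMIT` and `DUNNO` are the Postfix access actions a policy service would return.

```python
# Added illustration: greylisting keyed on the (client IP, sender, recipient)
# triplet. Names and MAX_AGE are assumed; the 5-minute delay is from the thread.
from dataclasses import dataclass, field

DELAY = 5 * 60         # seconds a new triplet must wait before a retry is accepted
MAX_AGE = 4 * 60 * 60  # assumed: a pending entry expires if the retry comes this late


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that retried correctly

    def decide(self, client_ip, sender, recipient, now):
        """Return a Postfix-style action: DUNNO (accept) or DEFER_IF_PERMIT (4xx)."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return "DUNNO"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > MAX_AGE:
            # New triplet, or a retry so late the pending entry expired: start over.
            self.first_seen[key] = now
            return "DEFER_IF_PERMIT"
        if now - seen < DELAY:
            return "DEFER_IF_PERMIT"  # retried too soon; first timestamp is kept
        self.passed.add(key)
        return "DUNNO"


def replay(events):
    """Run (time, ip, sender, recipient) attempts through one fresh greylist."""
    gl = Greylist()
    return [gl.decide(ip, s, r, t) for t, ip, s, r in events]


# Constructed sample traffic (documentation addresses, times in seconds).
EVENTS = [
    (0,     "192.0.2.10",   "news@example.org", "boss@example.com"),  # first attempt
    (120,   "192.0.2.10",   "news@example.org", "boss@example.com"),  # retry too soon
    (1200,  "192.0.2.10",   "news@example.org", "boss@example.com"),  # retry at 20 min
    (1300,  "192.0.2.10",   "news@example.org", "boss@example.com"),  # later mail, known
    (0,     "198.51.100.1", "a@example.net",    "boss@example.com"),  # pool, server 1
    (900,   "198.51.100.2", "a@example.net",    "boss@example.com"),  # retry, server 2
    (0,     "203.0.113.5",  "b@example.net",    "boss@example.com"),  # slow retrier
    (18000, "203.0.113.5",  "b@example.net",    "boss@example.com"),  # retry after 5 h
]

if __name__ == "__main__":
    for event, action in zip(EVENTS, replay(EVENTS)):
        print(event, "->", action)
```

A sender that never retries is simply a single `DEFER_IF_PERMIT` with no later attempt, so the message is never delivered.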



