[Exim] Spam Prevention Tactics and Feedback

Página Inicial
Delete this message
Reply to this message
Autor: Paul
Data:  
Para: exim-users
Assunto: [Exim] Spam Prevention Tactics and Feedback
Hi All,

I am just working on some ideas to prevent spam or at least slow down the
amount coming in. One thing we have noticed is that a lot of spam coming in
has a high source port. IE: > 50000 in the TCP stack on the remote end. This
either says to me their host is masq/nat'd or they have a whole lot of
outbound/outgoing connections concurrently. I think this is where the
"teergrube" concept comes into play by consuming a lot of resources on the
remote end to slow them down. It then got me thinking if we can safely say
that the majority (not 100% but a large amount) of spam has a high source
port above 50000 there must be a way we can slow it down or capture it
easily. I was then thinking along the lines of using ipchains and a TOS rule
to somehow slow down any TCP connections that:

ipchains -I INPUT -i ethX -s 0.0.0.0 50000:65535 -d 111.111.111.111 25 -j
ACCEPT -t <BADTOSFLAGHERE>

I know this is not the ipchains mailing list, but I'm just after some
ideas/feedback about the idea. Would this be a generally OK concept to
consider? Also taking into consideration there there can and will be
legimate hosts that fall into this range, ie: law21-scn45.msn.hotmail.com
who handles say lots and lots of email may in fact have 40000 outgoing
sockets for remote mail. In this case we would still accept the email, just
slow it down via TOS. But this could have a negative effect too!

We handle 1 millions email messages per day using exim 3.x and there's a lot
of spam hidden away that I'd like to either slow down or prevent from coming
in as best as I can. Please give me any feedback good or bad. Thanks and
have a good day.

Regards,
Paul