Author: Bill Hacker Date: To: exim Subject: Re: [exim] Setup for authenticated submission
Andrew - Supernews wrote:
>>>>>>"Bill" == Bill Hacker <wbh@???> writes:
> *SNIP*
> It is a _NORMAL_ case for the HELO domain to be different to the domain
"Not uncommon", yes. Dunno if 'Normal' fits so well w/r MTAs.
*SNIP*
>
> However, and this is the important point, looking for multiple different
> HELO values from a single ip is a _MASSIVELY_ effective way of detecting
apparent ? potential ?
> spam sources. If you configure your server to use a variable HELO then
> you _will_, sooner or later, find that people end up blocking you as a
> result.
'To be determined'. Or if they are of concern to our clients.
We only recently began allowing traffic to/from yahooligans, AOL,
msn, and the like. Used to have to just block 'em. Both ways.
> If you've never used this method of detecting spam (and it takes
> a fairly large mail flow into several domains to really do it right)
The technique you outline should be applicable even on very light
traffic, from a single active zombie up. One bad-actor at a time.
While it is not required to be aware that said source is also being
rude to the neighbors, I suspect they would already be in RBLs.
Our rejectlog shows *many* quite obvious spam-bots that such a
test would (also) flag.
But - they were caught without any need of retaining/comparing
IP or helo information or investing DB resources,
.. and before 'expensive' external RBL or SA checks,
...arguably with a lower false-positive rate as well.
Rationale for that statement?
Most of the truants abandoned the connection in the first 30-45 seconds
of their *first* jail term, 'didn't last a minute' IOW.
Well-behaved MTAs are more patient than the average spam engine.
> you
> would not believe how amazingly effective it can be.
Compare it with the rejectlog from any/all other tools,
and it should be clear that it is potentially VERY effective.
However - compare it with the mainlog on the same criteria and note
that it might be more problematic w/r false-positives than other
approaches - most of which are simpler / lower maintenance.
YMMV, YOCD
BTW - 'supernews.net' ?
Interesting concept, that of charging a subscription fee for usenet access.
Perhaps someone there would be interested in packaging our Hong Kong
air and selling it? Thick enough to pass for curry powder.... ;-)
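As an added illustration of the heuristic Andrew describes above (many different HELO names arriving from one IP address), the following Python is example code written for this page; it is not from the exim project or from either poster. It scans a handful of constructed log lines loosely modelled on Exim's `H=host (helo) [ip]` log element, records every HELO name seen per source address, and reports addresses that have presented more than a threshold number of distinct names. The sample lines, the addresses, the regular expression and the threshold of 2 are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines for the example (not real log data). They follow
# the "H=hostname (helo) [ip]" / "H=(helo) [ip]" shape that Exim uses when it
# logs the remote host; the rest of each line is filler.
SAMPLE_LOG = """\
2005-03-01 10:00:01 H=mail.example.net (mail.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <x@example.org>
2005-03-01 10:00:05 H=(friend.example.com) [198.51.100.7] F=<b@example.com> rejected RCPT <y@example.org>
2005-03-01 10:00:09 H=(yahoo.com) [198.51.100.7] F=<c@yahoo.com> rejected RCPT <y@example.org>
2005-03-01 10:00:12 H=(aol.com) [198.51.100.7] F=<d@aol.com> rejected RCPT <z@example.org>
2005-03-01 10:00:20 H=mail.example.net (mail.example.net) [192.0.2.10] F=<e@example.net> rejected RCPT <x@example.org>
2005-03-01 10:00:25 H=(localhost) [203.0.113.5] F=<f@example.org> rejected RCPT <x@example.org>
2005-03-01 10:00:31 H=(YAHOO.COM) [198.51.100.7] F=<g@yahoo.com> rejected RCPT <y@example.org>
"""

# Assumed pattern: optional reverse-DNS name, then "(helo)", then "[ip]".
# Group 1 is the HELO/EHLO argument, group 2 the peer address.
HOST_RE = re.compile(r"H=(?:\S+ )?\(([^)]*)\) \[([0-9a-fA-F.:]+)\]")


def parse_line(line):
    """Return (ip, helo) for a log line, or None if it carries no H= element.

    HELO names are case-insensitive per SMTP, so they are folded to lower case
    to avoid counting 'yahoo.com' and 'YAHOO.COM' as two different names.
    """
    m = HOST_RE.search(line)
    if not m:
        return None
    helo, ip = m.group(1), m.group(2)
    return ip, helo.lower()


def helo_names_by_ip(lines):
    """Map each source IP to the set of distinct HELO names it has used."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, helo = parsed
            seen[ip].add(helo)
    return seen


def flag_variable_helo(lines, threshold=2):
    """Return {ip: sorted HELO names} for IPs with >= threshold distinct names.

    The threshold is an assumption for the example. A single bot cycling
    through forged names trips it quickly; a normal MTA with one fixed HELO
    never does. Legitimate multi-tenant or NAT sources can also trip it, which
    is the false-positive risk raised in the thread, so treat a hit as a reason
    to look closer (or to defer) rather than as proof of spam.
    """
    seen = helo_names_by_ip(lines)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for ip, names in flag_variable_helo(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(names)} distinct HELO names: {', '.join(names)}")
```

Run against the constructed lines, only 198.51.100.7 is reported (three distinct names once case is folded); the two single-name sources are left alone. In production the per-IP sets would need a time window and an expiry, which is the "retaining/comparing IP or helo information" cost Bill points out.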