Re: [exim] Setup for authenticated submission

Startseite
Diese Nachricht ist Teil des folgenden Threads:
M\Der komplette Thread sortiert nach Datum
MM+\John W. Baxter am <-
.MMM\Kjetil Torgrim Homme am ->
Nachricht löschen
Nachricht beantworten
Autor: Bill Hacker
Datum:  
To: exim
Betreff: Re: [exim] Setup for authenticated submission
Andrew - Supernews wrote:

>>>>>>"Bill" == Bill Hacker <wbh@???> writes:
>
*SNIP*

> It is a _NORMAL_ case for the HELO domain to be different to the domain

"Not uncommon", yes, Dunno if 'Normal' fits so well w/r MTA's.

*SNIP*

>
> However, and this is the important point, looking for multiple different
> HELO values from a single ip is a _MASSIVELY_ effective way of detecting

apparent ? potential ?

> spam sources. If you configure your server to use a variable HELO then
> you _will_, sooner or later, find that people end up blocking you as a
> result.

'To be determined'. Or if they are of concern to our clients.

We only recently began allowing traffic to/from yahooligans, AOL,
msn, and the like. Used to have to just block 'em. Both ways.

> If you've never used this method of detecting spam (and it takes
> a fairly large mail flow into several domains to really do it right)

The technique you outline should be applicable even on very light
traffic, from a single active zombie up. One bad-actor at a time.

While it is not required to e aware that said source is also being
rude to the neighbors, I suspect they would already be in RBL's.

Our rejectlog shows *many* quite obvious spam-bots that such a
test would (also) flag.

But - they were caught without any need of retaining/comparing
IP or helo information or investing DB resources,

.. and before 'expensive' external RBL or SA checks,

...arguably with a lower false-positive rate as well.

Rationale for that satement?

Most of the truants abandoned the connection in the first 30-45 seconds
of their *first* jail term, 'didn't last a minute' IOW.

Well-behaved MTA are more patient than the average spam engine.

> you
> would not believe how amazingly effective it can be.

Compare it with the rejectlog from any/all other tools,
and it should be clear that it is potentially VERY effective.

However - compare it with the mainlog on the same criteria and note
that it might be more problematic w/r false-positives than other
approaches - most of which are simpler / lower maintenance.

YMMV, YOCD

BTW - 'supernews.net' ?

Interesting concept, that of charging a subscription fee for usenet access.

Perhaps someone there would be interested in packaging our Hong Kong
air and selling it? Thick enough to pass for curry powder.... ;-)

Bill



Diese Nachricht wurde auf der folgenden Mailing-List gepostet:
Exim-users
Mailing-List-Info | Nachrichten um die Zeit		<-RE: [exim] best practices for set up and authentication[exim] Some mail passed onto Exchange server->
Tahini and Hummus and Cumin Development Archives administriert von cumin AdminsLurker (Version 2.3)