Re: [exim] Setup for authenticated submission

Author: Bill Hacker
Date:  
To: exim
Subject: Re: [exim] Setup for authenticated submission
Andrew - Supernews wrote:

>>>>>>"Bill" == Bill Hacker <wbh@???> writes:
>

*SNIP*

> It is a _NORMAL_ case for the HELO domain to be different to the domain


"Not uncommon", yes, Dunno if 'Normal' fits so well w/r MTA's.

*SNIP*

>
> However, and this is the important point, looking for multiple different
> HELO values from a single ip is a _MASSIVELY_ effective way of detecting


apparent ? potential ?

> spam sources. If you configure your server to use a variable HELO then
> you _will_, sooner or later, find that people end up blocking you as a
> result.


'To be determined'. Or if they are of concern to our clients.

We only recently began allowing traffic to/from yahooligans, AOL,
msn, and the like. Used to have to just block 'em. Both ways.

> If you've never used this method of detecting spam (and it takes
> a fairly large mail flow into several domains to really do it right)


The technique you outline should be applicable even on very light
traffic, from a single active zombie up. One bad-actor at a time.

While it is not required to be aware that said source is also being
rude to the neighbors, I suspect they would already be in RBL's.

Our rejectlog shows *many* quite obvious spam-bots that such a
test would (also) flag.

But - they were caught without any need of retaining/comparing
IP or helo information or investing DB resources,

.. and before 'expensive' external RBL or SA checks,

...arguably with a lower false-positive rate as well.

Rationale for that statement?

Most of the truants abandoned the connection in the first 30-45 seconds
of their *first* jail term, 'didn't last a minute' IOW.

Well-behaved MTA are more patient than the average spam engine.

> you
> would not believe how amazingly effective it can be.


Compare it with the rejectlog from any/all other tools,
and it should be clear that it is potentially VERY effective.

However - compare it with the mainlog on the same criteria and note
that it might be more problematic w/r false-positives than other
approaches - most of which are simpler / lower maintenance.

YMMV, YOCD

BTW - 'supernews.net' ?

Interesting concept, that of charging a subscription fee for usenet access.

Perhaps someone there would be interested in packaging our Hong Kong
air and selling it? Thick enough to pass for curry powder.... ;-)

Bill
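The "many different HELO names from one IP" check discussed in this thread, as an added example that is not part of the original post and not code from the Exim project. It scans Exim-style log lines for the host field in the `H=rdns (helo) [ip]` shape that mainlog and rejectlog entries carry, counts the distinct HELO names each source IP presented, and reports IPs at or above a threshold. The sample log lines, addresses and the threshold of 3 are constructed assumptions for the example; the lower threshold shown in the usage note is what pulls in the NAT-gateway false positive the thread warns about.

```python
"""Flag source IPs that present several different HELO names.

Added example, not from the exim thread or the Exim project.  It works on
Exim-style log lines (constructed below) and keeps only the per-IP state that
the check needs: the set of HELO names seen from each IP.
"""
import re
from collections import defaultdict

# Exim writes the remote host as "H=rdns (helo) [ip]" or, with no reverse DNS,
# "H=(helo) [ip]".  The rdns part is optional in the pattern for that reason.
HOST_RE = re.compile(
    r"H=(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]"
)

# Constructed sample lines in the shape of Exim mainlog/rejectlog rejections.
# 203.0.113.7 plays a spam-bot rotating HELO names; 198.51.100.5 plays a NAT
# gateway fronting two legitimate hosts; 192.0.2.10 is a well-behaved MTA.
SAMPLE_LOG = """\
2005-02-01 10:00:01 H=mail.example.com (mail.example.com) [192.0.2.10] F=<bob@example.com> rejected RCPT <x@example.net>: relay not permitted
2005-02-01 10:00:05 H=(friend.example.org) [203.0.113.7] F=<a1@hotmail.com> rejected RCPT <x@example.net>: sender verify fail
2005-02-01 10:00:09 H=(yahoo.com) [203.0.113.7] F=<a2@yahoo.com> rejected RCPT <y@example.net>: sender verify fail
2005-02-01 10:00:14 H=(mx.example.net) [203.0.113.7] F=<a3@aol.com> rejected RCPT <z@example.net>: sender verify fail
2005-02-01 10:00:20 H=mail.example.com (mail.example.com) [192.0.2.10] F=<bob@example.com> rejected RCPT <q@example.net>: relay not permitted
2005-02-01 10:00:31 H=(localhost) [203.0.113.7] F=<a4@msn.com> rejected RCPT <w@example.net>: sender verify fail
2005-02-01 10:00:40 H=gw.example.co.uk (gw.example.co.uk) [198.51.100.5] F=<c@example.co.uk> rejected RCPT <v@example.net>: unknown user
2005-02-01 10:00:45 H=gw.example.co.uk (gw2.example.co.uk) [198.51.100.5] F=<c@example.co.uk> rejected RCPT <v@example.net>: unknown user
"""


def helo_names_per_ip(lines):
    """Map each source IP to the set of distinct HELO names it presented.

    Lines without a parseable host field are skipped.  HELO names are
    lower-cased so that case variation alone does not count as a new name.
    """
    seen = defaultdict(set)
    for line in lines:
        m = HOST_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("helo").lower())
    return seen


def flag_variable_helo(lines, threshold=3):
    """Return {ip: sorted HELO names} for IPs with >= threshold distinct names.

    threshold is the knob that trades detection against false positives: at 2
    a NAT gateway fronting two hosts (198.51.100.5 in the sample) is flagged,
    at 3 only the rotating bot is.  Check candidates against the mainlog for
    accepted mail from the same IP before turning a flag into a block.
    """
    return {
        ip: sorted(names)
        for ip, names in helo_names_per_ip(lines).items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for ip, names in flag_variable_helo(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(names)} distinct HELO names: {', '.join(names)}")
```

Run as-is, only 203.0.113.7 is reported; `flag_variable_helo(lines, threshold=2)` also reports 198.51.100.5, which is the kind of legitimate multi-host source a site would want to whitelist or verify before blocking. In a live deployment the per-IP set needs an expiry (a day or so) so that a host that was simply renamed does not stay flagged forever.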