Author: W B Hacker Date: To: exim-users Subject: Re: [exim] Using GeoIP to block spammers - anyone?
Jakob Hirsch wrote:
> Quoting Odhiambo G. Washington:
>
>
>>| them by SMTP AUTH or fixed IPs. That should give you the facility to
>>Yes and yes. I already do that. However, it has not stopped spammers
>>from connecting to it, which is why I am looking at this other option.
Well .. two things:
- By itself, it doesn't stop a 'connect', but with other Exim
settings it sure can shed that connect in a hurry - and with
very little resource load. So say *my* logs anyway.
- if you close or firewall port 25, or switch to port 24 (any
private e-mail system) so that your appropriately-configured
'listed' mx can send you internal messages, spammers generally
WON'T be able to connect to the stealth MSA box.
>
>
> Ok, but what's the big deal about them connecting to your server? Are
> they so many that you have excessive load or something?
>
> I think there's no reliable way to do what you want without client side
> changes. If the latter would be ok, though, a good way is WB's
> suggestion: Only allow incoming connections to 587 (and 465/smtps for
> the u$ clients) and block people which are not trusted (IP) or
> authenticated at MAIL FROM or RCPT TO.
>
MUAs should not be connecting on port 25 anyway. Setting them
to use the submission port(s) has the added advantage of an
improved environment for whatever percentage of your users
travel outside of Kenya and/or have a Kenyan/other ISP or
firewall blocking port 25.
'Trusted IP' for MUA should follow the same rule - use
submission port(s).
'Trusted IP' for peer MX can be whitelisted or set up with a
firewall divert rule if not "trusted-enough" to be in relay host
status.
And I do still believe that 'outbound' from this box should be
relayed via your 'listed' mx so the IP and HELO match and are
forward/reverse resolvable in an available DNS.
If you think that does not matter, try sending me a message
off-list from that box. Tell me on-list the time you did so,
'coz it won't reach delivery stage. I'll have to look in the
logs for the 'blackhole' entry.
Bite the bullet. Roll out proper MUA settings, then configure
to the standards. That might take months to finish, but once
done, it is done. Configure a weird stealth MX, OTOH, and you
are 'married' to it for life.
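The submission-only setup described in this thread (listen on 587 and 465 only, and at MAIL FROM / RCPT TO refuse anything that is neither SMTP AUTH'd nor from a trusted address), written out as an Exim configuration fragment. This is an added example, not configuration from either poster; the 192.0.2.0/24 trusted range and the ACL names are assumptions, and the two settings are the documented Exim options they appear to be.

```exim
# ---- main configuration section ----
# Listen only on the submission ports: 587 (STARTTLS) and 465 (TLS on connect).
# Port 25 is simply not opened on this box; the listed MX handles inbound mail.
daemon_smtp_ports    = 587 : 465
tls_on_connect_ports = 465

# Hosts trusted by address (constructed example range; replace with your own).
hostlist relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# Only advertise AUTH once TLS is up, so credentials never cross the wire in clear
# (this is the expansion the stock Exim configure file ships commented out).
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt

begin acl

# MAIL FROM: a sender that is neither authenticated nor from a trusted address
# is rejected and the connection closed, so a scanner is shed before it has
# cost the server anything worth measuring.
acl_check_mail:
  accept  hosts = :                       # local (non-TCP) submissions
  accept  authenticated = *
  accept  hosts = +relay_from_hosts
  drop    message     = submission requires SMTP AUTH or a trusted source address
          log_message = unauthenticated submission attempt dropped

# RCPT TO: same gate, with control=submission so Exim applies MSA header
# fix-ups (Message-ID, Date, Sender) to what it accepts for relay.
acl_check_rcpt:
  accept  hosts = :
  accept  authenticated = *
          control = submission
  accept  hosts = +relay_from_hosts
          control = submission
  deny    message = relay not permitted
```

With nothing listening on 25, the only way to reach this box is through the submission ports, where the ACLs above reject unauthenticated senders before any recipient is accepted.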