Re: [exim] SPAM Filtering - Losing the war!

Author: Andreas Pettersson
Date:  
To: exim users
Subject: Re: [exim] SPAM Filtering - Losing the war!

>Is there anyone on this list who can afford to brag about the
>effectiveness of their spam filtering techniques? (With the
>exception of Marc Perkel ;))
>


Here's how it works at my place.


* All netblocks belonging to the spam-spewing ISPs on the first and
second page on http://www.senderbase.org/ are blocked in the firewall.
Never reaches Exim.

* If I have missed blocking a range (or if a new block pops up), I have
ACLs that capture connecting hosts based on $sender_host_address in
acl_smtp_connect. If I get a match on comcast.net for example, drop the
connection AND add the IP to a 24h-blocklist so that they can't retry
immediately. This blocklist is emptied at 24h every day.

* If $sender_host_name seems to indicate this is a dynamic IP, add
header for later check in SA.

* If HELO name contains no dot (very simple check), then drop and add
IP to 24h-blocklist.

* If HELO contains any of these ( _ | \ / : ), drop and block.

* If HELOing with my own host/domain name, drop and block.

* If HELOing with an IP-address AND the IP doesn't match the connecting IP,
drop n' block.

* If HELOing with a (correct) IP-address, add header to check against
later in SA (yes, that could be done directly in SA and without having
Exim adding a header, but I feel it's easier this way).

* If HELO name contains a few uppercase chars, add header for later
check in SA.

* Then the usual ClamAV and SA kick in. SA uses DCC and Razor as well
as some SARE rulesets. I have trimmed SA with quite a few own rules, but
most of them only apply to my environment, I guess.


I'm hosting 2 domains.
Total stats for last Friday 2006-10-20:

Incoming connections (to exim):    14220
Rejected after helo/rcpt:           8193
Scanned by SA:                      6027
Rejected after data:                4388


Put in quarantine (5-11 SA points): 319
Delivered to users (less than 5): 1270

(If you sum all rejects and deliveries it won't get exactly 14220. I'm
sure the problem is somewhere behind all egrep and awk patterns)


Worth noting: I don't use any public blocklist directly from Exim. Only
from within SA.

The homegrown 24h-blocklist is interesting however. I usually have
about 5000 IP addresses/day in the 24h-blocklist. About 1/3 of them
return and make a total of 6500 (times 3) connection attempts.

Without the 24h-blocklist I would have around 20000 incoming connections
each day. Perhaps not so much more spam getting through, but some higher
load on the server, and larger log files.


--
Andreas
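The HELO and connect-time checks Andreas lists, together with the homegrown 24h blocklist, modelled as a small stand-alone Python program. This is an added example, not Andreas's Exim ACL configuration and not Exim syntax; the own-domain names, the "looks dynamic" pattern and all addresses and hostnames are constructed assumptions, since the post does not give them. The HELO classification is the post's rule set (no dot, forbidden characters, own host/domain, IP literal that does not match the connecting IP, correct IP literal or uppercase letters flagged via a header for SpamAssassin), and the blocklist is emptied once per day rather than per entry, as described.

```python
"""Model of the post's connect/HELO checks and daily-emptied blocklist.
Added example; not the author's Exim configuration. Names are constructed."""
import ipaddress
import re

# Assumed placeholder for "my own host/domain name" (the post does not name it).
OWN_NAMES = ("mail.example.org", "example.org")

# Characters the post lists as grounds for drop-and-block in a HELO name.
FORBIDDEN_CHARS = set("_|\\/:")

# Constructed heuristic for "$sender_host_name seems to indicate a dynamic IP";
# the post gives no pattern, so this is an assumption for illustration only.
DYNAMIC_RE = re.compile(
    r"(dyn|dhcp|dial|ppp|pool|cable|dsl|\d+[-.]\d+[-.]\d+[-.]\d+)", re.I)

SECONDS_PER_DAY = 86400


def parse_address_literal(helo):
    """Return an ip_address if HELO is a bare IP or an RFC 5321 address literal
    ([192.0.2.1] or [IPv6:2001:db8::1]); None when HELO is a hostname."""
    s = helo.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
        if s.lower().startswith("ipv6:"):
            s = s[5:]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def check_helo(helo, sender_ip, own_names=OWN_NAMES):
    """Classify a HELO the way the post's ACLs do.
    Returns (action, reason); action is 'drop_and_block', 'add_header' or 'accept'."""
    literal = parse_address_literal(helo)
    if literal is not None:
        # IP literal must match the connecting address, else drop and block.
        if literal != ipaddress.ip_address(sender_ip):
            return ("drop_and_block", "HELO IP literal does not match connecting IP")
        # Correct literal: flag it in a header and let SA weigh it later.
        return ("add_header", "X-HELO-IP-Literal: yes")
    if "." not in helo:
        return ("drop_and_block", "HELO name contains no dot")
    if any(c in FORBIDDEN_CHARS for c in helo):
        return ("drop_and_block", "HELO name contains forbidden character")
    lowered = helo.lower()
    if lowered in own_names or lowered.endswith(tuple("." + n for n in own_names)):
        return ("drop_and_block", "HELO uses our own host/domain name")
    if re.search(r"[A-Z]", helo):  # post: "a few uppercase chars"; any counts here
        return ("add_header", "X-HELO-Uppercase: yes")
    return ("accept", "")


def looks_dynamic(sender_host_name):
    """Constructed heuristic for the post's dynamic-IP reverse-name check."""
    return bool(sender_host_name) and DYNAMIC_RE.search(sender_host_name) is not None


class DailyBlocklist:
    """Blocklist that is emptied once a day, like the post's 24h list.
    'now' (epoch seconds) is passed explicitly so rollover is testable."""

    def __init__(self, now):
        self._ips = set()
        self._day = now // SECONDS_PER_DAY

    def _roll(self, now):
        day = now // SECONDS_PER_DAY
        if day != self._day:  # new day: the whole list is dropped
            self._ips.clear()
            self._day = day

    def add(self, ip, now):
        self._roll(now)
        self._ips.add(ip)

    def contains(self, ip, now):
        self._roll(now)
        return ip in self._ips

    def __len__(self):
        return len(self._ips)


def handle_connection(sender_ip, helo, blocklist, now, sender_host_name=""):
    """One session from connect through HELO; returns the list of actions taken."""
    if blocklist.contains(sender_ip, now):
        return ["drop: on 24h blocklist"]  # repeat offender cannot retry today
    actions = []
    if looks_dynamic(sender_host_name):
        actions.append("add_header: X-Dynamic-Sender: yes")
    action, reason = check_helo(helo, sender_ip)
    if action == "drop_and_block":
        blocklist.add(sender_ip, now)
        actions.append(f"drop: {reason}")
    elif action == "add_header":
        actions.append(f"add_header: {reason}")
    else:
        actions.append("accept")
    return actions


if __name__ == "__main__":
    # Constructed sessions: a dotless HELO, its retry an hour later, and the
    # same host the next day after the list has been emptied.
    bl = DailyBlocklist(now=0)
    for t, helo in ((0, "localhost"), (3600, "mail.example.net"), (86400, "mail.example.net")):
        print(t, helo, handle_connection("192.0.2.10", helo, bl, now=t))
```

The order of checks matters: the IP-literal test runs before the forbidden-character test so that the colons in a legitimate `[IPv6:...]` literal are not mistaken for the `:` the post bans in hostnames.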