Re: [exim] mp3 spam - talk about bandwidth

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] mp3 spam - talk about bandwidth
Dave Evans wrote:
> On Thu, Oct 18, 2007 at 08:02:25AM -0400, W B Hacker wrote:
>> Dave Evans wrote:
>>>>> Boy... I just read an article about how picture spam is starting to blow
>>>>> away bandwidth capacity on many corporate networks (as well as eat up a
>>>>> lot of internet bandwidth). Now I'm starting to get mp3 spam at 256k
>>>>> per junk mail. Ridiculous.
>>>> Trivial to block for most people, though...
>>> Only after they've already wasted your bandwidth, though.
>> Not in the least!
>
> Well yes... maybe I should have said something along the lines of: "If you
> want to definitely detect and block mp3 spam, you can only do so after they've
> already wasted your bandwidth". i.e. you can't tell it has an mp3 attachment
> until after DATA.
>
>> Very seldom will such garbage come from 'legitimate' hosts with proper DNS
>> records. (etc)
>
> Yup. It's just another thing to keep an eye on: if it becomes a problem, I
> might want to consider blocking more mail before DATA.

The long-term average here is that 89% is rejected on 'demerits' earned *before*
invoking SA, even though we wait until RCPT TO to action faults known as early
as CONNECT or soon after. (rDNS fail, HELO mismatch, RFC format faults, et al.)

Many of these are 'cheap' tests, some are Exim or DNS cached, and all of them
cheaper than SA runs, even when those that SA would duplicate (RBL calls) are
optioned OFF as already done.

Makes for a lighter SA load (also no Bayes or awl/abl..) even when we DO call it
up, and keeps the servers running cool as well.

>
> Currently I instantly block (and firewall out for a day) anyone connecting who
> is listed on sbl-xbl.spamhaus.org, and probably some other lists I can't
> remember right now; and some, but not all, of my addresses refuse mail from
> IPs with missing/mismatched/templated reverse-DNS.

About 50% by account-count here.

But even for those who fear losing even ONE message out of thousands and are
willing to do the manual review and take the risk, the suspicious messages are
quarantined and diverted to a special IMAP folder. Typically reviewed only once
or twice a day, but one WILL find a legit message in there now and then.

ClamAV hits, and more than one RBL hit, OTOH are sudden-death, never optional,
for all users.

> That's probably the bit
> I'll consider ramping up next. /If/ it becomes necessary.
>
> Regards,
>

Helps reduce the load on the data center UPS and A/C, makes for lower disk-space
used for logs as well as mailstore, saves on IMAP b/w as well as MTA b/w,
reduces storage needed on users' Macs.

No real downside, so long as you have responsive + semi-automated whitelisting
as part of the mix.

All one of our users has to do on getting a fax or phone call about rejected
mail is to send something - anything - TO that individual, and we'll open an
'exception' automagically. Doesn't affect very many senders, though.

Best,

Bill
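The staged approach Bill describes (cheap demerit tests at CONNECT and HELO, action deferred to RCPT, more than one RBL hit as sudden death for everyone, exceptions opened automatically when a local user writes to a sender) as an added Exim ACL sketch; it is not from the thread or the Exim distribution. It assumes a `local_domains` domainlist as in Exim's default configuration, an `/etc/exim/auto_whitelist` file maintained by an outbound hook that is not shown, and `second.rbl.example` as a placeholder for a second blocklist.

```exim
# Added example, not from the thread. Points earned at CONNECT and HELO live
# in acl_c_* variables (kept for the whole connection) and are acted on at RCPT.
acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo
acl_smtp_rcpt    = acl_check_rcpt

begin acl

acl_check_connect:
  warn  set acl_c_demerits = 0
        set acl_c_rbl_hits = 0
  # No rDNS, or rDNS that does not confirm forward: a demerit, not a reject.
  warn  !verify  = reverse_host_lookup
        set acl_c_demerits = ${eval:$acl_c_demerits + 1}
        logwrite = demerit: unconfirmed rDNS for $sender_host_address
  # One statement per blocklist so hits can be counted; a single hit is only
  # a demerit, the count is judged at RCPT.
  warn  dnslists = sbl-xbl.spamhaus.org
        set acl_c_demerits = ${eval:$acl_c_demerits + 1}
        set acl_c_rbl_hits = ${eval:$acl_c_rbl_hits + 1}
  # second.rbl.example is a placeholder for whatever other list you trust.
  warn  dnslists = second.rbl.example
        set acl_c_demerits = ${eval:$acl_c_demerits + 1}
        set acl_c_rbl_hits = ${eval:$acl_c_rbl_hits + 1}
  accept

acl_check_helo:
  # HELO that is not a dotted name, or that claims one of our own domains
  # (assumes a local_domains domainlist), is a format fault.
  warn  condition = ${if !match{$sender_helo_name}{\N^[^.]+\.[^.]+$\N}}
        set acl_c_demerits = ${eval:$acl_c_demerits + 1}
  warn  condition = ${if match_domain{$sender_helo_name}{+local_domains}}
        set acl_c_demerits = ${eval:$acl_c_demerits + 1}
  accept

acl_check_rcpt:
  # Local and authenticated submission bypasses all of this.
  accept hosts         = :
  accept authenticated = *
  # Sudden death for every user, before any exception: more than one RBL hit.
  deny  condition = ${if >{$acl_c_rbl_hits}{1}}
        message   = Listed on multiple DNS blocklists
  # Exceptions opened when a local user writes to the sender; the file and
  # the outbound hook that maintains it are assumed, not shown.
  accept senders = lsearch;/etc/exim/auto_whitelist
  # Only now act on everything noted since CONNECT.
  deny  condition = ${if >{$acl_c_demerits}{1}}
        message   = Too many DNS/protocol faults on this connection
  accept
```

Because rejection happens at RCPT rather than at CONNECT, the reject log line still carries the envelope sender and recipient, which is what makes the quarantine review and the per-user exception file practical.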