Re: [exim] How to block using exim re:[doctor@nk.ca: Your ac…

Author: Graeme Fowler
Date:  
To: Exim-users
Subject: Re: [exim] How to block using exim re:[doctor@nk.ca: Your account has been hacked! You need to unlock.]
On 27 Jan 2019, at 17:30, Cyborg via Exim-users <exim-users@???> wrote:
> I guess, you are not using spamhaus or a similar dns ip blocking service,
> as the sheer amount of "got hacked" fraud messages is insane itself.


You guess incorrectly.

Part of my day job is running the email infrastructure for a fairly large UK university. Today’s rejection stats for our staff email domain run at approx:

* 50% rejected at connect time, whether for DNSBL lookups or other reputation services including our own in-house one
* 20% invalid/rubbish/known bad EHLO/HELO
* 15% rejected for invalid recipients or unverifiable senders
* 15% for content-based problems - SpamAssassin, rspamd, malware, other lookups

That’s a fairly quiet day. On weekdays we can reject over 90% of all the connections or messages that hit us, into the top hundreds of thousands or low millions per day.

We’re of such a scale that we can’t use free DNSBL services, in the main. Encouraging people to use the free services is all very well but at scale they’ll end up being banned from them (or worst case getting a positive response for every lookup in order to discourage them).

As an aside, the SaneSecurity signatures include an awful lot more than just malware but should be used with care as some of the sig files are documented as having a high FP rate.

Graeme