From: Len Conrad (no email)
Date: Thu Aug 01 2002 - 08:53:28 EDT
We don't find RBL to be a huge contributor to our rejection rates, perhaps
because we don't subscribe to many of them, but it does make a significant
contribution.
Here's how our rejects total up for yesterday:
     3 ACL from_senders bogus
     4 SMTP invalid
     5 SMTP Bad HELO
     6 ACL mta_clients_regex
     9 SMTP invalid
    17 RBL orbs.dorkslayers.com
    20 SMTP unauthorized pipelining
    33 RBL dynablock.wirehub.net
    63 ACL body checks
    75 RBL relays.visi.com
    84 ACL unauthorized relay
   117 ACL mta_clients_unkn_user
   125 ACL mta_clients_nxdomain
   185 ACL mta_clients_proxies
   324 RBL relays.ordb.org
   383 ACL header checks
   383 DNS no A/MX for @sender.domain
   398 DNS timeout for MTA PTR hostname
   463 ACL mta_clients_relays_ordb
   518 RBL blackholes.wirehub.net
   728 DNS nxdomain for MTA PTR hostname
   804 ACL SLET
   816 ACL mta_clients_slet
   871 RBL proxies.relays.monkeys.com
  1105 ACL to_recipients
  1804 ACL mta_clients_bogus
  9343 TOTAL
We find that wirehub's SpamList-Extended.Txt has very few false positives,
804 ACL SLET
and we harvest the IPs rejected with SLET to make a local .map file,
which gives us this category:
816 ACL mta_clients_slet
Also, monkey's list of frequently forged domains gives us these categories:
728 DNS nxdomain for MTA PTR hostname
398 DNS timeout for MTA PTR hostname
1804 ACL mta_clients_bogus
Since monkey's list is DNS based (query for PTR and matching A),
harvesting the rejects' IPs, above a certain threshold, to a local .map, I
would think, makes the reject faster.
We have also compiled the top 250 "unknown users" and then harvest the IPs
for MTAs that continue to send to those 250 dead addresses.
On an avg day, the single biggest category, by far, is rejecting mail to
unknown users. But when we get attacked, it drops to 2nd place, as above
(where our harvest IPs of monkey forged domains came out on top), or even
lower, as other blocks take over in repelling the attack.
Len
__________________________________________________________________
www.menandmice.com/DNS-training : DNS Training
BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
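The harvesting step described in the message above (reject IPs above a threshold written to a local .map file), as an added example that is not Len Conrad's or IMGate's code. The log lines are constructed, and the Postfix access-table entry format (`ip REJECT text`), the 5xx-only counting and the allowlist are assumptions the message does not specify.

```python
import ipaddress
import re
from collections import Counter

# Matches the client IP and SMTP reply code in a Postfix smtpd reject record.
REJECT_RE = re.compile(r"reject: \w+ from \S+?\[([0-9.]+)\]: (\d{3}) ")

def _line(ip, code, why):
    # Builds one CONSTRUCTED log line; hostnames, PIDs and texts are made up.
    return f"Aug  1 08:00:00 gw postfix/smtpd[411]: reject: RCPT from unknown[{ip}]: {code} {why}"

SAMPLE_LOG = "\n".join([
    "Aug  1 08:00:00 gw postfix/smtpd[411]: connect from unknown[192.0.2.10]",
    _line("192.0.2.10", 550, "<a@example.com>: User unknown"),
    _line("192.0.2.10", 550, "<b@example.com>: User unknown"),
    _line("192.0.2.10", 554, "Service unavailable; blocked"),
    _line("198.51.100.7", 550, "<a@example.com>: User unknown"),
    _line("198.51.100.7", 450, "Client host rejected: cannot find your hostname"),
    _line("203.0.113.5", 554, "Relay access denied"),
    _line("203.0.113.5", 554, "Relay access denied"),
])

def harvest(log_text, threshold, allowlist=()):
    """Return {ip: count} for clients with at least `threshold` 5xx rejects."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or not m.group(2).startswith("5"):
            continue  # skip non-rejects and temporary (4xx) failures
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed address: never write it into the map
        counts[ip] += 1
    return {ip: n for ip, n in counts.items()
            if n >= threshold and ip not in allowlist}

def to_map(harvested):
    """Render access-table lines, sorted numerically by address."""
    ordered = sorted(harvested, key=ipaddress.ip_address)
    return "".join(f"{ip}\tREJECT harvested after {harvested[ip]} rejects\n"
                   for ip in ordered)

if __name__ == "__main__":
    print(to_map(harvest(SAMPLE_LOG, 2, allowlist={"203.0.113.5"})), end="")
```

The allowlist keeps known-good relays out of the local map even when they trip the threshold, which matters because a harvested entry rejects without any further DNS lookup.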