I use a managed email filtering service (Symantec.cloud - formerly MessageLabs) which obviates the need for checking quite so much. My exim server only accepts SMTP connections from designated IP addresses and runs spamassassin to pick up some of the false negatives that they let through but all of the RBL stuff is done upstream. It works very well.

Andrew


-------- Original message --------
From: Keith Williams
Date: 17/02/2014 07:46 (GMT+00:00)
To: BitFolk Users
Subject: Re: [bitfolk] Spam overwhelming my mail server

I use SpamCop and SpamHaus RBLs

I am using Postfix so am not 100% about Exim, but I use a range of checks and reject mail from non-existent domains and unauthorised pipelining. Possibly more but sitting here eating breakfast I can't remember LOL. As for fail2ban look here http://www.zaphinath.com/custom-filter-for-exim-through-fail2ban/



On 17 February 2014 00:05, Gavin Westwood <bitfolk-lists@gavinwestwood.me.uk> wrote:
Thanks everyone for your suggestions. As at 23:15 it's reached 24,648
rejected spam emails.

On 16/02/2014 15:28, Andy Bennett wrote:
> Just firewall everything for 12 hours. If that's not enough to encourage
> the spammers to give up then you can probably extend it a little more
> without having any remote mailservers bounce messages.
> During this time, legitimate mail should queue on the sending host and
> be retried for anywhere between 24 and 72 hours.

Unfortunately this wouldn't be satisfactory for my clients and, as this
is the second time in 3 weeks that it's been hit by this level of
inbound spam (it's not relay attempts - my server gives that short
shrift), doing that once a month would be both a pain and cause me to
get phone calls.  As long as my clients get their messages in a
reasonably timely manner they are generally happy (mail does appear to
be getting through despite my home mail server's issues connecting).

On 16/02/2014 20:52, ed wrote:
> Not for SpamAssassin, but have you thought about using one of the
> RBLs? Then you'd block potential junk before you start spending CPU
> time on bayes filtering.

Currently I only use RBLs as part of the Spamassassin checks and
scoring.  I'm worried about applying stricter RBL checks due to various
issues such as the lag or difficulty in removing entries and the poor
configuration of some of my clients' regular contacts' mail systems and
lack of understanding on both sides when mail is rejected.

> Alternatively, you could try greylisting, 4xx the sending mail server
> IP for thirty minutes on the first mail seen from it, then allow it.
> Often this helps as most exploited spam sources don't queue.

(Thanks to Ian for your reply on this too)
I will have a look at greylisting, but I recall from when lug.org.uk
implemented it that there was significant impact and delay with emails
coming through and again this will lead to issues with clients calling
me about emails that they were expecting.

On 16/02/2014 21:53, Keith Williams wrote:
> I think the only answer is a good multilayered approach. Use a couple
> of good RBLs.

Ed, Keith (and anyone else) - what RBLs do you consider "good" (taking
into account my previously mentioned concerns)?

> Then make sure you are doing all the checks on headers etc.

I've got several checks, but am always open to additional suggestions.

> Then into spamassassin. The next step is to use fail2ban, so that any
> particular IP can only be used by them a couple of times before being
> blocked at the firewall. This has limited usefulness tbh, because they
> are not using their own machines. What I have done is to research
> addresses and found that there are certain ISPs that keep appearing in
> spam but not ham. I then log and block them.

I have Fail2ban installed, but I don't have it checking Exim logs.  I've
not found a config to do that (my regex foo is not strong), but I do
block IPs that are regular offenders within my IPTables, however as you
note, spammers use many different compromised IPs so that is of limited
value.  I've blocked one or two ranges (e.g. Proxad's IPs), but again as
my initial point, banning whole IP ranges could impact on some of my
clients getting legitimate emails.

An interesting thing I have just found from analysing today's logs is
that almost all are being sent to email addresses (mostly rubbish names,
e.g. message IDs) at a single client's domain name.  Is there a quick
way in Exim to apply additional rules just to one domain (such as
greylisting or strict application of RBLs)?

Thanks

Gavin


_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users



--
Keith Williams

Keith's Place  www.keiths-place.co.uk
Tailor Made English   www.tmenglish.org
West Norfolk RSPCA www.westnorfolkrspca.org.uk
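Two of Gavin's points (Fail2ban not yet watching the Exim logs, and the rejections clustering on one client's domain) both come down to pulling structure out of the mainlog. The script below is an added example, not code from this thread, from Exim or from Fail2ban: it parses constructed lines in the shape of Exim "rejected RCPT" entries, counts rejections per recipient domain, and lists sending IPs that exceed a threshold while skipping an allowlist of known client or partner mail servers, which is the safeguard Gavin wants before blocking anything. The exact log layout, the function names and the sample addresses are assumptions made here, not taken from the thread.

```python
"""Analyse Exim-style "rejected RCPT" log lines.

Answers two questions from the thread: which recipient domain is being
hammered, and which sending IPs are over a ban threshold (the test a
fail2ban jail would apply), without ever proposing an allowlisted
client or partner mail server for blocking.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of Exim mainlog rejection entries.
# They are NOT from the thread; IPs and domains are documentation values.
SAMPLE_LOG = """\
2014-02-17 00:05:01 H=(spam1) [203.0.113.5] F=<a@example.net> rejected RCPT <h7f3k2@client-a.example.com>: Unrouteable address
2014-02-17 00:05:02 H=(spam1) [203.0.113.5] F=<b@example.net> rejected RCPT <9s8d7f@client-a.example.com>: Unrouteable address
2014-02-17 00:05:03 H=(spam1) [203.0.113.5] F=<c@example.net> rejected RCPT <q1w2e3@client-a.example.com>: Unrouteable address
2014-02-17 00:05:04 H=mx.partner.example.org [198.51.100.7] F=<bob@partner.example.org> rejected RCPT <nobody@client-b.example.com>: Unrouteable address
2014-02-17 00:05:05 H=(bot) [203.0.113.9] F=<d@example.net> rejected RCPT <zz12ab@client-a.example.com>: 203.0.113.9 is listed at zen.spamhaus.org
2014-02-17 00:05:06 H=(bot) [203.0.113.9] F=<e@example.net> rejected RCPT <x9y8z7@client-a.example.com>: 203.0.113.9 is listed at zen.spamhaus.org
2014-02-17 00:05:07 1WEx2a-0001Ab-Cd <= alice@client-b.example.com H=mail.client-b.example.com [192.0.2.20] P=esmtps S=2048
"""

# The H= field may be "(helo)" alone, "host.name" alone or "host.name (helo)";
# the F= sender is optional. Anything that is not a rejection does not match.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<helo>\S+(?: \([^)]*\))?) \[(?P<ip>[0-9a-fA-F.:]+)\] "
    r"(?:F=<(?P<sender>[^>]*)> )?"
    r"rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)


def parse_rejections(text):
    """Return one dict per rejection line; delivery and other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rcpt_domain"] = rec["rcpt"].rsplit("@", 1)[-1].lower()
            records.append(rec)
    return records


def rejections_by_domain(records):
    """Rejection count per recipient domain."""
    return Counter(r["rcpt_domain"] for r in records)


def dominant_domain(records):
    """Recipient domain with the most rejections and its share of the total."""
    counts = rejections_by_domain(records)
    if not counts:
        return None, 0.0
    domain, n = counts.most_common(1)[0]
    return domain, n / sum(counts.values())


def ban_candidates(records, threshold, allow_nets=()):
    """Sending IPs with at least `threshold` rejections, excluding any IP
    inside an allowlisted network (put your clients' own MX ranges here)."""
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    counts = Counter(r["ip"] for r in records)
    out = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # known-good server: never propose it for a firewall block
        out.append(ip)
    # Worst offenders first; ties broken by address for a stable report.
    return sorted(out, key=lambda ip: (-counts[ip], ip))


if __name__ == "__main__":
    recs = parse_rejections(SAMPLE_LOG)
    domain, share = dominant_domain(recs)
    print(f"{len(recs)} rejections; {share:.0%} aimed at {domain}")
    for dom, n in rejections_by_domain(recs).most_common():
        print(f"  {n:5d}  {dom}")
    print("ban candidates:", ban_candidates(recs, 2, allow_nets=["198.51.100.0/24"]))
```

To use it on a real server, replace SAMPLE_LOG with the contents of the Exim mainlog for the day and fill `allow_nets` with the address ranges of your clients' and their regular contacts' mail servers; the per-domain table tells you which client needs the stricter per-domain rules Gavin asks about, and the candidate list is what a Fail2ban jail would act on.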
 
 
 
