> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Stroller
> Sent: Thursday, 23 October 2008 12:53 AM
> To: Postfix
> Subject: Re: Best anti-spam
>
>
> On 22 Oct 2008, at 12:56, Richard Foley wrote:
> >> ...
> >> spam_ip_regex file:
> >>
> >> /[ax]dsl.*\..*\..*/i 450 AUTO_XDSL Email Rejected. You appear
> >> to be
> >
> > This looks fairly useful. Does anyone else have any experience with
> > this approach, who might be able to offer insight into whether it's
> > valid or not?
>
>
> My experience is on the butt-end of such filters - they're a
> sure-fire way to annoy me if I'm sending you mail.
>
> I run a Postfix server on my home ADSL connection and it is
> extremely frustrating to have mail rejected because of that.
> The common response of admins to complaints about this is
> "you should use your ISP's mail server", but really it is
> just nice to have a proper "receipt" for emails one has sent.
>
> If a message appears undelivered (it may have been
> incorrectly classified as spam by the recipient's
> filter) then, using Postfix & connecting directly, I can say
> "the mailserver listed in your domain's MX records
> acknowledged receipt for this message at $time on $date;
> here's the log entry". If I use my ISP's relay then the blame
> is uncertain.
>
> I have to admit that I can't say I've ever had to use this
> "proof of delivery" - perhaps if I reported a missing mail
> (through their
> servers) to my ISP they would help track it down, but I am
> not very optimistic. It is quite aggravating, however, to be
> treated like a second-class citizen when I am following RFC.
> Some major ISPs do not, and yet they get away with it just
> because one can't simply ignore their whole huge customer base.
>
> Stroller.
>
>

I implement those checks as a helo check. If you can't be bothered having a proper DNS entry for your mail server (i.e. not a dynamic consumer one provided by your ISP), I tend to think it's a bot or at least a mickey-mouse outfit, and I really don't have to worry too much about accepting mail from them.
However, due to the fact it seems that a number of actual businesses can't be bothered getting proper (r)DNS for their mail servers, I've had to relax that attitude a bit, and fortunately I've found that virtually all can configure a proper HELO hostname (except for the idiots who install Microsoft Small Business Server who don't realise you should configure a different hostname to XXXX.local). I still reject over 30% of mail from that check alone, and with no false-positives (I had a couple right at the start).

To get around the problem that some people have pointed out with servers having domains with strings like "/dial/" inside them, I do a few /^mail.*/ /^smtp.*/ and so on DUNNO entries at the top of the helo access map. Those actually don't get triggered very often.

Of course, I'm running a corporate network, not an ISP, and I feel quite strongly that such brute-force measures should not be used by ISPs. But I also feel that ISPs should force authentication for mail sending... speed the day.

I also feel that the zen RBL is an excellent tool, and if I can get my employers to pay for it, I'll be ditching the brute-force checks (at present, using them allows us to be below the threshold for free lookups against zen).

Fail2ban is also great. I have 15 minutes on the primary MX and 30 minutes on the secondary MX as lockout times.
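
The HELO access map ordering described in the message above, as an added example that is not part of the original post or the poster's configuration: a Python model of first-match lookup in a regexp table, used to audit a list of known-good HELO names for false positives before deploying the map. The map contents other than the quoted [ax]dsl pattern (written here without a flag, relying on the table's default case-insensitive matching), the reply texts and all hostnames are constructed assumptions.

```python
import re

# Constructed HELO access map in the style the message describes:
# DUNNO entries first, reject patterns after them.
HELO_MAP = r"""
/^mail.*/              DUNNO
/^smtp.*/              DUNNO
/[ax]dsl.*\..*\..*/    450 AUTO_XDSL Email Rejected.
/dial.*\..*\..*/       450 AUTO_DIAL Email Rejected.
/\.local$/             450 AUTO_LOCAL Email Rejected.
"""

def parse_map(text):
    """Parse '/pattern/ ACTION...' lines into ordered (regex, action) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(.+)$", line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, helo):
    """First matching rule wins; no match at all also yields DUNNO."""
    for regex, action in rules:
        if regex.search(helo):
            return action, regex.pattern
    return "DUNNO", None

def audit(rules, known_good):
    """Return (helo, pattern) for known-good names the map would reject."""
    hits = []
    for helo in known_good:
        action, pattern = lookup(rules, helo)
        if action != "DUNNO":
            hits.append((helo, pattern))
    return hits

RULES = parse_map(HELO_MAP)

# Constructed sample of HELO names from senders assumed to be legitimate.
KNOWN_GOOD = ["mail.example.com", "smtp.adsl-provider.example.net",
              "mx1.dialogue-media.example.com"]

if __name__ == "__main__":
    for helo, pattern in audit(RULES, KNOWN_GOOD):
        print(f"false positive: {helo} matched /{pattern}/")
```

The audit shows that the leading DUNNO entries only shield names that begin with mail or smtp; a legitimate name such as the constructed mx1.dialogue-media.example.com still falls through to the dial pattern.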