My first port of call here would be to enable features like

- DKIM
- SPF
- reverse DNS lookup for the connecting host, where several things can be done:
  - match connecting IP to hostname in helo or mail from
  - match connecting IP to claimed sending domain in helo or mail from (check MX and A)

This will take care of a lot of snowshoe attacks.

cheers

Bernhard
 
----------------original message-----------------
From: "Stan Hoeppner" s...@hardwarefreak.com 
To: postfix-users@postfix.org 
Date: Tue, 12 Apr 2011 02:07:37 -0500
-------------------------------------------------
 
 
> pf at alt-ctrl-del.org put forth on 4/11/2011 7:32 PM:
> 
>> Just because most of the emails are spam, doesn't mean that most of
>> their customers are spammers. After all, the spammers are sending a lot
>> more mail than legit sites do.
>> 
>> If the ISP has multiple /15's and /16's, I think that blocking all of
>> their IPs then exempting specific IPs would take too much time and
>> effort. I would just be playing a different version of whack-a-mole and
>> constantly be adding new exempted IPs. My goal is to automate anything I
>> can, and not replace one problem with another.
> 
> It is impossible to "automate" the rejection of snowshoe hosts.
> Greylisting won't put much of a dent in it. Snowshoe spam is horribly
> expensive, in both time and money, to combat, precisely because the
> hosts are typically technically set up just like legit outbounds to meet
> RFC and BCPs.
> 
> Spamhaus SBL and DBL are getting better, but the lag time between a
> snowshoe host hitting your server, and a DBL or SBL listing, can be days
> or weeks. Many of the snowshoe hosts hitting here never get listed on
> the DBL or SBL.
> 
> The pay dnsbls from Invaluement work very well against snowshoe spam but
> many/most mail OPs have a thing against paid dnsbls. Those large enough
> to already pay Spamhaus don't have a problem with this, and many of them
> do use Invaluement.
> 
> In lieu of Invaluement, the only really solid defense against snowshoe
> hosts is preemptive blocking of the networks from which they operate
> after you identify snowshoe is emitting from said networks. Snowshoers
> usually use /29 to /24 allocations. But often you'll see hijacked
> netblocks up to /17 size with nothing but snowshoe emitting IPs throughout.
> 
> Using rDNS lookup tools can help you identify snowshoe ranges and block
> them after you receive a few. There is no way to automate this, as
> software really can't tell the difference between the snowshoe domain
> "screwyouispam.info" and "postfix.org".
> 
> Effectively fighting snowshoe (in lieu of Invaluement dnsbls) requires
> manual intelligence gathering by the mail OP, local block list
> generation, and good content filters. Again, tweaking greylisting
> delays is a wasted endeavor WRT snowshoe spam.
> 
> -- 
> Stan
> 

-- 
-------------
Bernhard Rohrer Consulting
529 Howth Road
Dublin 5, Ireland

+353 87 7907 134
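The rDNS checks suggested at the top of this reply (forward-confirmed rDNS, then matching the connecting IP against the HELO hostname and against the MAIL FROM domain's A and MX records), written out as an added example that is not part of the thread. It assumes a dict-backed resolver loaded with constructed records so it runs offline; a real deployment would query DNS instead.

```python
# Constructed DNS data standing in for live lookups (assumption: a dict keyed by
# (record type, owner name); a real deployment would query DNS instead).
FAKE_DNS = {
    ("PTR", "192.0.2.25"): ["mx1.example.com"],
    ("A", "mx1.example.com"): ["192.0.2.25"],
    ("MX", "example.com"): ["mx1.example.com"],
    ("A", "example.com"): ["192.0.2.10"],
    # snowshoe-style host: generic provider PTR, and HELO / MAIL FROM names
    # that never point back at the connecting IP
    ("PTR", "198.51.100.77"): ["static-77.hosting.example.net"],
    ("A", "mail.bulkoffers.example"): ["203.0.113.5"],
    ("MX", "bulkoffers.example"): ["mail.bulkoffers.example"],
}

def lookup(rtype, name, dns=FAKE_DNS):
    """Return the records of type rtype for name (case-insensitive, trailing dot ignored)."""
    return dns.get((rtype, name.lower().rstrip(".")), [])

def fcrdns(ip, dns=FAKE_DNS):
    """Forward-confirmed rDNS: at least one PTR name for ip resolves back to ip."""
    return any(ip in lookup("A", name, dns) for name in lookup("PTR", ip, dns))

def helo_matches_ip(ip, helo, dns=FAKE_DNS):
    """Does an A record of the HELO/EHLO hostname equal the connecting IP?"""
    return ip in lookup("A", helo, dns)

def sender_domain_matches_ip(ip, mail_from, dns=FAKE_DNS):
    """Does the MAIL FROM domain, or any of its MX hosts, have an A record equal to ip?"""
    domain = mail_from.rsplit("@", 1)[-1]
    return any(ip in lookup("A", h, dns) for h in [domain] + lookup("MX", domain, dns))

def assess(ip, helo, mail_from, dns=FAKE_DNS):
    """Run the three checks; 'pass' requires FCrDNS plus at least one alignment match."""
    result = {
        "fcrdns": fcrdns(ip, dns),
        "helo_matches_ip": helo_matches_ip(ip, helo, dns),
        "sender_domain_matches_ip": sender_domain_matches_ip(ip, mail_from, dns),
    }
    result["pass"] = result["fcrdns"] and (
        result["helo_matches_ip"] or result["sender_domain_matches_ip"])
    return result

if __name__ == "__main__":
    for args in [("192.0.2.25", "mx1.example.com", "alice@example.com"),
                 ("198.51.100.77", "mail.bulkoffers.example", "promo@bulkoffers.example")]:
        print(args, assess(*args))
```

In Postfix the FCrDNS part corresponds to reject_unknown_client_hostname and the HELO-resolves part to reject_unknown_helo_hostname; the IP alignment checks here go beyond what those stock restrictions test, so treat a failure as a scoring input rather than an outright reject.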
