Re: JoeJobbed - Vbounce plugin - SPF?.
> > On 17.03.09 14:02, Michael Hutchinson wrote:
> > > We initially tried 'riding out the storm' as it were, but were unable to keep on top of the load put on the servers by excessive E-Mail messages requiring scanning by SA. This got so bad that the mailserver had become unresponsive to our clients.

> > qmail is known for bouncing, instead of rejecting unknown recipients at SMTP level. You filter unknown recipients? If not, this is your problem.

On 19.03.09 09:54, Michael Hutchinson wrote:
> If an smtproutes entry forces me to accept unknown recipients for said affected domain, then Yes, and I would assume that this is the behaviour.

Oh, yes, smtproutes is a problem. Not good until we'll all have some clean way how to detect valid and invalid customers.

> > > I was considering convincing the powers to let me setup SPF, but their requirement would be to have both v1 and v2 spf tags - and I'm not sure whether Q-Mail is up to both yet, but some kind of SPF implementation where we check the tags (not necessarily publish them) but I guess that's an MTA question:)

> > forget SPF v2. Use v1 but don't expect huge results, there's still many SMTP servers not checking the SPF...

> OK, What's wrong with SPF v2 ?

I think we should better google for it, but iirc SPF v2 is based on Microsoft's idea that has some logical and some patent issues. Does anyone here know more/better about SPF v2?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

RE: JoeJobbed - Vbounce plugin - SPF?.
-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk]
Sent: Tuesday, 17 March 2009 10:17 p.m.
To: users@spamassassin.apache.org
Subject: Re: JoeJobbed - Vbounce plugin - SPF?.

> On 17.03.09 14:02, Michael Hutchinson wrote:
> > I'm running SpamAssassin 3.1.7, with netqmail 1.05, ClamAV etc..

> old ! The current SA version is 3.2.5 - upgrade.

Yes, I know it's old :) The upgrade is in the pipeline, but not for a couple of months yet. Mind you, it still runs pretty well and does catch a lot of Spam, for its age.

> > We initially tried 'riding out the storm' as it were, but were unable to keep on top of the load put on the servers by excessive E-Mail messages requiring scanning by SA. This got so bad that the mailserver had become unresponsive to our clients.

> qmail is known for bouncing, instead of rejecting unknown recipients at SMTP level. You filter unknown recipients? If not, this is your problem.

If an smtproutes entry forces me to accept unknown recipients for said affected domain, then Yes, and I would assume that this is the behaviour.

> > How might I keep delivery flowing to valid recipients for the domain (smarthosted (smtproutes) to exchange) but reject the blowback at SMTP time?

> So you do NOT reject invalid recipients? Change qmail, or at least its SMTP server. There are afaik some that can do that.

Yes, that can be done with a valid rcptto patch for qmail. I've not applied the patch, but have added it to the list.

> And, optionally, consider some rules of rejecting before queuing - block invalid HELO strings, senders in some reliable blacklists etc.

This helps. I will work at blocking invalid HELO and some certain subjects at SMTP time, for a while after a joe job.

> > I was considering convincing the powers to let me setup SPF, but their requirement would be to have both v1 and v2 spf tags - and I'm not sure whether Q-Mail is up to both yet, but some kind of SPF implementation where we check the tags (not necessarily publish them) but I guess that's an MTA question:)

> forget SPF v2. Use v1 but don't expect huge results, there's still many SMTP servers not checking the SPF...

OK, What's wrong with SPF v2 ?

Thanks for your reply, Matus, I appreciate your help and ideas.

Cheers,
Michael Hutchinson
Manux Solutions Limited.

Re: JoeJobbed - Vbounce plugin - SPF?.
On 17.03.09 14:02, Michael Hutchinson wrote:
> I'm running SpamAssassin 3.1.7, with netqmail 1.05, ClamAV etc..

old ! The current SA version is 3.2.5 - upgrade.

> We've been subject to being joe-jobbed on one of our domains here at work. We were lucky as we were able to switch off delivery to the affected domain and effectively blocked the blowback by refusing E-Mail from all the Postmasters around the world sending NDR's and so forth to the now non-existent mailboxes. This was a far-from-optimal solution, as I'm sure many people will be wanting to point out already, what if we needed that domain to still receipt legitimate E-Mail...
>
> We initially tried 'riding out the storm' as it were, but were unable to keep on top of the load put on the servers by excessive E-Mail messages requiring scanning by SA. This got so bad that the mailserver had become unresponsive to our clients.

qmail is known for bouncing, instead of rejecting unknown recipients at SMTP level. You filter unknown recipients? If not, this is your problem.

> I removed a bunch of our own site rules (which were going to be whittled away anyhow) to decrease the average scantime of E-Mails by SpamAssassin - this did work, for about 15 minutes. Then, an average scantime of 4 seconds was not good enough - clients still denied SMTP (too busy).
>
> I decided (wrongly) to implement the Vbounce plugin. Read the install doc, got it setup, tested SA with debug and lint, everything appeared to test OK. Put it into practice by reloading SA and then Wang! Average scantimes hit the roof: 38 seconds. Needless to say I disabled the plugin. Although whilst it was running, it did appear to be doing the job correctly according to my mail logs - and there were no errors. So we blocked the domain.
>
> I am interested to know the following: Has anyone else had this kind of result when installing the Vbounce plugin? (largely increased scantimes)

I have not, but I use newer SpamAssassin

> How might I keep delivery flowing to valid recipients for the domain (smarthosted (smtproutes) to exchange) but reject the blowback at SMTP time?

So you do NOT reject invalid recipients? Change qmail, or at least its SMTP server. There are afaik some that can do that.

And, optionally, consider some rules of rejecting before queuing - block invalid HELO strings, senders in some reliable blacklists etc.

> I was considering convincing the powers to let me setup SPF, but their requirement would be to have both v1 and v2 spf tags - and I'm not sure whether Q-Mail is up to both yet, but some kind of SPF implementation where we check the tags (not necessarily publish them) but I guess that's an MTA question:)

forget SPF v2. Use v1 but don't expect huge results, there's still many SMTP servers not checking the SPF...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...

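The advice in the reply above, refusing unknown recipients during the SMTP dialogue instead of accepting and bouncing later, sketched as an added example (not code from the thread, from qmail, or from any patch for it). The domain, mailbox list, sample recipients and function names are all constructed for illustration.

```python
# Added illustration: decide at RCPT TO time for a domain relayed to an
# internal server, instead of accepting everything and bouncing later.
# All names and data below are constructed for this example.
RELAY_DOMAINS = {"example.com"}
VALID_RCPTS = {"alice@example.com", "sales@example.com"}  # exported mailbox list

# Constructed RCPT TO arguments as seen during a blowback flood.
SAMPLE_RCPTS = [
    "<alice@example.com>", "<qzx81@example.com>", "<info-7731@example.com>",
    "<SALES@example.com>", "<bob@other.example>", "not-an-address",
]


def normalize(rcpt):
    """Strip angle brackets, lowercase; None unless it looks like local@domain."""
    addr = rcpt.strip().strip("<>").lower()
    local, sep, domain = addr.rpartition("@")
    return addr if sep and local and domain else None


def rcpt_reply(rcpt, check_users=True):
    """SMTP reply for one RCPT TO. check_users=False models accept-then-bounce."""
    addr = normalize(rcpt)
    if addr is None:
        return 501, "5.1.3 bad recipient address syntax"
    if addr.rpartition("@")[2] not in RELAY_DOMAINS:
        return 550, "5.7.1 relaying denied"
    if check_users and addr not in VALID_RCPTS:
        return 550, "5.1.1 no such user"  # refused before DATA, never scanned
    return 250, "2.1.5 ok"


def load(rcpts, check_users):
    """Return (messages handed to content scanning, bounces generated later)."""
    accepted = [normalize(r) for r in rcpts if rcpt_reply(r, check_users)[0] == 250]
    late_bounces = [a for a in accepted if a not in VALID_RCPTS]
    return len(accepted), len(late_bounces)


if __name__ == "__main__":
    for check in (False, True):
        scanned, bounced = load(SAMPLE_RCPTS, check)
        print(f"check_users={check}: scanned={scanned} late_bounces={bounced}")
```

The decision depends only on the recipient, so NDRs arriving with an empty envelope sender are refused the same way as any other mail to a nonexistent mailbox.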
JoeJobbed - Vbounce plugin - SPF?.
Hello everyone,

I'm running SpamAssassin 3.1.7, with netqmail 1.05, ClamAV etc..

We've been subject to being joe-jobbed on one of our domains here at work. We were lucky as we were able to switch off delivery to the affected domain and effectively blocked the blowback by refusing E-Mail from all the Postmasters around the world sending NDR's and so forth to the now non-existent mailboxes. However, this was a far-from-optimal solution, as I'm sure many people will be wanting to point out already, what if we needed that domain to still receipt legitimate E-Mail...

We initially tried 'riding out the storm' as it were, but were unable to keep on top of the load put on the servers by excessive E-Mail messages requiring scanning by SA. This got so bad that the mailserver had become unresponsive to our clients.

I removed a bunch of our own site rules (which were going to be whittled away anyhow) to decrease the average scantime of E-Mails by SpamAssassin - this did work, for about 15 minutes. Then, an average scantime of 4 seconds was not good enough - clients still denied SMTP (too busy).

I decided (wrongly) to implement the Vbounce plugin. Read the install doc, got it setup, tested SA with debug and lint, everything appeared to test OK. Put it into practice by reloading SA and then Wang! Average scantimes hit the roof: 38 seconds. Needless to say I disabled the plugin. Although whilst it was running, it did appear to be doing the job correctly according to my mail logs - and there were no errors. So we blocked the domain.

I am interested to know the following:

Has anyone else had this kind of result when installing the Vbounce plugin? (largely increased scantimes)

How might I keep delivery flowing to valid recipients for the domain (smarthosted (smtproutes) to exchange) but reject the blowback at SMTP time?

I was considering convincing the powers to let me setup SPF, but their requirement would be to have both v1 and v2 spf tags - and I'm not sure whether Q-Mail is up to both yet, but some kind of SPF implementation where we check the tags (not necessarily publish them) but I guess that's an MTA question:)

Thanks in advance for any useful information :)

Cheers,
Michael Hutchinson