On 10/19/2006 7:11 PM, John Rudd wrote:

> It is my observation that the messages which come from an immediate 
> relay that:
> 
> A) does not have a PTR record, or
> 
> B) has forged DNS (PTR record doesn't lead to an A record which
> resolves back to the SMTP client's IP address), or
> 
> C) has a hostname that appears to be an end-client of some other
> network than my own (contains its own IP addr in the hostname, contains
> words like "dynamic", "dsl", "dial-up", etc.)
> 
> are generating spam. 

It's a bigger list than that but yeah. My theory is that if they can't get
their network configured, no telling what else is broken, so I flag it.

> In order to exempt my own legitimate users, I skip the check if they're
> on my IP block OR if they do SMTP-AUTH.

I've got two listeners, one for SMTP 25, one for SUBMIT 587. The latter
only allows authenticated sessions. Mail sent to the former is heavily
inspected while the session is active, while mail to the latter bypasses
the filters altogether.

> The one thing I'm thinking about changing is, at home I _reject_ 
> messages that fail these checks (using filter_sender in mimedefang). 
> I'm thinking that, for the production systems at work, just to cover 
> that incredibly small percentage of people who can't or won't use their
> ISP's mail server or do SMTP-AUTH, I'll merely quarantine their 
> messages, via spam assassin score, instead of rejecting them.

Yeah, I moved almost everything out of postfix and into spamassassin so
that I could work on probability instead of binary. Just make sure to
whitelist all traffic for any mailing list that you're on, possibly
including to/cc whitelists.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/

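The three relay checks discussed in the thread (A: no PTR, B: PTR that does not forward-confirm to the client IP, C: hostname that looks like an end client), together with the own-IP-block / SMTP-AUTH exemption, as an added Python example that is not code from either poster. DNS answers are constructed lookup tables so it runs offline; the address block and any hostname words beyond "dynamic", "dsl" and "dial-up" are assumptions.

```python
import ipaddress
import re

# Constructed stand-ins for live DNS (added example, not from the thread).
# PTR_TABLE: client IP -> PTR hostnames; A_TABLE: hostname -> A records.
PTR_TABLE = {
    "203.0.113.10": ["mail.example.net"],
    "203.0.113.20": ["host-203-0-113-20.dsl.example-isp.net"],
    "203.0.113.30": ["mx.forged.example.org"],
}
A_TABLE = {
    "mail.example.net": ["203.0.113.10"],
    "host-203-0-113-20.dsl.example-isp.net": ["203.0.113.20"],
    "mx.forged.example.org": ["198.51.100.5"],
}

# Words that mark an end-client host; "dynamic", "dsl", "dial-up" come from
# the thread, the others are assumed additions.
END_CLIENT_WORDS = re.compile(r"(dynamic|dyn|dsl|dial-?up|ppp|cable|pool)", re.I)

def ip_in_hostname(ip, hostname):
    """True if the IP's octets appear in order (or reversed) inside hostname,
    separated by '-', '.' or '_', e.g. host-203-0-113-20.example."""
    octets = [re.escape(o) for o in ip.split(".")]
    fwd = r"(?<![0-9])" + r"[-._]".join(octets) + r"(?![0-9])"
    rev = r"(?<![0-9])" + r"[-._]".join(reversed(octets)) + r"(?![0-9])"
    return re.search(fwd, hostname) is not None or re.search(rev, hostname) is not None

def relay_checks(ip, my_block="203.0.113.0/29", authenticated=False):
    """Return the list of failed checks ("A", "B", "C") for the SMTP client.
    An empty list means the relay passed or was exempt (own block / AUTH).
    my_block is an assumed local network, as in the exemption described."""
    if authenticated or ipaddress.ip_address(ip) in ipaddress.ip_network(my_block):
        return []
    names = PTR_TABLE.get(ip, [])
    if not names:
        return ["A"]  # no PTR record; B and C cannot be evaluated without one
    failures = []
    # B: forward-confirmed reverse DNS - some PTR name must resolve back to ip
    if not any(ip in A_TABLE.get(name, []) for name in names):
        failures.append("B")
    # C: hostname looks like an end client rather than a mail relay
    if any(END_CLIENT_WORDS.search(name) or ip_in_hostname(ip, name) for name in names):
        failures.append("C")
    return failures
```

Feeding the result into a score (as Eric does via SpamAssassin) rather than rejecting outright is a matter of mapping each failed check to points.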