Davide - sorry to continue this OT here, but perhaps others might be 
interested...
At 10:27 12/29/2003, Kirk Friggstad wrote:

>If I may jump in here with a comment on your spam-blocking method...
>
>We've just been through hell with an ISP who uses a similar blocking scheme
>(blocking IP addresses in the headers of reported spam messages). We have a
>forwarding mail account set up for one of our out-of-office sales reps -
>[EMAIL PROTECTED] forwarding to [EMAIL PROTECTED] (obviously, names
>have been changed). Our sales rep had spam sent to the
>[EMAIL PROTECTED], and proceeded to report it to hisISP.net. hisISP.net
>then blocked all messages sent through our mail server, which effectively
>cut us out of any communication with our sales rep.
>
>After about a week's worth of phone calls between our rep, our tech guys,
>and hisISP.net, we managed to get our server "whitelisted" at hisISP.net -
>although our whitelist entry apparently disappeared a few days later, and we
>had to do the whole thing again to get back into the whitelist.
>
>The point of this story - the collateral damage of this type of blocking
>scheme may outweigh its effectiveness. Not saying that it will in your
>case, but just something to keep in mind.

Not to be obstinate or anything, but you really don't know anything about 
my blocking methods here...

Let me explain to you how things work here. I have a number of email 
addresses which are "spam-traps". These addresses were used about 3 years 
ago for various things, then disabled (all mail to these addresses was 
refused with "invalid local account" messages) for a full year (12 calendar 
months). At the end of those 12 calendar months, the accounts were 
unblocked and all mail they receive (which, at this point, is *nothing* but 
spam, as any legitimate correspondents to those addresses were notified that 
they were no longer valid prior to them being disabled) is directed to spam 
filters.

Each mail received on one of these spam trap addresses is header analyzed. 
Each IP address (real or forged, doesn't matter) in the headers is looked 
up for RDNS. I then create a pattern for the RDNS and add that to my 
blocking list. For example:

62.73.63.106 resolves to adsl-63-106.kotikaista.lsp.fi

I would then create a pattern of "adsl*.kotikaista.lsp.fi" and add that to 
my blocking list. From the time that is added, all mail *originating from* 
an IP address which has RDNS matching that pattern is rejected as spam.

While I agree that there is a possibility of unintentional rejecting based 
on this, I review my mail logs on a daily basis, and I'm in direct contact 
with my mail clients regularly to discuss any mail problems (such as 
missing or misdirected mail).

I also have contacted major ISPs (especially those from which I receive a 
high volume of direct-to-MX spew) to request information on their 
designated out-MX IP addresses, and those who responded have been 
whitelisted locally (thus bypassing these checks).

The net end result is to block direct-to-MX spam (and worm spew) from 
dynamic addresses and known spam havens.

Has there been any collateral damage? Sure. There have been (at last count) 
17 emails that were blocked in error by this method. That's out of 3 months 
of operation. Of those 17 emails, only two were "unrecoverable" (meaning 
the sender was unable to be contacted to resend the mail after appropriate 
whitelisting). In all but 4 cases, the intended recipient never needed to 
be aware (but was informed anyway as a matter of policy), as the problem 
was caught by me and the sender contacted for whitelisting information and 
resubmission of the email before the recipient had even noticed that the 
mail was missing.

However, this is in no way a recommendation for this kind of blocking on 
other systems. It works well for me, it is true. But every system must find 
a method that works for them. I have a small user base, and I'm able to 
spend the time necessary to maintain the setup. It is somewhat labor 
intensive, and would definitely not scale to a larger operation (well, some 
portions of it would, but the threshold for blocking would need to be much 
higher than I currently use). Not to mention that the various checks and 
special handling required some custom mods to Xmail locally.

If you wish to be pre-emptively whitelisted on my server, and are willing 
to accept full responsibility for any spam received from your whitelisted 
servers, please feel free to contact me off the list. I don't have any 
problem with whitelisting mail servers. However, whitelisting is only 
needed if your mail server fails one of the following tests:

1) Server IP address has never been seen in spam locally
2) Has proper RDNS (the connecting IP address has a matching PTR record)
3) HELO/EHLO name resolves (name has a proper A record)
4) Has an MX record which matches the domain on the MAIL FROM: address

If your mail server can pass all those tests, then there is no need for 
whitelisting.


-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
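The RDNS-pattern blocking and the four acceptance tests described in the message above, as an added example that is not part of the original thread or of XMail. It assumes constructed DNS tables in place of live lookups, and an assumed rule for deriving the wildcard (keep the alphabetic prefix of the first label), since the message shows only one instance of the pattern.

```python
import fnmatch
import re

# Constructed DNS tables so the example runs offline (swap in real lookups such
# as socket.gethostbyaddr for production). The first PTR entry is the one quoted
# in the message; every other name and address here is invented.
PTR = {"62.73.63.106": "adsl-63-106.kotikaista.lsp.fi",
       "62.73.63.107": "adsl-63-107.kotikaista.lsp.fi",
       "192.0.2.10": "mx1.example.net"}
A = {"adsl-63-107.kotikaista.lsp.fi": "62.73.63.107", "mx1.example.net": "192.0.2.10"}
MX = {"example.net": ["mx1.example.net"]}

def rdns_pattern(hostname):
    """'adsl-63-106.kotikaista.lsp.fi' -> 'adsl*.kotikaista.lsp.fi'. Assumed rule:
    keep the alphabetic prefix of the first label and wildcard the rest; a label
    with no such prefix is kept verbatim so it never becomes a whole-domain block."""
    first, dot, rest = hostname.lower().partition(".")
    prefix = re.match(r"[a-z]*", first).group(0)
    return f"{prefix}*{dot}{rest}" if prefix else hostname.lower()

class Policy:
    def __init__(self):
        self.patterns = []      # RDNS wildcards learned from spam-trap headers
        self.seen = set()       # raw IPs seen in trap mail (test 1)
        self.whitelist = set()  # ISP out-MX addresses: bypass every check

    def learn_from_trap(self, header_ips):
        """Record every header IP (forged or not) and a pattern for its RDNS, if any."""
        for ip in header_ips:
            self.seen.add(ip)
            name = PTR.get(ip)
            if name and rdns_pattern(name) not in self.patterns:
                self.patterns.append(rdns_pattern(name))
        return self.patterns

    def check(self, ip, helo, mail_from):
        """Return the failed tests from the message's list; [] means no whitelisting needed."""
        if ip in self.whitelist:
            return []
        name, failed = PTR.get(ip), []
        if ip in self.seen or (name and any(fnmatch.fnmatchcase(name.lower(), p) for p in self.patterns)):
            failed.append("1:seen-in-spam")
        if name is None or A.get(name) != ip:  # PTR present and forward-confirmed
            failed.append("2:bad-rdns")
        if helo.lower() not in A:
            failed.append("3:helo-unresolvable")
        if not MX.get(mail_from.rpartition("@")[2].lower()):
            failed.append("4:no-sender-mx")
        return failed
```

A host on the same ADSL pool as the trapped sender fails test 1 through the learned wildcard even though its own IP was never seen, which is exactly the collateral-damage trade-off the thread is about.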