Re: Initial Installation Step 2
From: Andrew Daviel
Subject: Re: Initial Installation Step 2
Date: Thu, 25 Jun 2009 19:11:22 -0700 (PDT)

On Thu, 25 Jun 2009, Don Armstrong wrote:
> That's why you should generally just discard them instead of
> rejecting. If you're fairly certain that it's spam, rejecting just
> means that you increase the likelihood that people get backscatter
> from forwarding MTAs.[1]

It would be nice to have 2 thresholds, one above which we drop and one
above which we reject. Spam analysis is not an exact science, and
besides, one person's spam is another person's ham (newsletters from
travel agencies, for example). I would rather let someone know that their
mail has been rejected, than dedicate gigabytes of storage to spam on the
off chance that some is legit, or tell someone that their flight
confirmation or visa application might have gone to /dev/null.

If a message has multiple recipients, the milter cannot apply personal
scoring or whitelists. Having users' legitimate mail just disappear is
not acceptable.

I do not recollect getting any complaints about backscatter from rejected
mail based on DNSBL - we get a huge amount of that, which as I recall
sendmail rejects with 5xx at MAIL FROM. I presume, if that was sent via
an MTA, it would be generating DSNs. I do get occasional queries from
users about "I never sent that", but the volume of such is infinitesimal
compared to the volume of spam, so I conclude it is not a significant
problem.

We have had problems with Barracuda, I admit, when one of our users
forwards mail offsite. If spam goes over threshold at the destination,
but got under ours, our MTA generates a DSN if they reject. Barracuda's
reputation algorithm was fingering us as a spammer if we had no or little
legit traffic with the spoofed sender's domain. We made that go away by
suppressing the original body in DSNs, and purging out stale forwards and
expired aliases (e.g. an alias points to a deleted account).

> 1: From zombie machines in the networks of ISPs, for example.

How common is that? Offhand, I don't recall seeing any. I know that many
ISPs now block port 25 to curtail direct-to-MX spam, but I was not aware
of significant volumes of spam being sent through ISPs' MTAs. I imagine
that, if it was, the ISP might notice and actually do something - it
would stand a good chance of putting their MTA in a DNSBL and bouncing
all their customers' mail, for one thing.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
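
The two-threshold policy discussed in the message above, as an added example that is not part of the original post or of any milter's own code. The threshold values, the assumption that the reject threshold sits below the drop threshold, and the names `UserPrefs`, `PREFS` and `disposition` are all hypothetical.

```python
from dataclasses import dataclass, field

# Site-wide thresholds (constructed values; assumes reject < drop, so that
# borderline mail gets a 5xx the sender can see and only high scores vanish).
SITE_REJECT = 8.0
SITE_DROP = 20.0

@dataclass
class UserPrefs:
    """Hypothetical per-user settings."""
    reject: float = SITE_REJECT
    drop: float = SITE_DROP
    whitelist: set = field(default_factory=set)

# Constructed sample data.
PREFS = {
    "alice@example.org": UserPrefs(reject=5.0, drop=15.0,
                                   whitelist={"news@travel.example"}),
}

def disposition(score, sender, recipients, prefs=PREFS):
    """Return 'accept', 'reject' (5xx after DATA) or 'discard' for one message."""
    if not recipients:
        raise ValueError("message has no recipients")
    reject, drop = SITE_REJECT, SITE_DROP
    # The verdict after DATA covers every recipient at once, so personal
    # whitelists and thresholds are only usable with exactly one recipient.
    if len(recipients) == 1:
        user = prefs.get(recipients[0].lower(), UserPrefs())
        if sender.lower() in user.whitelist:
            return "accept"
        reject, drop = user.reject, user.drop
    if reject > drop:
        raise ValueError("reject threshold must not exceed drop threshold")
    if score > drop:
        return "discard"   # silent drop: no DSN, no backscatter
    if score > reject:
        return "reject"    # sender (or relaying MTA) learns of the failure
    return "accept"

if __name__ == "__main__":
    both = ["alice@example.org", "bob@example.org"]
    print(disposition(12.0, "news@travel.example", ["alice@example.org"]))
    print(disposition(12.0, "news@travel.example", both))
```
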