[TriLUG] spam attack help?

Douglas Ward dward at nccumc.org
Wed Apr 2 11:37:29 EDT 2008


We ran graylisting here for about 1300 accounts and it was a minor
disaster.  Large e-mail providers (hotmail, bellsouth, etc...) use multiple
outgoing mail servers when sending mail.  We were graylisting the same
message two or three times because of this.  It would take 12 hours plus for
a message to finally make it.  I heard there were ways around this but had
to give it up because of the uproar it caused.  Maybe there is a way around
that issue now?

On Wed, Apr 2, 2008 at 11:31 AM, Matt Pusateri <mpusateri at wickedtrails.com>
wrote:

> I can see no reason why you would not want to run greylisting.  Any
> valid mailserver will retry and any invalid one disappears. Postgrey
> works great.  I also use maRBL although I'm not sure if it's actively
> being developed.  maRBL uses p0f to passively identify the host OS and
> if it is Winders it triggers RBL.  This keeps the windows spam zombies
> at bay.
>
>
> Matt P.
>
>
> Dave Sorenson wrote:
> > Greylisting, while not perfect, has reduced my spamassassin workload by
> > 98%. It kills the winders zombies like a headshot from a 12 gauge.
> >
> > Dave
> >
> > Cristóbal Palmer wrote:
> >
> >> Hi folks. Anybody seen a huge spike in spam volume in the last few
> >> days? I'm responsible for mail at ibiblio and since yesterday
> >> afternoon our mail log has been growing at a rate of 1MB every 17
> >> seconds or so. So... what do you suggest to help reduce load? I'd like
> >> to reject more at SMTP time to keep spamassassin from having to chug
> >> through any more than it needs to.
> >>
> >> Current restrictions include (but are not limited to):
> >>
> >> smtpd_helo_restrictions =
> >>   permit_sasl_authenticated,
> >>   permit_mynetworks,
> >>   reject_invalid_hostname,
> >>   reject_non_fqdn_hostname,
> >>   reject_unknown_hostname
> >>
> >> smtpd_sender_restrictions =
> >>   permit_sasl_authenticated,
> >>   permit_mynetworks,
> >>   reject_non_fqdn_sender,
> >>   reject_unknown_sender_domain
> >>
> >> ...
> >>
> >> we don't currently use any RBLs at SMTP time for philosophical
> >> reasons... maybe principle should go out the window when under attack?
> >> Maybe we should be doing greylisting? I use greylisting on other
> >> systems, but we've been avoiding it on this machine for several
> >> reasons.
> >>
> >> I'd appreciate feedback offlist and on.
> >>
> >> Cheers,
> >>
> >>
>
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>
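Added illustration of the retry problem Douglas describes above (not code from this thread or from postgrey): a minimal greylisting triplet store run over constructed delivery attempts, first keyed on the full client IP, then on the client's /24 as postgrey does by default, to show why a provider retrying from a sibling outgoing server gets re-greylisted in the first case but accepted in the second. All addresses, mailboxes and timestamps are constructed sample data.

```python
# Added example (not from the thread): a minimal greylisting triplet store
# showing why keying on the full client IP re-greylists mail that a large
# provider retries from a different outgoing server, and how keying on the
# client's /24 (the approach postgrey takes by default) avoids that.
# All hosts, addresses and timestamps below are constructed sample data.
import ipaddress

GREYLIST_DELAY = 300  # seconds a triplet must age before it is accepted


class Greylist:
    def __init__(self, by_subnet: bool):
        self.by_subnet = by_subnet
        self.seen = {}  # triplet -> timestamp of first attempt

    def _key(self, client_ip, sender, recipient):
        # Per-host keying treats every outgoing server as a new triplet;
        # per-/24 keying lets sibling servers share one entry.
        if self.by_subnet:
            client = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
        else:
            client = client_ip
        return (client, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return 'defer' on first sight or while too young, else 'accept'."""
        key = self._key(client_ip, sender, recipient)
        first = self.seen.setdefault(key, now)
        return "accept" if now - first >= GREYLIST_DELAY else "defer"


# Constructed attempts: a provider's first try from one outgoing server,
# then a retry 15 minutes later from a sibling server in the same /24.
ATTEMPTS = [
    ("203.0.113.10", "alice@example.net", "bob@example.org", 0),
    ("203.0.113.11", "alice@example.net", "bob@example.org", 900),
]


def run(by_subnet):
    """Replay ATTEMPTS against a fresh greylist and return the verdicts."""
    gl = Greylist(by_subnet)
    return [gl.check(*attempt) for attempt in ATTEMPTS]


if __name__ == "__main__":
    print("per-host keying:", run(False))  # ['defer', 'defer']
    print("per-/24 keying :", run(True))   # ['defer', 'accept']
```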
