[Sussex] Securing Mail Servers

Ronan Chilvers ronan at thelittledot.com
Thu Apr 20 11:32:00 UTC 2006


Hiya Jon

On Thu, 20 Apr 2006 11:13:20 +0100
Jon Fautley <jfautley at redhat.com> wrote:

> Ronan Chilvers wrote:
> > Sorry - forgot to include greylisting - very useful technique which
> > is extremely effective at combatting spam.
> 
> Be careful with comments like that - yes, it's very effective at
> combatting spam, as long as you take the time and effort to configure
> it correctly.

Which, because the comment was very general, I'm assuming the canny
sysadmin will do. ;-)

> 
> I used to run Greylisting back before it was 'cool' - and it sucked.

I don't use greylisting because it's cool, I use it because, to date, it
has helped me cut my spam intake by over 90%, with about 3 brief
complaints in 2 years of using it.  (I don't use RBLs, which had
huge kudos, because I found they gave me far too many irritating false
positives.)

> 
> It sucked then, and it sucks now... *unless* you want to spend the
> time configuring it. In my opinion, it's much, much easier to properly
> configure SpamAssassin, or any other spam detection engine, than to
> get a working, reliable greylisting filter.

But by the time the junk gets through to SA, your server resources are
already committed.  Far better to block at the SMTP level (not just with
greylisting but with other in-protocol filters too) to block known junk
before it gets to the mail queue.

SA is a brilliant, but resource hungry system.  The more junk I can
dump before I have to subject it to SA tests, the better.  For example,
if a subject line has "V_I_A_G_R_A_!_!_!" in it, it's not getting
through, because I'm willing to bet 50 quid that my users don't want
it.  I don't need to subject that to an SA scan to find out, I can dump
it at the DATA command. (Slightly naive example, I admit! :-) )

> 
> Oh, and when you do get it working, remember that you're quite likely
> to get randomly delayed emails, and lose email coming from broken
> servers.
> 

With the greylisting policy I have, I set the greylist interval quite
low, which is enough to stop the vast majority of junk.  Most spam
delivery attempts seem to either try once and disappear for good, or
hammer away with repeated delivery attempts for 30 seconds, then go
away.  Setting a low retry interval dumps all of this stuff at the
first hurdle.  Create a whitelist of IPs / domains / whatever that you
don't subject to greylisting and you're off.

To say 'greylisting sucks' is generalising hugely, surely?  Why does it
'suck'? What system were you using? How had you configured it? What was
your greylist interval?  How often did you clean your greylist
database? What was your policy on removing single hit entries? What was
your policy on multi-hit database entry lifetime? Did you maintain a
whitelist?

Cheers
-- 
Ronan
e: ronan at thelittledot.com
t: 01903 739 997

This email has been digitally signed using GNUPG to verify the identity
of the sender. Please see http://www.gnupg.org/ for further information.
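The policy described in the message above (a low retry interval, a whitelist that bypasses greylisting, and separate expiry rules for never-retried and proven-good entries), as an added example that is not part of the original post or of any particular greylisting product. The interval, lifetimes, addresses and the attempt log are all constructed for illustration.

```python
from dataclasses import dataclass
# Policy knobs: constructed values for this example, not the post's actual settings.
RETRY_INTERVAL = 60          # seconds: a low interval, as the post recommends
SINGLE_HIT_TTL = 4 * 3600    # drop triplets that were never retried after 4 hours
MULTI_HIT_TTL = 30 * 86400   # keep triplets that delivered successfully for 30 days
WHITELIST = {"192.0.2.10"}   # relay exempt from greylisting (RFC 5737 doc address)

@dataclass
class Entry:
    first_seen: float
    last_seen: float
    hits: int = 0            # number of accepted deliveries for this triplet

class Greylist:
    def __init__(self):
        self.db = {}         # (client ip, sender, recipient) -> Entry
    def check(self, ip, sender, rcpt, now):
        """Decide one delivery attempt at RCPT time: 'accept' or 'tempfail' (SMTP 4xx)."""
        if ip in WHITELIST:
            return "accept"
        key = (ip, sender, rcpt)
        entry = self.db.get(key)
        if entry is None:
            self.db[key] = Entry(first_seen=now, last_seen=now)
            return "tempfail"            # unknown triplet: ask the client to retry later
        entry.last_seen = now
        if entry.hits == 0 and now - entry.first_seen < RETRY_INTERVAL:
            return "tempfail"            # hammering inside the window gains nothing
        entry.hits += 1
        return "accept"                  # a patient retry looks like a real MTA
    def clean(self, now):
        """Expire never-retried (single-hit) entries quickly, proven-good ones slowly."""
        for key, entry in list(self.db.items()):
            ttl = MULTI_HIT_TTL if entry.hits else SINGLE_HIT_TTL
            if now - entry.last_seen > ttl:
                del self.db[key]
        return len(self.db)

def simulate(greylist, attempts):
    return [greylist.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in attempts]

# Constructed attempt log: the two spammer patterns from the post, one real MTA, one whitelisted relay.
ATTEMPTS = [
    (0,   "198.51.100.1", "spam@example.net",  "user@example.org"),  # tries once, vanishes
    (10,  "198.51.100.2", "bulk@example.net",  "user@example.org"),  # hammers for 30 s
    (20,  "198.51.100.2", "bulk@example.net",  "user@example.org"),
    (40,  "198.51.100.2", "bulk@example.net",  "user@example.org"),
    (60,  "203.0.113.5",  "alice@example.com", "user@example.org"),  # real MTA, first try
    (960, "203.0.113.5",  "alice@example.com", "user@example.org"),  # retries 15 min later
    (970, "192.0.2.10",   "bob@example.com",   "user@example.org"),  # whitelisted
]
```

Running `simulate(Greylist(), ATTEMPTS)` tempfails the first five attempts and accepts the last two; a later `clean()` drops both spammer triplets while keeping the one that retried properly.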