Re: Initial Installation Step 2

From: Andrew Daviel
Subject: Re: Initial Installation Step 2
Date: Thu, 25 Jun 2009 19:11:22 -0700 (PDT)

On Thu, 25 Jun 2009, Don Armstrong wrote:

That's why you should generally just discard them instead of
rejecting. If you're fairly certain that it's spam, rejecting just
means that you increase the likelihood that people get backscatter
from forwarding MTAs.[1]

It would be nice to have 2 thresholds, one above which we drop and one above which we reject. Spam analysis is not an exact science, and besides, one person's spam is another person's ham (newsletters from travel agencies, for example). I would rather let someone know that their mail has been rejected, than dedicate gigabytes of storage to spam on the off chance that some is legit, or tell someone that their flight confirmation or visa application might have gone to /dev/null.

If a message has multiple recipients, the milter cannot apply personal scoring or whitelists. Having users' legitimate mail just disappear is not acceptable.

I do not recollect getting any complaints about backscatter from rejected mail based on DNSBL - we get a huge amount of that, which as I recall sendmail rejects with 5xx at MAIL FROM. I presume, if that was sent via an MTA, it would be generating DSNs. I do get occasional queries from users about "I never sent that", but the volume of such is infinitesimal compared to the volume of spam, so I conclude it is not a significant problem.

We have had problems with Barracuda, I admit, when one of our users forwards mail offsite. If spam goes over threshold at the destination, but got under ours, our MTA generates a DSN if they reject. Barracuda's reputation algorithm was fingering us as a spammer if we had no or little legit traffic with the spoofed sender's domain. We made that go away by suppressing the original body in DSNs, and purging out stale forwards and expired aliases (e.g. an alias points to a deleted account).

1: From zombie machines in the networks of ISPs, for example.

How common is that? Offhand, I don't recall seeing any. I know that many ISPs now block port 25 to curtail direct-to-MX spam, but I was not aware of significant volumes of spam being sent through ISPs' MTAs. I imagine that, if it was, the ISP might notice and actually do something - it would stand a good chance of putting their MTA in a DNSBL and bouncing all their customers' mail, for one thing.

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
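
One way to audit an aliases table for the stale forwards and expired aliases mentioned in the message above, as an added example that is not part of the original post. It assumes a sendmail-style aliases file; the sample table, account list and `LOCAL_DOMAINS` value are constructed for illustration.

```python
import re

# Constructed sample data (not from the original message).
SAMPLE_ALIASES = """\
# sendmail-style aliases table
postmaster: root
root:       alice
bob:        bob@example.net
carol:      dave
staff:      alice, carol,
            erin@example.org
logs:       "|/usr/local/bin/archive"
"""
SAMPLE_ACCOUNTS = {"root", "alice", "bob"}  # local accounts that still exist
LOCAL_DOMAINS = {"example.com"}             # hypothetical local mail domain


def parse_aliases(text):
    """Return {alias: [targets]}, joining indented continuation lines."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    table = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, rhs = line.split(":", 1)
        table[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table


def audit(aliases, accounts, local_domains):
    """Return (dangling local targets, off-site forwards) as (alias, target) pairs."""
    dangling, offsite = [], []
    for name, targets in sorted(aliases.items()):
        for target in targets:
            if target.startswith(('"', "|", "/", ":include:")):
                continue  # programs, files and include lists are not checked here
            user, _, domain = target.lower().partition("@")
            if domain and domain not in local_domains:
                offsite.append((name, target))   # a reject at the far end makes us send a DSN
            elif user not in accounts and user not in aliases:
                dangling.append((name, target))  # points to a deleted account
    return dangling, offsite


if __name__ == "__main__":
    dangling, offsite = audit(parse_aliases(SAMPLE_ALIASES), SAMPLE_ACCOUNTS, LOCAL_DOMAINS)
    print("dangling:", dangling)
    print("off-site forwards to review:", offsite)
```

The off-site list is only a review queue: whether a given forward is stale has to be decided from account records, not from the aliases file alone.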
