Large Mail Provider Throttling

Aaron Thomas athomas at deltacable.com
Fri Jan 23 02:58:26 UTC 2004


There is a package that is being developed right now that basically will
squelch emails received from some domain.com address if the sending IP
address isn't in the list of permitted addresses. 

Sender Permitted From (http://spf.pobox.com/) attempts to eliminate Joe
Dropping from domain.com by doing a look up on a TXT record similar to
dccnet.com. IN TXT "v=spf1 mx ptr ip4:24.207.1.0/24 -all".  This would block
mail, with a FROM: address of *@dccnet.com that didn't relay through any of
the MX hosts, originate from any broadband client address (from the ptr
record) or from the 24.207.1.0 Class C address space.

As this project is fairly new, there aren't many large domains making use of
it, and the tools available aren't mature enough for some email
implementations (mobile users making use of Hot Spots with SMTP Hijacking
and no submit port opened) for which the sending user's IP address isn't
known.  However, I do believe this project will pick up favor to help
eliminate one source of address forgery, which I believe would have helped
in your situation.

AOL had made use of this for 24 hours earlier this month and it resulted in
the blocking of a large volume of spam addressed from aol.com (not
originating from aol.com address space).  Hopefully sites like yahoo,
hotmail and others 

Of course the cows have left the barn, but it's definitely worth looking at.

Cheers,

Aaron
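
The record quoted above, evaluated the way a receiving MTA would before accepting mail claiming to be from that domain. This is an added example, not code from the message or from the SPF project; the DNS answers (MX hosts, A and PTR records) are constructed inline so it runs offline, and all host names and addresses other than the quoted TXT record are made up.

```python
import ipaddress

# Constructed stand-ins for DNS lookups (assumption: no network access).
# The TXT record is the one quoted in the message; everything else is made up.
SPF_RECORDS = {"dccnet.com": "v=spf1 mx ptr ip4:24.207.1.0/24 -all"}
MX_HOSTS = {"dccnet.com": ["mail1.dccnet.com", "mail2.dccnet.com"]}
A_RECORDS = {"mail1.dccnet.com": "198.51.100.10", "mail2.dccnet.com": "198.51.100.11"}
PTR_RECORDS = {"203.0.113.7": "dhcp-7.dccnet.com", "203.0.113.8": "host.example.net"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mech, ip, domain):
    """Return True if one spf1 mechanism (no macros or modifiers) matches ip."""
    if mech.startswith("ip4:"):
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    if mech == "mx":
        # Matches if the sender relayed through one of the domain's MX hosts.
        return any(A_RECORDS.get(h) == str(ip) for h in MX_HOSTS.get(domain, []))
    if mech == "ptr":
        # Simplified: accept if the reverse name is in the domain. A full
        # implementation also confirms the name resolves back to the ip.
        name = PTR_RECORDS.get(str(ip), "")
        return name == domain or name.endswith("." + domain)
    if mech == "all":
        return True
    raise ValueError("unsupported mechanism: " + mech)


def check_spf(domain, sender_ip):
    """Evaluate the domain's spf1 record for sender_ip.

    Returns 'none' when the domain publishes no record; otherwise the result
    named by the qualifier of the first matching mechanism ('-all' -> 'fail').
    """
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mechanism_matches(mech, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit 'all' term


if __name__ == "__main__":
    for ip in ("24.207.1.55", "198.51.100.11", "203.0.113.7", "192.0.2.1"):
        print(ip, check_spf("dccnet.com", ip))
```

A forged MAIL FROM of *@dccnet.com from an address outside the MX hosts, the ptr-named client space and 24.207.1.0/24 hits `-all` and returns fail, which is what the message describes.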

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Suresh Ramasubramanian
Sent: January 22, 2004 6:15 PM
To: Edward Gray
Cc: nanog at merit.edu
Subject: Re: Large Mail Provider Throttling


Edward Gray wrote:
> To protect ourselves from delayed mail, we have implemented several 
> system wide rules to block Autoreplies and Undeliverable messages from 
> being sent to the large providers. Unfortunately, this has resulted in 
> many complaints from customers (since it's all or nothing). We have so 
> far, left these rules enabled 24x7 since, the system already becomes 
> degraded by the time we realize an event is occurring.

You might want to

* Use a mailserver that can reject rather than bounce email (that is, a
mailserver where the smtpd process has a view of the userdb)

* Use a "current spam source" blocklist like cbl.abuseat.org, as well as a
good open proxy blocklist like opm.blitzed.org

* Set up SpamAssassin to trash rather than later bounce email that does get
through your filters, and has a high enough spam score.

* Do some HELO filtering (HELO hotmail.com from an IP with rDNS that doesn't
say hotmail?  HELO your.own.ip or HELO your.own.domain from an untrusted IP
that you don't relay for / that someone hasn't authenticated from?  REJECT)
:)

* I'd add that a simple header check to reject (or preferably, discard) any
mail with the string ".mr.outblaze.com" in any Received: header will get rid
of a lot of spam for you.

There are a few other things, but these will be off topic here. Please feel
free to mail me offlist.

	srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9 manager, outblaze.com
security and antispam operations




