[Mimedefang] Bouncing on invalid HELO/EHLO

Michael Sims michaels at crye-leike.com
Thu Jun 12 15:04:00 EDT 2003


Quoting Jim McCullars <jim at info.uah.edu>:

> On Thu, 12 Jun 2003, Michael Sims wrote:
> 
> > I think it's a good idea in general to skip the SpamAssassin check for
> > mail from trusted networks.
> 
>    I've thought about this, and I'm leaning towards doing the same thing,
> but I'd like to hear your reason for not scanning internal mail. 

When I initially implemented MD/SA I did not properly anticipate the load it
would place on my mail server.  Since then I have put a dedicated machine in
place that only scans mail and I have moved other mail services to a different
server.  But before I did this I was looking for anything I could do to lighten
the load on my sole mail server.  Skipping SA scans on internal mail cut the
amount of processing I had to do by about 30-40% off the bat.

Secondly, I used to actually alter the body of any email over a certain
threshold.  I would rewrite the message, putting a spam warning in its place and
attaching the original message as a message/rfc822 part.  At this time, had I
been scanning internal (outgoing) mail, I ran the risk of sending one of these
rewritten messages to an outside party.  Imagine receiving an email from a
company along with a warning stating that it might be spam. :)

I've since turned off this rewriting (it really bothered people to see the spam
warning in the case of a false positive), but I still forgo scanning on outgoing
mail.  It still does save me a lot of resources to skip that SA check, and it
allows me to communicate freely among other IT members about spam rules and
forward caught messages to them without worrying about them being filtered. 
Also, it's a political decision, because there are some at my company that would
get very upset if their email was falsely tagged as spam, even if it only
happened in a X-Spam-Score header...

> I guess
> I'm afraid that someone on-campus might do a spam run and we get a black
> eye because of it. 

That's true.  In my situation, I believe I can reasonably trust my end users not
to do that.  But, as one other poster mentioned, it is possible for malware to
end up on a user's machine.  I guess that is a risk that I am taking, but I
don't think it's very likely.  I'm not an ISP or anything...we have less than
4000 accounts so until an incident occurs I feel relatively safe to implicitly
trust anything generated internally.

I still, however, do virus scans on outgoing mail.  I feel this is my
responsibility as a good net citizen.  I can safely say that my mail relay does
not contribute to the number of Klez infected emails floating around the net...

> But it does cause me a problem if I get a piece of
> spam at one address, and try to send it to myself at another address and
> SA blocks it.  I've had that happen more than once.

Yep, that is annoying.  Since I don't filter internal mail, if I ever want to
actually manually test a custom rule I've set up, I have to jump through hoops
in order to send it from an untrusted relay.  I've kept one machine in my DMZ
that is not used for normal mail delivery out of the trusted group, and I send
from it if I want my message to be filtered for testing purposes...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
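An added example, not part of the original post or of the MIMEDefang distribution, showing how the policy described in the message (skip SpamAssassin for mail relayed from trusted internal networks, but still virus-scan everything, outgoing included) looks as a fragment of a MIMEDefang filter. The `@TrustedNets` list, `ip_to_int` and `relay_is_trusted` are my own constructed placeholders; `filter_begin`, `$RelayAddr`, `$VirusName`, `spam_assassin_check`, `message_contains_virus`, `action_discard`, `action_change_header` and `md_syslog` are the standard names from the MIMEDefang filter API.

```perl
# Added example (not from the original post): fragment of a MIMEDefang
# filter (mimedefang-filter, Perl). Trusted relays bypass SpamAssassin;
# every message, internal or not, is still virus-scanned.

# Constructed placeholder: replace with your own internal ranges (CIDR).
my @TrustedNets = ('127.0.0.0/8', '10.0.0.0/8', '192.168.0.0/16');

# Convert a dotted-quad IPv4 address to a 32-bit unsigned integer.
sub ip_to_int {
    my ($ip) = @_;
    return unpack('N', pack('C4', split /\./, $ip));
}

# Return true if $ip falls inside any CIDR block listed in @TrustedNets.
# Anything that is not a well-formed IPv4 address is treated as untrusted.
sub relay_is_trusted {
    my ($ip) = @_;
    return 0 unless defined $ip && $ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;
    my $addr = ip_to_int($ip);
    foreach my $net (@TrustedNets) {
        my ($base, $bits) = split m{/}, $net;
        my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return 1 if (($addr & $mask) == (ip_to_int($base) & $mask));
    }
    return 0;
}

# Called once per message by MIMEDefang. $RelayAddr and $VirusName are
# globals set by MIMEDefang before this runs.
sub filter_begin {
    # The virus scan runs for every message, regardless of origin, so the
    # relay never forwards an infected message to an outside party.
    if (message_contains_virus()) {
        md_syslog('warning', "Discarding message from $RelayAddr: virus $VirusName");
        action_discard();
        return;
    }

    # Trusted (internal) relays skip SpamAssassin entirely: no scanning
    # load, no X-Spam-Score header, no false positives on outgoing mail.
    if (relay_is_trusted($RelayAddr)) {
        md_syslog('info', "Relay $RelayAddr is trusted; skipping SpamAssassin");
        return;
    }

    # Everything else is scored. Only a header is added; the body is left
    # untouched (no rewriting into a warning plus a message/rfc822 part).
    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $score = sprintf('%.1f', $hits);
    action_change_header('X-Spam-Score', "$score ($names)");
}
```

Note that the trusted-relay test is on the connecting relay's IP, so the test mailbox the post describes (a DMZ host deliberately left out of the trusted group) will still be scored, which is exactly what makes it useful for checking custom rules.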


