[Mimedefang] Order of the fuctions?

John Scully jscully at isupportisp.com
Tue Jun 21 10:06:18 EDT 2005


The users receive a daily/weekly summary report (the message automatically
refreshes the same message so the users never have more than one in their
inbox) listing mail rejected or put in the spambox.  They can purge messages
or transfer them to the inbox directly from this list.

But we do not send spam bounces back to the sender - after all, what
percentage of spam has a valid reply or sender address?  We handle several
million messages per day and used to get people calling and begging us to
'stop filling their inbox' because their address had been used for a
joe-job.

I know this has been discussed before on this list.

So - the complete answer is that if there is at least one valid recipient
who does not have the sender black-listed, and we do not have the sending IP
blocked then we receive and score the message, then check against each
recipient's settings and use add_recipient/delete_recipient to alter the
envelope to remove people set to discard.  Others may have it be marked and
go into the inbox or go into their spam box.

Although this violates "the rules" we consider those old rules to have been
destroyed by spammers.  We have been under continuous dictionary attacks for
the last two years, with traffic varying from a few hundred to 10 to 20
thousand recipients per minute, almost always with multiple recipients per
message - depending on the worm involved either 8 or 25 recipients per
message.  One reason for this traffic is that we run 250 ISPs with lots of
domains.  If an ISP advertises the wrong way they paint a big spam target on
their back.  Seems like some of the "let us increase your web traffic"
companies do this.

So we use this to our advantage - we watch sending IPs in real time and
block them at the interface level (iptables) if they have never sent valid
mail and hit just 10 bad recipients in a row.  We block that address for
just ten minutes, then unblock.  If they hit it again they are blocked for
30 minutes, then one hour, then 4, then 24, then 7 days.
We also do this if they are sending to valid addresses, but scoring very
high as spam.

An address sending any decent amount of valid mail overrides this - i.e. if
you begin by delivering real mail then we are not so sensitive to
no-such-user or high spam score mail, but if you knock on my door and throw
a bucket of spam on me when I open it I slam it in your face.  hmmm.  that
is quite a picture isn't it?

The result of this is that we are blocking the infected PCs used as
spam-bots.  So far today we have been hit by 28,000 different IP addresses
and have 27,000 blocked right now.  At any given minute I have about 400
addresses hitting me.

I will say one thing - I am very impressed by the spammers. The zombie
armies automatically shift the spam load from IP to IP as we block them.  If
I let addresses keep sending they will keep doing so forever, but as soon as
one address can not connect to us they shift to another, seemingly picking
up at the same point in the list.

The only really stupid thing is that they do not clean their list, or try to
build a list of valid addresses.  I did a report once to examine the
addresses we were giving "No Such User" responses to, and found that there
are about 400,000 addresses that have each been hit at least five times
every day for a year.  sigh.

John
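The escalating sender-IP block described above (ten bad recipients in a row from an address that has never delivered real mail, blocked for 10 minutes, then 30 minutes, 1 hour, 4 hours, 24 hours and 7 days, with established senders left alone), modelled as an added example in Perl. This is not John's code and not part of MIMEDefang; the event names, the streak length of 10, the five-message exemption and the `MAILBLOCK` iptables chain are constructed for the example, and the iptables commands are only built as strings, never executed.

```perl
#!/usr/bin/perl
# Added example, not John's code or MIMEDefang's: an in-memory model of the
# escalating sender-IP block described in the thread. Event names, the streak
# limit, the valid-mail exemption and the "MAILBLOCK" chain are constructed
# assumptions; iptables commands are returned as strings, never run.
use strict;
use warnings;

my @ESCALATION   = (600, 1800, 3600, 4 * 3600, 24 * 3600, 7 * 86400); # 10m .. 7d
my $BAD_STREAK   = 10;  # consecutive bad recipients / high-score hits before a block
my $VALID_EXEMPT = 5;   # this many accepted messages and the IP is left alone
my %state;              # ip => { valid, streak, strikes, blocked_until }

# Feed one SMTP-level observation for an IP. $event is 'valid' (accepted
# mail), 'bad_rcpt' (no such user) or 'spam' (scored very high); the last
# two are treated alike, as the thread describes. Returns the iptables
# command to issue now plus the block length in seconds, or nothing.
sub observe {
    my ($ip, $event, $now) = @_;
    my $s = $state{$ip} ||= { valid => 0, streak => 0, strikes => 0, blocked_until => 0 };
    if ($event eq 'valid') {
        $s->{valid}++;
        $s->{streak} = 0;                             # real mail breaks the bad run
        return;
    }
    return if $s->{valid} >= $VALID_EXEMPT;           # established sender: tolerate
    return if $s->{blocked_until} > $now;             # already blocked; nothing to do
    $s->{streak}++;
    return if $s->{streak} < $BAD_STREAK;
    # Streak reached: take the next rung of the ladder, capped at 7 days.
    my $idx = $s->{strikes} < @ESCALATION ? $s->{strikes} : $#ESCALATION;
    $s->{strikes}++;
    $s->{streak} = 0;
    $s->{blocked_until} = $now + $ESCALATION[$idx];
    return ("iptables -I MAILBLOCK -s $ip -j DROP", $ESCALATION[$idx]);
}

# Called periodically: returns the unblock commands for blocks that expired.
sub expire_blocks {
    my ($now) = @_;
    my @cmds;
    for my $ip (sort keys %state) {
        my $s = $state{$ip};
        next unless $s->{blocked_until} && $s->{blocked_until} <= $now;
        $s->{blocked_until} = 0;
        push @cmds, "iptables -D MAILBLOCK -s $ip -j DROP";
    }
    return @cmds;
}

# Constructed replay: 203.0.113.7 never sends valid mail and hammers the
# server through three block cycles; 198.51.100.9 delivered real mail
# first and is never touched even though it also hits bad recipients.
my $t = 0;
observe('198.51.100.9', 'valid', $t) for 1 .. $VALID_EXEMPT;
for my $round (0 .. 2) {
    for (1 .. $BAD_STREAK) {
        my ($cmd, $secs) = observe('203.0.113.7', 'bad_rcpt', $t);
        print "t=$t $cmd (for ${secs}s)\n" if $cmd;
        observe('198.51.100.9', 'bad_rcpt', $t);      # exempt: returns nothing
        $t += 1;
    }
    $t += $ESCALATION[$round] + 1;                    # let the block run out
    print "t=$t $_\n" for expire_blocks($t);
}
```

Each block resets the bad-recipient streak but advances the strike counter, so the next burst after an unblock lands on the next rung of the ladder. In a real deployment the per-IP state needs to be persisted and aged out (John mentions 28,000 distinct addresses in one day), and the valid-mail exemption is what keeps a shared relay that occasionally forwards spam from being cut off along with the zombies.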

----- Original Message ----- 
From: "Matthew Schumacher" <matt.s at aptalaska.net>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Monday, June 20, 2005 1:34 PM
Subject: Re: [Mimedefang] Order of the fuctions?


>
> John Scully wrote:
> > We handle this a little differently.  Instead of relying on "the lowest
> > threshold" to determine how to handle all recipients we pull the users
> > settings during the recipient check in filter_recipient, and write them to
> > our own file called RECIPIENT_SETTING in the working directory of the
> > message (this is very fast since we have the MD dir on ramdisk).
> > This includes exploding any multiple mailbox aliases into their individual
> > users and saving those settings.
> >
> > In filter end, after scoring the message we loop through the
> > recipient_settings file and based on the relative score and the per-user
> > setting to mark, file or discard spam we use add_recipient and
> > delete_recipient to make the changes.
> >
> > End result is that each user's message is handled based on their own
> > settings for threshold and disposition, without the additional overhead of
> > stream_by_recipient.
> >
> > John
> >
>
> John, that is a very interesting way to do it, it solves the issue with
> each user getting their own settings, but the error reporting is a
> little odd since people sending email marked as spam will not get
> notified that their message was not delivered.
>
> Have you noticed that to be a problem or do you send a bounce message to
> those senders?
>
> Thanks,
>
> schu
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
>
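The per-recipient envelope rewrite discussed in the quoted exchange and in John's reply (settings looked up in filter_recipient and saved to RECIPIENT_SETTING in the message's work directory, then applied in filter_end with add_recipient/delete_recipient), as an added Perl example that is neither John's filter nor MIMEDefang code. It models the two phases as plain functions over constructed data: the settings table, the thresholds and the `user+spam@` spambox address form are assumptions, and the returned plan is what a real filter_end would hand to delete_recipient()/add_recipient().

```perl
#!/usr/bin/perl
# Added example, not John's filter or MIMEDefang's own code: models the
# two-phase design from the thread (record settings per recipient at RCPT
# time, apply them to the envelope once the message is scored). Settings,
# thresholds and the "user+spam@" spambox form are constructed assumptions.
use strict;
use warnings;

# Constructed per-user settings (what filter_recipient would look up).
#   threshold : score at or above which the mail is spam for this user
#   action    : mark | spambox | discard
#   alias     : list of mailboxes an envelope recipient expands to
my %settings = (
    'alice@example.com' => { threshold => 5.0, action => 'mark'    },
    'bob@example.com'   => { threshold => 3.0, action => 'spambox' },
    'carol@example.com' => { threshold => 8.0, action => 'discard' },
    'staff@example.com' => { alias => [ 'alice@example.com', 'carol@example.com' ] },
);
my %default = ( threshold => 5.0, action => 'mark' );

# Expand an envelope recipient into individual mailboxes; the %$seen guard
# stops a mis-configured alias loop from recursing forever.
sub expand {
    my ($rcpt, $seen) = @_;
    return () if $seen->{$rcpt}++;
    my $s = $settings{$rcpt};
    return ($rcpt) unless $s && $s->{alias};
    return map { expand($_, $seen) } @{ $s->{alias} };
}

# Phase 1 (what filter_recipient would do): one record per mailbox behind
# the envelope recipient, in the form appended to RECIPIENT_SETTING.
sub record_recipient {
    my ($rcpt) = @_;
    return map {
        my $s = $settings{$_} || \%default;
        join '|', $rcpt, $_, $s->{threshold}, $s->{action};
    } expand($rcpt, {});
}

# Phase 2 (what filter_end would do): turn the records plus the spam score
# into an envelope plan: recipients to delete, recipients to add, and
# whether the message needs the "marked as spam" header.
sub plan_envelope {
    my ($score, @records) = @_;
    my (%envelope, %deliver, $mark);
    for (@records) {
        my ($rcpt, $mbox, $threshold, $action) = split /\|/;
        $envelope{$rcpt} = 1;
        if ($score < $threshold) { $deliver{$mbox} = 1; next }   # clean for this user
        if    ($action eq 'discard') { next }                     # silently dropped
        elsif ($action eq 'spambox') { (my $box = $mbox) =~ s/\@/+spam\@/; $deliver{$box} = 1 }
        else                         { $deliver{$mbox} = 1; $mark = 1 }   # 'mark'
    }
    # Envelope entries that no longer receive the message are deleted;
    # delivery addresses not already in the envelope are added. A mailbox
    # that stays unchanged is therefore never re-added (no double delivery).
    return {
        delete => [ sort { $a cmp $b } grep { !$deliver{$_}  } keys %envelope ],
        add    => [ sort { $a cmp $b } grep { !$envelope{$_} } keys %deliver  ],
        mark   => $mark ? 1 : 0,
    };
}

# Constructed message: three envelope recipients, one of them an alias,
# scored 6.2 by the content filter.
my @records = map { record_recipient($_) }
    'bob@example.com', 'staff@example.com', 'carol@example.com';
my $plan = plan_envelope(6.2, @records);
print "delete: @{ $plan->{delete} }\n";
print "add:    @{ $plan->{add} }\n";
print "mark:   $plan->{mark}\n";
```

With the constructed data the alias is removed from the envelope and replaced by its members' individual dispositions, the spambox user is swapped for their `+spam` address, and the recipient whose threshold the score does not reach keeps the message unchanged. One caveat a filter author should keep in mind: the "mark" action is a header change to the single message body, so when recipients' dispositions differ the header reaches everyone who still receives the copy; accepting that is part of the trade-off against stream_by_recipient that the quoted exchange describes.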