[Mimedefang] Blocking IP #

Chris Gauch cgauch at digicon.net
Thu May 5 13:35:36 EDT 2005


> -----Original Message-----
> From: mimedefang-bounces at lists.roaringpenguin.com
> [mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of Paul Murphy
> Sent: Thursday, May 05, 2005 1:24 PM
> To: mimedefang at lists.roaringpenguin.com
> Subject: RE: [Mimedefang] Blocking IP #
> 
> I've seen 4 copies of Sober.P (one was zipped) in 48 hours, from 740 messages.
> The reason it's so low is because I use greylisting - all of these were
> generated by systems which bounced a message back to us which purported to
> come from our domain.  All had invalid addresses as senders, and all were
> detected as viruses by ClamAV.
> 
> On the question of the effectiveness of greylisting, here are some details of
> the traffic I've seen through the MySQL implementation of greylisting on our
> system (http://www.bl.org/~jpk/md-greylist/) found by querying the database
> for everything which has a 'new' entry and then filtering for only those
> which are knocking more than 5 times from the same sender/IP pair:
> 

<...snip...>

> 11 rows in set (0.63 sec)
> 
> As you'll see, the higher numbers are clearly being spewed from a virus
> mailer.  Interestingly, it appears that this one tries 30 random recipient
> addresses per sender address, and then gives up - the "piona.com" sender also
> tried "sales", which we bounced as a banned address rather than as an unknown
> user.  The other entry is a scatter-gun spammer who never came back.

I completely agree with Paul there.  I'd say greylisting itself blocks about
90% of those auto-virus mailings coming from infected PCs and small mail
servers on the net.  Greylisting has had a huge positive impact on our mail
system -- we log mail-in and our gateway servers only really have to deal
with 8000 out of 30000 emails received per hour due to invalid senders
and/or spam exploit software never retransmitting messages.

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
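
The query Paul describes (entries still in the 'new' state, filtered to sender/IP pairs knocking more than 5 times) can be sketched as follows. This is an added example, not part of the original thread and not md-greylist's own code: the table layout, column names and sample rows are assumptions constructed for illustration, and "knocks" is interpreted here as total attempts summed across recipients for one sender/IP pair.

```python
import sqlite3

# Hypothetical schema: NOT the md-greylist project's actual table layout.
SCHEMA = """
CREATE TABLE greylist (
    sender TEXT, recipient TEXT, ip TEXT,
    state TEXT,       -- 'new' = never retried after the delay, 'passed' = retried
    attempts INTEGER  -- knocks recorded for this sender/recipient/IP triplet
)"""

def build_sample_db():
    """Constructed sample data (example.* domains, RFC 5737 addresses)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = []
    # Virus-mailer pattern from the thread: one sender/IP pair spraying
    # 30 different recipients and never completing a retry.
    for i in range(30):
        rows.append(("forged@example.net", f"user{i}@example.com",
                     "192.0.2.10", "new", 1))
    # Scatter-gun spammer: one knock, never came back.
    rows.append(("promo@example.org", "info@example.com",
                 "198.51.100.7", "new", 1))
    # Real MTA that retried after the delay and was let through.
    rows.append(("alice@example.org", "bob@example.com",
                 "203.0.113.5", "passed", 2))
    # Real MTA that has only retried too early so far: still 'new', low count.
    rows.append(("list@example.org", "bob@example.com",
                 "203.0.113.9", "new", 3))
    db.executemany("INSERT INTO greylist VALUES (?,?,?,?,?)", rows)
    return db

def noisy_pairs(db, threshold=5):
    """Sender/IP pairs stuck in 'new' with more than `threshold` total knocks."""
    return db.execute("""
        SELECT sender, ip,
               COUNT(DISTINCT recipient) AS recipients,
               SUM(attempts) AS knocks
        FROM greylist
        WHERE state = 'new'
        GROUP BY sender, ip
        HAVING SUM(attempts) > ?
        ORDER BY knocks DESC""", (threshold,)).fetchall()

if __name__ == "__main__":
    for row in noisy_pairs(build_sample_db()):
        print(row)
```
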



