[Mimedefang] Re: Pre-greeting traffic.
John Rudd
john at rudd.cc
Thu Apr 12 18:14:56 EDT 2007
G.W. Haywood wrote:
> Hi there,
>
> On Thu, 12 Apr 2007 Mark G. Thomas wrote:
>
>> On Wed, Apr 04, 2007 at 07:31:55PM +0100, G.W. Haywood wrote:
>>> My mail system automatically firewalls spam sources. Depending on a
>>> variety of factors, the block is either for a few hours or indefinite.
>>>
>>> At the moment about half of the spam sources I see send pre-greeting
>>> traffic (I'm using sendmail's greet_pause feature), but blocking on
>>> that basis alone does give false positives, which I'd like to avoid.
>> Really? I haven't had any complaints about blocking any non-spam sources
>> due to pre-greeting traffic, and we're handling about a million messages
>> per week. Right now we're using a greet_pause setting of 5000 (5 secs)
>> and blocking about 45,000 connections per week with this rule.
>
> One such non-spam source was mac.com - I tweaked the rules to give no pause.
>
> But apparently there are no takers for my question? That is, paraphrasing,
> does anyone have a way to log the actual pre-greeting traffic for analysis?
> Other than sniffing the TCP connection, of course.
>

You tweaked the rules, or you added them to your access file with a 0
second pause? The former seems like a colossally bad idea, whereas the
latter is pretty easy to do, easy to maintain, and doesn't require you
to potentially rewrite rules on every software update.

When I had a friend working at mac.com's server group, she fixed their
greet_pause problem. And then she left that job, and on their next
update they went back to misbehaving. Since then, I've had Apple's
servers on a 2 or 3 second pause (their threshold is around 10 seconds
IIRC).

Most legitimate systems with problems are happy with a 5 second pause.
In fact, I can't think of any that I had to give less than a 5 second
pause (when I make an exception, I don't give them a 0 second pause, I
give them a pause that is smaller than the default).

Though, since I switched to using Spamhaus Zen, and my anti-botnet
rules, I haven't needed to have any host with more than a 3 second
pause. Zen, botnet, and an aggressive greet_pause (15 or more seconds)
all seem to catch the same hosts (with each one catching a small number
that the others didn't).

So, these days, even though I used to be a huge proponent of aggressive
greet_pause magnitudes, I am using a pretty flat arrangement: 3 seconds
default, 0 seconds for machines I administrate, no exceptions. Then Zen
catches a bunch (I delay checks, so it catches them during check_rcpt).

My botnet code used to reject in filter_sender, but these days it's a
SpamAssassin plugin, and it just adds to the SA score (and I reject
messages whose SA score is >= 10, so a message whose score without the
anti-botnet code is 5 <= score <= 10 may get pushed over the edge with
the anti-botnet code).

I could raise the greet_pause, to lighten the load on DNS checks and SA
checks, but that increases the administrative load I have on maintaining
an exception list. I suppose if my DNS load or SA load were high
enough, I might make that trade-off, but right now it's fine.
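The quoted question about logging pre-greeting traffic gets no answer in the thread, but sendmail does write one syslog line per greet_pause rejection ("rejecting commands from HOST [IP] due to pre-greeting traffic", with an "after N seconds" suffix in newer releases), and the per-host exceptions John describes live in the access map under the `GreetPause:` tag with a value in milliseconds (e.g. `GreetPause:127.0.0.1 0`). The script below is an added example, not code from the post or from the MIMEDefang project. It parses such log lines, counts rejections per client IP, resolves the pause each client was actually given using sendmail's lookup order (IP, then shorter IP prefixes, then host name and parent domains, then the FEATURE default), and applies an assumed block policy modelled on the "few hours or indefinite" scheme in the quoted text: hosts already granted a shorter pause are flagged for review rather than blocked, since a rejection there is more likely a false positive of the kind mac.com produced. The log lines, access-map entries, host names and addresses are all constructed for the example.

```python
"""Summarize sendmail greet_pause rejections from a maillog excerpt.

Added example for the thread above, not code from the post or from
MIMEDefang. All hosts, addresses and log lines are constructed.
"""
import re
from collections import defaultdict

# sendmail's syslog message for a greet_pause violation. The "after N seconds"
# suffix only exists in newer releases, so the pattern treats it as optional.
REJECT_RE = re.compile(
    r"rejecting commands from (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"due to pre-greeting traffic(?: after (?P<secs>\d+) seconds)?"
)

# Constructed sample maillog lines (documentation hostnames and IP ranges).
SAMPLE_MAILLOG = """\
Apr 12 17:01:02 mx1 sendmail[1234]: l3CL122a001234: rejecting commands from bot-a.example.invalid [192.0.2.10] due to pre-greeting traffic after 0 seconds
Apr 12 17:01:09 mx1 sendmail[1240]: l3CL192b001240: rejecting commands from bot-a.example.invalid [192.0.2.10] due to pre-greeting traffic after 1 seconds
Apr 12 17:02:30 mx1 sendmail[1251]: l3CL2Ucc001251: rejecting commands from smtp-out.mail.example [198.51.100.7] due to pre-greeting traffic after 2 seconds
Apr 12 17:03:44 mx1 sendmail[1260]: l3CL3icd001260: rejecting commands from unknown.example [203.0.113.5] due to pre-greeting traffic
Apr 12 17:03:50 mx1 sendmail[1261]: l3CL3ocd001261: from=<user@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=smtp-out.mail.example [198.51.100.7]
"""

# Constructed access-map excerpt: GreetPause: tag, key, pause in milliseconds.
SAMPLE_ACCESS = """\
GreetPause:127.0.0.1\t0
GreetPause:trusted.example\t0
GreetPause:198.51.100.7\t2000
GreetPause:192.0.2\t5000
"""


def parse_rejections(log_text):
    """Return (host, ip, seconds_or_None) for each pre-greeting rejection."""
    found = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            secs = m.group("secs")
            found.append((m.group("host"), m.group("ip"),
                          int(secs) if secs is not None else None))
    return found


def load_greetpause_map(access_text):
    """Read GreetPause: entries from access-map source text into a dict."""
    table = {}
    for line in access_text.splitlines():
        line = line.strip()
        if not line.startswith("GreetPause:"):
            continue
        parts = line[len("GreetPause:"):].split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = int(parts[1])
    return table


def lookup_pause(table, ip, host, default_ms):
    """Resolve the pause a client got: full IP, shorter IP prefixes, host name,
    parent domains, then the FEATURE(`greet_pause') default."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return default_ms


def decide(count, shortened, repeat_threshold):
    """Assumed policy (not from the thread): review hosts that already have a
    shorter pause, block repeat offenders indefinitely, others for a few hours."""
    if shortened:
        return "review"
    if count >= repeat_threshold:
        return "block-indefinite"
    return "block-hours"


def summarize(log_text, access_text, default_ms=3000, repeat_threshold=2):
    """Aggregate rejections per client IP and attach pause and block decision."""
    by_ip = defaultdict(lambda: {"host": None, "count": 0, "secs": []})
    for host, ip, secs in parse_rejections(log_text):
        entry = by_ip[ip]
        entry["host"] = host
        entry["count"] += 1
        if secs is not None:
            entry["secs"].append(secs)
    table = load_greetpause_map(access_text)
    report = []
    for ip, entry in by_ip.items():
        pause_ms = lookup_pause(table, ip, entry["host"], default_ms)
        shortened = pause_ms < default_ms
        report.append({
            "ip": ip, "host": entry["host"], "count": entry["count"],
            "pause_ms": pause_ms, "shortened": shortened,
            "action": decide(entry["count"], shortened, repeat_threshold),
        })
    report.sort(key=lambda r: (-r["count"], r["ip"]))
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_MAILLOG, SAMPLE_ACCESS):
        print(f"{row['ip']:16} {row['host']:28} hits={row['count']} "
              f"pause={row['pause_ms']}ms -> {row['action']}")
```

Run it against a real maillog by reading the file into `summarize()` together with the text of your access source file; the default pause argument should match the value passed to `FEATURE(`greet_pause')`, since that is what sendmail applies when the map has no matching entry.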