[Mimedefang] Re: Pre-Acceptance filtering (WAS: Re: recipient filter and RBLs)

Dirk the Daring dirk at psicorps.org
Fri Dec 7 07:43:22 EST 2007 

On Thu, 6 Dec 2007, Jan-Pieter Cornet wrote:

> On Thu, Dec 06, 2007 at 01:33:16AM -0500, Dirk the Daring wrote:
>> On Mon, 3 Dec 2007, "Paul Houselander" <housey at sme-ecom.co.uk> wrote:
>>
>>> After a bit of digging around I think ive pretty much decided not to use
>>> the
>>> rbl feature in sendmail but to intergrate spamhaus checking into my
>>> mime-defang script.
>
> That's a wise decision, I'd say.
>
>>    While you can certainly do this, all you're doing is creating a *lot*
>> more work for your mailserver, and encouraging the spammers.
>
> Err, no. You have the wrong idea about mimedefang.

    Actually, I have the right idea about MD. I made the mistake of 
thinking about SpamBayes when I saw spamhaus. SpamBayes being a 
post-acceptance tool and spamhaus being an RBL.

>>    As far as the spammer is concerned, that is "Mission Accomplished".
>> They have successfully wasted your bandwidth and disk space, and you're
>> about to let them waste your CPU and RAM as well.
>
> Not quite, it's "Nuisance Accomplished". For a spammer, it's only
> "Mission Accomplished" as soon as someone actually buys something. Or
> in practice, this means that as soon as a large enough population of
> people see the message.

     We may be arguing semantics here. If the spammer never reaches DATA, 
they *know* their crap is not going thru. Mission Failed. If they reach 
data, they can (possibly reasonably) *assume* that it has a chance to get 
thru.

     Remember, we're not dealing with ethical or honest individuals.

     I've seen some spam-for-hire arrangements that work based on a very 
small commission amount per E-Mail "successfully sent" and then a larger 
commission per sale. The spammer wants to recoup *something* for their 
large investment in millions of victim E-Mail addresses, while the company 
hiring the spammer doesn't want to pay serious money without sales.

>>    By the end of HELO, I've stopped fully half of the SPAM sent to my mail
>> relay. By the end of RCPT TO: (before DATA), I've stopped about 75-80%.
>
> Roughly the same here, I suppose. Let's see, the stats for the day:
>
> blocked by HELO pattern: 86 (21%)
> pregreeting traffic: 21 (5%)

    I'm seeing GREETPAUSE block perhaps 1%, if that. It used to be 
higher...around 10%.

    What I *do* see being very successful right now is sendmail's RATECONN 
Feature. That is tagging about 30% right now, and only about 15% or so of 
total connections are being stopped by HELO filtering specifically.

> blocked using blacklists: 258 (64%)

    Only half of the incoming connections survive to be checked by RBL, and 
I'm only dropping about 13% of incoming connections via RBL.

More information about the MIMEDefang mailing list