On Mon, Aug 17, 2009 at 09:24:32AM -0700, Douglas Otis wrote:
> Could you provide a brief outline regarding what constitutes an
> efficient anti-spam solution?
Sure. In brief (really brief!) and in (rough) order of application
and increasing resource cost:
  - Spamhaus DROP list on perimeter routers/firewalls
  - Consider IDP list on perimeter routers/firewalls
  - Use firewall rulesets per-country, see ipdeny.com *or* if possible, use default-deny and grant access per-country
  - Use multiline SMTP greeting (defeats some zombies)
  - Use "greetpause" or equivalent (defeats some zombies)
  - Enforce DNS/rDNS existence/consistency checks on hostname, MX records and HELO parameter; defer/reject as appropriate
  - Blacklist known virus/ratware senders, e.g. "big@boss.com". Faster than running through an AV check
  - Permanently blacklist known phisher domains. Even if acquired by legit companies, they will never be used.
  - Consider blacklisting spammer-infested/useless TLDs (e.g., .info, .mobi) with whitelisting as needed, if needed
  - Permanently blacklist known spammer domains (e.g. Joe Wein's list)
  - Permanently blacklist any "snowshoe" domain/domain group on sight
  - Blacklist any "snowshoe" network range on sight
  - Use enemieslist or other similar rDNS-based blocks on end-user/dynamic names
  - Use Spamhaus Zen DNSBL
  - Use other DNSBLs/RHSBLs as appropriate
  - Throttle connections with excessive attempts/deliveries to nonexistent users/etc.
Obviously, the choice of which ones, in which order, with which
configuration, depends on mail system administrator knowledge of local
mail patterns. Everyone should analyze their own logs to gain that
knowledge. And some of these are no-brainers no matter what those
patterns are, e.g., DROP list, DNS/rDNS checks, Spamhaus Zen, etc.
And I've probably omitted some by doing this off the top of my head.
On a Monday. ;-)
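Added example, not from the post or the ASRG list: the DNS/rDNS consistency check, HELO check and Spamhaus Zen DNSBL lookup from the list above, written in Python with the resolver injected so it runs offline against a constructed record table (documentation address ranges, constructed listing). The defer-versus-reject policy and the function names are this example's choices, not the post's.

```python
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]  # (qname, qtype) -> answers; [] means NXDOMAIN

def reversed_octets(ip: str, zone: str) -> str:
    """192.0.2.10 under zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.x.y.z listing code if ip is in the DNSBL zone, else None."""
    answers = resolve(reversed_octets(ip, zone), "A")
    return next((a for a in answers if a.startswith("127.")), None)

def rdns_status(ip: str, resolve: Resolver) -> str:
    """'missing' (no PTR), 'mismatch' (PTR name has no A record back to ip) or 'ok'."""
    names = resolve(reversed_octets(ip, "in-addr.arpa"), "PTR")
    if not names:
        return "missing"
    return "ok" if any(ip in resolve(n, "A") for n in names) else "mismatch"

def helo_resolvable(helo: str, resolve: Resolver) -> bool:
    """The HELO parameter must name a host that has an A or MX record."""
    return bool(resolve(helo, "A") or resolve(helo, "MX"))

def connection_verdict(ip: str, helo: str, resolve: Resolver,
                       zone: str = "zen.spamhaus.org") -> Tuple[str, str]:
    """Checks in the post's order: rDNS and HELO consistency first, then the DNSBL."""
    rdns = rdns_status(ip, resolve)
    if rdns != "ok":  # missing rDNS may be a transient DNS failure, so defer; a mismatch rejects
        return ("defer" if rdns == "missing" else "reject"), f"rDNS {rdns} for connecting IP"
    if not helo_resolvable(helo, resolve):
        return "reject", "HELO name does not resolve"
    code = dnsbl_listed(ip, zone, resolve)
    if code:
        return "reject", f"listed in {zone} (return code {code})"
    return "accept", "passed rDNS, HELO and DNSBL checks"

# Constructed DNS data so the checks run offline (documentation address ranges, not real records).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.10"],
    ("7.113.0.203.in-addr.arpa", "PTR"): ["host-7.dyn.example.org"],
    ("host-7.dyn.example.org", "A"): ["203.0.113.99"],      # forward record does not confirm
    ("5.100.51.198.in-addr.arpa", "PTR"): ["mx.example.com"],
    ("mx.example.com", "A"): ["198.51.100.5"],
    ("5.100.51.198.zen.spamhaus.org", "A"): ["127.0.0.4"],  # constructed listing, not real
}

def fake_resolve(qname: str, qtype: str) -> List[str]:
    return FAKE_DNS.get((qname.lower(), qtype), [])
```

Swap `fake_resolve` for a real resolver (the same `(qname, qtype)` signature) to use the logic against live DNS; queries to Spamhaus zones are subject to that service's usage terms.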