On Tue, Apr 10, 2007 at 02:33:54PM -0700, alan wrote:
>
> > For example, I will personally never see email that comes directly to my
> > email address through an open mail relay *or* from something that appears
> > to be just a random botnet PC (I forget the exact rule, since I'm happily
> > ignorant of MIS, but I think it boils down to requiring a good reverse DNS
> > lookup).
>
> Depending on your definition of "good".
>
> I run my mail server off my DSL line. I prefer having control over my
> mail server instead of being chained to what my ISP provides. (The
> problems of having been a sysadmin for way too many years.) I don't have
> control over the reverse IP address, but I do over my DNS resolution.
> (Well, most of it. A couple of domains are sitting on really old DNS
> servers from years past.)
>
> > That's getting much more common. Most spam is done through botnets, and
> > they still try to do the direct-to-port-25 thing, exactly because if you
> > go through a *real* SMTP host, your ISP will generally shut you down
> > pretty quickly if you're spamming.
>
> Which makes greylisting a useful tool. However, some people define a
> "real SMTP host" as being the one your ISP provides and no other. No
> matter how good your OS or how stringent your rulesets for sending mail
> are.

Greylisting unfortunately requires "some maintenance" to keep it going
well, and it also breaks some mail appliances and probably some MTAs that
are completely compliant in retrying to send mails.

Another tactic which is probably just as good as, if not better than,
greylisting is "nolisting": have your primary MX point to a non-existent
machine with a real IP address and DNS entries (or even a machine with a
firewall running iptables that blackholes or does funky stuff to anything
coming in on port 25 and then just drops the connections). If the remote
end is a compliant MTA it will fail over to the secondary MX, which is a
real machine that receives mail.

But it probably suffers from the same problem of mail appliances not being
completely compliant with the specs on how MTAs should work. Nolisting
offers almost as good effects as greylisting without the hassle of
maintaining a list.

Jimmy.

--
Jimmy Tang
Trinity Centre for High Performance Computing,
Lloyd Building, Trinity College Dublin, Dublin 2, Ireland.
http://www.tchpc.tcd.ie/ | http://www.tchpc.tcd.ie/~jtang

-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
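The two tactics compared in the message above, modelled as an added example (this is not code from the thread or from any MTA; the MX records, addresses, reachability table and timings are constructed). The greylisting half shows the triplet table a receiving MTA keeps and the expiry pass that is the "maintenance" mentioned; the nolisting half shows why it works only against senders that implement MX failover: a compliant sender walks the MX list in preference order and reaches the real host, while a fire-and-forget engine that only hits the primary and never retries is the assumption nolisting rests on.

```python
"""Toy models of greylisting and nolisting (added example, not from the post).

All inputs are constructed: the MX records, the port-25 reachability table
standing in for the network, and the clock values passed to decide().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[str, str, str]  # (client ip, envelope sender, envelope recipient)

TEMPFAIL = "450 4.7.1 greylisted, try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    """Greylisting decision table as kept by a receiving MTA.

    First sight of a triplet -> 4xx temporary failure. A compliant sender
    queues and retries; a retry arriving at least `min_delay` seconds after
    first sight is accepted and the triplet is remembered. Pending triplets
    that are never retried are dropped after `retry_window`, remembered ones
    after `expire` seconds of disuse. Without that purge the table grows
    without bound, which is the "maintenance" greylisting needs.
    """
    min_delay: int = 300             # assumed: 5 minutes before a retry counts
    retry_window: int = 8 * 3600     # assumed: give up on senders that never retry
    expire: int = 36 * 3600          # assumed: forget idle whitelisted triplets
    pending: Dict[Triplet, float] = field(default_factory=dict)
    passed: Dict[Triplet, float] = field(default_factory=dict)

    def purge(self, now: float) -> None:
        for key in [k for k, t in self.pending.items() if now - t > self.retry_window]:
            del self.pending[key]
        for key in [k for k, t in self.passed.items() if now - t > self.expire]:
            del self.passed[key]

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        self.purge(now)
        key = (ip, sender, rcpt)
        if key in self.passed:            # already proven to retry: refresh and accept
            self.passed[key] = now
            return ACCEPT
        first = self.pending.get(key)
        if first is None:                 # never seen: defer
            self.pending[key] = now
            return TEMPFAIL
        if now - first < self.min_delay:  # retried too eagerly: defer again
            return TEMPFAIL
        del self.pending[key]             # proper retry: whitelist the triplet
        self.passed[key] = now
        return ACCEPT


# Constructed MX set for an imaginary domain: the primary MX resolves to an
# address that answers nothing on port 25 (the nolisting decoy), the
# secondary is the real mail host.
MX_RECORDS: List[Tuple[int, str, str]] = [
    (10, "mx1.example.test", "192.0.2.10"),
    (20, "mx2.example.test", "192.0.2.20"),
]

# Constructed stand-in for the network: which addresses accept TCP/25.
LISTENING_ON_25 = {"192.0.2.10": False, "192.0.2.20": True}


def connect_fake(addr: str) -> bool:
    """Stand-in for socket.create_connection((addr, 25), timeout=...)."""
    if LISTENING_ON_25.get(addr):
        return True
    raise OSError(f"connect to {addr}:25 failed")


def compliant_delivery(mx, connect=connect_fake) -> Optional[str]:
    """RFC 5321 sender behaviour: try MX hosts in ascending preference and
    fall over to the next host when a connection attempt fails."""
    for _pref, host, addr in sorted(mx):
        try:
            connect(addr)
            return host
        except OSError:
            continue
    return None


def primary_only_delivery(mx, connect=connect_fake) -> Optional[str]:
    """Assumed direct-to-port-25 spam engine: hit the lowest-preference MX
    once and give up on failure, with no failover and no retry queue."""
    _pref, host, addr = min(mx)
    try:
        connect(addr)
        return host
    except OSError:
        return None
```

The caveat in the message applies to the model too: any sender that behaves like `primary_only_delivery`, including a poorly written but legitimate appliance, loses mail under nolisting exactly as it does under greylisting when it never retries a 450.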