Hannah,

On 9/26/07, Hannah Schroeter <[EMAIL PROTECTED]> wrote:
> Hi!
>
> On Wed, Sep 26, 2007 at 02:03:03PM -0700, Rob wrote:
> >[...]
>
> >While watching the connection logs, I've noticed that a large majority
> >of spammers get the first spamd response ("250 Hello, spam sender.
> >Pleased to be wasting your time.") and immediately disconnect. This
> >suggests to me that rather than spend time trying to get whitelisted
> >by spamd servers, they've mostly decided to skip them entirely and
> >move on to servers that aren't running spamd.
>
> Interesting. Do you think they pattern match on the response, or do you
> think they disconnect if the initial greeting takes too long (spamd
> "stutters" for the first 10 seconds, in its default settings)? I'd guess
> the latter.

I would guess the latter too, except that they tend to wait the full
default 10 seconds until the first 250 response. I'm looking forward
to increasing the stutter time to something on the order of 60 seconds
and watching to see what happens then.

> >We've also been hit by backscatter, and I haven't had the time to
> >figure out how to stop that one yet.
>
> For some, signed envelope senders or variations thereof work. That
> depends on a few circumstances.
>
> The basic idea is this:

[...snip...]

That would be nifty, but I don't think it would work in our case. We
have a number of customers that send mail through their own mail
server (or another provider's mail server) and receive mail through
ours (old email addresses, hosted domains, etc.).

So far we've seen the backscatter come through in a quick burst from a
handful of mail servers. For one example, one of our unlucky users
received 800+ bounce messages from about four mail servers in Italy. I
think I can use max-src-conn and max-src-conn-rate, plus a few
whitelist entries for Google, Yahoo, etc., to stop that, but it
requires careful monitoring.

- R.
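
An added example, not part of the original message: a dry run of the per-source connection-rate limit mentioned above, replayed over recorded connection times to see which senders a given `max-src-conn-rate` value would cut off before it is enforced. The thresholds, the whitelist range, and the sample events are constructed assumptions, and the sliding window only approximates pf's own rate tracking.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Hypothetical thresholds to evaluate, written like pf's "max-src-conn-rate 15/60".
MAX_CONNS, WINDOW_SECS = 15, 60

# Constructed whitelist (a documentation range standing in for large providers).
WHITELIST = [ip_network("198.51.100.0/24")]

def is_whitelisted(src):
    addr = ip_address(src)
    return any(addr in net for net in WHITELIST)

def would_overload(events, max_conns=MAX_CONNS, window=WINDOW_SECS):
    """Return {src: first_trip_time} for sources that open more than
    max_conns connections within any `window`-second span.
    Sliding-window approximation, intended for dry-run analysis only."""
    recent = defaultdict(deque)
    tripped = {}
    for ts, src in sorted(events):
        if src in tripped or is_whitelisted(src):
            continue
        q = recent[src]
        q.append(ts)
        # Drop connections that have aged out of the window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > max_conns:
            tripped[src] = ts
    return tripped

def sample_events():
    """Constructed sample: (epoch_seconds, source_ip) per inbound SMTP connection."""
    events = []
    # Burst: 200 connections in 100 s from one relay (backscatter-like).
    events += [(1000 + i // 2, "203.0.113.7") for i in range(200)]
    # Busy whitelisted provider at the same rate: exempt from the limit.
    events += [(1000 + i // 2, "198.51.100.20") for i in range(200)]
    # Ordinary sender: one connection every 30 s.
    events += [(1000 + 30 * i, "192.0.2.25") for i in range(20)]
    return events

if __name__ == "__main__":
    for src, ts in would_overload(sample_events()).items():
        print(f"{src} would be overloaded at t={ts}")
```

Replaying the same data with several candidate thresholds shows how close legitimate senders come to the limit, which is the monitoring the rate rule depends on.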
