
Re: Networking -- use of two Internet connections for one server with round robin DNS -- web okay, but should I do mail this way too?



On 7/10/2011 7:26 AM, lee wrote:
> Stan Hoeppner <stan@hardwarefreak.com> writes:
> 
>> On 7/9/2011 12:00 PM, lee wrote:
>>
>>> The rDNS check is very useful because it keeps out tons of SPAM without
>>> occupying too many resources.  It also seems to be common practise.  Do
>>> you have a better suggestion?
>>
>> Just checking for the existence of rDNS is no longer sufficiently
>> effective against bot spam from infected residential hosts.  This is
>> because many/most? ISPs have rDNS for most of their IP addresses,
>> whether dynamic or static.
> 
> Well, most rejects are because the HELO checks fail.  There are only a
> very few that fail because of the rDNS check.  There isn't much SPAM
> getting through; I'm getting less than one message per day.

If your EHLO check is first it would make sense that it will reject more
than the rDNS check.  Reverse the order and you may see that metric
reversed.  It's good to hear you're not seeing much with your setup.
I'd guess you have low mail flow on that host.

>> If you really want to put the hammer on residential bot spam, especially
>> IPs that send to you before Spamhaus ZEN (CBL) lists them, and that are
>> not listed in the various DNS dynamic block lists, then you need
>> something like this:
> 
> Why would you use such lists and thereby have others decide what mail
> you accept and what not?
> 
>> http://www.hardwarefreak.com/fqrdns.pcre

I take it you are really new to managing a mail server.  DNSBLs have
been around forever, and every mail OP uses one or another, if not 5 or
more.  Have you heard of SpamAssassin?  Both restrictions make
reject/keep decisions for you.  Using this PCRE table is no different in
that regard.

>> This Postfix PCRE table consists of 1600+ rDNS patterns of residential
>> broadband/SOHO ISPs around the world, and is extremely effective at
>> killing bot spam, while putting very little load on your server.
> 
> Sounds like it must have taken quite some work to put the list together,
> and it would need to be maintained.  

The table was built over a relatively long period of time, and does take
a small amount of time to maintain.  ISPs don't add new residential rDNS
patterns very often.  When we spot a new one a regex is created to match
it.  Changes average about one add every 1 to 2 months.

> Won't graylisting work as well?

I see that indeed you are new.  Greylisting will usually defeat bot spam
as bots never retry.  The problem is the delivery delay introduced
(minutes to hours).  This doesn't work for those ordering last minute
air fare and need to print their boarding pass.  With greylisting that
boarding pass email may arrive an hour later.  Greylisting also sucks
system resources due to the triplet database.

The fqrdns.pcre table gives most of the "catch" performance of
greylisting without the downsides.

-- 
Stan
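
The following is an added example, not part of the original message and not taken from fqrdns.pcre: it contrasts a plain rDNS-existence check with a first-match pattern table of the kind described above. The table entries, hostnames and function names are constructed for illustration, and the parser handles only a simplified `/regex/ ACTION text` line format, matched case-insensitively.

```python
import re

# Constructed sample table in Postfix pcre-table style ("/pattern/ ACTION text").
# These patterns are illustrative only and are NOT copied from fqrdns.pcre.
SAMPLE_TABLE = r"""
# generic dynamic-pool naming: IP octets embedded in the hostname
/^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.dyn\.isp\.example$/  REJECT generic dynamic rDNS
/^(dsl|cable|pool)-[0-9a-f-]+\.broadband\.example$/    REJECT generic residential rDNS
# business/static ranges of the same ISP are left to later checks
/^static-\d+\.biz\.isp\.example$/                       DUNNO
"""

def load_table(text):
    """Parse '/regex/ ACTION [text]' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.+)/\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"bad table line: {line!r}")
        pattern, action, note = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE), action.upper(), note))
    return rules

def existence_only(rdns):
    """The plain check discussed in the thread: reject only when no PTR exists."""
    return "REJECT" if not rdns else "DUNNO"

def decide(rdns, rules):
    """Return (action, reason) for a client's PTR name (None if it has none)."""
    if not rdns:
        return ("REJECT", "no rDNS")
    for regex, action, note in rules:      # first matching rule wins
        if regex.search(rdns):
            return (action, note or "table match")
    return ("DUNNO", "no table match")     # fall through to later checks

RULES = load_table(SAMPLE_TABLE)

if __name__ == "__main__":
    # Constructed client PTR names; None means the address has no rDNS.
    for ptr in (None, "203-0-113-57.dyn.isp.example",
                "cable-7f3a-22.broadband.example",
                "static-12.biz.isp.example", "mail.corp.example"):
        print(f"{ptr!s:40} exists-only={existence_only(ptr):7} table={decide(ptr, RULES)}")
```

The two generic residential names pass the existence-only check but are rejected by the table, which is the gap the message describes.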

