|
|
My Network: 1, Spammers: 0
So three weeks ago spam and viruses passing through the e-mail filter at work exploded, going from ~ 10,000 spam messages to ~ 200,000, per day, all at once. A week later I get a notice from our ISP that we've been reported as running an open relay. "Wha?!?" I said to myself. You see, a long time ago we really were running an open relay, and after many long hours and blown up e-mail configurations, I closed it. I've been damned careful about it ever since.
So I was flummoxed. I talked our ISP out of shutting us down, but was not at all sure what to do next. I regularly see various spamcop-like systems test our mail filter, and it always passes. A little more research revealed what was going on: because of the nature of our network, the filter accepts e-mail without checking to see if the address is valid. That's the job of the main mail server. If the main mail server thinks the address is bad, it sends a bounce message to the sender. It's supposed to do it. It's actually required to do it, by internet standards.
Which ended up being a loophole for spammers. It works like this: they send mail out to addresses on our network they know are bad, and fake the FROM address, which is the one they really want to reach. The mail server dutifully sends a bounce message to the person it thinks sent the message, and pow, some innocent person gets spammed and thinks it came from my network. Worse still, the filter has to process each one of these stupid messages, dragging performance down for the whole system.
By now whatever scumbag figured this out for our network had told all his friends, because our quite powerful filter was beginning to buckle under the load. Which is when I found this, a near-magical (and comparatively cheap) widget that lets the filter check if the address is good, and immediately reject the message if it's not.
When implemented, the filter went from a utilization of 4-7 (way overloaded) to a utilization of .86 (loafing along). I'm seeing thousands of messages being rejected because of this new widget. All of them representing scum-sucking spammer retards who were hijacking our stuff to send their messages.
Suck it, you bastards.
But that still doesn't keep them from using your mail server as an open relay to bounce spam other networks, it just keeps the spam out of yours.
Posted by: Tatterdemalian on October 17, 2006 03:55 PMNo, it's supposed to stop both. A different sort of error message is returned now, which immediately stops the message transaction. At least, that's the way I read things. If not, I'll just keep trying.
Posted by: Scott on October 17, 2006 04:02 PMDuh! Had you asked me, I would've told you that's all you need to do.
Posted by: ron on October 17, 2006 07:08 PM...check out Fluffy the SMTPGuardDog...I use it and highly recommend it.(and it's free)
http://smtpfilter.sourceforge.net/
Posted by: ATW on October 17, 2006 10:38 PM