North American Network Operators Group

Re: marking dynamic ranges, was fixing insecure email infrastructure
On Tue, Jan 25, 2005 at 01:09:04PM +0530, Suresh Ramasubramanian wrote:
> On Mon, 24 Jan 2005 22:29:49 +0100, Markus Stumpf
> <[email protected]> wrote:
> > If you look at your logfiles you will notice that > 95% of all legit
> > mailservers already have working and individual revDNS.
>
> I'll just point out that you are generalizing based on a case you see
> in your mailserver

I am generalizing on what I see from about 300 mailservers and about
1 million messages a day.

> I haven't got the time to gather stats from our production clusters
> right now but a quick grep through the last week's logs on my personal
> colo (lots of ISPs in india mail it, some indian users - friends,
> family, large local linux lists - on it) .. I'd say that about 40% of
> my legitimate email comes from IPs that don't have rDNS let alone
> DNAME / MTAMARK.

How did you calculate that "40% of my legitimate email"?
If you get 60 emails from 60 different hosts that have revDNS and you
get 40 mails from two hosts without revDNS then also "40% of your
legitimate email" is coming from servers without revDNS, but in fact
the percentage of servers without revDNS would be around 3.2%.
Quite a difference.

> On our production boxes we get email from around the world for about
> 40 million users, and I just don't want to try blocking based on no
> reverse DNS there .. just not worth the amount of legitimate email
> traffic that gets filtered out.

On the mailserver for our company we had 2002 attempts to inject
messages for the last 17h30m from hosts without any revDNS.
  -> 30 allowed, 2 of them non spam
  -> 1982 rejected (badhelo (ip or name of local mailserver), not
     existing recipient, relaying denied, blocked due to prior spamming)
This makes a 0.1% non-spam rate.
888 unique hosts sending spam, 2 did not, 0.23% good servers without
revDNS.

yesterday:
2368 attempts from hosts without any revDNS
  -> 2315 rejected
  -> 53 allowed, 6 of them non spam (4 of them from the same sender)
This makes a 0.25% non-spam rate.
1044 unique hosts sending spam, 3 did not, 0.29% good servers without
revDNS.

As you can see, we don't filter out "no revDNS", either.
But setting MTAMARK records would give the admins of the receiving
mailservers a hint as to how to classify the sending IP.

	\Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299

"The security, stability and reliability of a computer system is
 reciprocally proportional to the amount of vacuity between the ears
 of the admin"
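The per-message versus per-host distinction Markus draws in the message above (40% of legitimate messages versus roughly 3.2% of sending hosts), and the shape of the counts he reports for attempts from hosts without revDNS, as an added Python example that is not part of the original thread and not code from any poster. The record layout, the host names and the IP addresses (documentation ranges only) are constructed; `Attempt`, `per_message_rate`, `per_host_rate`, `no_rdns_summary` and the two `sample_*` functions are assumed names.

```python
"""Per-message vs per-host view of inbound mail statistics.

Added example; not from the NANOG thread.  The record layout below is an
assumption, not any real MTA's log format, and all data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Attempt:
    """One inbound SMTP delivery attempt, as a receiving MTA might record it."""
    client_ip: str
    rdns: Optional[str]   # PTR name, or None when the client IP has no reverse DNS
    accepted: bool        # passed the MTA's policy checks (HELO, recipient, relay, ...)
    spam: bool            # later classified as spam (assumed content-filter verdict)


def per_message_rate(attempts):
    """Fraction of legitimate (non-spam) messages that came from IPs without rDNS."""
    legit = [a for a in attempts if not a.spam]
    no_rdns = [a for a in legit if a.rdns is None]
    return len(no_rdns) / len(legit) if legit else 0.0


def per_host_rate(attempts):
    """Fraction of distinct legitimate-sending IPs that lack rDNS."""
    hosts = {a.client_ip: a.rdns for a in attempts if not a.spam}
    return sum(1 for r in hosts.values() if r is None) / len(hosts) if hosts else 0.0


def no_rdns_summary(attempts):
    """Counts for attempts from hosts without rDNS, in the shape the post reports."""
    subset = [a for a in attempts if a.rdns is None]
    allowed = [a for a in subset if a.accepted]
    non_spam = [a for a in allowed if not a.spam]
    # ip -> True once the host has sent at least one non-spam message
    hosts = defaultdict(lambda: False)
    for a in subset:
        hosts[a.client_ip] = hosts[a.client_ip] or not a.spam
    good_hosts = sum(hosts.values())
    return {
        "attempts": len(subset),
        "rejected": len(subset) - len(allowed),
        "allowed": len(allowed),
        "non_spam": len(non_spam),
        "non_spam_rate": len(non_spam) / len(subset) if subset else 0.0,
        "unique_hosts": len(hosts),
        "good_hosts": good_hosts,
        "good_host_rate": good_hosts / len(hosts) if hosts else 0.0,
    }


def sample_attempts():
    """Constructed data reproducing the 60/40 illustration from the post:
    60 legitimate messages from 60 distinct hosts with rDNS, plus 40 from
    two hosts without rDNS.  IPs are documentation-range placeholders."""
    attempts = [Attempt(f"192.0.2.{i}", f"mx{i}.example.net", True, False)
                for i in range(1, 61)]
    attempts += [Attempt("198.51.100.1", None, True, False)] * 20
    attempts += [Attempt("198.51.100.2", None, True, False)] * 20
    return attempts


def sample_spam_attempts():
    """Constructed spam-heavy day: five no-rDNS hosts each rejected twice,
    one no-rDNS host accepted twice, once with a legitimate message."""
    attempts = [Attempt(f"203.0.113.{i}", None, False, True)
                for i in range(1, 6) for _ in range(2)]
    attempts.append(Attempt("203.0.113.6", None, True, False))
    attempts.append(Attempt("203.0.113.6", None, True, True))
    return attempts


if __name__ == "__main__":
    s = sample_attempts()
    print(f"per-message: {per_message_rate(s):.1%}  per-host: {per_host_rate(s):.1%}")
    print(no_rdns_summary(sample_spam_attempts()))
```

The two rate functions make the point of the reply: counting messages and counting sending hosts answer different questions, and a handful of chatty hosts without rDNS can dominate the first number while barely moving the second.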