From: "James B. Byrne"
To: galtsev@kicp.uchicago.edu
Cc: freebsd-questions@freebsd.org
Date: Fri, 13 Jan 2017 09:05:46 -0500
Subject: Re: spamassassin not lethal anymore

On Thu, January 12, 2017 18:32, Valeri Galtsev wrote:
>
> I have one question and one comment to your suggestion.
>
> Question: why spammers would go to your lower priority MX
> instead of first going to your primary MX? Is that because
> on primary and only on primary you have greylisting? Why
> not to have greylisting on all MX serving your
> domain then? I'm in darkness about the logic behind doing it.
>

The purpose of diverting spam noise to non-existent hosts is to lower
the load on actual MX machines. It was noted by anti-spam advocates
that in a significant number of cases spambot programs were targeting
lower (lowest actually) priority MX services from the outset. The
motivation for this behaviour is uncertain. Hypothetically it might
be that spammers believe that secondary MX systems are frequently not
as well protected as the primary. Whatever the cause the effect was
noted.

Since most spam programs do not implement the SMTP particularly well
it is believed that by stone-walling the first connection attempt from
such scripts they would simply go on to their next target domain.

Last year we were under a considerable assault from spam and I was
given this idea from the SpamAssassin list. I may also have had it
mentioned to me on the Postfix list but I cannot be certain. In any
case, after implementing this we were able to detect a measurable drop
in connection attempts to our actual MX services.

All of our 'real' MX hosts are protected with exactly the same tools,
including Postgrey and SpamAssassin with Amavis-new, and all are
configured to the same degree of hardening. However, a packet not
handled is a cycle saved for some useful work and diverting any amount
of bogus traffic to a non-listening port works for us.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
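
A small model of the effect described in the message above, as an added example that is not part of the original post: it compares a standards-following sender with a client that only tries the lowest-priority MX, and checks that a zone is laid out safely for a decoy. The host names, preference values, reachability table and the bot model are constructed assumptions.

```python
# (preference, host) pairs as they would appear in a zone's MX RRset.
# Constructed sample data; example.org is a reserved documentation domain.
MX_RECORDS = [
    (10, "mx1.example.org"),
    (20, "mx2.example.org"),
    (90, "decoy.example.org"),  # decoy: nothing listens on port 25
]
# Constructed reachability: which hosts accept a TCP connection on port 25.
LISTENING = {"mx1.example.org": True, "mx2.example.org": True,
             "decoy.example.org": False}


def compliant_sender(records, listening):
    """RFC 5321 behaviour: try MX hosts in ascending preference until one accepts."""
    attempts = []
    for _, host in sorted(records):
        attempts.append(host)
        if listening.get(host, False):
            return host, attempts
    return None, attempts  # nothing accepted: the message stays queued for retry


def lowest_priority_bot(records, listening):
    """Assumed bot model: one attempt at the lowest-priority MX, no fallback."""
    _, host = max(records)
    return (host if listening.get(host, False) else None), [host]


def real_mx_load(senders, records, listening):
    """Count connection attempts that land on hosts actually running an MTA."""
    load = 0
    for sender in senders:
        _, attempts = sender(records, listening)
        load += sum(1 for h in attempts if listening.get(h, False))
    return load


def check_layout(records, listening):
    """Sanity checks a zone should pass before relying on a decoy MX."""
    problems = []
    ordered = sorted(records)
    if listening.get(ordered[-1][1], False):
        problems.append("lowest-priority MX is a live host, not a decoy")
    if not any(listening.get(h, False) for _, h in ordered[:-1]):
        problems.append("no live MX ahead of the decoy: legitimate mail would queue")
    return problems
```

With the decoy in place the compliant sender never touches it while a real MX is up; if every real MX is down it reaches the decoy last and keeps the message queued.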