On Wed, 2004-07-21 at 16:56, Scot L. Harris wrote:
> On Wed, 2004-07-21 at 19:35, netmask wrote:
> > > ----
> > > I'm not convinced that this is entirely true any longer. I was under the
> > > impression that much of today's UBE was being sent by Windows machines
> > > that have been compromised and are relaying mail at the control of
> > > others and less from improperly configured mail servers (hence your
> > > point about idiot ISPs that don't block port 25 properly I suppose). I
> > > don't have any statistics on this though.
> >
> > According to my logs, this would be an accurate statement. I get hit by a lot
> > of brute forcers trying *@domain and just tons of stupid spam drones.. Nearly
> > all coming from dialup win boxes (according to p0f they are win boxes).
> > Luckily cbl.abuseat.org and the other various RBLs do a pretty good job of
> > keeping them under control. I very rarely see someone rejected as being an
> > open relay.
> >
> > However, the second someone has an open relay up.. it's a spammer heaven.
>
> Every day I see relay attempts through the mail server, all blocked of
> course. There must be enough open relays for them to keep trying that
> method.
>
> And I agree with you that the majority of the spam comes from
> compromised zombie Windows clients. I recently set up greylisting on the
> mail server and this alone reduced spam by 98 to 99% (was 2000 to 6000
> spam messages a day and now we get 3 to 8 spam messages a day).
> Greylisting works by telling the remote MTA that there is a temporary
> error (451). A real MTA will wait a few minutes and try to connect
> again. Virtually all the zombie machines out there are not that smart,
> they get an error and just move on and don't retry. Amazingly quiet on
> the email server now. :)
----
Why is it that I feel this is only a temporary fix? ;-(

Craig
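
The greylisting decision described in the quoted message, as an added example that is not part of the original thread or any poster's configuration. Keying on the (client IP, envelope sender, envelope recipient) triplet, the timing constants and all names are assumptions; the thread itself states only the 451 temporary error and the retry after a few minutes.

```python
# Added illustration of a greylisting policy; names and timings are assumptions.
from dataclasses import dataclass, field

MIN_DELAY = 300             # seconds before a retry is accepted (assumed)
RETRY_WINDOW = 4 * 3600     # an unconfirmed first attempt expires after this (assumed)
PASS_LIFETIME = 30 * 86400  # how long a confirmed triplet stays accepted (assumed)

# Constructed sample: (time, client_ip, mail_from, rcpt_to) per RCPT TO attempt.
SAMPLE = [
    (0, "198.51.100.7", "promo@example.com", "user@example.net"),  # one-shot sender
    (10, "192.0.2.10", "alice@example.org", "user@example.net"),   # first attempt
    (70, "192.0.2.10", "alice@example.org", "user@example.net"),   # retried too soon
    (910, "192.0.2.10", "alice@example.org", "user@example.net"),  # proper retry
]

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> first-seen time
    passed: dict = field(default_factory=dict)   # triplet -> last-accepted time

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply (code, text) for one delivery attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= PASS_LIFETIME:
            self.passed[key] = now  # known-good triplet: accept and refresh
            return 250, "OK"
        self.passed.pop(key, None)  # drop an expired pass entry, if any
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > RETRY_WINDOW:
            # First contact, or the earlier attempt went stale: start the clock.
            self.pending[key] = now
            return 451, "Greylisted, please try again later"
        if now - first_seen < MIN_DELAY:
            # Retried before the delay elapsed: keep the original timestamp.
            return 451, "Greylisted, please try again later"
        # The sender queued the message and came back, as a real MTA does.
        del self.pending[key]
        self.passed[key] = now
        return 250, "OK"

def replay(events):
    """Run (time, ip, from, to) events through a fresh greylist; return reply codes."""
    gl = Greylist()
    return [gl.check(ip, frm, to, now)[0] for now, ip, frm, to in events]
```

The sender that never retries only ever sees 451, while a queueing MTA is accepted on its first retry after the delay and on later messages for the same triplet.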