Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.


Network / Server Status Please check often for network / Server updates here!

#211
11-23-2006, 01:41 PM
admin
Vortech Inc. Owner
Location: Orlando FL
Yea, I am not too good with Macs either. Never used one for more than 10 min in my life. lol
__________________
Brad Pugh
http://www.vortechhosting.com
------

Local System/Network Monitor
http://nagios.hsphere.cc/
Login:guest Pass:guest
XML FEED http://nagios.hsphere.cc/feed.xml
------

My Other Life:

#212
11-23-2006, 02:20 PM
Silverbug
Custom Built Solutions
Vortech Inc. Customer
Location: AK, New Zealand
Quote:
But the good thing is this will stop a LOT of spam once setup and given time to work
This does sound like a nifty idea, where did you get it from? I wonder if I could implement it on our private mailserver too... heads off to investigate

Also I take it this is only on mails 7 & 8 at the moment. Any plans to shift to the other mail servers?
__________________
Paul Foley
Sniper Systems Ltd


Last edited by Silverbug : 11-23-2006 at 02:29 PM.

#213
11-23-2006, 02:36 PM
rhanoudi
Vortech Inc. Customer

Quote:
Originally Posted by admin
Ok, we now have a proxy system set up in front of mail7 running a firewall and spamd; this has caused the load on the server to drop to a load that is ok. SpamD is checking the connection and only passing legit connections or emails on to qmail on the next server. Our loads are now 1.5 proxy server and 2.7 mail server; this is down from the 10.00 to 15.00 load it had.

In about the 1/2 hour it has been running, so you can understand how bad of an attack this is, to give you an idea: there have been 471,000 connections and only 24500 attempts to send mail or real emails, not just connections.

spamd does use a whitelist and greylist; to get on the white list is simple, anyone just has to send you an email and it adds them right to the white list. More or less what we are doing is filtering out the bad or fake connections, now only passing the good ones or emails along to the mail server.

This is ONLY on mail7 at the time; if we don't see any issue throughout the night we may do this for mail8 as well to get it more stable. But you are also welcome to turn off your mail and turn it back on; it may or may not put you on a new mail server, and yes, you will lose mail and mail settings by doing this.

Just wanted to give everyone an update before they thought we were going under or forgot about you again. We are working hard to stop this attack and we think we have found the answer now.

I just wanted to say thank you very much for setting up this new solution to fix the mail problem with mail7 and to stop the spam. It seems to work really well.

Happy Thanksgiving everyone!

Rayan

#214
11-23-2006, 09:36 PM
admin
Vortech Inc. Owner
Location: Orlando FL
Quote:
Originally Posted by Silverbug
This does sound like a nifty idea, where did you get it from? I wonder if I could implement it on our private mailserver too... heads off to investigate
Also I take it this is only on mails 7 & 8 at the moment. Any plans to shift to the other mail servers?
Mail9 now has it local on its system. It's the first on FreeBSD; the proxy box in front of mail7 and 8 is running OpenBSD, even more stable than FreeBSD.

We will keep adding it to the systems, and it does not affect mail when we turn it up. Think we should send another email? I think the last one was clear, but maybe to let everyone know it will be going cluster wide within the next 15 to 30 days.

BTW someone asked what it is, it's called spamD here is the man page for it http://www.openbsd.org/cgi-bin/man.c...pamd&sektion=8 and more info: http://beta.freebsddiary.org/pf.php

We will also be adding these to it: http://www.greylisting.org/whitelisting.shtml if not already added, I think Aaron might have already done it, not sure since today was a holiday.
__________________
Brad Pugh
http://www.vortechhosting.com

Last edited by admin : 11-23-2006 at 09:40 PM.

#215
11-23-2006, 09:48 PM
admin
Vortech Inc. Owner
Location: Orlando FL
AND HERE IS WHAT MAKES THE SYSTEM SO GOOD AND MAY ANSWER EVERYONE'S QUESTIONS:


Since SMTP is considered an unreliable transport, the possibility of temporary failures is built into the core spec (see RFC 821). As such, any well behaved message transfer agent (MTA) should attempt retries if given an appropriate temporary failure code for a delivery attempt (see below for discussion of issues concerning non-conforming MTA's).

During the initial testing of Greylisting in mid-2003, it was observed that the vast majority of spam appears to be sent from applications designed specifically for spamming. These applications appear to adopt the "fire-and-forget" methodology. That is, they attempt to send the spam to one or several MX hosts for a domain, but then never attempt a true retry as a real MTA would. From our testing, this means that in the test environment, based on a fairly conservative interpretation of testing data, we have attained an effectiveness of over 95%, and that is with no legitimate mail ever being permanently blocked.

In addition, with the recent rampant proliferation of email-based viruses, Greylisting has been shown to be extremely effective in blocking these viruses, as they also do not tend to retry deliveries. And since these viruses are fairly large, bandwidth and processing savings are significant versus the standard method of accepting delivery and local virus scanning.

This blocking comes with a minimal price from the terms of local resources. Assuming the use of a local datastore for the triplet and other metadata, there is no required network traffic caused by Greylisting other than that associated with the connection itself. Since we are not checking the contents of the message at all there is very little processing overhead, unlike many other spam blocking methods.

There is one effect that could be seen as either a positive or negative. Since the Greylisting method delays acceptance of unknown mail, that will generate a little more work for the sending MTA of legitimate mail. The flip side is that it generates a lot more work and smarts for the spammer's systems, hopefully enough to make the costs of spamming higher, possibly even to the point of making spamming unprofitable for some of them.

The best part is that since we never permanently fail a message delivery, as long as the delivering MTA's are well behaved, we should never cause a legitimate mail to bounce. There should never be a false positive!


FROM: http://projects.puremagic.com/greyli...hitepaper.html
__________________
Brad Pugh
http://www.vortechhosting.com
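
How the greylist decision described in the whitepaper excerpt above plays out, as an added Python example that is not part of the original thread or of spamd itself. It keys on the (IP, sender, recipient) triplet; the 25-minute, 4-hour and 864-hour timings are assumed from spamd's documented defaults, and all addresses and attempt times are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed timings (spamd's documented defaults), in seconds.
PASSTIME = 25 * 60      # a new triplet must wait this long before a retry passes
GREYEXP = 4 * 3600      # grey entries never retried in this window are forgotten
WHITEEXP = 864 * 3600   # whitelisted hosts expire after this long without mail

@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> first seen
    white: dict = field(default_factory=dict)  # ip -> last seen

    def check(self, now, ip, sender, rcpt):
        """Return the SMTP reply code for one delivery attempt at time `now`."""
        last = self.white.get(ip)
        if last is not None and now - last <= WHITEEXP:
            self.white[ip] = now
            return 250                   # known host: hand over to the real MTA
        key = (ip, sender.lower(), rcpt.lower())
        first = self.grey.get(key)
        if first is None or now - first > GREYEXP:
            self.grey[key] = now         # unknown or expired triplet: start clock
            return 451                   # temporary failure, "try again later"
        if now - first < PASSTIME:
            return 451                   # retried too soon, keep deferring
        del self.grey[key]
        self.white[ip] = now             # a real retry: whitelist the sending host
        return 250

def replay(attempts):
    """Run (time, ip, sender, rcpt) attempts through a fresh greylist."""
    gl = Greylist()
    return [gl.check(*a) for a in attempts]

RCPT = "user@example.org"
# Constructed traffic: a sender that connects once and never retries.
FIRE_AND_FORGET = [(0, "203.0.113.9", "promo@bulk.example", RCPT)]
# Constructed traffic: a queueing MTA retrying at 10 and 30 minutes, then new mail.
REAL_MTA = [(0, "192.0.2.10", "bob@example.com", RCPT),
            (600, "192.0.2.10", "bob@example.com", RCPT),
            (1800, "192.0.2.10", "bob@example.com", RCPT),
            (1900, "192.0.2.10", "alice@example.com", RCPT)]
# Constructed traffic: a sender whose retries leave from different pool addresses.
ROTATING_POOL = [(t, f"198.51.100.{n}", "news@example.net", RCPT)
                 for t, n in [(0, 1), (1800, 2), (3600, 3), (5400, 1)]]

if __name__ == "__main__":
    for name in ("FIRE_AND_FORGET", "REAL_MTA", "ROTATING_POOL"):
        print(name, replay(globals()[name]))
```

In the rotating-pool case each new source address starts a fresh triplet, so a legitimate sender stays deferred until one address retries its own earlier attempt; whitelisting known sender pools avoids that delay.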

#216
11-23-2006, 10:21 PM
Vidvandre
Banned
Firewalls...

Haven't had any problems with this now, this is just a friendly reminder...

Previous experience tells me that (client-side) firewalls are often a source of problems when switching ports. Especially corporate firewalls can sometimes be very strictly configured. So if you're having problems after switching port, a good place to start is to see if firewalls let traffic pass...

Though this probably won't be that common a problem, as port 2525 has become a rather commonly used (alternative) port for SMTP...

#217
11-23-2006, 10:38 PM
admin
Vortech Inc. Owner
Location: Orlando FL
I think I have seen like 2 tickets about firewalls other than personal so it has not been bad but it's only 3 mail servers.
__________________
Brad Pugh
http://www.vortechhosting.com

#218
11-24-2006, 09:27 AM
Dreamzz
Vortech Inc. Customer
With regards to the source of the problem, any way to prevent such things from happening again?

My clients have been displeased with regards to this issue.

#219
11-24-2006, 09:54 AM
Ballyhoo
Things are looking up!
Vortech Inc. Customer
Location: Here & There. Currently Here
Brad, I'm intrigued with this method. Thanks for the link--interesting reading. It appears that this method is so very simple but yet looks like it may be one of the answers we all have been looking for. Good job!

On a different note--are there any other user-level controls that can be freely implemented so as to give the appearance of more control to our clients?

The more settings that my customers can fiddle with when they are unhappy with the level of spam the happier they seem to be. Not sure if everyone else has had the same experience.
__________________
Up, up and whoa! Just getting out of my chair.

#220
11-24-2006, 11:40 AM
admin
Vortech Inc. Owner
Location: Orlando FL
Quote:
Originally Posted by Ballyhoo
Brad, I'm intrigued with this method. Thanks for the link--interesting reading. It appears that this method is so very simple but yet looks like it may be one of the answers we all have been looking for. Good job!
On a different note--are there any other user-level controls that can be freely implemented so as to give the appearance of more control to our clients?
The more settings that my customers can fiddle with when they are unhappy with the level of spam the happier they seem to be. Not sure if everyone else has had the same experience.
Well, spamD is more or less invisible to the end user, so no fun settings to mess with. It's really just so simple it works. lol
__________________
Brad Pugh
http://www.vortechhosting.com

#221
11-24-2006, 11:41 AM
admin
Vortech Inc. Owner
Location: Orlando FL
Quote:
Originally Posted by Dreamzz
With regards to the source of the problem, any way to prevent such things from happening again?
My clients have been displeased with regards to this issue.

Yep, that is why we are putting spamD on all the mail servers, so we don't have to worry about port 25 attacks on the mail server as much. We are also keeping the proxy box set up, so if it ever happens again we can just slap it right in front of the servers where it is needed, and it will take about 10 min to stop a big SMTP attack.
__________________
Brad Pugh
http://www.vortechhosting.com

#222
11-24-2006, 01:28 PM
server-68
Vortech Inc. Customer
Location: Europa
Is it possible that TODAY mail7 still has problems?
A customer didn't receive an email sent four times. Only at the fifth attempt he got the message.
__________________
E Martire
_____________________________
Linux & Windows Multidominio
http://www.ole-web.net
If you don't fight.....run!

#223
11-24-2006, 04:48 PM
admin
Vortech Inc. Owner
Location: Orlando FL
No, we have not seen any problems. Did she get a bounce, and was it an email sent from outside to mail7 or mail7 out? It might be best to open a ticket; we could check the logs in spamd maybe if we know the IP of the sending mail server and the logs on the mail server. But I have not seen many mail tickets today or issues.
__________________
Brad Pugh
http://www.vortechhosting.com

#224
11-25-2006, 06:02 PM
KentWA
Vortech Inc. Customer
Brad, this problem seems to be persisting some. I had a client email me yesterday to my account on mail7 and cc an account on mail3. The one for mail3 arrived a little over 22 hours ago, still no mail in the mail7 account. She received a delayed message right away but has not received anything since. The mail is coming from doodle1.hotdoodle.com.

Kent

#225
11-25-2006, 06:49 PM
admin
Vortech Inc. Owner
Location: Orlando FL
Open a ticket and be sure to include the delayed message and headers.
__________________
Brad Pugh
http://www.vortechhosting.com