Firewall Wizards mailing list archives

Re: Cisco PIX Version 6.3(3) SMTP Problem


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 6 Jul 2005 17:10:28 -0400 (EDT)

On Thu, 7 Jul 2005, Devdas Bhagat wrote:

On 06/07/05 10:00 -0700, Gregory Hicks wrote:
<snip>
For a home or SMALL business, I'd rather run my own mail scanner as
well.  For a medium to large business, I'd almost rather outsource the
spam suppression.

Why?
If you use a properly configured set of systems rejecting spam at the
very edge, you can reject most of your spam without even hitting the
content filters. Filter out specific file extensions as well, and you
have very few things to really worry about (zipped viruses mostly).

[Devil's advocate]
It helps to have someone else eat the bandwidth costs.
[/Devil's advocate]

I'm not really a big fan of outsourcing core infrastructure, and I feel
e-mail is too critical to outsource- others seem to think not having to
deal with it is a bonus- reasonable folks differ.

However, I will say this:

Even without doing huge RBL stuff, there's enough spam out there to do
wonders just blocking on user name and the common domain stuff.

Using DNSBLs effectively is a nice way of blocking a lot of spam.
Another trick is to block systems which helo as a domain you host, or
the hostname/domain name of your system. Add in sender NS and MX checks
for valid MX IP addresses, and you lose a crapload of spam just like
that. And a check on proper ESMTP pipelining usage.

I've got a customer whose business was dying from dictionary attacks via
e-mail.  They run FBSD and had Sendmail on their mail server with some
rejection stuff hacked in.  Load average on their primary MX was going
over 230, and the secondary was up over 100 during peak attacks.  They
were at the point they couldn't do business and were looking at a $15,000
mail server upgrade in the hopes that they could stave off the spam attacks.

I spent ~45m each on their two MX boxen upgrading from Sendmail to
Postfix, and implementing basic rejections.  Load average hasn't gone
above 1.0 since I did the changes about two months ago.  They average
about 1.2 million rejected messages in a 24 hour period, and their
legitimate mail gets through just fine.   Peak rejections in a day have
been 2.4M, with rates of 65 rejections/second sustained for an hour at a
time (thanks Jim, pflogsumm rocks!).

No OS upgrades, no hardware upgrades, and the primary MX "handles" the
rejections fast enough that the secondary doesn't get loaded up during
attacks.  I guess if I was a smarter consultant, I'd have made it so I had
to do something every week to "tune" it, but I prefer solving new
problems to continuing to tilt at old ones.

Generally what's left over is easy to filter with just about anything, so
I'd say my experience mirrors yours in that basic protections nail the
majority of the bad stuff.  For my personal stuff, I just run it all
through Mailscanner and clean out the rejected piles from time to time.

I've updated my rules three times this year.  I've seen about 20 spam
messages that didn't get caught by filters, I used to see 3x that a day
on *good* days.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
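As an added illustration that is not part of this thread, the following Python model shows the edge checks Paul and Devdas describe (a HELO that names a hosted domain or the MX's own hostname, a sender domain with no usable MX, a client listed in a DNSBL) as a mail server would apply them in envelope order; the hosted domains, hostname, DNS records and DNSBL entries are constructed stand-ins so it runs offline, and the ESMTP pipelining check is not modelled.

```python
import ipaddress
# Assumed site data: the domains this MX serves and its own hostname.
HOSTED_DOMAINS = {"example.com", "example.net"}
MY_HOSTNAME = "mx1.example.com"
# Constructed DNS stand-ins: MX per domain, A per host, DNSBL listings.
MX_RECORDS = {"example.org": ["mail.example.org"], "bogus.test": ["mail.bogus.test"]}
A_RECORDS = {"mail.example.org": "203.0.113.10", "mail.bogus.test": "127.0.0.1"}
DNSBL_LISTED = {"198.51.100.7"}
# Addresses that can never be a reachable MX on the public Internet.
UNROUTABLE = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8",
              "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in UNROUTABLE)

def check_client(client_ip):
    """Reject connections from addresses listed in the DNSBL."""
    return "554 client address listed in DNSBL" if client_ip in DNSBL_LISTED else None

def check_helo(helo):
    """Reject a HELO that claims to be this host or a domain this site hosts."""
    name = helo.lower().rstrip(".")
    if name == MY_HOSTNAME or name in HOSTED_DOMAINS or \
            name.endswith(tuple("." + d for d in HOSTED_DOMAINS)):
        return "550 HELO name belongs to this site"
    if "." not in name:
        return "550 HELO name is not fully qualified"
    return None

def check_sender(sender):
    """Reject senders whose domain has no MX/A or whose MX is unroutable."""
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if not domain:
        return None  # the null sender (bounces) must always be accepted
    hosts = MX_RECORDS.get(domain) or ([domain] if domain in A_RECORDS else [])
    if not hosts:
        return "450 sender domain has no MX or A record"
    if not any(A_RECORDS.get(h) and routable(A_RECORDS[h]) for h in hosts):
        return "550 sender domain MX does not resolve to a routable address"
    return None

def evaluate(client_ip, helo, sender):
    """Run the checks in SMTP order; return the first rejection, else 250."""
    for reply in (check_client(client_ip), check_helo(helo), check_sender(sender)):
        if reply:
            return reply
    return "250 OK"
```

The 450 on a missing MX is a temporary rejection so that a domain with a transient DNS failure can retry, while the HELO and unroutable-MX cases are permanent 550s.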