Firewall Wizards mailing list archives
Re: Cisco PIX Version 6.3(3) SMTP Problem
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 7 Jul 2005 03:38:49 +0530
On 06/07/05 17:10 -0400, Paul D. Robertson wrote:
> On Thu, 7 Jul 2005, Devdas Bhagat wrote:
> > On 06/07/05 10:00 -0700, Gregory Hicks wrote:
> > > <snip>
> > > For a home or SMALL business, I'd rather run my own mail scanner as well. For a medium to large business, I'd almost rather outsource the spam suppression.
> > Why? If you use a properly configured set of systems rejecting spam at the very edge, you can reject most of your spam without even hitting the content filters. Filter out specific file extensions as well, and you have very few things to really worry about (zipped viruses mostly).
> [Devil's advocate] It helps to have someone else eat the bandwidth costs. [/Devil's advocate] I'm not really a big fan of outsourcing core infrastructure, and I feel e-mail is too critical to outsource- others seem to think not having to deal with it is a bonus- reasonable folks differ.
This depends on a lot of factors, in particular the skillset of the administrator. Email administration does not take so much time as skill. Email is possibly the most complex piece of application infrastructure out there. IMHO, a good email administrator knows IP routing, DNS, SMTP, POP3, IMAP, LDAP and/or SQL, HTTP, Unix system tuning, Perl/shell scripting, possibly NFS, procmail/maildrop/other MDAs, log analysis, and then some more administrative skills. Oh, and reasonable people skills too. Such people are not easy to locate, or cheap.
> However, I will say this: Even without doing huge RBL stuff, there's enough spam out there to do wonders just blocking on user name and the common domain stuff.
http://nixcartel.org/~devdas/minute.png just to contrast with your numbers below. These systems are CPU bound. About half that is DNSBL, a quarter is unknown user and the rest is other checks. And that graph is from last August. There is no major content filtering (only some header, mime_header and body checks).
Using DNSBLs effectively is a nice way of blocking a lot of spam. Another trick is to block systems which HELO as a domain you host, or as the hostname/domain name of your system. Add in sender NS and MX checks for valid MX IP addresses, and you lose a crapload of spam just like that. And a check on proper ESMTP pipelining usage.

> I've got a customer whose business was dying from dictionary attacks via e-mail. They run FBSD and had Sendmail on their mail server with some rejection stuff hacked in. Load average on their primary MX was going over 230, and the secondary was up over 100 during peak attacks. They were at the point they couldn't do business and were looking at a $15,000 mail server upgrade in the hopes that they could stave off the spam attacks.
Was this an "accept everything and then bounce" setup? People should know better than to leave systems like that on the Internet today.
> I spent ~45m each on their two MX boxen upgrading from Sendmail to Postfix, and implementing basic rejections. Load average hasn't gone above 1.0 since I did the changes about two months ago. They average about 1.2 million rejected messages in a 24 hour period, and their legitimate mail gets through just fine. Peak rejections in a day have been 2.4M, with rates of 65 rejections/second sustained for an hour at a time (thanks Jim, pflogsumm rocks!)
Nice. If you have the time, plug in mailgraph there, it generates pretty graphs.
> No OS upgrades, no hardware upgrades, and the primary MX "handles" the rejections fast enough that the secondary doesn't get loaded up during attacks. I guess if I was a smarter consultant, I'd have made it so I had to do something every week to "tune" it, but I prefer solving new problems to continuing to tilt at old ones.
Do they really need the secondary? Spammers tend to attack secondaries far more often than primaries, and most secondary MX servers serve no useful purpose today.
> Generally what's left over is easy to filter with just about anything, so I'd say my experience mirrors yours in that basic protections nail the majority of the bad stuff. For my personal stuff, I just run it all through Mailscanner and clean out the rejected piles from time to time. I've updated my rules three times this year. I've seen about 20 spam messages that didn't get caught by filters; I used to see 3x that a day on *good* days.
I wish I was that lucky. I get about 40 UBE a day sent to my forwarding accounts. Stuff sent directly here doesn't make it through though.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
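The edge rejections discussed in this exchange (reject unknown users at RCPT TO instead of accepting and bouncing, refuse clients that HELO as a domain you host, check that sender domains resolve, consult a DNSBL, reject unauthorised ESMTP pipelining) collected into a single Postfix main.cf fragment. This is an added illustration, not configuration from either poster; the domain names, map paths and DNSBL zone are assumptions to adapt for your own site.

```ini
# Added example, not from the thread. Hostnames, domains, map paths and the
# DNSBL zone are placeholders/assumptions; adjust them for your site.

# Reject unknown users during the SMTP dialogue rather than accepting everything
# and bouncing later. An empty local_recipient_maps is the "accept then bounce"
# setup; the value below (the Postfix default) lists real local users + aliases.
mydestination        = $myhostname, example.com
local_recipient_maps = unix:passwd.byname $alias_maps

# A secondary MX that does not know the primary's valid recipients will accept
# dictionary-attack mail and bounce it afterwards. Give it the recipient list.
relay_domains        = example.net
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Require HELO and reject clients claiming to be one of our own domains or hosts.
smtpd_helo_required     = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname

# The envelope sender's domain must have an A or MX record before we go further.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# Relay control first, then cheap recipient checks, then the DNS lookup.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org

# Clients that pipeline commands without waiting for our replies are not
# behaving like real MTAs.
smtpd_data_restrictions = reject_unauth_pipelining

# Contents of /etc/postfix/helo_access (assumed names; build the map with
# "postmap /etc/postfix/helo_access"):
#   example.com        REJECT You are not us
#   mx1.example.com    REJECT You are not us
```

Each rejected connection shows up as a `reject:` line in the Postfix log, which is what pflogsumm and mailgraph count to produce the per-check breakdown mentioned earlier in the thread.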