Re: Cisco PIX Version 6.3(3) SMTP Problem

[Devdas Bhagat <devdas () dvb homelinux org>]

On 06/07/05 17:10 -0400, Paul D. Robertson wrote:
> On Thu, 7 Jul 2005, Devdas Bhagat wrote:
>
> > On 06/07/05 10:00 -0700, Gregory Hicks wrote:
> > <snip>
> > > For a home or SMALL business, I'd rather run my own mail scanner as
> > > well.  For a medium to large business, I'd almost rather outsource the
> > > spam suppression.
> >
> > Why?
> > If you use a properly configured set of systems rejecting spam at the
> > very edge, you can reject most of your spam without even hitting the
> > content filters. Filter out specific file extensions as well, and you
> > have very few things to really worry about (zipped viruses mostly).
>
> [Devil's advocate]
> It helps to have someone else eat the bandwidth costs.
> [/Devil's advocate]
>
> I'm not really a big fan of outsourcing core infrastructure, and I feel
> e-mail is too critical to outsource- others seem to think not having to
> deal with it is a bonus- reasonable folks differ.
This depends on a lot of factors. In particular, the skillset of the
administrator. Email administration does not take so much time, as
skill.

Email is possibly the most complex piece of application infrastructure
out there. IMHO, a good email administrator knows IP routing, DNS, SMTP,
POP3, IMAP, LDAP and/or SQL, HTTP, Unix system tuning, Perl/Shell
scripting, possibly NFS, procmail/maildrop/other MDA, log analysis, 
and then some more administrative skills. Oh, and reasonable people
skills too.

Such people are not easy to locate, or cheap.

> However, I will say this:
>
> Even without doing huge RBL stuff, there's enough spam out there to do
> wonders just blocking on user name and the common domain stuff.

http://nixcartel.org/~devdas/minute.png just to contrast with your
numbers below. These systems are CPU bound.
About half that is DNSBL, a quarter is unknown user and the rest is
other checks. And that graph is from last August. There is no major
content filtering (only some header, mime_header and body checks).

> > Using DNSBLs effectively is a nice way of blocking a lot of spam.
> > Another trick is to block systems which helo as a domain you host, or
> > the hostname/domain name of your system. Add in sender NS and MX checks
> > for valid MX IP addresses, and you lose a crapload of spam just like
> > that. And a check on proper ESMTP pipelining usage.
>
> I've got a customer who's business was dying from dictionary attacks via
> e-mail.  They run FBSD and had Sendmail on their mail server with some
> rejection stuff hacked in.  Load average on their primary MX was going
> over 230, and the secondary was up over 100 during peak attacks.  They
> were at the point they couldn't do business and were looking at a $15,000
> mail server upgrade in the hopes that they could stave off the spam attacks.
Was this an "accept everything and then bounce" setup? People should
know better than to leave systems like that on the Internet today.

> I spent ~45m each on their two MX boxen upgrading from Sendmail to
> Postfix, and implementing basic rejections.  Load average hasn't gone
> above 1.0 since I did the changes about two months ago.  They average
> about 1.2 million rejected messages in a 24 hour period, and their
> legitimate mail gets through just fine.   Peak rejections in a day have
> been 2.4M, with rates of 65 rejections/second sustained for an hour at a
> time (thanks Jim, pflogsumm rocks!)
Nice. If you have the time, plug in mailgraph there, it generates pretty
graphs.

> No OS upgrades, no hardware upgrades, and the primary MX "handles" the
> rejections fast enough that the secondary doesn't get loaded up during
> attacks.  I guess if I was a smarter consultant, I'd have made it so I had
> to do something every week to "tune" it, but I prefer solving new
> problems to continuing to tilt at old ones.
Do they really need the secondary? Spammers tend to attack secondaries
far more often than primaries, and most secondary MX servers serve no
useful purpose today.

> Generally what's left over is easy to filter with just about anything, so
> I'd say my experience mirrors yours in that basic protections nail the
> majority of the bad stuff.  For my personal stuff, I just run it all
> through Mailscanner and clean out the rejected piles from time to time.
>
> I've updated my rules three times this year.  I've seen about 20 spam
> messages that didn't get caught by filters, I used to see 3x that a day
> on *good* days.
I wish I was that lucky. I get about 40 UBE a day sent to my forwarding
accounts. Stuff sent directly here doesn't make it through though.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards