
Re: CIDR notation - block spam

On Fri, 8 Oct 2004 12:12:08 +0200, i.t Consulting
<[email protected]> wrote:
> On Friday, 8 October 2004 07:53, Kevin wrote:
> >  [ Evaluations: 961075    Packets: 213111    Bytes: 76349669    States: 0  
> >   ] @34 block drop in log quick proto tcp from <PDL:10994> to any port =
> > smtp . . .
> >
> > This is my primary mail server rejecting SMTP sessions from hosts
> > listed in the Pan-Am DUL (http://www.pan-am.ca/pdl/).  The first field
> > of each line in the list is an IP address or subnet in CIDR notation,
> > so it's easy to just pass the list through cut and then reload the
> > table from a file.
> >
> > I have never encountered a false positive in my six months of using
> > the PDL. YMMV.
> Thanks for the interesting info.
> 10994 addresses including CIDR notation is quite a lot of work for pf (?)
> What does top tell you on average?
As mentioned in the OnLamp interview, table efficiency in 'pf' has
improved massively in recent releases; tables of over 100K entries are
no problem under 3.5.
The real resource hogs on this machine are SpamAssassin and ClamAV,
both running under systrace.  If anything, the 'pf' ruleset helps out
by keeping down the volume of mass-mailer worms from dial-up, home
broadband, and similar networks.
> As interesting as it is, I do not agree with PDL's policy "
The PDL is a list of dialup and dynamic addresses; if you feel that
this is not what you want to use in outright rejecting SMTP traffic,
you might still choose to load the PDL as a 'pf' table and make use of
this table in selective greylisting.
> ...list of home dial-up, home broadband and similar networks..."
> since small businesses often use ADSL connections;
The PDL lists only *dynamic* IP address blocks -- most any business
running a legitimate mail server will have static addresses, and will
thus not be on the PDL.  The PDL site specifically states "The PDL
lists networks used for temporary Internet connections where no SMTP
services are ordinarily found. Please remember this when making
submissions, as submissions for networks that contain e-mail servers
or fixed IP addresses may be refused."
I'm satisfied with the accuracy of the PDL; for anybody who is not,
the greylisting features of OpenBSD and pf should give a margin of
safety against false-positives, with the drawback of significantly
higher server load.  A 'block in quick' rule in pf is always going to
have less load than accepting those TCP sessions, forking a process,
and then logging and dropping after the RCPT stage of the session...
> and you can make your small business server more secure than that of an ISP
> who has to take care of many different customers - including their spam
> connections.
Absolutely; I've built a few of these myself.
All but the cheapest of small businesses will host their server on a
static IP served from an ISP which permits mail servers in their TOS
-- their address will not be listed in any of the various "dialup and
dynamic" block lists, unless they sign up with a spam-friendly ISP.
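The "cut the first field and reload the table from a file" step Kevin describes, written out as an added example (not code from this thread): the list format, the table name <PDL>, the file path and the pf.conf lines are assumptions, and the sample list is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a PDL-style list into a pf
# table file and reload the <PDL> table. Assumed pf.conf lines:
#   table <PDL> persist file "/etc/pf/pdl.txt"
#   block drop in log quick proto tcp from <PDL> to any port smtp
set -eu

# Constructed sample in the layout the post describes: the first field is an
# IPv4 address or CIDR block, the rest is free text. Documentation ranges only.
sample_list() {
    cat <<'EOF'
# comment lines and blank lines are ignored

192.0.2.0/24     example-isp dial-up pool
198.51.100.7     example-cable single host
203.0.113.0/26   example-dsl pool
256.1.1.1/24     bad octet, must be rejected
203.0.113.0/33   bad prefix length, must be rejected
not-an-address   free text, must be rejected
EOF
}

# extract_cidrs [FILE] - print the first field of each entry, keeping only
# syntactically valid IPv4 addresses / CIDR blocks, so that one bad line in a
# downloaded list cannot make the table reload fail halfway through.
extract_cidrs() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            entry = $1
            if (entry !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) next
            n = split(entry, p, "[./]")          # p[1..4] octets, p[5] prefix
            if (p[1] > 255 || p[2] > 255 || p[3] > 255 || p[4] > 255) next
            if (n == 5 && p[5] > 32) next
            print entry
        }' "$@"
}

# build_table_file LIST OUT - write the cleaned entries to OUT, print the count
build_table_file() {
    extract_cidrs "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# reload_pdl_table FILE - atomically replace the running <PDL> table (needs root)
reload_pdl_table() {
    pfctl -t PDL -T replace -f "$1"
}
```

Run as `build_table_file downloaded.txt /etc/pf/pdl.txt && reload_pdl_table /etc/pf/pdl.txt`; `pfctl -T replace` swaps the whole table in one step, so the rule keeps matching on the old entries until the new file is in place.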