Black List check order (Kerio User Forums » Kerio Connect)
kbrill

Messages: 4
Karma: 0
Maybe I'm missing something here but if I look at my logs I see hundreds of messages that say that the sending address has been found on one black list or another (and this is great), but nearly 100% of those messages are sent to non-existent accounts on my server. Would it not make more sense to check to see if the user exists and then if they do, check the black list? That would cut my traffic down considerably I would think.

But then I'm not sure it really matters. Any thoughts?
sedell

Messages: 1168
Karma: 1
The advantage to checking the blacklist first is that the message gets rejected on the grounds that the IP is blacklisted, rather than the user doesn't exist. If you did it the other way around, you could have blacklisted IPs harvesting your e-mail addresses, even though they're known to be abusive servers.

Scott
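To make the point concrete, here is an added simulation (not Kerio code, not from any poster) of what a client sees at RCPT TO under each check order. The listed IP, the local account list and the candidate dictionary are constructed for the script; the reply texts are plausible SMTP replies, not Kerio's actual wording. A probing client compares each reply against the reply for an address that certainly does not exist: any candidate that gets a different reply is a confirmed mailbox.

```python
"""Simulation of the two check orders discussed above.

Added example, not Kerio code. The DNSBL verdicts and the account list are
constructed here so the script runs offline; an MTA would replace them with
real DNSBL lookups and a real mailbox check.
"""

# Constructed data: one client IP that a DNSBL lists, and the local mailboxes.
LISTED_IPS = {"198.51.100.23"}
LOCAL_DOMAIN = "example.com"
LOCAL_USERS = {"kbrill", "scott"}

# Constructed reply strings (plausible SMTP replies, not Kerio's wording).
REPLY_BLOCKED = "554 5.7.1 Service unavailable; client host is listed on a DNSBL"
REPLY_UNKNOWN = "550 5.1.1 Recipient address rejected: user unknown"
REPLY_OK = "250 2.1.5 Recipient OK"


def rcpt_reply(client_ip: str, rcpt: str, blacklist_first: bool) -> str:
    """SMTP reply to RCPT TO:<rcpt> from client_ip under the chosen check order.

    blacklist_first=True : the DNSBL verdict is applied before the mailbox is
                           looked at (the order defended in the thread).
    blacklist_first=False: the mailbox is checked first and the DNSBL only for
                           real users (the order the original poster asked about).
    """
    local, _, domain = rcpt.partition("@")
    user_exists = domain.lower() == LOCAL_DOMAIN and local.lower() in LOCAL_USERS
    listed = client_ip in LISTED_IPS

    # Each entry is (this check rejects?, reply to send); order decides the leak.
    checks = [(listed, REPLY_BLOCKED), (not user_exists, REPLY_UNKNOWN)]
    if not blacklist_first:
        checks.reverse()
    for rejects, reply in checks:
        if rejects:
            return reply
    return REPLY_OK


def confirmed_addresses(client_ip: str, candidates, blacklist_first: bool):
    """What a probing client learns from reply codes alone.

    Every candidate whose reply differs from the reply for a certainly
    non-existent address is a confirmed mailbox. Returns them sorted.
    """
    baseline = rcpt_reply(client_ip, "definitely-not-a-user@" + LOCAL_DOMAIN,
                          blacklist_first)
    return sorted(c for c in candidates
                  if rcpt_reply(client_ip, c, blacklist_first) != baseline)


# Constructed dictionary a harvester might walk through.
CANDIDATES = ["a@example.com", "aa@example.com", "kbrill@example.com",
              "ab@example.com", "scott@example.com"]

if __name__ == "__main__":
    for order in (True, False):
        label = "blacklist first" if order else "user check first"
        print(label, "->", confirmed_addresses("198.51.100.23", CANDIDATES, order))
```

With the blacklist checked first the listed client gets the same 554 for every recipient and learns nothing; with the user check first it gets 550 for unknown users and 554 for real ones, which is exactly the distinction a harvester needs.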
kbrill

Messages: 4
Karma: 0
I can sort of see that, but wouldn't the message be rejected anyway (as there is no user by that name) without needing to send several IP requests to remote blacklist servers?

[edit]
I think I see now, you mean that the remote (possibly abusive) server would know that the email is invalid?

[Updated on: Mon, 06 November 2006 23:18]

sedell

Messages: 1168
Karma: 1
Right. At least this way, they don't know whether the e-mail address is good or not.

Scott
kbrill

Messages: 4
Karma: 0
But when you weigh that against 1367 (the number of rejected email attempts stopped by blacklists yesterday from my server) outgoing requests, is it really worth it? I don't really know how much traffic that really is but it seems like a lot. And if they should happen to get a correct email address then the blacklist would stop delivery anyway so I still don't see really why blacklists aren't checked last instead of first.

So at best they might get to find out that clownfacemagoo@myemail.com doesn't exist but that just takes one entry off of a billion entry list. But as it stands now my server generates up to 4 outgoing requests for every piece of mail that comes in. There has to be a way to cut that down a bit. And again I really don't know if this traffic amounts to enough to worry about anyway....but..
Nixs

Messages: 159
Karma: 0
My front facing MTA does that. It checks the FROM before the blocklist. I don't like it.

What I see is that these blocklisted servers will start sending my front facing mail server tens of thousands of connections, doing rcpt to:<a@domain.com> then <aa@domain.com> then <ab@domain.com> until they try every address they are programmed to.

Some are smart enough to do one connection at a time so the anti-bombing rule doesn't kick in. Some are not. At the end, they /could/ have my entire address list (I have other measures in place -- they actually end up with honey pot addresses in my case.)

Future e-mailings from the harvest never come from this host doing the harvest. They come mostly from zombie networks.

So, imo, I'd do the blocklist lookup first. When the spammers realize that they can harvest your server, the word gets out. That takes a lot more utilization than the DNS lookups, which are next to nothing for 2000 e-mails a day.
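The walk Nixs describes (rcpt to a, then aa, then ab, one connection at a time so a rate rule never fires) is easy to spot in the logs after the fact, because the pattern is in the order of the recipients rather than the rate. The following is an added detection example, not Kerio code and not Nixs's setup: the log lines and their format are constructed for the script (adapt LINE_RE to the real MTA's log layout), the honeypot address is a placeholder, and a 550 is taken to mean "user unknown" in this constructed format. It flags a client either for hitting a honeypot address at all or for a run of unknown-user rejections whose local parts arrive in ascending order.

```python
"""Spotting a recipient-dictionary walk in mail logs.

Added example, not Kerio code. SAMPLE_LOG and its line format are constructed
for this script; HONEYPOT_ADDRESSES is a placeholder for addresses that exist
only to catch harvesters.
"""
import re
from collections import defaultdict

# Constructed log format: "<date> <time> client=<ip> rcpt=<addr> reply=<code>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> reply=(?P<code>\d{3})$"
)

# Constructed: addresses that are never handed out, so any RCPT to them is a tell.
HONEYPOT_ADDRESSES = {"trap-x1@example.com"}

# Constructed sample: one host walking a, aa, ab, ... about 25 s apart (one
# connection at a time), one legitimate sender with a typo, one honeypot hit.
SAMPLE_LOG = """\
2006-11-06 23:18:01 client=198.51.100.23 rcpt=<a@example.com> reply=550
2006-11-06 23:18:27 client=198.51.100.23 rcpt=<aa@example.com> reply=550
2006-11-06 23:18:53 client=198.51.100.23 rcpt=<ab@example.com> reply=550
2006-11-06 23:19:19 client=198.51.100.23 rcpt=<ac@example.com> reply=550
2006-11-06 23:19:45 client=198.51.100.23 rcpt=<ad@example.com> reply=550
2006-11-06 23:20:11 client=198.51.100.23 rcpt=<ae@example.com> reply=550
2006-11-06 23:20:30 client=203.0.113.7 rcpt=<kbrill@example.com> reply=250
2006-11-06 23:20:31 client=203.0.113.7 rcpt=<kbril@example.com> reply=550
2006-11-06 23:21:02 client=192.0.2.9 rcpt=<trap-x1@example.com> reply=250
"""


def parse_log(text):
    """Yield (client_ip, recipient, reply_code) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("rcpt").lower(), m.group("code")


def detect_harvesters(log_text, min_unknown=5, min_ordered_fraction=0.8):
    """Return {client_ip: reason} for clients that look like address harvesters.

    "honeypot":   any RCPT to a honeypot address, regardless of count.
    "dictionary": at least min_unknown unknown-user rejections (550 here) and
                  at least min_ordered_fraction of consecutive local parts in
                  ascending order, i.e. a, aa, ab, ac, ...
    """
    unknown_locals = defaultdict(list)
    honeypot_hits = set()
    for ip, rcpt, code in parse_log(log_text):
        if rcpt in HONEYPOT_ADDRESSES:
            honeypot_hits.add(ip)
        if code == "550":
            unknown_locals[ip].append(rcpt.partition("@")[0])

    flagged = {ip: "honeypot" for ip in honeypot_hits}
    for ip, locals_ in unknown_locals.items():
        if ip in flagged or len(locals_) < max(min_unknown, 2):
            continue
        pairs = list(zip(locals_, locals_[1:]))
        ascending = sum(1 for a, b in pairs if a < b)
        if ascending / len(pairs) >= min_ordered_fraction:
            flagged[ip] = "dictionary"
    return flagged


if __name__ == "__main__":
    for ip, reason in sorted(detect_harvesters(SAMPLE_LOG).items()):
        print(f"{ip}: {reason}")
```

The ordering test is what catches the patient harvester: six unknown recipients spread over several minutes would pass a per-minute connection limit, but six unknown local parts that are strictly ascending is not how real senders mistype addresses.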

kbrill

Messages: 4
Karma: 0
OK, I'll grant that e-mail fishing happens, but with the 25 second SMTP greeting delay (if they actually wrote their tool to be that patient, most would not (my assumption)) and only allowing 2 connections per IP address, an abusive server could send as many as 6912 requests a day (2 every 25 seconds). I would think a server just a little bigger than my little 25-user one would/could be sending out thousands or tens of thousands of requests per day for blacklist support.

I tried to figure out how many iterations it would take to get to "kbrill" if you started from 'a' and then 'aa' and so on, I failed. Without knowing the length of the name involved the numbers are astronomical. Even if you know you were looking for a 6 character name it would be 1 million (I think).

Or... if it is that I am just wrong here, couldn't another answer be some sort of local cache? Maybe a 1 or 2 day cache that keeps positive e-mail spammers locally, as I get the same ones over and over again. Then if they are a spammer, I only have to check every day or two instead of every message. Then after that day or two it would drop off the list in case they were delisted for some reason.
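The cache the poster suggests is straightforward to build on top of the DNSBL query itself, and it is the one place where the "4 outgoing requests per message" cost can actually be cut. What follows is an added example, not Kerio code and not a description of how Kerio caches: the four zone names are placeholders (real DNSBL zones would go there), and `fake_resolve` is a constructed stand-in for a DNS A lookup so the script runs offline. The query-name construction (reversed octets, or reversed nibbles for IPv6, followed by the zone) is the standard DNSBL convention. Two design choices are worth noting: zones are queried in order and the first hit stops further lookups, and listed hosts are cached for longer than clean ones, with the caveat from the thread that a long positive TTL keeps a delisted host blocked until the entry expires.

```python
"""DNSBL query construction plus a local verdict cache.

Added example, not Kerio code. ZONES are placeholder names and fake_resolve is
a constructed resolver; in production `resolve` would perform a real DNS A
lookup against the DNSBL zones in use.
"""
import ipaddress
import time

# Constructed zone names (placeholders, not real DNSBLs).
ZONES = ["bl1.example.invalid", "bl2.example.invalid",
         "bl3.example.invalid", "bl4.example.invalid"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address the way DNSBLs expect (octets for IPv4, nibbles for
    IPv6) and append the zone, e.g. 23.100.51.198.bl1.example.invalid."""
    rp = ipaddress.ip_address(ip).reverse_pointer   # 23.100.51.198.in-addr.arpa
    reversed_addr = rp.rsplit(".", 2)[0]            # drop in-addr.arpa / ip6.arpa
    return f"{reversed_addr}.{zone}"


class DnsblCache:
    """Remember per-IP verdicts so a repeat offender costs no further lookups.

    Listed IPs are kept for positive_ttl seconds (the 1 or 2 days suggested in
    the thread would be 86400 or 172800). A host that gets delisted stays
    blocked until that expires, so keep it modest. Clean IPs are kept for a
    shorter negative_ttl so a newly listed host is caught soon.
    """

    def __init__(self, positive_ttl=86400, negative_ttl=3600):
        self.positive_ttl = positive_ttl
        self.negative_ttl = negative_ttl
        self._entries = {}  # ip -> (expires_at, zone_that_listed_it or None)

    def lookup(self, ip, now):
        """Return (verdict, True) on a live cache entry, (None, False) otherwise."""
        entry = self._entries.get(ip)
        if entry and now < entry[0]:
            return entry[1], True
        return None, False

    def store(self, ip, verdict, now):
        ttl = self.positive_ttl if verdict else self.negative_ttl
        self._entries[ip] = (now + ttl, verdict)


def check_client(ip, resolve, cache, zones=ZONES, now=None):
    """Return (zone_that_listed_ip_or_None, dns_lookups_made).

    Zones are queried in order and the first hit short-circuits, so a listed
    client costs at most len(zones) lookups once, then zero until the cache
    entry expires; a clean client costs len(zones) lookups per negative_ttl.
    """
    now = time.time() if now is None else now
    verdict, hit = cache.lookup(ip, now)
    if hit:
        return verdict, 0
    lookups = 0
    verdict = None
    for zone in zones:
        lookups += 1
        if resolve(dnsbl_query_name(ip, zone)) is not None:
            verdict = zone
            break
    cache.store(ip, verdict, now)
    return verdict, lookups


# Constructed resolver: exactly one query name "exists", i.e. one IP is listed
# in the second placeholder zone. A real DNSBL answers 127.0.0.x for a listing.
FAKE_ANSWERS = {"23.100.51.198.bl2.example.invalid": "127.0.0.2"}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    cache = DnsblCache()
    for t in (0, 10, 86401):
        print(t, check_client("198.51.100.23", fake_resolve, cache, now=t))
```

Run against the constructed resolver, the listed host costs two lookups the first time (first zone misses, second hits), zero on the next message, and two again once the positive TTL has passed; a clean host costs all four lookups and is then free for an hour.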