[Dshield] Where should you start - I'll wrap it myself

Carboni, Chris ccarboni at azerty.com
Thu Apr 8 12:59:09 GMT 2004


The answer depends on your business situation and your budget.

Having an external load balanced mail gateway that proxies mail to your
internal servers (never a bad idea), and beefy(er) server(s) filtering spam
in front of your internal MTA are solutions that are fairly easy to
implement, scalable, and not extremely costly.

I've seen 2 firewalls load balanced via round robin DNS proxy mail to an
internal Red Hat 8 server running Sendmail, Mail Scanner and Spam Assassin
on a single processor server with 256MB easily handle upwards of 60,000
messages per day.

If you've got budget or not losing e-mail is important for your organization
and users, take that (2 way or more) load balanced gateway and send the mail
to a spam filtering cluster.  

I've got to agree that IMO blacklists in general and other external 'spam
verification' services such as Razor or Pyzor can be problematic and less
than completely reliable.

I've seen external services become unavailable and greatly slow down the
delivery of mail in a given day, and high(er) amounts of false positives
when compared to what can implemented in-house.  

Yeah, it takes some time to tweak your ruleset or whatever verification
mechanism you're using to identify and manage spam on a completely in house
solution, but the fact that I'm not giving up control of a single piece of
mail and that I can go look and see exactly what was blocked is important to
my organization.

That said, down here at Sans2004, a fiend of mine hosted a discussion on
e-mail, with an emphasis on spam and virus filtering techniques.

The room was fairly evenly divided between those who used (and loved) RBLs,
and those who didn't.

It's all about what's important in your situation. 


-Chris 
> -----Original Message-----
> From: Doug White [mailto:doug at clickdoug.com]
> Sent: Wednesday, April 07, 2004 11:54 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Where should you start - I'll wrap it myself
> 
> 
> 
> 
> : :
> : Um, no. The Dshield mailing list (this list), the Snort mailing list,
> : and many others have been blacklisted in the past by Spamcop. Obviously
> : this speaks to poor sanity checking.
> :
> :
> 
> And you won't blame the clueless user who erroneously reported this list,
> huh,
> but you blame the system.
> 
> What, may I ask is your solution?  Just allow the spew to tie up your
> resources?
> 
> Many hundreds of thousands of servers are possibly vulnerable to malicious
> users.  I suppose I am too!
> 
> _______________________________________________
> list mailing list
> list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list



More information about the list mailing list