I remember when I first setup my mail servers, a client forwarded me a rejected message. I contacted the systems administrator about it – it was a mismatched reverse DNS record and the host name of the mail server. I requested a bypass, and the sysadmin was polite, but incredibly firm that there was no way it was going to happen.

That made an impact, and since then, I’ve been quite serious and detailed about how all our email networks are setup.

Therefore, I support your position. Though my documentation is a bit sloppy, I’ve written up a lot of my spam prevention strategies here:

http://www.docunext.com/blog/2006/12/13/postfix-uce-spam-settings-page-1/

I guess McColo proved that was the case for most of the growth in spam in the last year. I have two servers, with similar numbers of domains pointed at them, one rejects twice as many emails a day as the other.

The utility of email is probably more threatened by badly done spam solutions. A good blacklist, a decent MTA, and greylisting will kill the bulk of spam (with little risk of error), and a Bayes filter in your email client will kill most of the rest (with some risk of error).

I’m more worried that as spam filtering gets better the bad guys will switch botnets to other roles.

I get more grief from our users about SPF stopping genuine email (and we don’t use SPF), and Hotmail deleting genuine emails, than I do about spam that gets through.

Qmail is anti-social in that it will bounce spam to non-existent addresses.

SPF is good for protecting the reputation of the sender and protecting against joe-jobs. But any spammer can register a domain like peypel.com, put in a valid SPF record and start sending out SPF compliant mail.

DKIM (the successor to DomainKeys) is similar in benefits to SPF but uses cryptographic signing instead of a list of valid sender addresses.

Helmut: Yesterday my mail server rejected 8335 messages, that’s 5.8 per minute. While there are some other accounts in my domain, the vast majority of spam is targeted at me personally.

Regarding the whois list, I have idly considered configuring my mail server to use the whois list for all top level domains other than .au, .de, and any others in a similar situation.

In any case is is good to hear that you don’t use whois based block lists (they block the de first level domain among others) (reponse to your last entry on this topic), so it looks like at least my server would be “enough” compliant to work with yours. %-)

Helmut

We’re all fucked, and I have no idea what the answer is*

–jj

*I have some ideas, but none of them are _the_ answer. And they all suck. I’d make SPF work, but it’s hard to make work right with upstream. Domainkeys requires MTA patching that is a pain for qmail. changing MTA’s is also a pain. etc. Killing the spammers is neither violent enough nor painful enough.