LinuxQuestions.org
Old 08-05-2009, 11:28 PM   #1
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Lubuntu, Slackware
Posts: 575

Rep: Reputation: 64
Kill a domain because of spam?


Nine years ago, I registered a domain for business purposes. I hosted it myself, it was all mine, so I also made a few personal addresses/mailboxes and used them all over the Web. Forums, lists, social networks, that kind of stuff.

The best part of creating my own addresses was dodging spam. Whenever one address became a frequent target, I would kill that mailbox and create a new one in seconds. I would sometimes go through a bit of a hassle changing my registration address at places, but no big deal really.

Today, I discovered that my domain is receiving an average of 10,000 messages a day. I get a lot of mail, but it's a personal domain. It's for my business, but I am self-employed; I am the only one using it. I must get about 50 to 100 legitimate messages a day; everything else is spam. Not only do the old, abandoned addresses get spam, there are plenty of messages sent to random strings like fdrbvhxc@domain.com. You know how that is. My anti-spam filter is awesome, I have no complaints, but I wonder how much stress 10,000 daily messages could be causing to my server.

So I have been thinking about killing that domain. Not the site, just the mail part. Completely remove that domain from the MTA's configuration and register a new one, then send out notifications to everyone I know that my address has changed. But then I don't know which is worse: have the MTA receive and a program/script parse and filter 10,000 messages a day or have the MTA bounce 10,000 messages a day.

Giving up the "brand" name associated with the domain in my email address is sad, but no big deal to me. I can deal with it. I am more worried about server performance. What do you folks think?

TIA
 
Old 08-06-2009, 02:17 AM   #2
settntrenz
Member
 
Registered: Aug 2009
Location: Orlando, Florida
Distribution: RHEL, Ubuntu
Posts: 49

Rep: Reputation: 19
It will depend on your choice for mitigating the spam. If you correctly configure your mail server, you should be able to drastically reduce the amount of processing needed to handle your mail. For instance, if you use low-cost methods for dropping connections, like null routing known spam ranges and using RBLs like Spamhaus or NJABL, the connections will be dropped before the server has to do too much work. You could even rate limit incoming mail traffic. If you accept all the mail and then scan for both spam content and virus signatures, your server will be doing a lot of work. If this type of configuration is above your skill level, you could use a middle-man style service that filters mail before it hits your server.
 
1 members found this post helpful.
Old 08-06-2009, 07:46 AM   #3
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
The key here is having your MTA drop the connection to known bad addresses, etc. For instance, we have Postfix running here, and in addition to using RBLs it drops mail for any email address not on a specified list: no NDR, no real processing power, just "oh, I won't take mail for this person, so bye-bye".
 
Old 08-06-2009, 09:26 AM   #4
Suncoast
Member
 
Registered: Apr 2009
Location: Largo, Florida
Distribution: Slackware
Posts: 202

Rep: Reputation: 35
Quote:
Originally Posted by settntrenz View Post
For instance, if you use low cost methods for dropping connections like null routing known spam ranges
I was able to dramatically drop spam levels from this alone. I also took it one step further by completely blocking large IP ranges from certain countries like N. Korea and Nigeria.

I still see daily attempts to send mail to users that were deleted from my system over 10 years ago. And that same domain's MTA was down for over a year in 2003/4. When I brought the domain back up, the spam returned immediately.

I think the real problem is not processing power, but how much load it's putting on your WAN.
 
Old 08-06-2009, 12:18 PM   #5
settntrenz
Member
 
Registered: Aug 2009
Location: Orlando, Florida
Distribution: RHEL, Ubuntu
Posts: 49

Rep: Reputation: 19
Quote:
Originally Posted by Suncoast View Post
I think the real problem is not processing power, but how much load it's putting on your WAN.
Very true. Especially if you are hosting that mail server at a home or office via T1 or the like. In that scenario you probably have no choice but to use an MX filter service that operates out of a data center with lots of cheap bandwidth.
 
Old 08-06-2009, 05:47 PM   #6
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Lubuntu, Slackware
Posts: 575

Original Poster
Rep: Reputation: 64
Thank you for all the comments so far. However, I have a few objections to pose:

settntrenz, I will never go with RBLs or anything like that. That's vigilantism and I do not support that. Once my domain was included in one of those lists and I couldn't send mail to one of my clients. Have you ever TRIED to get your name out of those lists? Have you ever had the displeasure of dealing with those people? "Arrogant" would be an understatement. They actually think they own the Internet and will remove your right to send mail from your own domain and won't listen to complaints. The same happened to two discussion list mates I have come across over these years. You think nothing of blocking blacklisted IPs until you suddenly find yourself at the other end of the barrel.

This comment also applies to Suncoast. I will never block entire IP ranges roughshod like that. Not everyone in Nigeria or North Korea is a scammer. I don't care about the statistics, I am not going to punish an entire nation for the wrongdoings of a few. I know my attitude is outdated, even considered naive, but I've had my own domain and hosting for years exactly because I don't agree with many such "numbers-only" measures that have become so common. I care about minorities, I care about individuals, EVERYONE should be able to reach my mailbox.

The load on my WAN is no big deal. I have a VPS account with a monthly quota of bandwidth and so far I have been using about 10 or 20% of it every month. I have plenty of bandwidth. What I don't have is plenty of memory and CPU. That is stringent, hence my question about whether to kill the domain or not. I really don't know what will demand more from the server: parsing and filtering or just bouncing 10,000 messages. That's my question.

scheidel21, I can't have the MTA drop connection to known bad addresses because I am using a catch-all scheme. That's how I create and kill those mailboxes so easily.

Last edited by lucmove; 08-06-2009 at 05:55 PM. Reason: typo
 
Old 08-06-2009, 06:03 PM   #7
forubu
LQ Newbie
 
Registered: Jul 2009
Location: Trondheim, Norway
Distribution: Ubuntu
Posts: 28

Rep: Reputation: 16
Then you might want to consider greylisting.
A lot of spammers try only once. That might reduce your spam by a significant number.

Just a thought.
 
Old 08-06-2009, 07:10 PM   #8
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Lubuntu, Slackware
Posts: 575

Original Poster
Rep: Reputation: 64
Greylisting still uses CPU. It's also parsing, isn't it?
 
Old 08-06-2009, 11:49 PM   #9
settntrenz
Member
 
Registered: Aug 2009
Location: Orlando, Florida
Distribution: RHEL, Ubuntu
Posts: 49

Rep: Reputation: 19
Quote:
Originally Posted by lucmove View Post
settntrenz, I will never go with RBLs or anything like that. That's vigilantism and I do not support that. Once my domain was included in one of those lists and I couldn't send mail to one of my clients. Have you ever TRIED to get your name out of those lists? Have you ever had the displeasure of dealing with those people? "Arrogant" would be an understatement. They actually think they own the Internet and will remove your right to send mail from your own domain and won't listen to complaints. The same happened to two discussion list mates I have come across over these years. You think nothing of blocking blacklisted IPs until you suddenly find yourself at the other end of the barrel.
I work for a hosting company, so yes, I am familiar with dealing with blacklists. Despite thorough background investigations of potential clients, we infrequently get a customer who slips by our scum-radar and spams with a dedicated server. We then have to clean up the mess they made of our IP space and reputation so we can re-issue the IP space to legitimate customers. I will agree that some RBL maintainers are arrogant or simply don't keep up with the list. My suggestion is not to use THOSE RBLs. NJABL is very fair about removals of blacklisted IPs. In fact, it's automated. If you can follow directions and fix whatever caused you to be blacklisted in the first place, your IP space will get removed. Also, RBL maintainers do not remove your right to send mail from your domain; the users of the RBL actually choose not to receive any mail you might try to send them. Keep in mind that this is all by willing participants who choose to use the RBLs. If you feel inclined not to implement black lists or null route IP space, that is entirely your decision. The beauty of maintaining your own server is that you get to make the decisions about who and what you accept. Either way, I hope everything works out for the best for you.

Cheers
 
Old 08-08-2009, 08:53 AM   #10
Suncoast
Member
 
Registered: Apr 2009
Location: Largo, Florida
Distribution: Slackware
Posts: 202

Rep: Reputation: 35
There is a big difference between a data center grade MTA server that has subscribers, and a SOHO MTA server that serves a small group of email addresses that are not expecting email from all over the world. I would never endorse blacklisting entire countries outside of a personal server or Corporate server setting where the decision to block has not been made at the executive level.

Last edited by Suncoast; 08-08-2009 at 08:55 AM.
 
Old 08-08-2009, 03:47 PM   #11
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Lubuntu, Slackware
Posts: 575

Original Poster
Rep: Reputation: 64
I am a translator. That's what I do. I expect email from all over the world.
 
Old 08-09-2009, 09:07 PM   #12
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora 16
Posts: 160

Rep: Reputation: 43
One blacklisting method you may want to consider is to reject connections from dial-up IP ranges. They SHOULD be sending their mail via their ISP services and a connection failure notice to that effect should point valid correspondents in the right direction. Bypassing the ISP's MTA usually implies SPAM, either directly or through infected 'bot machines.

If you still want to accept messages from anywhere, to any user name in your domain then I can only see your SPAM load increasing. Would a virtual hosting MTA configuration be possible to distinguish between valid and invalid user names and route valid ones to your central account? You could then reject all messages to the old, outdated addresses or use them as a honey-pot for learning SPAM signatures.

Just a thought,
--DaveG
 
Old 08-10-2009, 12:49 AM   #13
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Lubuntu, Slackware
Posts: 575

Original Poster
Rep: Reputation: 64
Distinguish between valid and invalid user names? My catch-all filter already does that. Old, invalid addresses are rejected. But that uses CPU.
 
Old 08-10-2009, 07:36 AM   #14
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian PPC/i386/AMD64 6/7, Vista, XP , WIN7, Server 03/08
Posts: 1,287

Rep: Reputation: 97
Well, why can't you move that filtering to the outside of your mail server and let them be rejected out of hand by the mail server, saving CPU cycles? But aside from that, if you are really concerned about CPU usage and resource usage, why don't you try ssh-ing to it and monitoring top for a while to see what the usage is? I would recommend something like Cacti, but it would eat up additional resources, and opening up SNMP on a machine on a VPS host like that could be a security issue. While I've come across numerous monitoring utilities for network utilization, I haven't had much need outside top for system utilization; perhaps someone here knows a decent solution to record system resource utilization over a given period so you can analyze it later.
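The approach scheidel21 describes in posts #3 and #14, applied to lucmove's catch-all setup, as an added Postfix example (not configuration from anyone in this thread; it assumes Postfix, and example.com, the local user catchall, the map file paths and the retired addresses are placeholders): retired aliases are refused at RCPT TO, before any message body is accepted or scanned, while every other local part still lands in the one mailbox.

```ini
# /etc/postfix/main.cf  (added example; example.com and paths are placeholders)

# Handle the domain as a virtual alias domain so that one catch-all
# entry can route every unknown local part to a single mailbox.
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual

# Per-recipient checks run at RCPT TO, before DATA. A REJECT here costs
# one SMTP response: no queue file is written and no content filter runs.
# Greylisting could be added in the same list with check_policy_service
# pointing at a policy daemon such as postgrey, if one is installed.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/retired_addresses,
    permit

# Per-client limits enforced by Postfix's anvil service: a client that
# opens too many connections or pushes too many messages per time unit
# is told to come back later instead of occupying the content scanner.
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 60

# /etc/postfix/retired_addresses  (build with: postmap /etc/postfix/retired_addresses)
# Each abandoned alias becomes a permanent 5xx rejection before DATA,
# so it never reaches the catch-all or the spam filter.
oldforum@example.com      REJECT Address retired
list2003@example.com      REJECT Address retired

# /etc/postfix/virtual  (build with: postmap /etc/postfix/virtual)
# Explicit addresses first; the bare @domain line is the catch-all that
# keeps "create a mailbox in seconds" working for everything not retired.
me@example.com            catchall
@example.com              catchall
```

After editing, run postmap on each map file and postfix reload; rejections appear in the mail log as NOQUEUE: reject lines, so counting those against accepted messages over a day shows how much of the 10,000 never reached the content filter.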
 