Fellow postmasters (so people running mail servers), would you agree that fully blocking the .best and .shop TLD is a good way to reduce spam?
-
Günter :mildpanic: replied to Jan Wildeboer :krulorange: last edited by
@jwildeboer curious: what stack do you use for hosting mail?
-
Ramon Fincken replied to Jan Wildeboer :krulorange: last edited by
@jwildeboer why not check IP ranges ?
-
Jan Wildeboer :krulorange: replied to Günter :mildpanic: last edited by
@lifeofguenter Nothing special. Dovecot and Postfix on a Linux box, with SPF, DKIM, DMARC configured and Crowdsec as firewall. See my blog series starting at https://jan.wildeboer.net/2022/08/Email-0-The-Journey-2022/ for more details
-
Jan Wildeboer :krulorange: replied to Ramon Fincken last edited by
@ramonfincken I also do that. Typically waves coming from a /24 that I block after some checks (99% of spam trying to get to my server is IPv4, only a very few IPv6 thus far), but I also note that .shop and .best seem to be correlated quite heavily (100% with only sending spam to my server).
-
Ramon Fincken replied to Jan Wildeboer :krulorange: last edited by
@jwildeboer hmm
issue is that what you experience ... can be "local" based on your customer domains and/or geo location
-
Jan Wildeboer :krulorange: replied to Ramon Fincken last edited by
@ramonfincken It definitely is. And that's why I'm reaching out to more postmasters and see what they think
-
MarjorieR replied to Jan Wildeboer :krulorange: last edited by
@jwildeboer no doubt they are mostly spam, however as a small family email server I'm not seeing any emails from either TLD, so for me not worth screening out.
At the moment I'm rejecting about 16% (737), including 4.7.1 try again later, of the 3861 messages received over a 4 week period. Only about 2% (25) ended up in my users' spam folders.
What is more annoying is the 9396 smtpd warnings (authentication failures or DNS fails through fail2ban blocks). Seems lots of spammers are trying to guess my user passwords and get a relay.
-
Jan Wildeboer :krulorange: replied to MarjorieR last edited by
@marjolica Yep. AFAICS these are mostly (windows) botnets that are sending exactly one password guess per IP in a timeframe of around 6-14 days before they try again. By spreading out these tries across many IP addresses, they hope to stay under the detection radar. I block them after the first try for a year. So far some 40000 IPv4 addresses.
-
Jan Wildeboer :krulorange: replied to Jan Wildeboer :krulorange: last edited by
@marjolica And wrt .shop and .best, I see around 5-20 spam mails/day from them (well, trying to send spam, as I block them) from a small set of IP blocks, from countries like USA, Romania, China, the Netherlands and Germany. Mostly rather small hosting companies.
-
Grumpy Old Techie replied to Jan Wildeboer :krulorange: last edited by
@jwildeboer I kind of retired from running mail servers. I mostly ran servers for orgs with between 50 and 200 users. False positives were always worse than false negatives. I tended to not block TLDs or countries because some user always wanted mail from them.
I used postfix's postscreen weighted RBLs feature to block spam. With a bit of tuning and the right selection of lists I managed to get rid of most spam. At some places I also ran spamassassin via mimedefang.
-
Jan Wildeboer :krulorange: replied to Grumpy Old Techie last edited by
@grumpyoldtechie Yes, I also have two RBLs enabled, though they don't catch much. Far more successful is that I do a reverse dns lookup on every connecting IP. No hostname, no connection. This lets me focus on the few that make it through and there I notice a significant uptick in .shop and .best in the past few weeks, hence my poll.
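Ramon's point that the .shop/.best correlation may be "local" suggests checking your own logs before adding a TLD block. The following is an added example, not code from the thread or any poster: it tallies accepted versus rejected senders per TLD from Postfix log lines (the sample lines are constructed, including a 450 4.7.25 reverse-hostname reject of the kind Jan's "no hostname, no connection" rule produces) and applies a volume-plus-ratio rule that a postmaster could tune.

```python
import re
from collections import defaultdict

# Constructed sample Postfix log lines (not from the thread): qmgr "(queue active)"
# lines mark accepted messages, "NOQUEUE: reject:" lines mark refused ones.
SAMPLE_LOG = """\
Jan 10 09:01:02 mx postfix/qmgr[1201]: 4A1B2C3D4E: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Jan 10 09:02:11 mx postfix/smtpd[1310]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.10]; from=<promo@deals.shop> to=<jan@example.net> proto=ESMTP helo=<mail.deals.shop>
Jan 10 09:03:45 mx postfix/smtpd[1311]: NOQUEUE: reject: RCPT from mail.offers.best[198.51.100.7]: 554 5.7.1 <win@offers.best>: Sender address rejected: listed; from=<win@offers.best> to=<jan@example.net> proto=ESMTP helo=<mail.offers.best>
Jan 10 09:05:00 mx postfix/qmgr[1201]: 5B2C3D4E5F: from=<shop@legit-store.shop>, size=9000, nrcpt=1 (queue active)
Jan 10 09:06:30 mx postfix/smtpd[1312]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.11]; from=<news@cheap.shop> to=<jan@example.net> proto=ESMTP helo=<x>
"""

SENDER_RE = re.compile(r"from=<([^>]*)>")  # envelope sender, both line types


def tld_of(address):
    """Lowercased TLD of an envelope sender, or None for the null sender <>."""
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].rstrip(".").lower()
    return domain.rsplit(".", 1)[-1] if domain else None


def tally_by_tld(log_text):
    """Count accepted vs. rejected envelope senders per TLD.

    Note: qmgr lines also cover mail this server sends out, so on a real
    log you would filter for inbound traffic first."""
    counts = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        m = SENDER_RE.search(line)
        tld = tld_of(m.group(1)) if m else None
        if tld is None:
            continue
        if "postfix/qmgr" in line and "(queue active)" in line:
            counts[tld]["accepted"] += 1
        elif "NOQUEUE: reject:" in line:
            counts[tld]["rejected"] += 1
    return dict(counts)


def reject_ratio(counts, tld):
    """Fraction of a TLD's senders that were rejected; None if unseen."""
    c = counts.get(tld, {"accepted": 0, "rejected": 0})
    total = c["accepted"] + c["rejected"]
    return c["rejected"] / total if total else None


def worth_blocking(counts, tld, min_rejected=10, min_ratio=0.99):
    """Only block a TLD with real volume and (almost) no accepted mail,
    so one legitimate correspondent is enough to veto the block."""
    c = counts.get(tld)
    if not c or c["rejected"] < min_rejected:
        return False
    return reject_ratio(counts, tld) >= min_ratio
```

On the sample, .best is rejected 100% of the time while .shop has one accepted message among three, so only .best passes the rule; the thresholds are assumptions to adjust per site.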