Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Karsten M. Self
Mon Feb 9 14:28:34 PST 2004

on Mon, Feb 09, 2004 at 05:14:40PM -0500, Gerald Oskoboiny ( wrote:

> How do you easily discard spam at SMTP time in the MTA, without
> false positives?

Simple.  Very, very simple.

You don't.

You _do_ attempt to minimize false positives, if that's a value to you.
Or you don't, if you're using something like SPEWS and country-wide
blacklists (Korea, China, Brazil, Nigeria...).

What you _do_ get, with an SMTP-time reject, is a clear, evident,
immediate failure notification to legitimate senders who are blocked:

    Your mail wasn't delivered.  It triggered our spam blocking
    filters.  For some reason specified to a greater or lesser extent.
    Out-of-band contact information provided (or not).

The legitimate sender(s) can then opt to contact you, or not.  Which, of
course, breaks some stuff.  But the status quo breaks a hell of a lot of

On NANAE, there's been recent discussion of Chinese business and
government contacts handing out business cards.  With Hotmail accounts.
Yeah, that's right.  Hotmail's handling corporate and government traffic
out of China, because China's own email is sufficiently firewalled as to
be unreliable.  Them's the breaks.

> (maybe contact me off-list; I think that knowledge is currently
> worth a few billion dollars)

You can't prevent errors (fail-proof).

You *can* make errors evident, and offer an alternative (fail-safe).

In an environment in which the do-nothing alternative already breaks --
your users can't sort through spam, trigger viruses, lose legitimate
mail; your mailservers can't handle the load -- then the alternative of
taking some really wicked swipes at the problem is preferred.  Look at
my recently posted spam-by-ASN plots.  I can kill 25% of my spam, cold,
by blocking several major networks from which I personally see zero
legitmate traffice, to an arbitrary number of nines.  By several, I mean
six to ten.  That's a really cheap first cut at the problem.

> I agree that it's better to discard viruses that you can identify
> reliably, but that still makes me uncomfortable.

Life makes me uncomfortable.  What do you suggest?


Karsten M. Self <>
 What Part of "Gestalt" don't you understand?
   Verio webhosting?  Guaranteed downtime:,1283,57011,00.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : 

More information about the linux-elitists mailing list