SPAM rejection query (server related)

I filter out spam on my server. The way it works is that I have a dynamic whitelist and a blacklist and the 'RCPT TO' command is used to check incoming mail. Up till recently anything that was blacklisted was just redirected to the 'no-one' mailbox (ie; downloaded but discarded). I decided that was wasting my bandwidth so have switched to rejecting those messages.

I was wondering if anyone thought it was a better or worse strategy? For email clients it's best to do nothing so as to avoid confirming that an address is valid but given this is a server there seems little merit in that argument. Obviously if the spammer gets as far as 'RCPT TO' they know they have found a server so there seems no point trying to hide the fact.

Thoughts?

Edited by Andrue (Fri 07-Sep-12 08:44:30)

Well, not knowing what server you're using but why not set up another account on the server and have the mail delivered to that. Then just have the server periodically purge that accounts mailbox?

In reply to a post by Gandalf:

Well, not knowing what server you're using but why not set up another account on the server and have the mail delivered to that. Then just have the server periodically purge that accounts mailbox?

That misses the point. The previous system downloaded the emails into a black hole. As far as the users are concerned that's fine. They never want to read them anyway. The purpose of this change is to not download them in the first place thereby saving some bandwidth. It might also reduce overall traffic although I suspect the spammers will just generate new random names as the old ones get rejected.

I just have this nagging feeling that responding to the spammer with 'Yeah, got that thanks' might be better than 'Get lost, I'm not delivering that'. It's a bit like dealing with insults is it better to ignore them and not let on or should you stand up to the deliverer and make it clear you'r annoyed?

I don't think it makes any odds either way. Using exim I reject at SMTP time to avoid having to use bandwidth up just to receive something that's going straight to a blackhole anyway.

So what if the spammers then start generating further random names? Those simply get rejected as well. The only possible side-effect is a few extra lines in a log file - although the alternative receive and blackhole option probably generates a similar amount of logging.

Just out of interest what is your whitelist / blacklist setup for?

Edited by deleted (Fri 07-Sep-12 16:23:19)

In reply to a post by GeeTee:

I don't think it makes any odds either way. Using exim I reject at SMTP time to avoid having to use bandwidth up just to receive something that's going straight to a blackhole anyway.

So what if the spammers then start generating further random names? Those simply get rejected as well. The only possible side-effect is a few extra lines in a log file - although the alternative receive and blackhole option probably generates a similar amount of logging.

Just out of interest what is your whitelist / blacklist setup for?

I'd just reject. You could also add a firewall rule to drop packets if you received more than a certain amount from a single ip address, to stop a spammer just trying several addresses.

In reply to a post by GeeTee:

Just out of interest what is your whitelist / blacklist setup for?

Every contact gets a unique address courtesy of the whitelist (which is actually a wildcard alias so no 'list' as such to maintain). The blacklist contains those addresses that have sent spam.

It's a system that has meant we almost never get any spam but don't need spam filter software.

One thing I noticed last night that amused me - one of the rejections is because someone has mis-spelt one of the addresses. At present the specific blacklist entry redirects to no-one but the the misspelling is rejected because it doesn't match the wildcard. It suggests somewhere in the spam chain someone is copying lists by hand