From: Terry Carmen (terry cnysupport.com)
Date: Thu May 01 2008 - 08:37:48 CDT
M. Fioretti wrote:
> Exactly. From all Terry has said so far, it really sounds like:
>
> a) he continues to believe, or at least market to his client, the idea
> that "only accepting connections from **systems** inside the
> geographic area they service" is **equal** to "only accepting
> connections from **REAL** customers or potential customers who LIVE
> AND WORK "inside the geographic area they service""
>
OK. I was trying to be brief, but you guys just won't let this drop.

The customer, not me, selects which countries they wish to accept mail
from. I explained that the IP allocation lists were close, but not
perfect and that they will need to whitelist and blacklist various CIDR
blocks that are incorrectly allocated.

And I gave them a configuration application to do it from.

The countries that are blocked are by their choice, not mine and if
they're unhappy with the results, it only takes a click of a button to
turn it back on.

> Final note to Terry: if your clients are happy, OK. Although you're
> doing them a disservice if you haven't clearly explained that the
> assumption in point a) above, upon which you are building the service
> you sell them, has very shaky basis in reality: *they* may still be
> one of the exceptions, I'm not in a position to deny it or to care at
> all, but they should be sure to be one of such exceptions.
>
I allow any IPs that have been manually whitelisted, which includes
Yahoo, GMail and customers/vendors that use IPs that are inside blocked
countries, blacklists, etc.

    check_client_access cidr:/etc/postfix/OK.cidr,

I deny all IPs that have an RDNS that matches a number of Dynamic-IP
regular expressions.

    check_client_access regexp:/etc/postfix/spam_ip_regex,

I deny all IPs except for those that are geo-located inside areas
they have allowed.

    check_client_access cidr:/etc/postfix/ok_countries.cidr,

I deny any IPs that are found on several RBLs.

All denied connections get a reject message containing a toll-free phone
number. A phone call will result in being whitelisted immediately.

Mail that is accepted is scanned for spamminess and attachments. If it's
very spammy or contains anything but text or images, it's held for
manual inspection, then released or deleted.

This is all completely in their control, and they get a number of
reports every day showing which connections were blocked or allowed and
why, what was passed or deleted, as well as the normal postfix queue and
I/O stats, so if they're not happy with the results, all it takes is a
click of a button.

I did not sell a "magic box" that claims to "Eliminate Spam". I built a
system that met their requirements to block mail that originated outside
the areas they want to talk to, and gave them full control over it.

> The _only_ thing which made unhappy "a few people on this list" (or
> me, at least), is simply the idea to endorse, even by just being
> silent, the assumption in point a) as a general criterion valid in
> anything but very few, very special situations.
>
>
While rejecting mail via geographic IP matching and regular expressions
is not perfect and may be "politically incorrect", it is quite
effective. Its use is a *business decision* not a technology decision.

The only thing that matters is that it complies with the RFCs and meets
the customer's requirements.

Terry
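
The order of the checks in the message above decides the outcome, because Postfix stops at the first check that returns OK or REJECT and only continues on DUNNO. The sketch below is an added example, not part of the original post and not Terry's configuration: it walks that same order over constructed clients and reports which check decided. The table contents, the regular expressions, the DUNNO/REJECT layout of ok_countries.cidr and the in-memory RBL set are all assumptions.

```python
import ipaddress
import re

# Constructed sample tables (documentation address ranges, made-up hostnames)
# standing in for the files named in the post; the real contents are not shown.
OK_CIDR = [("198.51.100.0/24", "OK")]            # OK.cidr: manual whitelist
SPAM_IP_REGEX = [                                # spam_ip_regex: dynamic rDNS
    (r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp)[.-]", "REJECT"),
    (r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}\.", "REJECT"),
]
OK_COUNTRIES_CIDR = [                            # ok_countries.cidr (assumed layout)
    ("203.0.113.0/24", "DUNNO"),  # allowed area: fall through to later checks
    ("0.0.0.0/0", "REJECT"),      # everything else is denied
]
RBL_LISTED = {"203.0.113.66"}                    # stand-in for DNS RBL lookups

def cidr_lookup(table, ip):
    """First matching CIDR entry wins; no match means DUNNO."""
    addr = ipaddress.ip_address(ip)
    for net, action in table:
        if addr in ipaddress.ip_network(net):
            return action
    return "DUNNO"

def regexp_lookup(table, rdns):
    """First matching pattern wins; no match means DUNNO."""
    for pattern, action in table:
        if re.search(pattern, rdns, re.IGNORECASE):
            return action
    return "DUNNO"

def evaluate(ip, rdns):
    """Walk the checks in the post's order; return (decision, deciding check)."""
    checks = [
        ("OK.cidr", lambda: cidr_lookup(OK_CIDR, ip)),
        ("spam_ip_regex", lambda: regexp_lookup(SPAM_IP_REGEX, rdns)),
        ("ok_countries.cidr", lambda: cidr_lookup(OK_COUNTRIES_CIDR, ip)),
        ("rbl", lambda: "REJECT" if ip in RBL_LISTED else "DUNNO"),
    ]
    for name, check in checks:
        result = check()
        if result != "DUNNO":       # OK or REJECT ends the walk
            return result, name
    return "OK", "end-of-chain"     # nothing objected; content scanning is next

if __name__ == "__main__":
    for ip, rdns in [("198.51.100.7", "dhcp-7.isp.example"),
                     ("203.0.113.20", "pool-203-0-113-20.isp.example"),
                     ("192.0.2.5", "mx.far.example")]:
        print(ip, rdns, *evaluate(ip, rdns))
```

The first sample client is whitelisted and therefore accepted despite a dynamic-looking rDNS name and an address outside the allowed area, which is the case the whitelist in the post exists for.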