Re: [IMail Forum] SpamCannibal (was another topic)

2005-01-28 Thread Rod Dorman
On Thursday, January 27, 2005, 20:58:57, Jeff Hitchcock wrote:
 You know, since my last name really is Hitchcock, you'd think that I'd
 have experienced that problem -- but I cannot recall a single instance
 of my email being rejected because of part of my last name.

What's obscene about hitch? :-)

-- 
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote. – Ambassador Kosh


To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/


Re: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread Gary Brumm
At 11:09 AM 1/27/2005, you wrote:
Gary,

This is NOT like some arbitrary DOS attack. The sending server would only
be choking on their -OWN- spam. As soon as the server admin kills all
attempts to send spam from their server to my server (and others),
everything goes back to normal. The tarpitting ONLY occurs as long as spam
is actively being delivered from their server.

Hi William,
Yes, but while you are attacking the offending server you are also
interfering with the processing of legitimate email.  This action may cause
loss of customers and result in legal action.  How would you feel if I was
crashing your server because IMail had a bug (what are the odds of that :-) )
that someone had exploited and was sending SPAM through your server?  I just
had someone exploit a statistic server running on one of our machines.  We
received several reports of spam related to one of our IP's.  We were able to
track down the problem and fix it quickly.  I realize that all providers are
not so responsive.  If someone had managed to crash the machine it would have
taken 100+ websites offline and punished many people who were not at fault
(not to mention it would really pizz me off :-)).  All a real spammer would
have to do is block your IP and go back to business.

This is the same premise behind RBLs, in that if everyone used an RBL, an
offensive spamming server would not be able to send mail (spam or legit) to
anyone. In this case, the program simply throttles or kills the server's
ability to send spam or other traffic until they have dealt with the issue
and STOPPED SPAMMING.

RBL's are elective (we use them) and only affect delivery to our customers.
This is a completely different thing than attacking someone else's server.

Also, this is a two-step process. A spamming server already has to have been
blacklisted for spamming previously/recently before the daemon will be
triggered. By the time it gets to that point, an admin should already know
what's going on, and has had an opportunity to do something about it. As
soon as they stop sending spam, the problem goes away. Seems fair enough to
me. FYI, I am only considering installing this on my secondary MX, where
absolutely NO legit traffic belongs in the first place. If everyone
installed this program on their secondary MX, the abuse of secondaries would
quickly vanish.

Believe me, I hate spam and spammers as much as anyone but I don't want to
crash legitimate servers that have been exploited.  If I see a certain source
of persistent spam I have no problem with its IP being blocked (our IP
blocking expires after a time so if the problem is resolved the IP becomes
useable again) or it being reported to an RBL.  But I completely understand
how you feel and I used to feel the same way before I had products like
Declude (in my case) that have at least made the problem more manageable.

Cheers,
Gary

William Van Hefner
Network Administrator
Vantek Communications, Inc.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Gary Brumm
 Sent: Thursday, January 27, 2005 10:31 AM
 To: IMail_Forum@list.ipswitch.com
 Subject: RE: [IMail Forum] Filanet InterJak 200


 At 10:02 AM 1/27/2005, you wrote:
 Len,

 Was wondering if you had taken a look at something called SpamCannibal
 at http://www.spamcannibal.org . It is something akin to the Anvil
 feature you describe, but with a twist. The stated aim of the daemon on
 its website is, SpamCannibal's TCP/IP tarpit stops spam by telling the
 spam server to send very small packets. SpamCannibal then causes the
 spam server to retry sending over and over - ideally bringing the spam
 server to a virtual halt for a long time or perhaps indefinitely.

 and if you bring down a server that was exploited through no fault of
 the owner then what?  They trace the problem to software you
 intentionally installed on your server knowing it would crash other
 people's servers and you are reported to your upstream provider or you
 are sued.  This is a very bad idea.  Delete incoming SPAM, block the IP,
 report it to the source, or to SpamCop, etc., but please don't try to
 crash servers that may be victims of exploits without any more
 information other than SPAM was delivered from this address.

 I haven't tried setting up a Postfix box for this yet, but it sounds
 like fun. :-)
 
 
 William Van Hefner
 Network Administrator
 Vantek Communications, Inc.
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
 Len Conrad
   Sent: Wednesday, January 26, 2005 7:22 AM
   To: IMail_Forum@list.ipswitch.com
   Subject: Re: [IMail Forum] Filanet InterJak 200
  
  
  
   If you're willing to get your hands dirty and learn a bit of *nix I
   recommend pf on OpenBSD which is _very_ flexible and will let you
   'tarpit' spammers (with spamd) if you wish.  It's free and it'll
   run very well on a pII 350mhz with 128m of RAM.  It is a 

Re: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread Rod Dorman
On Thursday, January 27, 2005, 14:09:10, William Van Hefner wrote:
  ...
 FYI, I am only considering installing this on my secondary MX, where
 absolutely NO legit traffic belongs in the first place.

You'll have to clarify this one for me.

If  there's  a  network  hiccup,  or  you're rebooting, or whatever that
prevents  a  server from connecting to your primary MTA they're going to
try connecting to your secondary.

How can this not be considered legit traffic?

-- 
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote. – Ambassador Kosh




RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread William Van Hefner
Rod,

The only time that any legitimate traffic should flow through our secondary
MX is when the primary is down completely. Our downtime on the primary
network is so negligible that the more restrictive anti-spam filtering is
really not worth worrying about. Keep in mind, even if our primary was down
for hours, the only servers that would be affected are those that are
already blacklisted from having sent e-mail to spam traps recently.

In reality, the secondary MX I am talking about will actually be our LAST
MX (tertiary???), which is at a different location on a different feed. A
true second MX will be on that same circuit, and will act as the primary
back up. I probably should have stated that previously, but couldn't figure
out the word for third MX. :-)

In the event of any failure of our primary circuit/server, all traffic
should go to the secondary. Never, ever, ever should a single piece of
legitimate e-mail go to the third MX. There is absolutely no conceivable
circumstance (outside of a deranged sysadmin, who should probably be fired)
that any legitimate mail server would ever connect to an MX with a priority
of 50, when a server with a priority of 10 or even 30 is available. I am
having this box reject pretty much everything, and will put the SpamCannibal
there. That's the perfect position for it, IMHO.


William Van Hefner
Network Administrator
Vantek Communications, Inc.




RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread Len Conrad

The only time that any legitimate traffic should flow through our "secondary
MX" is when the primary is down completely.

"never, ever" ??? not very humble, you "IMHO"

In practice, simply not true, so don't bet any money on it.

I admin several ISPs' MX1/2 where I see legit traffic hitting mx2 when mx1
has been up and handling traffic constantly.   If there were a mx3, I would
expect it to get traffic, too.   yes, MOST of the traffic to backup MXs is
crap, but surprisingly large amt is legit.

Another error on your part:  the MX preference field is sorted numerically
ascending, such that

1, 2, 3 is effectively the same as 1, 2, 3000.

Len
_
http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites


RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread R. Scott Perry

The only time that any legitimate traffic should flow through our "secondary
MX" is when the primary is down completely.

"never, ever" ??? not very humble, you "IMHO"

In practice, simply not true, so don't bet any money on it.

You are correct -- if the *remote* mailserver has a temporary problem with
their Internet connection, the connection to the primary may fail, and the
mailserver will contact the backup.  So legitimate traffic definitely can
go to the backup.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.




RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread William Van Hefner
Len,

Point taken on the numbering thing. My bad. Maybe I should have said there
never should be any legit traffic, rather than there never is any.
Technically, there is no legitimate reason for any traffic to hit such a
box. Other than a purposefully misconfigured mail server, how/why would mail
pass up a server with a priority of 20 vs. one of 50 on the same network,
sitting right next to each other? I am guessing that your servers are
probably on different networks?

If someone has purposefully violated RFCs to modify their mail server to
deliver to the server with the lowest priority first, they deserve to be
blocked as far as I am concerned. If they are on a blacklist on top of that,
AND are spamming me, well, they get what they deserve.


William Van Hefner
Network Administrator
Vantek Communications, Inc.




Re: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread Matt
I have found that some newsletters/legitimate bulk-mailing software will 
hit lower priority MX's, possibly by design (some setups don't have spam 
blocking configured for backups which makes them more desirable to hit, 
but also some software doesn't bother with MX priority, they just take 
the first entry returned).

Because zombie spamware regularly ignores MX priorities, we set up 4 MX 
records with 4 different priorities and made sure that our DNS was 
round-robined, meaning that the records would be returned in random 
order, but that doesn't matter to a compliant SMTP server which should 
choose the proper priority.  Spamware seems to just simply choose the 
first MX record returned, so when round-robined, that means that zombie 
spamware is evenly divided over our 4 records.  This is effective enough 
that we then use Declude to filter for hits on all but the primary MX 
record, and we add points for such hits.  It is very effective since 
hits to our MX3 and MX4 are 99.9% spam.  Hits on our MX2 are scored 
lower since there is more legitimate traffic that may hit it and it is 
on a separate box on a separate network.  MX3 and MX4 are on the same 
box as MX1, so technically, those should almost never be hit by anything 
remotely legitimate.

Matt



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
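
Added example, not part of any poster's message and not Declude or IMail configuration: a small Python simulation of the MX behaviour discussed in the messages above. It compares a sender that sorts MX records by preference with one that takes the first record returned, over every possible answer ordering, and attaches score points per receiving MX. The host names, preference values and point weights are constructed assumptions.

```python
"""Constructed simulation: which MX does a sender hit, and how to weight it."""
from itertools import permutations

# Constructed zone data: (preference, host). Names and values are assumptions.
MX_RECORDS = [
    (10, "mx1.example.test"),
    (20, "mx2.example.test"),
    (30, "mx3.example.test"),
    (40, "mx4.example.test"),
]

# Hypothetical score points added per receiving MX. These are weights rather
# than hard rejects, because a legitimate sender that cannot reach mx1 from
# its side of the network will fall back to mx2.
MX_POINTS = {
    "mx1.example.test": 0,
    "mx2.example.test": 2,
    "mx3.example.test": 8,
    "mx4.example.test": 8,
}


def compliant_order(answer):
    """Hosts in the order a standards-following sender tries them.

    Only the relative order of the preference numbers matters; the order of
    the records inside the DNS answer is ignored.
    """
    return [host for _pref, host in sorted(answer, key=lambda rec: rec[0])]


def compliant_target(answer, unreachable=frozenset()):
    """First host in preference order that the sender can actually reach."""
    for host in compliant_order(answer):
        if host not in unreachable:
            return host
    return None


def naive_target(answer):
    """Sender that ignores preference and takes the first record returned."""
    return answer[0][1]


def hit_distribution(picker, records=MX_RECORDS):
    """Count which host a sender picks over every possible answer ordering."""
    counts = {host: 0 for _pref, host in records}
    for answer in permutations(records):
        counts[picker(list(answer))] += 1
    return counts


def mx_points(host):
    """Score points to add for a message received on the given MX host."""
    return MX_POINTS[host]


if __name__ == "__main__":
    print("compliant:", hit_distribution(compliant_target))
    print("naive:    ", hit_distribution(naive_target))
    # The sender's own connectivity problem makes mx1 unreachable for it only.
    fallback = compliant_target(MX_RECORDS, {"mx1.example.test"})
    print("fallback: ", fallback, "points:", mx_points(fallback))
```
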


RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread William Van Hefner
Scott,

Exactly. That is why I am putting this on a server with a priority of 50.
There is a primary with a priority of 10 (on another network), and a
secondary with a priority of 30 sitting right next to it on the same
network. Even if the primary server or entire circuit is down, it should
still not skip the secondary with an MX of 30.


William Van Hefner
Network Administrator
Vantek Communications, Inc.




RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread William Van Hefner
Matt,

I do not consider ANY bulk mailer that purposefully violates RFCs
"legitimate". Heck, AOL will delete or bounce your mail just for not having
a properly configured PTR. In my mind, purposefully violating RFCs for the
express intent of deceiving/avoiding spam filters is enough reason to reject
their mail, if they are doing it on a consistent basis. I mean, why have
RFCs, if some admins feel that they don't apply to them?

At least with PTRs, you can chalk some of those cases up to temporary
problems of switching underlying networks or simple mistakes by admins. In
order to send out bulk mailings to MXs in reverse order, you have to go WAY
out of your way to modify a mail server or software to do something like
that. There are no legit mail servers that do this in the default
configuration. INTENT TO DECEIVE your mail server to accept their mail is
the only reason someone would do something like this. In the end, it's really
all about money to these people though.

If your solution works for you, great. On my system, 100% of the mail sent
to the second or third MX is spam, or is sent by some shady bulk mailer. I
have a much, much lower threshold for deleting spam on those servers. Any
bulk mailers that want to get their garbage through the last MX (third)
server will need to be whitelisted in the future, or pay me extra for the
privilege of relaying their mailings via a server that they shouldn't even
have to exist.


William Van Hefner
Network Administrator
Vantek Communications, Inc.



RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread Gary Brumm
William,
I believe that reporting to a RBL, blocking an IP, or deleting email that
you classify as spam is relatively passive as opposed to disabling someone's
server which is a bit more of an active approach (IMHO).
I see that you appear to be a small provider (as am I) and are located in
California.  As a fellow Californian I am sure you are aware that in this
state more than just about anywhere else a lawsuit doesn't have to make sense
to be filed or even won.  If you take down a server from a company with deep
pockets they can bankrupt you even if they don't win just by running up the
cost of your defense.  For the record this is one of the things that I
absolutely hate about this state but it is an unfortunate reality at this
time.  I would give it a great deal of thought before doing something that
could potentially damage another company's business.  I hope your frustration
with the spam problem doesn't backfire on you.  If you ever receive spam from
one of our servers please forward the details and we will fix it (we don't
like being hijacked any more than we like receiving spam :-)).

Regards,
Gary

At 01:57 PM 1/27/2005, you wrote:
Gary,

I think that we vastly differ on what constitutes an attack. This is not
revenge, as you probably see it. It is pure defense, from my point of
view. Keep in mind, the spamming server can stop the tarpitting AT ANY TIME,
simply by stopping the stream of spam they are sending to me. He stops, I
stop. Period. No revenge. No vigilante party. I am purely reflecting the
attack back at them. Just as my own mail servers can be slowed down to a
crawl or stopped entirely by spammers, I am simply shifting the burden back
where it actually belongs. I am sending their spam back to them, with
postage due.

THEY are the ones launching the attack on MY server, not the other way
around! All I am doing is making them choke on their OWN messages. I am no
more blocking the delivery of legitimate e-mail than blacklists or RBLs are.
These people are illegally trespassing on my property. Anyone reading our
anti-spam policies knows that they are unwanted, and the vast majority of
spams are in violation of the wussy CAN-SPAM Act.

In my home, and on my servers, anyone attempting to break-in is shot on
sight. Questions asked later. If other admins don't like it, all they have
to do is kill the queued spam they are sending to me and to others. It's the
incompetent admin who is responsible if their other subscriber's e-mails
don't get through, not me, just as it is for mail admins who run open
relays. No jury in the world who has ever received spam would convict me!

William Van Hefner
Network Administrator
Vantek Communications, Inc.

Re: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread Matt




Hey, do whatever you want, it's your server and your customers, and as
long as you are bouncing this stuff, it's no skin off my back.

I was merely describing the realities of what is going on with lower
priority MX hits. This supports most of your assertion, however there
is a very big difference between 100% and 99.9% accuracy, or what I
would consider to be about 99.5% accuracy with our second priority
server.

My view as a spam and virus blocking service is that delivering the
good E-mail is my first priority, and blocking the bad is the second.
We have few problems with either, and we don't have to take heavy
handed tactics like this to achieve our goals. We don't penalize
people for being stupid, we work around it. In fact, it's the lack of
sophistication, practices, or the improper priorities of other
companies that makes us look so good in comparison. The 99.7% block
rates with 0.03% false positives for the typical domain doesn't hurt
either :)

Matt



William Van Hefner wrote:

  Matt,

I do not consider ANY bulk mailer that purposefully violates RFCs
"legitimate". Heck, AOL will delete or bounce your mail just for not having
a properly configured PTR. In my mind, purposefully violating RFCs for the
express intent of deceiving/avoiding spam filters is enough reason to reject
their mail, if they are doing it on a consistent basis. I mean, why have
RFCs, if some admins feel that they don't apply to them?

At least with PTRs, you can chalk some of those cases up to temporary
problems of switching underlying networks or simple mistakes by admins. In
order to send out bulk mailings to MXs in reverse order, you have to go WAY
out of your way to modify a mail server or software to do something like
that. There are no legit mail servers that do this in the default
configuration. INTENT TO DECEIVE your mail server to accept their mail is
the only reason someone would do something like this. In the end, its really
all about money to these people though.

If your solution works for you, great. On my system, 100% of the mail sent
to the second or third MX is spam, or is sent by some shady bulk mailer. I
have a much, much lower threshold for deleting spam on those servers. Any
bulk mailers that want to get their garbage through the last MX (third)
server will need to be whitelisted in the future, or pay me extra for the
privilege of relaying their mailings via a server that they shouldn't even
have to exist.


William Van Hefner
Network Administrator
Vantek Communications, Inc.


  
  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Thursday, January 27, 2005 2:22 PM
To: IMail_Forum@list.ipswitch.com
Subject: Re: [IMail Forum] SpamCannibal (was another topic)


I have found that some newsletters/legitimate bulk-mailing software will
hit lower priority MX's, possibly by design (some setups don't have spam
blocking configured for backups which makes them more desirable to hit,
but also some software doesn't bother with MX priority, they just take
the first entry returned).

Because zombie spamware regularly ignores MX priorities, we set up 4 MX
records with 4 different priorities and made sure that our DNS was
round-robined, meaning that the records would be returned in random
order, but that doesn't matter to a compliant SMTP server which should
choose the proper priority.  Spamware seems to just simply choose the
first MX record returned, so when round-robined, that means that zombie
spamware is evenly divided over our 4 records.  This is effective enough
that we then use Declude to filter for hits on all but the primary MX
record, and we add points for such hits.  It is very effective since
hits to our MX3 and MX4 are 99.9% spam.  Hits on our MX2 are scored
lower since there is more legitimate traffic that may hit it and it is
on a separate box on a separate network.  MX3 and MX4 are on the same
box as MX1, so technically, those should almost never be hit by anything
remotely legitimate.

Matt



R. Scott Perry wrote:



  

  The only time that any legitimate traffic should flow through our
  "secondary MX" is when the primary is down completely.

"never, ever" ??? not very humble, you "IMHO"

In practice, simply not true, so don't bet any money on it.

You are correct -- if the *remote* mailserver has a temporary problem
with their Internet connection, the connection to the primary may
fail, and the mailserver will contact the backup.  So legitimate
traffic definitely can go to the backup.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail
mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in 
mailserver vulnerability detection.
Find out what you've been m

RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread R. Scott Perry

 You are correct -- if the *remote* mailserver has a temporary problem with
 their Internet connection, the connection to the primary may fail, and the
 mailserver will contact the backup.  So legitimate traffic definitely can
 go to the backup.

 Exactly. That is why I am putting this on a server with a priority of 50.
 There is a primary with a priority of 10 (on another network), and a
 secondary with a priority of 30 sitting right next to it on the same
 network. Even if the primary server or entire circuit is down, it should
 still not skip the secondary with an MX of 30.

If that temporary problem lasts a few extra seconds, the attempt to the 2nd
mailserver can fail too, causing the remote mailserver to hit the 3rd
mailserver.

Rare, yes.  Probably rare enough to have very strict spam control on the 
3rd mailserver (but not rare enough to delete it, at least for most people).

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.




RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread William Van Hefner
Scott,

If I had two different servers at two different locations (and feeds) both
tank simultaneously, I'd probably have more problems to worry about than
spam. :-)

Seriously, my backup servers (everything but the primary) are located in my
house, so I keep a pretty close eye on them. If the second server ever went
down, I would likely be 10 feet away and could closely monitor any traffic
hitting the third server.


William Van Hefner
Network Administrator
Vantek Communications, Inc.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of R. 
 Scott Perry
 Sent: Thursday, January 27, 2005 3:18 PM
 To: IMail_Forum@list.ipswitch.com
 Subject: RE: [IMail Forum] SpamCannibal (was another topic)
 
 
 
   You are correct -- if the *remote* mailserver has a temporary
   problem with their Internet connection, the connection to the
   primary may fail, and the mailserver will contact the backup.  So
   legitimate traffic definitely can go to the backup.
 
 Exactly. That is why I am putting this on a server with a priority of
 50. There is a primary with a priority of 10 (on another network), and
 a secondary with a priority of 30 sitting right next to it on the same
 network. Even if the primary server or entire circuit is down, it
 should still not skip the secondary with an MX of 30.
 
 If that temporary problem lasts a few extra seconds, the attempt to the
 2nd mailserver can fail too, causing the remote mailserver to hit the
 3rd mailserver.
 
 Rare, yes.  Probably rare enough to have very strict spam control on
 the 3rd mailserver (but not rare enough to delete it, at least for
 most people).
 
 -Scott


RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread William Van Hefner
Gary,

I could only hope that the spammer who targets me resides in California, as
criminal code pertaining to hacking and spamming make what most spammers do
within this state a felony, not just some piddly civil offense. As far as I
know, the CAN-SPAM Act can only override state civil laws, and not criminal
ones.

Fortunately, I have a good attorney, and am not too worried about getting
sued by a spammer, let alone an ISP that got tarpitted. I'm sure that I
would be the least of their worries if they got their mail server owned by
a spammer anyway.

I don't think that SpamCannibal could possibly kill any reasonably
designed mail server that was trying to deliver a single message to my
server. It would take hitting multiple SpamCannibal servers in order to do
any actual damage, if you want to call it that. My server would only slow
them down a bit and stop their spam delivery to me. That's certainly nothing
that they could collect any damages for.


William Van Hefner
Network Administrator
Vantek Communications, Inc.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Gary Brumm
 Sent: Thursday, January 27, 2005 3:02 PM
 To: IMail_Forum@list.ipswitch.com
 Subject: RE: [IMail Forum] SpamCannibal (was another topic)
 
 
 William,
 
 I believe that reporting to a RBL, blocking an IP, or deleting email
 that you classify as spam is relatively passive as opposed to disabling
 someone's server which is a bit more of an active approach (IMHO).
 I see that you appear to be a small provider (as am I) and are located
 in California.  As a fellow Californian I am sure you are aware that in
 this state more than just about anywhere else a lawsuit doesn't have to
 make sense to be filed or even won.  If you take down a server from a
 company with deep pockets they can bankrupt you even if they don't win
 just by running up the cost of your defense.  For the record this is one
 of the things that I absolutely hate about this state but it is an
 unfortunate reality at this time.  I would give it a great deal of
 thought before doing something that could potentially damage another
 company's business.  I hope your frustration with the spam problem
 doesn't backfire on you.  If you ever receive spam from one of our
 servers please forward the details and we will fix it (we don't like
 being hijacked anymore than we like receiving spam :-)).
 
 Regards,
 
 Gary
 
 
 At 01:57 PM 1/27/2005, you wrote:
 Gary,
 
 I think that we vastly differ on what constitutes an attack. This is
 not revenge, as you probably see it. It is pure defense, from my
 point of view. Keep in mind, the spamming server can stop the
 tarpitting AT ANY TIME, simply by stopping the stream of spam they are
 sending to me. He stops, I stop. Period. No revenge. No vigilante
 party. I am purely reflecting the attack back at them. Just as my own
 mail servers can be slowed down to a crawl or stopped entirely by
 spammers, I am simply shifting the burden back where it actually
 belongs. I am sending their spam back to them, with postage due.
 
 THEY are the ones launching the attack on MY server, not the other
 way around! All I am doing is making them choke on their OWN messages.
 I am no more blocking the delivery of legitimate e-mail than blacklists
 or RBLs are. These people are illegally trespassing on my property.
 Anyone reading our anti-spam policies knows that they are unwanted, and
 the vast majority of spams are in violation of the wussy CAN-SPAM Act.
 
 In my home, and on my servers, anyone attempting to break-in is shot on
 sight. Questions asked later. If other admins don't like it, all they
 have to do is kill the queued spam they are sending to me and to
 others. It's the incompetent admin who is responsible if their other
 subscribers' e-mails don't get through, not me, just as it is for mail
 admins who run open relays. No jury in the world who has ever received
 spam would convict me!
 
 
 William Van Hefner
 Network Administrator
 Vantek Communications, Inc.
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of 
 Gary Brumm
   Sent: Thursday, January 27, 2005 12:37 PM
   To: IMail_Forum@list.ipswitch.com
   Subject: Re: [IMail Forum] SpamCannibal (was another topic)
  
  
   At 11:09 AM 1/27/2005, you wrote:
   Gary,
   
   This is NOT like some arbitrary DOS attack. The sending server would
   only be choking on their -OWN- spam. As soon as the server admin kills
   all attempts to send spam from their server to my server (and others),
   everything goes back to normal. The tarpitting ONLY occurs as long as
   spam is actively being delivered from their server.
  
   Hi William,
   Yes, but while you are attacking the offending server you are also
   interfering with the processing of legitimate email.  This action
   may cause loss of customers

RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread William Van Hefner
Matt,

Fortunately, if you want to call it that, I am small enough so that I can
keep a very close eye on what makes its way through our servers. I go through
logs every night. Our block rates are very similar to yours, though the term
false positives can often be in the eye of the beholder. :-)

Fortunately, it is rare that false positives are an issue, and most of my
customers are pretty ecstatic about the amount of spam reduction we bring
them. With the addition of whitelisting, false-positives are rare, indeed.

FWIW, I managed to write one rule in the past year that backfired on me by
deleting anything with Cialis in the Subject: line. As it turns out, one
of our subscribers receives a newsletter aimed at soCIALISts. I wonder how
many of you will get this message trapped? :-) Fortunately, I saw this
message get trapped in the logs and fixed the problem the same day.


William Van Hefner
Network Administrator
Vantek Communications, Inc.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 27, 2005 3:17 PM
To: IMail_Forum@list.ipswitch.com
Subject: Re: [IMail Forum] SpamCannibal (was another topic)


Hey, do whatever you want, it's your server and your customers, and as long
as you are bouncing this stuff, it's no skin off my back.

I was merely describing the realities of what is going on with lower
priority MX hits.  This supports most of your assertion, however there is a
very big difference between 100% and 99.9% accuracy, or what I would
consider to be about 99.5% accuracy with our second priority server.

My view as a spam and virus blocking service is that delivering the good
E-mail is my first priority, and blocking the bad is the second.  We have
few problems with either, and we don't have to take heavy handed tactics
like this to achieve our goals.  We don't penalize people for being stupid,
we work around it.  In fact, it's the lack of sophistication, practices, or
the improper priorities of other companies that makes us look so good in
comparison.  The 99.7% block rates with 0.03% false positives for the
typical domain doesn't hurt either :)

Matt



William Van Hefner wrote: 
Matt,

I do not consider ANY bulk mailer that purposefully violates RFCs
legitimate. Heck, AOL will delete or bounce your mail just for not having
a properly configured PTR. In my mind, purposefully violating RFCs for the
express intent of deceiving/avoiding spam filters is enough reason to reject
their mail, if they are doing it on a consistent basis. I mean, why have
RFCs, if some admins feel that they don't apply to them?

At least with PTRs, you can chalk some of those cases up to temporary
problems of switching underlying networks or simple mistakes by admins. In
order to send out bulk mailings to MXs in reverse order, you have to go WAY
out of your way to modify a mail server or software to do something like
that. There are no legit mail servers that do this in the default
configuration. INTENT TO DECEIVE your mail server to accept their mail is
the only reason someone would do something like this. In the end, it's really
all about money to these people though.

If your solution works for you, great. On my system, 100% of the mail sent
to the second or third MX is spam, or is sent by some shady bulk mailer. I
have a much, much lower threshold for deleting spam on those servers. Any
bulk mailers that want to get their garbage through the last MX (third)
server will need to be whitelisted in the future, or pay me extra for the
privilege of relaying their mailings via a server that they shouldn't even
have to exist.


William Van Hefner
Network Administrator
Vantek Communications, Inc.


  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, January 27, 2005 2:22 PM
To: IMail_Forum@list.ipswitch.com
Subject: Re: [IMail Forum] SpamCannibal (was another topic)


I have found that some newsletters/legitimate bulk-mailing software will
hit lower priority MX's, possibly by design (some setups don't have spam
blocking configured for backups which makes them more desirable to hit,
but also some software doesn't bother with MX priority, they just take
the first entry returned).

Because zombie spamware regularly ignores MX priorities, we set up 4 MX
records with 4 different priorities and made sure that our DNS was
round-robined, meaning that the records would be returned in random
order, but that doesn't matter to a compliant SMTP server which should
choose the proper priority.  Spamware seems to just simply choose the
first MX record returned, so when round-robined, that means that zombie
spamware is evenly divided over our 4 records.  This is effective enough
that we then use Declude to filter for hits on all but the primary MX
record, and we add points for such hits.  It is very effective since
hits to our MX3 and MX4 are 99.9% spam.  Hits on our MX2 are scored
lower since

RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread R. Scott Perry

 If that temporary problem lasts a few extra seconds, the attempt to the 2nd
 mailserver can fail too, causing the remote mailserver to hit the 3rd
 mailserver.

 If I had two different servers at two different locations (and feeds) both
 tank simultaneously, I'd probably have more problems to worry about than
 spam. :-)

I think you misunderstood.

I wasn't saying that there was a problem with *your* mailservers.  I'm
saying that if I send you an E-mail, the same problem that could cause me
to go to your 2nd mailserver (a temporary connection problem on my end
preventing me from reaching your 1st mailserver) could easily cause a
problem reaching the 2nd mailserver (but successfully reaching the third).

Let's say my Internet connection is out for a minute.  My mailserver tries
your primary, and times out after 30 seconds.  It then tries the secondary,
and times out after 30 more seconds.  It then tries your 3rd mailserver,
which it is now able to successfully connect to.

 Seriously, my backup servers (everything but the primary) are located in my
 house, so I keep a pretty close eye on them. If the second server ever went
 down, I would likely be 10 feet away and could closely monitor any traffic
 hitting the third server.

The issue isn't an issue on *your* end.  The issue is an issue on the
remote end.

   -Scott
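The two behaviours discussed in this thread (a compliant sender walking MX records in preference order and failing over on timeouts, versus software that takes the first record a round-robin DNS answer returns) can be simulated as below. This is an added example, not code from any poster or from Declude; the host names, the per-MX penalty points and the delete threshold are assumptions chosen for illustration.

```python
import random

# Constructed MX set mirroring the 10/30/50 priorities mentioned in the thread.
MX_RECORDS = [(10, "mx1.example.test"), (30, "mx2.example.test"), (50, "mx3.example.test")]
CONNECT_TIMEOUT = 30  # seconds per failed attempt, as in the outage scenario above

# Assumed penalty points per MX and an assumed delete threshold (not Declude values).
MX_POINTS = {"mx1.example.test": 0, "mx2.example.test": 2, "mx3.example.test": 5}
DELETE_AT = 10


def round_robin_answer(records, rng):
    """Return the MX record set in random order, as a round-robin DNS server does."""
    answer = list(records)
    rng.shuffle(answer)
    return answer


def compliant_delivery(answer, sender_outage=0, receiver_down=()):
    """Try hosts in ascending preference; each failed attempt costs one timeout.

    sender_outage: seconds during which the *sender's* link is down.
    Returns (host reached or None, seconds elapsed before connecting).
    """
    clock = 0
    for _pref, host in sorted(answer):
        if clock < sender_outage or host in receiver_down:
            clock += CONNECT_TIMEOUT
            continue
        return host, clock
    return None, clock


def first_record_delivery(answer):
    """Behaviour the thread attributes to zombie spamware: ignore preference."""
    return answer[0][1]


def hit_distribution(pick, trials=3000, seed=2005):
    """Count which MX each of `trials` deliveries lands on under round-robin DNS."""
    rng = random.Random(seed)
    counts = {host: 0 for _pref, host in MX_RECORDS}
    for _ in range(trials):
        counts[pick(round_robin_answer(MX_RECORDS, rng))] += 1
    return counts


def verdict(host, content_score):
    """Add MX-based points to a content score instead of deleting on the MX alone."""
    return "delete" if content_score + MX_POINTS[host] >= DELETE_AT else "deliver"


if __name__ == "__main__":
    print("compliant:", hit_distribution(lambda a: compliant_delivery(a)[0]))
    print("first-record:", hit_distribution(first_record_delivery))
    # A one-minute outage on the sender's side: two timeouts, then the third MX.
    host, waited = compliant_delivery(MX_RECORDS, sender_outage=60)
    print(host, waited, verdict(host, content_score=1))
```
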


Re: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread Rod Dorman
On Thursday, January 27, 2005, 18:31:57, William Van Hefner wrote:
  ...
 Seriously, my backup servers (everything but the primary) are located in my
 house, so I keep a pretty close eye on them. If the second server ever went
 down, I would likely be 10 feet away and could closely monitor any traffic
 hitting the third server.

But your network and servers aren't the only points of failure. It could
be anywhere in between you and them, you have no control over router
flaps happening out in the rest of the world.

-- 
[EMAIL PROTECTED] The avalanche has already started, it is too
Rod Dorman  late for the pebbles to vote. – Ambassador Kosh




RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread R. Scott Perry

 FWIW, I managed to write one rule in the past year that backfired on me by
 deleting anything with Cialis in the Subject: line. As it turns out, one
 of our subscribers receives a newsletter aimed at soCIALISts. I wonder how
 many of you will get this message trapped? :-)

... and specialist, which is more common.

Of course, this is also an issue for Mr. Dick Hitchcock, the sexy
chardonnay-drinking assassin (who is a specialist in analyzing things),
whose E-mail is often deleted by the filtering crowd (at least 8
oft-filtered words are lurking in that phrase).

   -Scott
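The Subject-line rule that backfired in the messages above can be reproduced and audited before deployment. This is an added example, not a Declude or IMail rule; the sample subjects are constructed, and the word-boundary variant is one possible correction rather than what any poster actually deployed.

```python
import re

RULE_WORD = "cialis"

# Whole-word variant: the keyword must not be preceded or followed by a letter.
WORD_RE = re.compile(r"(?<![A-Za-z])" + re.escape(RULE_WORD) + r"(?![A-Za-z])",
                     re.IGNORECASE)

# Constructed sample subjects: (subject, is_spam).
SUBJECTS = [
    ("Cheap Cialis online now", True),
    ("CIALIS - best price", True),
    ("Weekly newsletter for socialists", False),
    ("Your appointment with the specialist", False),
    ("Special offers this weekend", False),
]


def substring_rule(subject):
    """The rule as described in the thread: match the keyword anywhere."""
    return RULE_WORD in subject.lower()


def whole_word_rule(subject):
    """Match only when the keyword stands alone as a word."""
    return bool(WORD_RE.search(subject))


def evaluate(rule, samples):
    """Split a rule's hits into true catches and false positives."""
    caught = [s for s, spam in samples if spam and rule(s)]
    false_positives = [s for s, spam in samples if not spam and rule(s)]
    return {"caught": caught, "false_positives": false_positives}


def embedding_words(subject):
    """Audit helper: list ordinary words that merely contain the keyword."""
    words = re.findall(r"[A-Za-z]+", subject)
    return [w for w in words
            if RULE_WORD in w.lower() and w.lower() != RULE_WORD]


if __name__ == "__main__":
    for name, rule in (("substring", substring_rule), ("whole word", whole_word_rule)):
        result = evaluate(rule, SUBJECTS)
        print(name, "caught:", len(result["caught"]),
              "false positives:", result["false_positives"])
    for subject, _spam in SUBJECTS:
        hidden = embedding_words(subject)
        if hidden:
            print("keyword hidden inside:", hidden)
```

Running the audit helper over a day of accepted mail before enabling a delete rule surfaces words such as "socialists" and "specialist" without waiting for them to show up in the trap logs.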


RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread Jeff Hitchcock
You know, since my last name really is Hitchcock, you'd think that I'd
have experienced that problem -- but I cannot recall a single instance
of my email being rejected because of part of my last name.

Jeff Hitchcock - [EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Thursday, January 27, 2005 7:28 PM
To: IMail_Forum@list.ipswitch.com
Subject: RE: [IMail Forum] SpamCannibal (was another topic)


FWIW, I managed to write one rule in the past year that backfired on me by
deleting anything with Cialis in the Subject: line. As it turns out, one
of our subscribers receives a newsletter aimed at soCIALISts. I wonder how
many of you will get this message trapped? :-)

... and specialist, which is more common.

Of course, this is also an issue for Mr. Dick Hitchcock, the sexy
chardonnay-drinking assassin (who is a specialist in analyzing things),
whose E-mail is often deleted by the filtering crowd (at least 8
oft-filtered words are lurking in that phrase).

-Scott


RE: [IMail Forum] SpamCannibal (was another topic)

2005-01-27 Thread William Van Hefner
Scott,

I definitely misunderstood your point. Thanks for clarifying. Your scenario
seems like a remote possibility, but one that I will definitely take into
account. I regularly go through the spam traps on my secondary and have gone
so many months without anything even close to credible being stopped (even
the bulk mailers that purposefully target the secondary are either
whitelisted or do not rate high enough a score to warrant deletion) that I
do tend to think in black and white terms at times.

Admittedly, my user base is small enough that remote possibilities don't
tend to happen in my version of the real world very often. I'm sure that if
I handled tens or hundreds of thousands of messages each day that I would be
more likely to see these types of oddities occur. I'll experiment with the
SpamCannibal project on my back up servers and see what kind of results that
I get. If nothing else, it should at least be a source of personal
amusement. :-)


William Van Hefner
Network Administrator
Vantek Communications, Inc.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of R. 
 Scott Perry
 Sent: Thursday, January 27, 2005 3:54 PM
 To: IMail_Forum@list.ipswitch.com
 Subject: RE: [IMail Forum] SpamCannibal (was another topic)
 
 
 
   If that temporary problem lasts a few extra seconds, the attempt to
   the 2nd mailserver can fail too, causing the remote mailserver to hit
   the 3rd mailserver.
 
 If I had two different servers at two different locations (and feeds)
 both tank simultaneously, I'd probably have more problems to worry
 about than spam. :-)
 
 I think you misunderstood.
 
 I wasn't saying that there was a problem with *your* mailservers.  I'm
 saying that if I send you an E-mail, the same problem that could cause me
 to go to your 2nd mailserver (a temporary connection problem on my end
 preventing me from reaching your 1st mailserver) could easily cause a
 problem reaching the 2nd mailserver (but successfully reaching the third).
 
 Let's say my Internet connection is out for a minute.  My mailserver tries
 your primary, and times out after 30 seconds.  It then tries the secondary,
 and times out after 30 more seconds.  It then tries your 3rd mailserver,
 which it is now able to successfully connect to.
 
 Seriously, my backup servers (everything but the primary) are located
 in my house, so I keep a pretty close eye on them. If the second server
 ever went down, I would likely be 10 feet away and could closely
 monitor any traffic hitting the third server.
 
 The issue isn't an issue on *your* end.  The issue is an issue on the
 remote end.
 
 -Scott