I feel that banning an IP or domain is a last resort type thing. It is a total
failure in communications and should only be done as a last resort. This is why
I don't use outside RBLs or the like. If someone is going to be banned, I have
to be sure the reason is good. The process I take may be a long one, but it
results in a sure ban.
Every spam message I get results in a message to the TRUE domain the spam came
from. In many cases I have to hunt down the true domain and in some I can't find
them. In a few cases I've got personal messages telling me that the account has
been closed or the relay fixed. In most I get an automatic response which I
ignore. In a few I get error messages telling me that one or the other account
is not in existence and I basically take it on trust that it'll be looked at.
When I get a message of both accounts being non-existent, that's when I start
doing more investigations. In a very few cases this results in a banning. In
most it does not. It takes more time, but it's better to be sure.
Anyway, I rely on the pattern machine a lot more than any banned list. :)
As for links within a spam message, I ignore them. I've been sent spamcop
messages because a site I was working with was in a message wrongly flagged as
spam. I'm against draconian rules like they have.

The point of all this is to be very light on the admin side, totally
self-contained and very processor light. The rules I have now are ONLY for the
headers of the message. If you put in body scan rules as well, then you'll get
almost 100%. All that's needed is 1 person generating proper rules for all and
then an admin just to look over the spam subjects/results. I've got an admin for
myself that allows me to look at 20 spam messages at a time, show why it's spam,
what the subject/to/from was and allows me to do something with it. One step
operation to process the spam and email the spamming domains. Not perfect yet,
but....
Ah, if only I trusted the other spam fighting tools to do the job I wanted. :)


> If I understand that correctly, that is pretty arcane, especially if the domain
> is either spoofed or "joe-jobbed" which would put them in an innocent bystander
> category.   Operating against the IP number, while not always perfect, is more
> perfect than using a domain name.
>
> However, there is something else to consider too, and that is reporting the
> spamvertised web sites, which requires deobfuscating the URL encoding that some
> of the more clueless spammers do.
>
> I also have found that most of the open relay/open proxy block lists only
> actually offer a partial listing of actual relays.   This is the reason that for
> a blocker to be effective, one must choose several from a long list of databases
> in order to do the job you want to do.  Most of them allow access at no charge.
> Some are self-updating, and others never update and consequently get stricter
> and stricter, which is not a good thing.
>
> Now, filtering rules are something else again, and that is a good thing to
> spend effort on, to score the subject and content, and when a threshold is
> reached the mail is isolated.  The open relay stuff is checked first, and if an
> IP appears on one of them then that mail is not even allowed a connection.  For
> rules to apply, the email must be downloaded to apply the rules, and once
> downloaded, either dumped into dev/null (deleted) or routed to a spam folder
> for periodic review to guard against false positives.
>
> I have been involved in anti-spamming for several years, and I recognize the
> yeoman's job you are doing to create a workable application, and hopefully will
> not require a heavy administrative burden for the user.
>
> The one good thing that can come from the occasional good email that has been
> blocked is the pressure the ISP's customer can directly apply to them to rigidly
> enforce their Terms of Service.   The most effective tool for reducing the
> endless spew of spam will be when the ISP can no longer make a profit by either
> hosting it or allowing it to pass through their systems at the expense of losing
> their regular customers.
>
> My experience is that the smaller, regional service providers are the most
> responsive to spam complaints and are pretty quick about terminating accounts,
> whereas the larger providers are so swamped with complaints, they are, for the
> most part, unresponsive.  Another problem is misconfigured mail servers that are
> operating as open relays, mostly off shore, that do not follow the RFC's which
> require them to report accurately the origin of email transiting their servers.
> The cause may be that so much software overseas is pirated, it is not kept up to
> date, but I am only guessing here.  The result in those cases is that one can
> never trace all the way back to the origin the source of the spam.
>
>
> ======================================
> Stop spam on your domain, use our gateway!
> For hosting solutions http://www.clickdoug.com
> ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
> ======================================
> If you are not satisfied with my service, my job isn't done!
>
> ----- Original Message -----
> From: "Michael Dinowitz" <[EMAIL PROTECTED]>
> To: "CF-Community" <[EMAIL PROTECTED]>
> Sent: Thursday, June 12, 2003 5:41 PM
> Subject: Re: iMS CFUG Edition
>
>
> | As a side note, this is one of the reasons for banning a domain. When I get spam
> | from a domain I email both their postmaster and abuse accounts. When I get an
> | email like this, the domain gets flagged as needing a once over. If, after a
> | once over, I can't get any response from them (even a recorded message), then
> | it's banned.
> | This place happens to be a substance abuse center. I'll then go into the spam
> | message to see if they were sending it or if they have an open relay. If they
> | sent it, then they're spammers and are blocked. If it's a relay, I'll try to
> | hunt down their admin to report it.
> |
> | <[EMAIL PROTECTED]>: host posti.a-klinikka.fi[193.64.139.107] said: 550 5.7.1
> |     Unable to relay for [EMAIL PROTECTED]
> |
> | <[EMAIL PROTECTED]>: host posti.a-klinikka.fi[193.64.139.107] said: 550
> |     5.7.1 Unable to relay for [EMAIL PROTECTED]
> |
> |
> 
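
The bounce triage described in this thread (complain to a domain's postmaster and abuse accounts, look closer only when both bounce), as an added example that is not part of the original messages. The sample report, its domains and the "investigate"/"wait" labels are constructed, and treating any 5xx reply as a rejected account is an assumption.

```python
import re

# Postfix-style bounce entry, in the shape quoted in the thread:
#   <rcpt>: host NAME[IP] said: 550 5.7.1 Unable to relay for rcpt
# \s+ also spans the line folds such reports contain.
BOUNCE_RE = re.compile(
    r"<(?P<local>[^<>@\s]+)@(?P<domain>[^<>\s]+)>:\s+host\s+\S+\[[^\]]+\]"
    r"\s+said:\s+(?P<code>\d{3})\b"
)
ROLE_ACCOUNTS = {"postmaster", "abuse"}

def rejected_roles(report):
    """Map domain -> set of role accounts that bounced permanently (5xx)."""
    seen = {}
    for m in BOUNCE_RE.finditer(report):
        local, domain = m["local"].lower(), m["domain"].lower()
        if local not in ROLE_ACCOUNTS:
            continue
        roles = seen.setdefault(domain, set())
        if m["code"].startswith("5"):  # assumption: 4xx is temporary, ignore it
            roles.add(local)
    return seen

def triage(report):
    """'investigate' only when both role accounts bounced, otherwise 'wait'."""
    return {
        domain: "investigate" if roles == ROLE_ACCOUNTS else "wait"
        for domain, roles in rejected_roles(report).items()
    }

# Constructed sample report (reserved example domains and addresses).
SAMPLE = """\
<postmaster@relay.example>: host mx.relay.example[192.0.2.10] said: 550
    5.7.1 Unable to relay for postmaster@relay.example
<abuse@relay.example>: host mx.relay.example[192.0.2.10] said: 550 5.7.1
    Unable to relay for abuse@relay.example
<abuse@isp.example>: host mail.isp.example[198.51.100.7] said: 550 5.1.1
    User unknown
<postmaster@busy.example>: host mx.busy.example[203.0.113.5] said: 452 4.2.2
    Mailbox full
"""

if __name__ == "__main__":
    for domain, action in triage(SAMPLE).items():
        print(f"{domain}: {action}")
```
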