RE: SPAM origin

[Clinton Goudie]

Something I read while I was researching the RBL was that often if the
address resolves that you should do a dns lookup of type text, for
example....
----------------------------------------------------------------------------
-
> set type=all
> 101.83.241.128.sbl.spamhaus.org
Server:  UnKnown
Address:  10.0.0.1

Non-authoritative answer:
101.83.241.128.sbl.spamhaus.org internet address = 127.0.0.2
101.83.241.128.sbl.spamhaus.org text =

        "Listed on SBL - see
http://spamhaus.org/SBL/sbl.lasso?query=SBX3120";
----------------------------------------------------------------------------
-

This is the text you're supposed to send back with the reply, although the
way James does it, it doesn't look up this information, rather I just sends
back the notice posted in the <notify> tag.

It might be valuable to collect this information when notifying the sender
that they are blacklisted... This information will immediately lead them to
why they are there, instead of just leaving some poor user, whose ISP has
ended up on the blacklist, out in the cold.

The ORDB and osirusoft are the good way to go.

Also, another good option is sbl.spamhaus.org. (
http://www.spamhaus.org/SBL/ ) I've added this rbl filter for my server, and
all I can say is they have an incredible spam kill rate. I've not seen a
spam message come through my server since I added this one, where as ORDB
and osirusoft do less of specific spam filtering types of things, and more
of the open relay prevention. These guys trace down the individuals sending
the spam and have some really interesting information about them.

On another note, I really like the idea of getting James to trace back
through the forwarding steps as an option and do rbl lookups on each one.

Something I found extremely handy was to create a separate processor in my
config.xml for blacklisted items so I could attempt to notify the sender in
specific ways, send it to a different repository, or just bit-bucket it.

This is when I got into trying to have the mailet notify sender from a
bit-bucket address instead of postmaster, as most of the sender addresses
were bogus, and then I end up receiving the spam through the postmaster
account as a delivery notification failure. If anyone knows how to configure
the send from address using the NotifySender mailet, please let me know. The
current alternative I'm using is to bit-bucket emails from postmaster to
postmaster.

I'd be happy to incorporate my changes in a well documented config.xml and
send them though should anyone be interested...


Clint



-----Original Message-----
From: Noel J. Bergman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 02, 2002 10:22 PM
To: James Users List
Subject: RE: SPAM origin

Serge,

Well, as it happens, I received some e-mail fitting the criteria just
earlier today.  A legit host carried it from an open relay.

As for the DNS checks, I'm going to remove the mail-abuse checks, and pare
down to just relays.osirusoft.com and relays.ordb.org.

I'm thinking that it might be a good policy to tag possible SPAM with
X-Spam-Warning or X-RBL-Warning headers.  That would allow someone to pass
the e-mail along, but make it easy to filter on the client.  [More on this
in a James-Dev thread]

        --- Noel

-----Original Message-----
From: Serge Knystautas [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 02, 2002 23:20
To: James Users List
Cc: Russell Coker
Subject: Re: SPAM origin


It might be worth doing... the thing is, if there is an open relay, it's
probably getting to you from that open relay (as opposed to going from
one to another).  Downside though is it makes mail processing a lot
slower.  If you comment out the DNS related checks in your spool
processor, generally you'll see a huge increase in performance.  So
doubling or more the number of checks probably is overkill.  But it
certainly might be worth having as an option.
--
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/

Noel J. Bergman wrote:
> Right now InSpammerBlacklist checks the remote address of the proximate
> relay to see if it is open.  Is that sufficient?  We are trusting that
relay
> to filter out e-mail from open relay sources.
>
> Should we be (at least optionally) checking the entire series, and
rejecting
> if we find any open server in the chain?
>
>       --- Noel




--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>