From: "JoeHill" <[EMAIL PROTECTED]>

> > Ideally what I want to do is to get my server to just say "Bog off"
> > when the delivery attempt is made.
>
> Well, AFAIK, the only way to do that is with a bounce, and there's the
> rub. When you bounce, you just doubled the 'damage' that the spam mail
> caused, and as jdow so politely pointed out, you may be bouncing to
> someone who never sent anything, unless you can bounce to the
> originating IP, but I haven't the faintest idea how you could configure
> Postfix/Procmail/whatever to do something like that. I'd like to do the
> same thing, I'm sure a lot of people very annoyed with spam and viruses
> would, but...

I react rather strongly to being victimized by a "joe job" and the
bounces that people who've not spent 2 minutes to really think about
the problem send ME instead of the real originator. There is nothing
you can do about being a victim "joe job" other than to ride it out.
(Well, if you manage to find the real author of the joe job software
or the people who commissioned the joe job attacks and break a few
instructional bones it might do some good, briefly. {^_-}) The best
help you can provide for the "joe job" is not to facilitate the attack
by not bouncing emails like that. (It has gotten to the point it's not
a good policy to bounce anything except on a full mailbox. It can lead
to YOU getting attacked since a fair number of the "no such user"
emails you receive are fishing for real users, some are intended to
bounce and victimize the purported rather than actual sender, and the
small remaining number seem to be designed to either target or harass
the system administrators.)

There are ways to drop email cleanly. "Greylisting" is one such tactic
that has its rather vocal proponents. It tends to lead to delays in
receiving many legitimate emails. If those delays do not harm you then
greylisting is an excellent approach. It may be a little difficult to
set up, though. Another technique is to cull IP addresses from the
Received-From chains, check them with several black hole lists, and
if your "score" from these checks is high enough you terminate the
transaction. This can be very time consuming in your MTA. However,
if it is a one person setup that should be no particular problem. If
it is for an ISP with thousands of subscribers it could bring the
mail server machines to their knees fairly quickly.

All in all using a tool like a well trained SpamAssassin with some
carefully selected "SARE", SpamAssassin Rules Emporium, rule sets and
the SURBL black list can lead to VERY accurate spam tagging. I am
rather partial to spam tagging as opposed to simply dumping, at least
on a single user or very small office configuration. Some legitimate
emails can trigger rules that normally have very low miss rates. So
I score the spams and have OutlookExpunge sort the spam into a spam
folder. I look at the dozen or so lowest scoring spams to cull out
things like the rare LKML message that triggers too many "chickenpox"
or "tripwire" rules. Then I make a really quick scan of the rest to
see if anything looks "real" - or to be honest looks like it might
have some humor value. (Some of the recent spate from the Orient are
priceless for their translations into English that differ from the
plain text and HTML versions. Stilted is too polite a term for how
silly they get.) Then I may check the Bayes scores for a few of the
lower scoring items and feed them to Bayes if Bayes did not think they
were fairly spammy already. It all takes as little as 2 or 3 minutes
per day if I don't have time to mine it for the humor value. I can
spare that to avoid the rare critical message (say due to at least
one of AOL's mail tools misformatting messages in a spammy way) that
gets tagged as spam. I also expect one or two escaped spams to run
wild in my mailbox, like the set that just struck one of the Mandrake
lists. Spam evolves so fast it's hard for the spam fighters to win
all the time. But so far today in about 700 messages SA is managing
100%, though.

> > I had hoped that adding the IP or the sender details to the black list
> > of Spam Assassin might do this but it does not.

Typically with a joe job you are getting bounce messages from all over
the place. I've had to remove "Postmaster" and its synonyms from any
hint of whitelisting within SpamAssassin. Too many such messages are
simply joe job bounces or viruses. (NK-VIR suggested below is a good
bet. It's not 100%. (I turned off much of its "scam" filtering. I leave
that to SpamAssassin. Nigerian scam testing mal-triggers too often. Er,
and some of them are the funniest of all.) Setting up ClamAV plus
SpamAssassin reportedly works very well for viruses. It can be a bear
to set up, though.)

> > I guess the best thing would be to do a /dev/null in my procmail
> > script if I had the faintest idea how to do that.

(That is what I do with two chief annoyances, a site that I see in
too many (varies with mood) bounce messages come back from or a site
that expects me to jump through hoops so that my email, via a mailing
list, can be received at someone else's site. I figure the latter is
not somebody I want to talk to. I have maybe 6 sites currently blocked
for those kinds of behavior.)

> Something to check out:
>
> http://agriroot.aua.gr/~nikant/nkvir/
>
> Just add it to your .procmailrc, follow the instructions to make sure it's
> config'd properly, and you can /dev/null them if you want (though it's not
> recommended). I've been using this recipe for over a year and only had one
> false positive.

As a note, nkvir is PURELY a procmail tool. It segregates the viruses
and if you elect several forms of scam, into a holding area. You need
to remember to check them in case there is a real email there. Although
that's only happened once, on a sample message to the SpamAssassin
mailing list. Speaking of which you can also use procmail rules to
leave selected mailing lists, like the SpamAssassin users or developers
lists, out of the scanning. So far no REAL spammer has been stupid
enough to try to send a spam through the list. Spam is the list's
FOOD not waste, which is something the Apache email system manager
has not quite figured out yet.

So - Joanne's anti-spam guide in short

1) Install SpamAssassin (3.0.2 is out now.)
2) Visit http://spamassassin.apache.org/ and read. Then read some more.
   Visit the Wiki and read. SA is frustrating sometimes. The reading
   will tell you why and how to deal with it. The Wiki will help you
   deal with amavis, clamv, milter, qmail, postfix, sendmail, and other
   tools or MTAs.
3) Turn off automatic whitelisting and Bayes training. (I have seen that
   lead to too many corrupted filtering systems. I've not had that problem
   in the year or two I've been running SA with Bayes and auto learning
   options. I figure I was right to mistrust the concept from the start.
   At least don't turn them on until after Bayes is well trained.)
4) Investigate the SpamAssassin Rule Emporium. (Google it.) Pick the
   rule sets you think might fit your needs best ranging from very
   aggressive to "safe for general ISPs". Install them, of course.
5) Set up an automated spam training plan. I use a cron job for myself
   and my partner that runs at night when traffic levels are low. It is
   rather involved and requires some special hacking because we both
   use OutlookExpunge for convenience reasons. (We make our income off
   that Redmond OS. Linux isn't up to our needs, YET. It's a server OS
   that can be pressed into Desktop use. It's not a multimedia OS.)
6) Set up a place to put sample ham and sample spam. Make sure this place
   appears as a mailbox to the users so they can simply copy their spam
   and random chunks of ham to these mailboxes for training. (Explain
   the need for training and care doing so. Yeah, I know it's wasted
   breath or keystrokes in many cases.... At least try.) Place at least
   200 spam and 200 ham samples into those mailboxes then train based
   on those emails.

   For privacy reasons discard the ham automatically once the training
   is completed. You can ALWAYS get large volumes of ham to train upon
   out of most users' saved mail. Save the spam off to create a very
   large spam corpus typical of your location. It sometimes helps
   with retraining a messed up bayes database. Few users save spam.
7) Test your configuration on yourself, for a few weeks.
8) Place it into production, and keep using it yourself. Be prepared
   to keep up to date with the various rule sets. You will also probably
   want to develop some custom rules for yourself. (For example, some
   tweeb got my email address associated with the name DANIEL HOFER on
   many of the millions of names CDROMs. That has been one of my custom
   filter rules since 2.44 days. Some good comes from all evil, even
   joe jobs. Another good filter is your email address rot-13 or base-64
   encoded.) If you are a real fanatic join the spamassassin users list
   at spamassassin.apache.org.

Good luck and good spam fighting. And please PLEASE do not facilitate
joe jobs.

{^_^}



____________________________________________________
Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
____________________________________________________
