From: "JoeHill" <[EMAIL PROTECTED]>

> > Ideally what I want to do is to get my server to just say "Bog off"
> > when the delivery attempt is made.
>
> Well, AFAIK, the only way to do that is with a bounce, and there's the rub. When
> you bounce, you just doubled the 'damage' that the spam mail caused, and as jdow
> so politely pointed out, you may be bouncing to someone who never sent anything,
> unless you can bounce to the originating IP, but I haven't the faintest idea how
> you could configure Postfix/Procmail/whatever to do something like that. I'd
> like to do the same thing, I'm sure a lot of people very annoyed with spam and
> viruses would, but...

I react rather strongly to being victimized by a "joe job" and the bounces that people who've not spent 2 minutes to really think about the problem send ME instead of the real originator. There is nothing you can do about being a victim of a "joe job" other than to ride it out. (Well, if you manage to find the real author of the joe job software or the people who commissioned the joe job attacks and break a few instructional bones it might do some good, briefly. {^_-}) The best help you can provide for the "joe job" is not to facilitate the attack by not bouncing emails like that.

(It has gotten to the point that it's not a good policy to bounce anything except on a full mailbox. It can lead to YOU getting attacked, since a fair number of the "no such user" emails you receive are fishing for real users, some are intended to bounce and victimize the purported rather than actual sender, and the small remaining number seem to be designed to either target or harass the system administrators.)

There are ways to drop email cleanly. "Greylisting" is one such tactic that has its rather vocal proponents. It tends to lead to delays in receiving many legitimate emails. If those delays do not harm you then greylisting is an excellent approach. It may be a little difficult to set up, though.

Another technique is to cull IP addresses from the Received-From chains, check them with several black hole lists, and if your "score" from these checks is high enough you terminate the transaction. This can be very time consuming in your MTA. However, if it is a one person setup that should be no particular problem. If it is for an ISP with thousands of subscribers it could bring the mail server machines to their knees fairly quickly.

All in all, using a tool like a well trained SpamAssassin with some carefully selected "SARE" (SpamAssassin Rules Emporium) rule sets and the SURBL black list can lead to VERY accurate spam tagging.

I am rather partial to spam tagging as opposed to simply dumping, at least on a single user or very small office configuration. Some legitimate emails can trigger rules that normally have very low miss rates. So I score the spams and have OutlookExpunge sort the spam into a spam folder. I look at the dozen or so lowest scoring spams to cull out things like the rare LKML message that triggers too many "chickenpox" or "tripwire" rules. Then I make a really quick scan of the rest to see if anything looks "real" - or to be honest looks like it might have some humor value. (Some of the recent spate from the Orient are priceless for their translations into English that differ from the plain text and HTML versions. Stilted is too polite a term for how silly they get.) Then I may check the Bayes scores for a few of the lower scoring items and feed them to Bayes if Bayes did not think they were fairly spammy already. It all takes as little as 2 or 3 minutes per day if I don't have time to mine it for the humor value. I can spare that to avoid the rare critical message (say due to at least one of AOL's mail tools misformatting messages in a spammy way) that gets tagged as spam. I also expect one or two escaped spams to run wild in my mailbox, like the set that just struck one of the Mandrake lists. Spam evolves so fast it's hard for the spam fighters to win all the time. But so far today in about 700 messages SA is managing 100%, though.

> > I had hoped that adding the IP or the sender details to the black list
> > of Spam Assassin might do this but it does not.

Typically with a joe job you are getting bounce messages from all over the place. I've had to remove "Postmaster" and its synonyms from any hint of whitelisting within SpamAssassin. Too many such messages are simply joe job bounces or viruses. (NK-VIR suggested below is a good bet. It's not 100%. (I turned off much of its "scam" filtering. I leave that to SpamAssassin. Nigerian scam testing mal-triggers too often. Er, and some of them are the funniest of all.) Setting up ClamAV plus SpamAssassin reportedly works very well for viruses. It can be a bear to set up, though.)

> > I guess the best thing would be to do a /dev/null in my procmail
> > script if I had the faintest idea how to do that.

(That is what I do with two chief annoyances, a site that I see in too many (varies with mood) bounce messages come back from or a site that expects me to jump through hoops so that my email, via a mailing list, can be received at someone else's site. I figure the latter is not somebody I want to talk to. I have maybe 6 sites currently blocked for those kinds of behavior.)

> Something to check out:
>
> http://agriroot.aua.gr/~nikant/nkvir/
>
> Just add it to your .procmailrc, follow the instructions to make sure it's
> config'd properly, and you can /dev/null them if you want (though it's not
> recommended). I've been using this recipe for over a year and only had one false
> positive.

As a note, nkvir is PURELY a procmail tool. It segregates the viruses and, if you elect, several forms of scam into a holding area. You need to remember to check them in case there is a real email there. Although that's only happened once, on a sample message to the SpamAssassin mailing list. Speaking of which, you can also use procmail rules to leave selected mailing lists, like the SpamAssassin users or developers lists, out of the scanning. So far no REAL spammer has been stupid enough to try to send a spam through the list. Spam is the list's FOOD not waste, which is something the Apache email system manager has not quite figured out yet.

So - Joanne's anti-spam guide in short:

1) Install SpamAssassin (3.0.2 is out now.)

2) Visit http://spamassassin.apache.org/ and read. Then read some more. Visit the Wiki and read. SA is frustrating sometimes. The reading will tell you why and how to deal with it. The Wiki will help you deal with amavis, clamav, milter, qmail, postfix, sendmail, and other tools or MTAs.

3) Turn off automatic whitelisting and Bayes training. (I have seen that lead to too many corrupted filtering systems. I've not had that problem in the year or two I've been running SA with Bayes and auto learning options. I figure I was right to mistrust the concept from the start. At least don't turn them on until after Bayes is well trained.)

4) Investigate the SpamAssassin Rule Emporium. (Google it.) Pick the rule sets you think might fit your needs best, ranging from very aggressive to "safe for general ISPs". Install them, of course.

5) Set up an automated spam training plan. I use a cron job for myself and my partner that runs at night when traffic levels are low. It is rather involved and requires some special hacking because we both use OutlookExpunge for convenience reasons. (We make our income off that Redmond OS. Linux isn't up to our needs, YET. It's a server OS that can be pressed into Desktop use. It's not a multimedia OS.)

6) Set up a place to put sample ham and sample spam. Make sure this place appears as a mailbox to the users so they can simply copy their spam and random chunks of ham to these mailboxes for training. (Explain the need for training and care doing so. Yeah, I know it's wasted breath or keystrokes in many cases.... At least try.) Place at least 200 spam and 200 ham samples into those mailboxes then train based on those emails. For privacy reasons discard the ham automatically once the training is completed. You can ALWAYS get large volumes of ham to train upon out of most users' saved mail. Save the spam off to create a very large spam corpus typical of your location. It sometimes helps with retraining a messed up Bayes database. Few users save spam.

7) Test your configuration on yourself, for a few weeks.

8) Place it into production, and keep using it yourself. Be prepared to keep up to date with the various rule sets. You will also probably want to develop some custom rules for yourself. (For example, some tweeb got my email address associated with the name DANIEL HOFER on many of the millions of names CDROMs. That has been one of my custom filter rules since 2.44 days. Some good comes from all evil, even joe jobs. Another good filter is your email address rot-13 or base-64 encoded.)

If you are a real fanatic join the spamassassin users list at spamassassin.apache.org. Good luck and good spam fighting. And please PLEASE do not facilitate joe jobs. {^_^}
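As an added example, not taken from the message above or from any of the tools it names, here is the Received-chain black hole list scoring jdow describes: pull the relay IPs out of the Received headers, query each list zone, add up the weights and refuse the SMTP transaction (rather than bounce) when the score is high enough. The headers, the list zones, the weights and thresholds, and the `received_ips`/`dns_lookup` helpers are my own constructions; `LISTED` stands in for real DNS answers so the block runs offline.

```python
import re
import socket
from email import message_from_string
# Constructed sample (not from the post): the top Received header was added by
# our own MTA, the one below it names the client that handed the message over.
SAMPLE = """Received: from mx.example.org ([192.0.2.10]) by mail.example.net; Mon, 10 Jan 2005 10:00:00 +0000
Received: from unknown (HELO pc) ([203.0.113.42]) by mx.example.org; Mon, 10 Jan 2005 09:59:50 +0000
"""
ZONES = {"bl-a.example": 3.0, "bl-b.example": 2.5}  # constructed zones and weights
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw, trusted=("192.0.2.10",)):
    """Bracketed IPs from every Received header, skipping our own trusted relays."""
    ips = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = IP_RE.search(hdr)
        if m and m.group(1) not in trusted and m.group(1) not in ips:
            ips.append(m.group(1))
    return ips

def dnsbl_query_name(ip, zone):
    """DNSBLs are queried with the octets reversed under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_lookup(name):
    """Live lookup: a listed IP answers with an A record (one query per IP per zone)."""
    try:
        return bool(socket.gethostbyname(name))
    except socket.gaierror:
        return False

def dnsbl_score(ips, zones, lookup=dns_lookup):
    """Sum the weight of every zone that lists any IP in the chain."""
    score, hits = 0.0, []
    for ip in ips:
        for zone, weight in zones.items():
            if lookup(dnsbl_query_name(ip, zone)):
                score += weight
                hits.append((ip, zone))
    return score, hits

def decide(score, reject_at=5.0, tag_at=2.0):
    """Refuse during the SMTP session (no bounce is ever generated), else tag or accept."""
    if score >= reject_at:
        return "reject-at-smtp"
    return "tag-and-file" if score >= tag_at else "accept"

# Offline stand-in for dns_lookup: a constructed listing of one IP on both zones.
LISTED = {dnsbl_query_name("203.0.113.42", z) for z in ZONES}
```

Pass `LISTED.__contains__` as the `lookup` argument to run it without network access; with the default `dns_lookup` each IP costs one DNS round trip per zone, which is the load jdow warns about on a busy MTA.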
____________________________________________________ Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com Join the Club : http://www.mandrakeclub.com ____________________________________________________