Re: Which Spam Block List to use for a network?
On Wed, Jun 30, 2004 at 08:53:40AM +0200, Matej Kovac wrote:
> > :) Well, my approach is not that fancy. I just check if the callback passes the RCPT, and if not, issue a 550 with a short message telling that my host will not accept mail that cannot be answered.
>
> you are receiving a message and you start callback to the mx if he passes the rcpt test, but - the mx starts callback to you if you pass... [...]

Actually that's not the case. The callback is done with MAIL FROM: Blu.
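The callback exchange argued over in this message, as an added example that is not part of the original thread: a toy in-memory model of two servers that both verify senders by callback. It assumes the callback is sent with the null reverse-path (`MAIL FROM:<>`); the domains `a.example` and `b.example`, the mailboxes and the session cap are constructed for illustration.

```python
"""Toy model of SMTP sender-callback verification between two mail servers.
No network is used; every domain and mailbox below is constructed."""

from dataclasses import dataclass, field

MAX_SESSIONS = 20  # safety cap so a callback loop is reported, not run forever


class CallbackLoop(Exception):
    """Raised when callbacks keep triggering further callbacks."""


@dataclass
class Network:
    servers: dict = field(default_factory=dict)  # domain -> MailServer
    sessions: int = 0                            # SMTP sessions opened so far

    def connect(self, domain):
        self.sessions += 1
        if self.sessions > MAX_SESSIONS:
            raise CallbackLoop(f"gave up after {MAX_SESSIONS} sessions")
        return self.servers.get(domain)


@dataclass
class MailServer:
    domain: str
    mailboxes: set
    net: Network
    callout_sender: str = ""  # "" models the null reverse-path, MAIL FROM:<>

    def rcpt(self, mail_from, rcpt_to):
        """Return the (code, text) reply to RCPT TO for one SMTP session."""
        local, _, domain = rcpt_to.partition("@")
        if domain != self.domain or local not in self.mailboxes:
            return 550, "no such user"
        # A null sender marks a bounce or a callback probe: there is no
        # address to verify, so no further callback is started.
        if mail_from == "":
            return 250, "ok"
        if not self.sender_answers(mail_from):
            return 550, "sender cannot be answered, mail refused"
        return 250, "ok"

    def sender_answers(self, address):
        """Callback: ask the sender's MX whether it accepts RCPT for address."""
        peer = self.net.connect(address.partition("@")[2])
        if peer is None:
            return False
        code, _ = peer.rcpt(self.callout_sender, address)
        return code == 250


def deliver(net, mail_from, rcpt_to):
    """Open the initial session; return (reply code or 'loop', sessions used)."""
    net.sessions = 0
    try:
        server = net.connect(rcpt_to.partition("@")[2])
        if server is None:
            return "no MX", net.sessions
        code, _ = server.rcpt(mail_from, rcpt_to)
    except CallbackLoop:
        return "loop", net.sessions
    return code, net.sessions


def build(callout_a, callout_b):
    """Two servers that both do sender callbacks, with the given probe senders."""
    net = Network()
    net.servers["a.example"] = MailServer(
        "a.example", {"alice", "postmaster"}, net, callout_a)
    net.servers["b.example"] = MailServer(
        "b.example", {"bob", "postmaster"}, net, callout_b)
    return net


if __name__ == "__main__":
    null = build("", "")
    print(deliver(null, "alice@a.example", "bob@b.example"))   # real sender
    print(deliver(null, "nobody@a.example", "bob@b.example"))  # forged sender
    # Probes sent from a real address make each side verify the other's probe.
    war = build("postmaster@a.example", "postmaster@b.example")
    print(deliver(war, "alice@a.example", "bob@b.example"))
```

With null-sender probes each delivery costs exactly one extra session, including the forged-sender case; only probes sent from a verifiable address produce the runaway exchange.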
Re: Which Spam Block List to use for a network? [SCANNED]
On Wednesday 30 June 2004 23.15, David Thurman wrote:
> On 6/30/04 10:43 AM, Robert Cates wrote:
> > Well I do not remember ever seeing on the evening news or morning news paper that somebody was hurt or worse killed from a Spam attack!
>
> Maybe no one has been killed, but given the human nature I am sure there will be some collateral effects that could come to death from all this.

Some of the people traveling to Nigeria to reclaim their losses were actually killed. OTOH, it can be argued that anybody stupid enough to fall for a 419 deserves what he gets. Still, it's actual people being actually killed because of spam.

cheers
-- vbi

--
featured product: the GNU Compiler Collection - http://gcc.gnu.org
Re: Which Spam Block List to use for a network? [SCANNED]
On Thu, 1 Jul 2004 09:04:01 +0200, Adrian wrote in message [EMAIL PROTECTED]:
> OTOH, it can be argued that anybody stupid enough to fall for a 419 deserves what he gets. Still, it's actual people being actually killed because of spam.

..it can also be argued the Nigerian 419 rule is racism, against _all_ other Africans, effectively denying them _any_ business opportunity over internet.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: Which Spam Block List to use for a network?
Hi, why don't you make life easier for yourself and forget trying to block Spam! Let your customers and/or users be responsible for blocking Spam! There is plenty of anti-spam software out there for both Windows and Linux platforms for the end-user to choose from and use to block Spam.

I mean, I think this Spam problem should be left up to the individual, like so many other things in life, and stop having companies and/or organizations trying to control the e-mail aspect of the Internet. I feel that even companies large and small themselves (and I'm not talking about ISPs) should be the ones to control Spam, just like they (try) to control access to Porn sites. Even with all of the anti-spam solutions and Black Lists out there, I still get a lot of Spam, but for me it's not much more of a problem than to just click the delete button/option, and empty my waste basket once a week.

I really think there's people out there on the wrong track trying to tackle this Spam problem (in terms of ISPs and their services), and not (really, fully) realizing what effect this control has on the Internet.

Look, when I go to the store, I can buy whatever TV is out there on the market, and I can bring it home and tune it in for all (or none) of the broadcast stations available in my area. I can pay for cable TV, or not. I can even control what gets seen and when, including all of the (Spammed) commercials. So I've controlled everything from choosing the TV, to watching what I want in the evening; not the store, not the station/channel I'm watching, but me.

Spam Black (Block) Lists? Not a good thing in my opinion!! I mean, e-mail servers can be configured NOT to relay for unauthorized domains anyway. I'm not an advocate of e-mail Spamming. I just feel that the control or blocking should be left up to the individual user. Just like it's my choice which Office package I want to (buy and) use. ;-)

-Robert

----- Original Message -----
From: Matej Kovac [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 30, 2004 8:53 AM
Subject: Re: Which Spam Block List to use for a network?

On Wed, Jun 23, 2004 at 07:33:52PM -0400, Blu wrote:
> On Wed, Jun 23, 2004 at 09:01:24PM +1000, Russell Coker wrote:
> > On Wed, 23 Jun 2004 18:23, Blu [EMAIL PROTECTED] wrote:
> > > Well yes. Maybe I oversimplified. What I do is a callback to the MX of the envelope sender to see if it accepts mail to him/her. If not, the mail is rejected with an explicative 550.
> >
> > You aren't the only one who does that. I have found one other person who does that and who happens to have their mail server in an address range that's black-listed. So when I sent mail to them their mail server made a call-back to mine, my server rejected that and their mail server then generated a 55x code that tried to summarise the code from mine. Then my mail server took that and made it into a bounce message.
>
> Of course I am not the first one doing this. In fact Exim4 has built-in capability to do so.
>
> > The resulting message was something that I could not decipher even though I have 10 years of experience running Internet mail servers! All I could do was post a message to a mailing list I knew the person was subscribed to and inform them that their server was borked in some unknown way.
>
> :) Well, my approach is not that fancy. I just check if the callback passes the RCPT, and if not, issue a 550 with a short message telling that my host will not accept mail that cannot be answered.

you are receiving a message and you start callback to the mx if he passes the rcpt test, but - the mx starts callback to you if you pass... don't do this, this is a finger^H^H^H^H^H^H^Hn rcpt-war.

and what is curious is... what if yahoo would do rcpt checks and I forge some yahoo email? you would try to rcpt-check yahoo? and they'd too... and I have put you in war with yahoo.

--
matej kovac [EMAIL PROTECTED]
Re: Which Spam Block List to use for a network?
On Wed, 30 Jun 2004 23:54, Robert Cates [EMAIL PROTECTED] wrote:
> Spam Black (Block) Lists? Not a good thing in my opinion!! I mean, e-mail servers can be configured NOT to relay for unauthorized domains anyway. I'm not an advocate of e-mail Spamming. I just feel that the control or blocking should be left up to the individual user. Just like it's my choice which Office package I want to (buy and) use. ;-)

Should we leave control of crime to the victim as well? Or do you think that a professional police force is better?

When users try to deal with spam they often complain to the wrong people (think about joe-job's), they take the wrong actions (think about sending email to the remove address in a spam), and they don't have the competence to do it properly (think about the people who block postmaster mail etc, or who just block everything and complain to their ISP).

It's better for the ISP to have an anti-spam system that blocks most of the spam that customers want blocked and gets a small enough number of false-positives that they don't mind. Some ISPs find that SpamCop's DNSBL fits this description...

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Which Spam Block List to use for a network?
On Wednesday 30 June 2004 15.54, Robert Cates wrote:
> Hi, why don't you make life easier for yourself and forget trying to block Spam! Let your customers and/or users be responsible for blocking Spam!
[...]

Apart from what Russell says: are you prepared to pay for it? According to some (IIRC AOL published numbers like that) email blocked in the SMTP transaction reaches 80-90% of the mail delivery attempts in some cases (I have ca. 50%, I guess mainly because my domain is insignificant enough not to attract systematic dictionary attacks etc.)

So, are you prepared to pay for
 - the additional storage used to store all the mail
 - the additional support personnel to answer phones when customers are annoyed that their mail quota is full again
 - the additional bandwidth used to transfer all that spam to the customers
 - the additional time spent by all customers (instead of just once by the ISP) to configure an anti-spam set up that will in 80% of the cases filter out all of the same messages for everybody (not to mention that such a set up has less information available, like crossassassin-style detection of the same message being delivered to many accounts, which is quite a good spam-sign in many cases).

Lacking experience with large set ups, this is not hard data, but I'm quite confident that those who *have* experience with large set ups can confirm these thoughts.

I agree that false positives are extremely annoying, so an ISP/corporate anti-spam policy will have to be more conservative than what some here use for their own email.

cheers
-- vbi

--
Beware of the FUD - know your enemies. This week
* The Alexis de Toqueville Institue *
http://fortytwo.ch/opinion/
Re: Which Spam Block List to use for a network?
> Should we leave control of crime to the victim as well? Or do you think that a professional police force is better?

Well I do not remember ever seeing on the evening news or morning news paper that somebody was hurt or worse killed from a Spam attack! Have you ever been a victim of crime? Has somebody in your family been killed by a drunk driver? Can anybody who's been a victim of crime honestly say oh it's ok, but I sure wish a police was with me when it happened? Anyway, this is heading down another road, and yes, I am fully aware of the importance of our police department/force, in every country.

> When users try to deal with spam they often complain to the wrong people (think about joe-job's), they take the wrong actions (think about sending email to the remove address in a spam), and they don't have the competence to do it properly (think about the people who block postmaster mail etc, or who just block everything and complain to their ISP).

Somebody who blocks everything, or ignorantly complains to their ISP, needs to be educated, not hand-held. That education in my mind is a service and responsibility of the ISP, and if it's a matter of getting too many phone calls per day, there can easily be an FAQ posted on the ISP web site. Or maybe more appropriately it should be the responsibility of the software vendor providing the Anti-Spam software.

> It's better for the ISP to have an anti-spam system that blocks most of the spam that customers want blocked and gets a small enough number of false-positives that they don't mind. Some ISPs find that SpamCop's DNSBL fits this description...

Who on the ISP side knows what the customer wants (blocked)? Are the ISPs calling all of their customers and asking?

So the world will come to a day when all Internet users won't have much choice, won't know what's getting blocked, won't know who's controlling what, won't know who's making what decision, the largest ISP will take-over the competition, and before we know it, there will be an Internet monopoly much the same as the PC software industry of the past 20 or more years.
Re: Which Spam Block List to use for a network?
On Thu, 1 Jul 2004 01:43, Robert Cates [EMAIL PROTECTED] wrote:
> Well I do not remember ever seeing on the evening news or morning news paper that somebody was hurt or worse killed from a Spam attack! Have you

I know many people who have a stated intention of killing a spammer if given a reasonable chance. It would really suck if one of those people accidentally killed a non-spammer by mistake!

> > When users try to deal with spam they often complain to the wrong people (think about joe-job's), they take the wrong actions (think about sending email to the remove address in a spam), and they don't have the competence to do it properly (think about the people who block postmaster mail etc, or who just block everything and complain to their ISP).
>
> Somebody who blocks everything, or ignorantly complains to their ISP, needs to be educated, not hand-held. That education in my mind is a service and responsibility of the ISP, and if it's a matter of getting too many phone calls per day, there can easily be an FAQ posted on the ISP web site. Or maybe more appropriately it should be the responsibility of the software vendor providing the Anti-Spam software.

Sure. Next time you run an ISP with over a million customers and only three people who really know how email works you can try educating users. I'll stick to giving them what I and management think is best for them.

> Who on the ISP side knows what the customer wants (blocked)?

I do because I'm the bofh! ;)

> Are the ISPs calling all of their customers and asking?

No point. The customer doesn't know the answer either.

> So the world will come to a day when all Internet users won't have much choice, won't know what's getting blocked, won't know who's controlling what, won't know who's making what

If a user finds that their ISP gives them the wrong mix of spam protection to false positives then they can find another ISP. ISPs that make the wrong choices will lose business and eventually go bankrupt or get bought out by better ISPs.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Which Spam Block List to use for a network?
On Thu, 1 Jul 2004 01:34, Adrian 'Dagurashibanipal' von Bidder [EMAIL PROTECTED] wrote:
> I agree that false positives are extremely annoying, so an ISP/corporate anti-spam policy will have to be more conservative than what some here use for their own email.

The correct solution to false positives (IMHO) is to be extremely conservative in regard to dropping email. Only a confirmed virus should be dropped on the floor. Any other rejection of a message should be a code 55x in the SMTP protocol.

If you reject a message with a 55x and a suitable message then the author of the message can find another method of contact and there is no loss merely inconvenience.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Which Spam Block List to use for a network?
[no cc:s on list mail, please]

On Wednesday 30 June 2004 18.17, Russell Coker wrote:
> If you reject a message with a 55x and a suitable message then the author of the message can find another method of contact and there is no loss merely inconvenience.

While I personally agree, some people react extremely offended/aggressive when confronted with a rejection message (there are quite a few of these in the Debian project ;-/, and I've met one or two in my http://www.pool.ntp.org project (/plug)... Also, some people do not know that an email bounce is perfectly readable (these are people who perfectly know how to read and who understand English, but go run away screaming when confronted with a slightly technical-looking message - the 'it's technical, I won't understand it anyway' mindset).

In both cases, the result is that the 'other method of contact' does not usually happen, but the failure of communication is just being ignored.

cheers
-- vbi

--
Available for key signing in Zürich and Basel, Switzerland
(what's this? Look at http://fortytwo.ch/gpg/intro)
Re: Which Spam Block List to use for a network? [SCANNED]
On 6/30/04 10:43 AM, Robert Cates wrote:
> Well I do not remember ever seeing on the evening news or morning news paper that somebody was hurt or worse killed from a Spam attack!

Wrong, you must not read the Industry trade magazines. Many people are (harmed) ripped off from spam, possibly jailed from buying email prescriptions online, which was one of the issues on Rush Limbaugh, have had their identities stolen (TV ads) (Major newspapers), and much more.

Maybe no one has been killed, but given the human nature I am sure there will be some collateral effects that could come to death from all this.

I guess you have so much spam to delete you don't have time to read the paper, listen to the radio or TV.

--
David Thurman
The Web Presence Group
http://www.the-presence.com
Web Development/E-Commerce/CMS/Hosting/Dedicated Servers
800-399-6441/309-679-0774
Re: Which Spam Block List to use for a network?
On June 26, 2004 05:27 pm, Leonardo Boselli wrote:
> Just a note. Since these are infected machines, a first test could be just to try to call back the other server, to see if it replies to port 25.

Being unable to connect to port 25 doesn't mean anything. AFAIK there is no RFC or other standard saying that to send email with smtp you must accept email by smtp.

It is normal (or at least common) to verify that the sender's domain at least appears to accept mail but a given mail relay could be dedicated to outgoing mail and there's no reason that it must accept mail.

--
Fraser Campbell [EMAIL PROTECTED]
http://www.wehave.net/
Georgetown, Ontario, Canada
Debian GNU/Linux
Re: Which Spam Block List to use for a network?
On Thu, 24 Jun 2004 11:58, Jason Lim [EMAIL PROTECTED] wrote:

> > most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS. their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent.

If someone wants to use a hotmail or yahoo email address when sending email to me then they will use hotmail/yahoo servers to send it. My mail server will prevent them doing otherwise, and has been doing so since before SPF started becoming popular.

> This also applies to most hosting companies. If your ISP prevents outgoing SMTP (port 25) to other mail servers and you are forced to use your ISP's mail servers, then the mail server is not going to match that of your hosting account or domain name. Thus SPF fails again in this case.

You just have to enable the ISP's mail server in the SPF configuration. That allows a customer of the same ISP to joe-job you, but sorting THAT out should not be so difficult.

> I feel SPF is not going to be implemented many places not because people don't want to reduce spam, but because SPF just won't work in many cases. In fact, depending on how you look at it, it doesn't reduce spam at ALL (phishing is certainly bad, but that is a separate problem).

If it stops people from joe-jobbing me then that's enough reason to have it.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Which Spam Block List to use for a network?
On Sat, Jun 26, 2004 at 06:34:53PM +1000, Russell Coker wrote:

> On Thu, 24 Jun 2004 11:58, Jason Lim [EMAIL PROTECTED] wrote:
> > > most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS. their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent.
>
> If someone wants to use a hotmail or yahoo email address when sending email to me then they will use hotmail/yahoo servers to send it. My mail server will prevent them doing otherwise, and has been doing so since before SPF started becoming popular.

doesn't matter. hotmail and yahoo are only two domains out of millions that will never have SPF records in the DNS. some because the domain owners are lazy and/or ignorant, some (like debian.org) because they have a legitimate need to send mail from so many locations that it is impossible to specify all allowed hosts.

> > I feel SPF is not going to be implemented many places not because people don't want to reduce spam, but because SPF just won't work in many cases. In fact, depending on how you look at it, it doesn't reduce spam at ALL (phishing is certainly bad, but that is a separate problem).
>
> If it stops people from joe-jobbing me then that's enough reason to have it.

that's a reason for you to have SPF records (well, it will be if/when enough MX servers implement SPF checking...in the meantime, it doesn't hurt to have them).

like me, you *can* have SPF records for your domain because you *can* list all the hosts allowed to send mail claiming to be from your domain. that just isn't the case for many domains.

that is why SPF will never be a generic anti-spam tool. it is a tightly-focussed anti-forgery tool of very limited use.

craig

--
craig sanders [EMAIL PROTECTED]
The next time you vote, remember that Regime change begins at home
Re: Which Spam Block List to use for a network?
On 22 Jun 2004 at 8:40 Adam Funk wrote:

> This is a smarter way to do it. Wouldn't you admit that the problem is not from MTAs on dynamic IP addresses, but rather from infected Windows machines on dynamic IP addresses?

Just a note. Since these are infected machines, a first test could be just to try to call back the other server, to see if it replies to port 25. If it does, the bet on accept, if not go ahead with checking ...

--
Leonardo Boselli
Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile
Universita` di Firenze, V. S. Marta 3 - I-50139 Firenze
tel +39 0554796431 cell +39 3488605348 fax +39 055495333
http://www.dicea.unifi.it/~leo
Re: Which Spam Block List to use for a network?
Hi Craig,

> > [BTW, debian.org does not have an SPF entry.]
>
> nor should it. there are over a thousand @debian.org addresses, belonging to over a thousand people, all of whom use their own internet connections to send mail. it would be impossible to specify all the hosts allowed to send mail claiming to be from @debian.org.

that may be correct for @debian.org, but for sure the mailservers which are supposed to be sending @lists.debian.org are only certain ones. So there are even places where it might make sense to set up SPF for the debian domain. (like lists, ftp-master, security.debian.org maybe even etc.)

--
Best regards,
Kilian
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 10.26, Adrian 'Dagurashibanipal' von Bidder wrote:

> > Finally, I keep postmaster always open, a thing that a lot of this happy blocking servers does not.
>
> Goes without saying. Additionally, as I said, the rejection message does contain an unblocked email address, too. So far, postmaster and abuse are not spammed.

It may be quite off topic, but I am actually looking for a way to keep the postmaster address open, but until now I haven't succeeded. :-( I use rblsmtpd. Any clues or suggestions?

Thanks!
Jasper
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 20:51, Craig Sanders wrote:

> On Wed, Jun 23, 2004 at 12:05:57PM -0300, Yves Junqueira wrote:
> > SPF is a proposed standard. http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt Even Microsoft seemed to drop its CallerID proposal in favor of SPF. Check spf.pobox.com
>
> SPF isn't a very effective tool for blocking spam or viruses. it is a tool for preventing some kinds of forgery. it is useful where the owner of a domain can strictly define which hosts are allowed to send mail claiming to be from their domain. it is not useful otherwise.

I sense an implication that this is some small percentage of total non-spam email. Doesn't this cover a _huge_ percentage of valid email? Who does this rule out other than power users with an MTA on their laptop or people using greeting card sites?

Also, according to Meng Weng's Linux Journal article, SPF makes provisions for power users with their own MTA on dynamic IPs (even if Russell doesn't ;). In addition, if you are a power user that uses forward files, if you switch to remailing SPF will also work. These require using advanced SPF: the exists and include mechanisms.

> most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS. their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent.

Why do you say never? If it's good enough for aol and google, why not hotmail and yahoo? According to spf.pobox.com, Microsoft has endorsed SPF as a standard.

Regards,
Mark
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 21:58, Jason Lim wrote:

> This also applies to most hosting companies. If your ISP prevents outgoing SMTP (port 25) to other mail servers and you are forced to use your ISP's mail servers, then the mail server is not going to match that of your hosting account or domain name. Thus SPF fails again in this case.

I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ...

Regards,
Mark
Re: Which Spam Block List to use for a network?
Hi Mark,

On Thu, 24.06.2004, at 14:06, Mark Bucciarelli wrote:

> I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ...

so you mean this will also cut down the secondary spam through mailinglists (which have a proper SPF most probably). How is that MTA gonna see within the MAIL FROM whom this was forwarded for? I mean, the general issue (for me) is not the spam i receive directly through my primary host, but those that's forwarding email-addresses, which have a whitelisted mx host re-sending me the spam they accepted (which would have been rejected if it was sent to my primary email address). For that problem I currently see no other way than doing content scanning. But please anybody enlighten me in case i have missed a point on SPF or the rest of the discussion.

--
Best regards,
Kilian
Re: Which Spam Block List to use for a network?
On Thu, 24 Jun 2004, Mark Bucciarelli wrote:

> On Wednesday 23 June 2004 21:58, Jason Lim wrote:
> > This also applies to most hosting companies. If your ISP prevents outgoing SMTP (port 25) to other mail servers and you are forced to use your ISP's mail servers, then the mail server is not going to match that of your hosting account or domain name. Thus SPF fails again in this case.
>
> I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ...

are you sure? i never see such header!
Re: Which Spam Block List to use for a network?
On Thursday 24 June 2004 08:23, Leonardo Boselli wrote:

> On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > On Wednesday 23 June 2004 21:58, Jason Lim wrote:
> > > This also applies to most hosting companies. If your ISP prevents outgoing SMTP (port 25) to other mail servers and you are forced to use your ISP's mail servers, then the mail server is not going to match that of your hosting account or domain name. Thus SPF fails again in this case.
> >
> > I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ...
>
> are you sure? i never see such header!

Yes. See http://spf.pobox.com/faq.html

Regards,
Mark
Re: Which Spam Block List to use for a network?
On Thursday 24 June 2004 08:17, Kilian Krause wrote:

> Hi Mark,
>
> On Thu, 24.06.2004, at 14:06, Mark Bucciarelli wrote:
> > I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ...
>
> so you mean this will also cut down the secondary spam through mailinglists (which have a proper SPF most probably).

No. I meant that I send my domain mail through my ISP's SMTP server and I can setup my domain's DNS txt record so this works with SPF.

[BTW, debian.org does not have an SPF entry.]

> How is that MTA gonna see within the MAIL FROM whom this was forwarded for? I mean, the general issue (for me) is not the spam i receive directly through my primary host, but those that's forwarding email-addresses, which have a whitelisted mx host re-sending me the spam they accepted

It's the other server's responsibility, not yours. I guess you have the option not to whitelist them, since they send you spam.

Regards,
Mark
Re: Which Spam Block List to use for a network?
On Thu, 24 Jun 2004, Mark Bucciarelli wrote:

> > > I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ...
> >
> > are you sure? i never see such header!
>
> Yes. See http://spf.pobox.com/faq.html

that is mail from: not mail-from: how can i see it as a recipient? I do not trust other systems for filtering! After all, there is no problem in giving a fake address as mail from so you on the end should test if the alleged from is conformant with the originating host, and you are again in trouble if someone sends a message from another domain.
Re: Which Spam Block List to use for a network?
Hi Mark,

> It's the other server's responsibility, not yours. I guess you have the option not to whitelist them, since they send you spam.

That's technically correct. However it lacks the important bit. It's my *problem* not theirs. (for i still get the spam, even if they *SHOULD* be blocking it) Thus I still want to eliminate it, for telling they shouldn't be sending it to me in the first place doesn't delete it, does it?

--
Best regards,
Kilian
Re: Which Spam Block List to use for a network?
On Thursday 24 June 2004 08:48, Leonardo Boselli wrote:

> On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > > > I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ...
> > >
> > > are you sure? i never see such header!
> >
> > Yes. See http://spf.pobox.com/faq.html
>
> that is mail from: not mail-from: how can i see it as a recipient? I do not trust other systems for filtering! After all, there is no problem in giving a fake address as mail from so you on the end should test if the alleged from is conformant with the originating host, and you are again in trouble if someone sends a message from another domain.

Somewhere along the mail trail, the spammer forged the MAIL FROM header and sent an email from a server not associated with the forged domain. That's where SPF can work. Once that email is accepted by the receiving server, the game is over.

For most cases, it doesn't cost anything to implement SPF now. And if you do it, and tell two friends, and they tell two friends ...

There are only two significant problems that I know of with SPF:

(1) traditional UNIX .forward files and /etc/aliases files [1] don't change the return-path address in the envelope.

(2) greeting card sites and e-mail me this news article sites use your email address in the envelope as well as the From: header.

For (1), you can use remailing instead. For (2), you have to ask the site to change their policy. Newer sites may already work (for example, Orkut doesn't have this problem).

[1] Linux Journal, May 2004, p. 53

Regards,
Mark
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 20:51, Craig Sanders wrote:

> most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS.

Looks like you can use SPF with Hotmail since February.

February 26th 2004: The latest version of Mail::SPF::Query will parse Caller-ID records! SPF-enabled MTAs can now read Hotmail and Microsoft.com's records and translate them into SPF format. [1]

Q: Do all hotmail accounts have Caller-ID records?

Regards,
Mark

[1] http://spf.pobox.com/
Re: Which Spam Block List to use for a network?
Hi Mark,

> For most cases, it doesn't cost anything to implement SPF now. And if you do it, and tell two friends, and they tell two friends ...

well, this may be correct. However i miss the config snippet to drop into exim4 in spf.pobox.com. So how do i make my MTA verify SPF? (setting up the DNS is easy enough, but i also want to check the others, wouldn't i? *g*)

--
Best regards,
Kilian
Re: Which Spam Block List to use for a network?
On Thursday 24 June 2004 10:09, Kilian Krause wrote:

> Hi Mark,
>
> > For most cases, it doesn't cost anything to implement SPF now. And if you do it, and tell two friends, and they tell two friends ...
>
> well, this may be correct. However i miss the config snippet to drop into exim4 in spf.pobox.com. So how do i make my MTA verify SPF? (setting up the DNS is easy enough, but i also want to check the others, wouldn't i? *g*)

http://spf.pobox.com/downloads.html
Re: Which Spam Block List to use for a network?
On Thu, 24 Jun 2004 09:19:41 -0400, Mark Bucciarelli [EMAIL PROTECTED] wrote:

> Q: Do all hotmail accounts have Caller-ID records?

(Sorry about the broken replying in my last message)

It's not about hotmail *accounts*, it's either hotmail.com has published SPF/Caller-ID records or not. I can't check from where I am now, but try:

    # host -t TXT hotmail.com

Also, try:

    # host -t TXT gmail.com

The last time I checked, hotmail didn't have any TXT records anymore, neither Caller-ID nor SPF. I am almost sure it had published Caller-ID records before. On the other hand, Gmail has a -all SPF record, which is nice for us mail admins, who could block fake @gmail.com - like those @yahoo, @msn, @hotmail that come all the time. They are usually blocked by some other methods, but some pass.

I disagree with Craig Sanders. I understand that "their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent", but that's why there is ~all and other partial, graylisting options. And the *hope* is mail servers that doesn't use SASL authentication to do so.

I think SPF can help a lot, because phishing and spamming are very related. One can be fooled to read a mail from [EMAIL PROTECTED] just because he thinks it is legitimate. This happens all the time. (it could be hotmail.com or any other domain)

Btw, a very important feature I use in some implementations is that the mail server will not accept mail from its own domains if the user is not authenticated, even if the final destination is a valid user. I've noticed a lot of spam comes with a MAIL FROM (or From, I'm not sure) faked to the 'domain.tld' part of the smtp server greeting. This seems to work for me in most scenarios (all my users already have to authenticate using SASL, anyway). What are your thoughts?

A small contribution: For those who are still in doubt, the idea of SPF is: one can only send mails with a @gmail.com sender address from those servers specified by SPF records in the gmail.com TXT domain record. If you want to send e-mail from somewhere else, you must ideally authenticate to gmail's SMTP server (SASL is the keyword here). If you send e-mail from somewhere else, my server will block you, since it has an SPF checker (postfix's spf policyd).

This has been a very informative discussion. Thanks!

--
Yves Junqueira
www.lynx.com.br
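The check Yves summarises above, and the forwarding problem Mark lists as (1) earlier in the thread, as an added example that is not part of the original messages or of any SPF implementation. It evaluates only the ip4, ip6, include and all mechanisms, and every domain, address and TXT record in it is constructed (documentation ranges) and stands in for a DNS lookup.

```python
import ipaddress

# Constructed TXT records standing in for DNS (all names and ranges are made up).
RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 include:isp.example -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "roaming.example": "v=spf1 ip4:203.0.113.5 ~all",
    "forwarder.example": "v=spf1 ip4:203.0.113.200 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def envelope_domain(mail_from):
    """Domain of the SMTP envelope sender, given 'MAIL FROM:<a@b>' or '<a@b>'."""
    addr = mail_from.split(":", 1)[-1].strip().strip("<>")
    return addr.rpartition("@")[2].lower() or None


def check_host(ip, domain, records=RECORDS, depth=0):
    """SPF result for client `ip` claiming envelope domain `domain`."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    txt = records.get(domain)
    if not txt or txt.split()[0] != "v=spf1":
        return "none"                   # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in txt.split()[1:]:
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"   # only an inner pass counts as a match
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def spf_result(client_ip, mail_from, header_from=None, records=RECORDS):
    """Verdict for one SMTP transaction. header_from is accepted only to show
    that the From: header plays no part in the decision."""
    domain = envelope_domain(mail_from)
    if domain is None:
        return "none"   # null sender; a real checker falls back to the HELO name
    return check_host(client_ip, domain, records)


if __name__ == "__main__":
    cases = [
        ("own server", "192.0.2.3", "<alice@example.org>"),
        ("via ISP smarthost (include:)", "198.51.100.25", "<alice@example.org>"),
        ("forged from unrelated host", "203.0.113.77", "<alice@example.org>"),
        ("~all domain, unlisted host", "203.0.113.77", "<bob@roaming.example>"),
        (".forward, envelope unchanged", "203.0.113.200", "<alice@example.org>"),
        ("remailed, envelope rewritten", "203.0.113.200", "<fwd@forwarder.example>"),
        ("domain without a record", "203.0.113.77", "<carol@norecord.example>"),
    ]
    for label, ip, sender in cases:
        print(f"{label:32} {ip:15} {sender:28} {spf_result(ip, sender)}")
```

Any other customer relaying through 198.51.100.0/24 gets the same pass for example.org, which is the joe-job caveat Russell raises about listing the ISP's mail server.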
Re: Which Spam Block List to use for a network?
On Thu, Jun 24, 2004 at 08:46:20AM -0400, Mark Bucciarelli wrote:

> On Thursday 24 June 2004 08:17, Kilian Krause wrote:
> > Hi Mark,
> >
> > On Thu, 24.06.2004, at 14:06, Mark Bucciarelli wrote:
> > > I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ...
> >
> > so you mean this will also cut down the secondary spam through mailinglists (which have a proper SPF most probably).
>
> No. I meant that I send my domain mail through my ISP's SMTP server and I can setup my domain's DNS txt record so this works with SPF.

yes. SPF is useful for small domains, including small businesses, SOHO, and vanity domains. it's also useful for corporations that have mail gateways through which ALL of their outbound mail is supposed to pass. it's not much use in any other circumstance.

e.g. i have SPF records in my home domains. it is appropriate to have them there because i *KNOW* with absolute 100% certainty which hosts are allowed to send mail claiming to be from those domains. i also have them because the cost of having them is negligible (a few minutes of time to create them) even if there aren't many mail servers which actually check them (hopefully that will change in future) - in other words, they're not much use at the moment but it didn't cost me much to publish the SPF TXT records.

i don't have SPF records in any of the thousands of domains on my name-server at work (an ISP) because i do not and can not know which hosts should be allowed to send mail claiming to be from these domains.

> [BTW, debian.org does not have an SPF entry.]

nor should it. there are over a thousand @debian.org addresses, belonging to over a thousand people, all of whom use their own internet connections to send mail. it would be impossible to specify all the hosts allowed to send mail claiming to be from @debian.org.

as mentioned before, SPF is only useful where the owner of a domain can define exactly which hosts are allowed to send mail claiming to be from that domain. as you correctly deduced earlier (but incorrectly dismissed), it IS a very small percentage of domains which can do this. for every domain that can have SPF records, there are tens of thousands that can't...and for every domain that actually does have them, there are millions that don't. that will always be the case.

SPF is not useful as a generic anti-spam/anti-virus tool. it is a specifically focused anti-forgery tool with a very limited and small set of domains where it can be used. sorry to burst your bubble, but wishful thinking won't make it any different.

craig

ps: more on SPF records for debian.org..it's a good idea to think about the consequences of any action *BEFORE* doing it. jumping on the bandwagon just because it's fashionable or because it's all shiny and new is stupid.

--
craig sanders [EMAIL PROTECTED]
The next time you vote, remember that Regime change begins at home
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 21:58, Jason Lim wrote: This also applies to most hosting companies. If your ISP prevents outgoing SMTP (port 25) to other mail servers and you are forced to use your ISP's mail servers, then the mail server is not going to match that of your hosting account or domain name. Thus SPF fails again in this case. I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ... Regards, Mark
Re: Which Spam Block List to use for a network?
Hi Mark, Am Do, den 24.06.2004 schrieb Mark Bucciarelli um 14:06: I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ... so you mean this will also cut down the secondary spam through mailinglists (which have a proper SPF most probably). How is that MTA gonna see within the MAIL FROM whom this was forwarded for? I mean, the general issue (for me) is not the spam i receive directly through my primary host, but those that's forwarding email-addresses, which have a whitelisted mx host re-sending me the spam they accepted (which would have been rejected if it was sent to my primary email address). For that problem I currently see no other way than doing content scanning. But please anybody enlighten me in case i have missed a point on SPF or the rest of the discussion. -- Best regards, Kilian signature.asc Description: Dies ist ein digital signierter Nachrichtenteil
Re: Which Spam Block List to use for a network?
On Thu, 24 Jun 2004, Mark Bucciarelli wrote: On Wednesday 23 June 2004 21:58, Jason Lim wrote: This also applies to most hosting companies. If your ISP prevents outgoing SMTP (port 25) to other mail servers and you are forced to use your ISP's mail servers, then the mail server is not going to match that of your hosting account or domain name. Thus SPF fails again in this case. I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ... are you sure ? i never see such header !
Re: Which Spam Block List to use for a network?
On Thursday 24 June 2004 08:48, Leonardo Boselli wrote: On Thu, 24 Jun 2004, Mark Bucciarelli wrote: I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ... are you sure ? i never see such header ! Yes. See http://spf.pobox.com/faq.html that is mail from: not mail-from: how can i see it as a recipient ? I do not trust other systems for filtering ! After all, there is no problem in giving a fake address as mail from so you on the end should test if the alleged from is conformat with the originatin host, and yopu are agin in teroble is someone send a message from another domain . Somewhere along the mail trail, the spammer forged the MAIL FROM header and sent an email from a server not associated with the forged domain. That's where SPF can work. Once that email is accepted by the receiving server, the game is over. For most cases, it doesn't cost anything to implement SPF now. And if you do it, and tell two friends, and they tell two friends ... There are only two significant problem that I know of with SPF: (1) traditional UNIX .forward files and /etc/aliases files [1] don't change the return-path address in the envelop. (2) greeting card sites and e-mail me this news article sites use your email address in the envelop as well as the From: header. For (1), you can use remailing instead. For (2), you have to ask the site to change their policy. Newer sites may already work (for example, Orkut doesn't have this problem). [1] Linux Journal, May 2004, p. 53 Regards, Mark
Re: Which Spam Block List to use for a network?
On Thursday 24 June 2004 08:17, Kilian Krause wrote: Hi Mark, Am Do, den 24.06.2004 schrieb Mark Bucciarelli um 14:06: I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ... so you mean this will also cut down the secondary spam through mailinglists (which have a proper SPF most probably). No. I meant that I send my domain mail through my ISP's SMTP server and I can setup my domain's DNS txt record so this works with SPF. [BTW, debian.org does not have an SPF entry.] How is that MTA gonna see within the MAIL FROM whom this was forwarded for? I mean, the general issue (for me) is not the spam i receive directly through my primary host, but those that's forwarding email-addresses, which have a whitelisted mx host re-sending me the spam they accepted It's the other server's responsibility, not yours. I guess you have the option not to whitelist them, since they send you spam. Regards, Mark
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 20:51, Craig Sanders wrote: most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS. Looks like you can use SPF with Hotmail since February. February 26th 2004: The latest version of Mail::SPF::Query will parse Caller-ID records! SPF-enabled MTAs can now read Hotmail and Microsoft.com's records and translate them into SPF format. [1] Q: Do all hotmail accounts have Caller-ID records? Regards, Mark [1] http://spf.pobox.com/
Re: Which Spam Block List to use for a network?
On Thu, 24 Jun 2004, Mark Bucciarelli wrote: I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ... are you sure? I never see such a header! Yes. See http://spf.pobox.com/faq.html that is mail from: not mail-from: how can I see it as a recipient? I do not trust other systems for filtering! After all, there is no problem in giving a fake address as mail from, so you on the end should test if the alleged from is conformant with the originating host, and you are again in trouble if someone sends a message from another domain.
Re: Which Spam Block List to use for a network?
Hi Mark, For most cases, it doesn't cost anything to implement SPF now. And if you do it, and tell two friends, and they tell two friends ... well, this may be correct. However I miss the config snippet to drop into exim4 in spf.pobox.com. So how do I make my MTA verify SPF? (setting up the DNS is easy enough, but I also want to check the others, wouldn't I? *g*) -- Best regards, Kilian
Re: Which Spam Block List to use for a network?
Hi again, On Thu, 24.06.2004 at 16:09, Kilian Krause wrote: Hi Mark, For most cases, it doesn't cost anything to implement SPF now. And if you do it, and tell two friends, and they tell two friends ... well, this may be correct. However I miss the config snippet to drop into exim4 in spf.pobox.com. So how do I make my MTA verify SPF? (setting up the DNS is easy enough, but I also want to check the others, wouldn't I? *g*) well, I seem to just have found it after clicking send. http://spf.pobox.com/exim4.spf.acl-2.09.txt However when installing libmail-spf-query-perl there's no /etc/init.d script to launch spfd. Are there any plans to add this? Is the spfd version even recommended? After all that's exim4-daemon-heavy running sa-exim already, so it should be able to deal with the perl module itself, shouldn't it? Any configs out there already? -- Best regards, Kilian
Re: Which Spam Block List to use for a network?
On Thursday 24 June 2004 10:09, Kilian Krause wrote: Hi Mark, For most cases, it doesn't cost anything to implement SPF now. And if you do it, and tell two friends, and they tell two friends ... well, this may be correct. However I miss the config snippet to drop into exim4 in spf.pobox.com. So how do I make my MTA verify SPF? (setting up the DNS is easy enough, but I also want to check the others, wouldn't I? *g*) http://spf.pobox.com/downloads.html
Re: Which Spam Block List to use for a network?
On Thu, 24 Jun 2004 09:19:41 -0400, Mark Bucciarelli [EMAIL PROTECTED] wrote: Q: Do all hotmail accounts have Caller-ID records? (Sorry about the broken replying in my last message) It's not about hotmail *accounts*, it's either hotmail.com has published SPF/Caller-ID records or not. I can't check from where I am now, but try: # host -t TXT hotmail.com Also, try: # host -t TXT gmail.com The last time I checked, hotmail didn't have any TXT records anymore, either Caller-ID or SPF. I am almost sure it had published Caller-ID records before. On the other hand, Gmail has a -all SPF record, which is nice for us mail admins, who could block fake @gmail.com - like those @yahoo, @msn, @hotmail that come all the time. They are usually blocked by some other methods, but some pass. I disagree with Craig Sanders. I understand that their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent, but that's why there is ~all and other partial, graylisting options. And the *hope* is mail servers that don't use SASL authentication to do so. I think SPF can help a lot, because phishing and spamming are very related. One can be fooled into reading a mail from [EMAIL PROTECTED] just because he thinks it is legitimate. This happens all the time. (it could be hotmail.com or any other domain) Btw, a very important feature I use in some implementations is that the mail server will not accept mail from its own domains if the user is not authenticated, even if the final destination is a valid user. I've noticed a lot of spam comes with a MAIL FROM (or From, I'm not sure) faked to the 'domain.tld' part of the smtp server greeting. This seems to work for me in most scenarios (all my users already have to authenticate using SASL, anyway). What are your thoughts?
A small contribution: For those who are still in doubt, the idea of SPF is: one can only send mails with a @gmail.com sender address from those servers specified by SPF records in the gmail.com TXT domain record. If you want to send e-mail from somewhere else, you must ideally authenticate to gmail's SMTP server (SASL is the keyword here). If you send e-mail from somewhere else, my server will block you, since it has an SPF checker (postfix's spf policyd). This has been a very informative discussion. Thanks! -- Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
On Thu, Jun 24, 2004 at 08:46:20AM -0400, Mark Bucciarelli wrote: On Thursday 24 June 2004 08:17, Kilian Krause wrote: Hi Mark, On Thu, 24.06.2004 at 14:06, Mark Bucciarelli wrote: I'm pretty sure this is incorrect. SPF checks the MAIL-FROM: header, not From:, so I think this case should work fine ... so you mean this will also cut down the secondary spam through mailing lists (which have a proper SPF most probably). No. I meant that I send my domain mail through my ISP's SMTP server and I can set up my domain's DNS txt record so this works with SPF. yes. SPF is useful for small domains, including small businesses, SOHO, and vanity domains. it's also useful for corporations that have mail gateways through which ALL of their outbound mail is supposed to pass. it's not much use in any other circumstance. e.g. i have SPF records in my home domains. it is appropriate to have them there because i *KNOW* with absolute 100% certainty which hosts are allowed to send mail claiming to be from those domains. i also have them because the cost of having them is negligible (a few minutes of time to create them) even if there aren't many mail servers which actually check them (hopefully that will change in future) - in other words, they're not much use at the moment but it didn't cost me much to publish the SPF TXT records. i don't have SPF records in any of the thousands of domains on my name-server at work (an ISP) because i do not and can not know which hosts should be allowed to send mail claiming to be from these domains. [BTW, debian.org does not have an SPF entry.] nor should it. there are over a thousand @debian.org addresses, belonging to over a thousand people, all of whom use their own internet connections to send mail. it would be impossible to specify all the hosts allowed to send mail claiming to be from @debian.org.
as mentioned before, SPF is only useful where the owner of a domain can define exactly which hosts are allowed to send mail claiming to be from that domain. as you correctly deduced earlier (but incorrectly dismissed), it IS a very small percentage of domains which can do this. for every domain that can have SPF records, there are tens of thousands that can't...and for every domain that actually does have them, there are millions that don't. that will always be the case. SPF is not useful as a generic anti-spam/anti-virus tool. it is a specifically focused anti-forgery tool with a very limited and small set of domains where it can be used. sorry to burst your bubble, but wishful thinking won't make it any different. craig ps: more on SPF records for debian.org..it's a good idea to think about the consequences of any action *BEFORE* doing it. jumping on the bandwagon just because it's fashionable or because it's all shiny and new is stupid. -- craig sanders [EMAIL PROTECTED] The next time you vote, remember that Regime change begins at home
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 03.27, Blu wrote: In my server, my policy is to reject mail from hosts which are blocking me. [...] blocking mail which cannot be answered blocks a lot of forged sender spam too, something like 80% here, being conservative. You did say two different things here. I block mail which can't be answered, too, by requiring the send domains to exist. After an upgrade to postfix 2.1 I will consider verifying the user part of sender addresses, too, if greylisting doesn't get the spam down far enough. I've never had my mail rejected by some mailserver, yet, but I don't think I would just block mail from mailservers blocking me - when my block produces false positives, I'm glad if people tell me (the 550 message tells them how to contact me by email without being blocked.) So I like to extend the same courtesy to the operator of the other box. As was said in this thread by somebody, it's all about enabling communication, and not about making it impossible. And blocking spam just keeps email a useful medium. cheers -- vbi -- Television is the theatre's revenge on the film industry. -- Sir Peter Ustinov
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 08:32:17AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote: On Wednesday 23 June 2004 03.27, Blu wrote: In my server, my policy is to reject mail from hosts which are blocking me. [...] blocking mail which cannot be answered blocks a lot of forged sender spam too, something like 80% here, being conservative. You did say two different things here. I block mail which can't be answered, too, by requiring the send domains to exist. After an upgrade to postfix 2.1 I will consider verifying the user part of sender addresses, too, if greylisting doesn't get the spam down far enough. Well, if a host blocks mail from me, mail from that host is in fact unanswerable mail. It is just a subset of mail which can't be answered. I've never had my mail rejected by some mailserver, yet, but I don't think I would just block mail from mailservers blocking me - when my block produces false positives, I'm glad if people tell me (the 550 message tells them how to contact me by email without being blocked.) So I like to extend the same courtesy to the operator of the other box. As was said in this thread by somebody, it's all about enabling communication, and not about making it impossible. And blocking spam just keeps email a useful medium. My 550 tells people that it is HIS host which is blocking mail from mine and that I will accept mail from them as soon as they stop blocking me. I run a number of public service servers and in the past, from the perspective of a user of a server which blocks mail from mine, the mails were being blackholed at my host. They never got an answer or even a bounce. Now, at least they know what is going on and know that the problem is their side, not mine. Finally, I keep postmaster always open, a thing that a lot of these happy blocking servers do not. Blu.
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 08:32:17AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote: Well, if a host blocks mail from me, mail from that host is in fact unanswerable mail. It is just a subset of mail which can't be answered. I think the important part here is not the host, but the domain. If the domain does not exist or does not have any MX records, fair enough, but just because a host doesn't want to receive mail, that's another story... Andrew
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 10:05:50AM +0200, Andrew Miehs wrote: On Wed, Jun 23, 2004 at 08:32:17AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote: Well, if a host blocks mail from me, mail from that host is in fact unanswerable mail. It is just a subset of mail which can't be answered. I think the important part here is not the host, but the domain. If the domain does not exist or does not have any MX records, fair enough, but just because a host doesn't want to receive mail, that's another story... Well yes. Maybe I oversimplified. What I do is a callback to the MX of the envelope sender to see if it accepts mail to him/her. If not, the mail is rejected with an explicative 550. Blu.
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 09.51, Blu wrote: I run a number of public service servers and in the past, from the perspective of a user of a server which blocks mail from mine, the mails were being blackholed at my host. They never got an answer or even a bounce. Huh? Either your servers are/were severely misconfigured, or you don't mean the same thing as I when you talk about blocking. block == reject with 5xx error code in the SMTP transaction. Or possibly block at firewall level. So it's the task of the upstream mailserver to generate a bounce (and since the upstream mailserver in most cases belongs to the administrative domain where the mail originally comes from, there's a fair chance that the bounce actually gets to the sender of the mail.) How did your users not receive a bounce? (... and users not able to read bounce messages are a different topic, of course ...) Finally, I keep postmaster always open, a thing that a lot of these happy blocking servers do not. Goes without saying. Additionally, as I said, the rejection message does contain an unblocked email address, too. So far, postmaster and abuse are not spammed. cheers -- vbi -- Computer analyst to programmer: You start coding. I'll go find out what they want.
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 10:26:49AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote: On Wednesday 23 June 2004 09.51, Blu wrote: I run a number of public service servers and in the past, from the perspective of a user of a server which blocks mail from mine, the mails were being blackholed at my host. They never got an answer or even a bounce. Huh? Either your servers are/were severely misconfigured, or you don't mean the same thing as I when you talk about blocking. block == reject with 5xx error code in the SMTP transaction. Or possibly block at firewall level. Yes, rejection with 5xx error, we are talking the same. So it's the task of the upstream mailserver to generate a bounce (and since the upstream mailserver in most cases belongs to the administrative domain where the mail originally comes from, there's a fair chance that the bounce actually gets to the sender of the mail.) How did your users not receive a bounce? First, I live in a place where ISP mail servers are not trustable, so I generally maintain my own MX servers. Until not so long ago, my MXs were accepting mail from hosts which were themselves blocking mail from them. The result was that my servers received mail normally, but then they found that they cannot answer. From the perspective of the remote user sending mail to my server, the message simply disappeared because my users or even myself had no means to inform the remote user of the fate of the message, at least by email. Having mail driven automatic services, my mailbox was full of complaints and questions about the service being down, questions which I cannot even answer because the MXs of those users didn't like me. At present, rejecting those mails with an explicative 5xx message, those users at least (if they are able to read a bounce), know that it is not my problem, it is theirs. Blu.
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 09:56:02AM +1000, Craig Sanders wrote: You want to block spam or viruses, this is OK but you are on the wrong way. no, it's absolutely the right way. a large percentage of spam and almost all viruses come direct from dynamic IP addresses. I repeat for the last time: the fact that your block is effective to your problem does not mean that you are on the right way. You are arbitrarily dividing the IP address space in two: those that can originate SMTP and those that can't. As far as I know SMTP works because there are RFCs on which the community agrees. You can happily do whatever you want outside the RFCs, just do not pretend to be absolutely the right way. No RFC exists that defines what a dynamic IP address is, nor that those addresses are to be treated differently by an SMTP server. After all, how long should a lease last to be considered static? One year? One week? Hours? You are ignoring this problem, leaving to the ISP the burden to declare what is dynamic. Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses. And please, do not confuse your convenience with absolutely the right way. -- Niccolo Rigacci Firenze - Italy War against Iraq? Not in my name!
Re: Which Spam Block List to use for a network?
On Wed, 23 Jun 2004 18:23, Blu [EMAIL PROTECTED] wrote: Well yes. Maybe I oversimplified. What I do is a callback to the MX of the envelope sender to see if it accepts mail to him/her. If not, the mail is rejected with an explicative 550. You aren't the only one who does that. I have found one other person who does that and who happens to have their mail server in an address range that's black-listed. So when I sent mail to them their mail server made a call-back to mine, my server rejected that and their mail server then generated a 55x code that tried to summarise the code from mine. Then my mail server took that and made it into a bounce message. The resulting message was something that I could not decipher even though I have 10 years of experience running Internet mail servers! All I could do was post a message to a mailing list I knew the person was subscribed to and inform them that their server was borked in some unknown way. What would the average Internet user do in such a situation? The typical 55x message about a DNSBL rejection is clear enough that most people can get some idea of what to do (IE phone the person, use a different mail server, etc). The call-back idea may be good if you have a domain totally full of clueless morons who only receive mail from skilled administrators who have experience in dealing with call-back systems. But if you have average people exchanging email with other average people (the common case) then it will make things worse not better. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: Which Spam Block List to use for a network?
SPF is a proposed standard. http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt Even Microsoft seemed to drop its CallerID proposal in favor of SPF. Check spf.pobox.com On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote: Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses. -- Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
You mean http://www.ietf.org/internet-drafts/draft-mengwong-spf-01.txt. Very nice idea to perhaps avoid some percent of spam. The only problem: It has nothing to do with the reality out in the world and net respectively. It's only shifting the job of blacklisting IPs to domains. Sit back a while and try to think about a realistic number of email addresses/domains today ... ... and you will forget any kind of such academic solution. I'm getting some hundreds of spams every day - all flavors of spam, really! And I know some customers of the company I'm working for with nearly the same amount. Now my answer is a combination of a couple of tools integrated into the mailer daemon we're using today and a weighting scheme of all at the end: Today I'm dealing with about 0,1 % false positives/negatives. So I would say the answer to all methods should be some reasonable regularly updated mixture of them. It's a war not a problem! And I think if somebody is trying to write some RFC for that the same would be obsolete before he's able to publish it. Christian - Original Message - From: Yves Junqueira [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Craig Sanders [EMAIL PROTECTED] Sent: Wednesday, June 23, 2004 5:05 PM Subject: Re: Which Spam Block List to use for a network? SPF is a proposed standard. http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt Even Microsoft seemed to drop its CallerID proposal in favor of SPF. Check spf.pobox.com On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote: Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses. -- Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
This could be also of interest. Although it is old (Feb 99), most of its recommendations are valid. Others have not yet come to a consensus, like using 4xx error codes instead of 5xx for denying spam. Anyway, it instigates more profound analysis from the mail admin. http://www.faqs.org/rfcs/rfc2505.html What are your thoughts, readers? On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote: Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses. -- Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
It's a good paper to start for learning about basics of spam blocking. As you already mentioned: most of it is still a must for every mailserver today. But interesting: 4xx instead of 5xx is used successfully by greylisting! Christian - Original Message - From: Yves Junqueira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 24, 2004 12:12 AM Subject: Re: Which Spam Block List to use for a network? This could be also of interest. Although it is old (Feb 99), most of its recommendations are valid. Others have not yet come to a consensus, like using 4xx error codes instead of 5xx for denying spam. Anyway, it instigates more profound analysis from the mail admin. http://www.faqs.org/rfcs/rfc2505.html What are your thoughts, readers? On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote: Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses. -- Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 12:05:57PM -0300, Yves Junqueira wrote: SPF is a proposed standard. http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt Even Microsoft seemed to drop its CallerID proposal in favor of SPF. Check spf.pobox.com On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote: Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses. SPF isn't a very effective tool for blocking spam or viruses. it is a tool for preventing some kinds of forgery. it is useful where the owner of a domain can strictly define which hosts are allowed to send mail claiming to be from their domain. it is not useful otherwise. this means it is very useful for, say, banks and other corporations to prevent/limit phishing style scams. it is also useful for small businesses and home vanity domains. it is not useful as a general anti-spam/anti-virus tool because spammers and viruses can just forge addresses in any of the millions of domains that don't have (and never will have) SPF records. most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS. their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent. SPF is useful and a *part* of the solution for *some* of the problem. it is not a magic bullet. craig PS: (standard quote information file) please learn to quote properly. your reply goes UNDERNEATH the quoted material, not above it. this allows the quoted message to be read in sequential order rather than reverse chronological order. top-posting screws up the chronological order of the replies making it a jarring chore to make sense of them - you have to scroll backwards and forwards trying to match who said what to whom and when.
the longer a thread goes on, the worse it gets. -- craig sanders [EMAIL PROTECTED] The next time you vote, remember that Regime change begins at home
Re: Which Spam Block List to use for a network?
most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS. their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent. This also applies to most hosting companies. If your ISP prevents outgoing SMTP (port 25) to other mail servers and you are forced to use your ISP's mail servers, then the mail server is not going to match that of your hosting account or domain name. Thus SPF fails again in this case. SPF is useful and a *part* of the solution for *some* of the problem. it is not a magic bullet. I feel SPF is not going to be implemented in many places not because people don't want to reduce spam, but because SPF just won't work in many cases. In fact, depending on how you look at it, it doesn't reduce spam at ALL (phishing is certainly bad, but that is a separate problem). Jas
Re: Which Spam Block List to use for a network?
On Wednesday 23 June 2004 03.27, Blu wrote: In my server, my policy is to reject mail from hosts which are blocking me. [...] blocking mail which cannot be answered blocks a lot of forged sender spam too, something like 80% here, being conservative. You did say two different things here. I block mail which can't be answered, too, by requiring the send domains to exist. After an upgrade to postfix 2.1 I will consider verifying the user part of sender addresses, too, if greylisting doesn't get the spam down far enough. I've never had my mail rejected by some mailserver, yet, but I don't think I would just block mail from mailservers blocking me - when my block produces false positives, I'm glad if people tell me (the 550 message tells them how to contact me by email without being blocked.) So I like to extend the same courtsy to the operator of the other box. As was said in this thread by somebody, it's all about enabling communication, and not about making it impossible. And blocking spam just keeps email a useful medium. cheers -- vbi -- Fernsehen ist die Rache des Theaters an der Filmindustrie. -- Sir Peter Ustinov pgpsSwgT7GghQ.pgp Description: signature
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 10:26:49AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote: On Wednesday 23 June 2004 09.51, Blu wrote: I run a number of public service servers and in the past, from the perspective of an user of a server which blocks mail from mine, the mails were being blackholed at my host. They never got an answer or even a bounce. Huh? Either your servers are/were severely misconfigured, or you don't mean the same thing as I when you talk about blocking. block == reject with 5xx error code in the SMTP transaction. Or possibly block at firewall level. Yes, rejection with 5xx error, we are talking the same. So it's the task of the upstream mailserver to generate a bounce (and since the upstream mailserver in most cases belongs to the administrative domain where the mail originally comes from, there's fair chance that the bounce actually gets to the sender of the mail.) How did your users not receive a bounce? First, I live in a place where ISP mail servers are not trustable, so I generaly maintain my own MX servers. Until not so long ago, my MXs were accepting mail from hosts which were themselves blocking mail from them. The result were that my servers received mail normaly, but then they found that they cannot answer. From the perspective of the remote user sending mail to my server, the message simply disappeared because my users or even myself had no means to inform the remote user of the fate of the message, at least by email. Having mail driven automatic services, my mailbox was full of complains and questions about the service being down, questions which I cannot even answer because the MXs of those users didn't like me. At present, rejecting those mails with an axplicative 5xx message, those users at least (if they are able to read a bounce), know that it is not my problem, it is theirs. Blu.
Re: Which Spam Block List to use for a network?
SPF is a proposed standard. http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt Even Microsoft seemed to drops its CallerID proposal in favor of SPF. Check spf.pobox.com On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote: Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses. -- Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
This could be also of interest. Although it is old (feb 99), most of its recomendations are valid. Others have not yet come to a consensus, like using 4xx error codes instead of 5xx for denying spam. Anyway, it instigates more profund analysis from the mail admin. http://www.faqs.org/rfcs/rfc2505.html What are your thoughts, readers? On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote: Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses. -- Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
You mean http://www.ietf.org/internet-drafts/draft-mengwong-spf-01.txt.

Very nice idea to perhaps avoid some percent of spam. The only problem: It has nothing to do with the reality out in the world and net respectively. It's only shifting the job of blacklisting IPs to domains. Sit back a while and try to think about a realistic number of email addresses/domains today ... and you will forget any kind of such academic solution.

I'm getting some hundreds of spams every day - all flavors of spam, really! And I know some customers of the company I'm working for with nearly the same amount. Now my answer is a combination of a couple of tools integrated into the mailer daemon we're using today and a weighting scheme of all at the end: Today I'm dealing with about 0,1 % false positives/negatives.

So I would say the answer to all methods should be some reasonable, regularly updated mixture of them. It's a war, not a problem! And I think if somebody is trying to write some RFC for that, the same would be obsolete before he's able to publish it.

Christian

----- Original Message -----
From: Yves Junqueira [EMAIL PROTECTED]
To: debian-isp@lists.debian.org; Craig Sanders [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 5:05 PM
Subject: Re: Which Spam Block List to use for a network?

> SPF is a proposed standard. http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
>
> Even Microsoft seemed to drop its CallerID proposal in favor of SPF. Check spf.pobox.com
>
> On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote:
> > Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses.
>
> --
> Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
It's a good paper to start for learning about basics of spam blocking. As you already mentioned: most of it is still a must for every mailserver today. But interesting: 4xx instead of 5xx is used successfully by greylisting!

Christian

----- Original Message -----
From: Yves Junqueira [EMAIL PROTECTED]
To: debian-isp@lists.debian.org
Sent: Thursday, June 24, 2004 12:12 AM
Subject: Re: Which Spam Block List to use for a network?

> This could be also of interest. Although it is old (Feb 99), most of its recommendations are valid. Others have not yet come to a consensus, like using 4xx error codes instead of 5xx for denying spam. Anyway, it instigates more profound analysis from the mail admin.
>
> http://www.faqs.org/rfcs/rfc2505.html
>
> What are your thoughts, readers?
>
> On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote:
> > Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses.
>
> --
> Yves Junqueira www.lynx.com.br
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 09:01:24PM +1000, Russell Coker wrote:
> On Wed, 23 Jun 2004 18:23, Blu [EMAIL PROTECTED] wrote:
> > Well yes. Maybe I oversimplified. What I do is a callback to the MX of the envelope sender to see if it accepts mail to him/her. If not, the mail is rejected with an explicative 550.
>
> You aren't the only one who does that. I have found one other person who does that and who happens to have their mail server in an address range that's black-listed. So when I sent mail to them their mail server made a call-back to mine, my server rejected that and their mail server then generated a 55x code that tried to summarise the code from mine. Then my mail server took that and made it into a bounce message.

Of course I am not the first one doing this. In fact Exim4 has built-in capability to do so.

> The resulting message was something that I could not decipher even though I have 10 years of experience running Internet mail servers! All I could do was post a message to a mailing list I knew the person was subscribed to and inform them that their server was borked in some unknown way.

:) Well, my approach is not that fancy. I just check if the callback passes the RCPT, and if not, issue a 550 with a short message telling that my host will not accept mail that cannot be answered. I don't expect end users to read a bounce, but many of them forward the bounce to customer service instead and in some cases it has been enough to whitelist a server.

> What would the average Internet user do in such a situation? The typical 55x message about a DNSBL rejection is clear enough that most people can get some idea of what to do (IE phone the person, use a different mail server, etc).

In my experience, end users in general are not able to interpret a bounce message and they complain to admins in the best case. In the worst case, they do nothing.

> The call-back idea may be good if you have a domain totally full of clueless morons who only receive mail from skilled administrators who have experience in dealing with call-back systems. But if you have average people exchanging email with other average people (the common case) then it will make things worse not better.

I am not willing to deal with all the sites which reject mail from my servers for the most diverse reasons and every one with a different way of dealing with the problem, if any. If a foreign server is rejecting mail from me, without me having done anything harmful, then the problem is theirs and not mine. It is the administrator of that server who has to explain to his users why he is rejecting legitimate email.

Blu.
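The sender callback discussed in this message, as an added example that is not part of the thread and is nobody's production code: the receiving host asks the MX of the envelope sender whether it would take mail for that address, then answers its own client with a short fixed reply. The null reverse-path for the probe, the reply wording, the host name and the scripted MX dialogues are assumptions constructed for illustration.

```python
from dataclasses import dataclass

NULL_SENDER = "<>"   # assumption: probe with the null reverse-path, so two hosts
                     # that both do callouts never start probing each other


def parse_reply(lines):
    """Return (code, text) for one SMTP reply given as a list of lines.

    Multi-line replies use 'NNN-' on every line but the last ('NNN ' or 'NNN').
    """
    if not lines:
        raise ValueError("empty reply")
    codes = set()
    for i, line in enumerate(lines):
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        continued = line[3:4] == "-"
        if continued == (i == len(lines) - 1):
            raise ValueError("bad continuation marker")
        codes.add(int(line[:3]))
    if len(codes) != 1:
        raise ValueError("reply code changes between lines")
    return codes.pop(), " ".join(line[4:] for line in lines)


class ScriptedMX:
    """Constructed stand-in for the sender's MX: one fixed reply per stage."""

    def __init__(self, **replies):
        self.replies = {"connect": "220 mx ready", "HELO": "250 hello",
                        "MAIL": "250 ok", "RCPT": "250 ok"}
        self.replies.update(replies)
        self.sent = []                      # commands the probe issued

    def exchange(self, stage, command):
        if command:
            self.sent.append(command)
        reply = self.replies[stage]
        if reply is None:                   # None models a dropped connection
            raise ConnectionError(stage)
        return reply.split("\r\n")


@dataclass
class Verdict:
    code: int     # reply given to the client that is offering us the mail
    text: str
    stage: str    # where the callout stopped


def callout(sender, mx, helo_name="mail.example.net"):
    """Ask the sender's MX whether it would take mail for `sender`."""
    if sender in ("", NULL_SENDER):
        return Verdict(250, "ok", "skipped")     # bounces have nothing to verify
    if any(c in sender for c in "\r\n<> "):
        return Verdict(550, "malformed sender address", "syntax")
    dialogue = [("connect", None),
                ("HELO", f"HELO {helo_name}"),
                ("MAIL", f"MAIL FROM:{NULL_SENDER}"),
                ("RCPT", f"RCPT TO:<{sender}>")]
    for stage, command in dialogue:
        try:
            code, _ = parse_reply(mx.exchange(stage, command))
        except (ConnectionError, ValueError):
            code = 421                           # treat a broken dialogue as temporary
        if 200 <= code < 300:
            continue
        if 400 <= code < 500:
            return Verdict(450, "sender verification deferred, try again later", stage)
        # Fixed short wording; the remote text is not echoed, only its code.
        return Verdict(550, "this host does not accept mail that cannot be "
                            f"answered (your MX replied {code} at {stage})", stage)
    return Verdict(250, "ok", "RCPT")
```

A temporary failure on the remote side maps to a 4xx reply so that a greylisting or briefly unreachable MX does not cause a permanent rejection.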
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 11:45:40AM +0200, Niccolo Rigacci wrote:
> On Wed, Jun 23, 2004 at 09:56:02AM +1000, Craig Sanders wrote:
> > > You want to block spam or viruses, this is OK but you are on the wrong way.
> >
> > no, it's absolutely the right way. a large percentage of spam and almost all viruses come direct from dynamic IP addresses.
>
> I repeat for the last time: the fact that your block is effective to your problem does not matter that you are on the right way.

i'm so glad it's the last time. it's very tiresome when someone is both wrong and repetitive.

craig

--
craig sanders [EMAIL PROTECTED]
The next time you vote, remember that Regime change begins at home
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 12:05:57PM -0300, Yves Junqueira wrote:
> SPF is a proposed standard. http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
>
> Even Microsoft seemed to drop its CallerID proposal in favor of SPF. Check spf.pobox.com
>
> On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci [EMAIL PROTECTED] wrote:
> > Please correct me if I'm wrong; I'm searching for RFCs which propose effective ways to block spam and viruses.

SPF isn't a very effective tool for blocking spam or viruses. it is a tool for preventing some kinds of forgery. it is useful where the owner of a domain can strictly define which hosts are allowed to send mail claiming to be from their domain. it is not useful otherwise.

this means it is very useful for, say, banks and other corporations to prevent/limit phishing style scams. it is also useful for small businesses and home vanity domains.

it is not useful as a general anti-spam/anti-virus tool because spammers and viruses can just forge addresses in any of the millions of domains that don't have (and never will have) SPF records.

most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS. their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent.

SPF is useful and a *part* of the solution for *some* of the problem. it is not a magic bullet.

craig

PS: (standard quote information file) please learn to quote properly. your reply goes UNDERNEATH the quoted material, not above it. this allows the quoted message to be read in sequential order rather than reverse chronological order. top-posting screws up the chronological order of the replies making it a jarring chore to make sense of them - you have to scroll backwards and forwards trying to match who said what to whom and when. the longer a thread goes on, the worse it gets.

--
craig sanders [EMAIL PROTECTED]
The next time you vote, remember that Regime change begins at home
Re: Which Spam Block List to use for a network?
> most ISPs (and mail service providers like yahoo and hotmail), for instance, will never have SPF records in their DNS. they may use SPF checking on their own MX servers, but they won't have the records in their DNS. their users have legitimate needs to send mail using their address from any arbitrary location, which is exactly what SPF works to prevent.

This also applies to most hosting companies. If your ISP prevents outgoing SMTP (port 25) to other mail servers and you are forced to use your ISP's mail servers, then the mail server is not going to match that of your hosting account or domain name. Thus SPF fails again in this case.

> SPF is useful and a *part* of the solution for *some* of the problem. it is not a magic bullet.

I feel SPF is not going to be implemented in many places not because people don't want to reduce spam, but because SPF just won't work in many cases. In fact, depending on how you look at it, it doesn't reduce spam at ALL (phishing is certainly bad, but that is a separate problem).

Jas
Re: Which Spam Block List to use for a network?
On Mon, Jun 21, 2004 at 12:46:01PM +0200, Francisco Borges wrote:
> On Sat, Jun 19, 2004 at 08:15:11AM +, Adam Funk wrote:
> > On Friday 18 June 2004 15:40, Francisco Borges wrote:
> > > THE QUESTION: We need to use some form of Block List at the connection level,
> >
> > Whatever you do, don't be one of those ignorant, asinine admins who block mail from all dynamic IPs.
>
> No, I don't intend to do that.

yeah, good decision. blocking mail from dynamic/dialup IP addresses is the right thing to do, but it's much better to be an informed, intelligent and suave admin who does that than an ignorant, asinine one (but that's true of everything, isn't it?).

> Interestingly enough, *today* I got a note from a colleague who has started doing it at his network.

smart colleague.

> I don't know the exact number by heart but we are above 1500 users here; blocking dynamic IPs would be a disaster.

permit your own dynamic/dialup IP addresses, same as you (should) do with other restrictions (e.g. rejecting non-fqdn hostnames...good thing to block from external sources, but not a good idea to block from your own users). reject other dyn/dialups - they should use their own ISP or mail server.

in postfix, you do that by putting the permit_mynetworks rule *before* the reject_rbl_client rule.

craig

--
craig sanders [EMAIL PROTECTED]
The next time you vote, remember that Regime change begins at home
Re: Which Spam Block List to use for a network?
On Tue, 22 Jun 2004 16:13, Craig Sanders [EMAIL PROTECTED] wrote:
> reject other dyn/dialups - they should use their own ISP or mail server.

I second this. A user has no business making direct connections to mail servers.

One thing on my todo list is to use the ODF module of NetFilter to prevent Windows users from connecting to my mail servers when they get viruses. No dial-up list is complete so there are always some Windows users who are accidentally allowed to connect. The URL is below:

http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-osf
Re: Which Spam Block List to use for a network?
On Tuesday 22 June 2004 09:11, Russell Coker wrote:
> On Tue, 22 Jun 2004 16:13, Craig Sanders [EMAIL PROTECTED] wrote:
> > reject other dyn/dialups - they should use their own ISP or mail server.
>
> I second this. A user has no business making direct connections to mail servers.

Maybe in your area you can get a residential ISP whose mailrouters are always reliable. Where I live there is one cable modem provider with no competition; its mailrouters usually work but do not always warn you in good time that mail is queued.

With my own MTA I can tell right away whether mail has been delivered or not -- except when I'm forced to dumbhost my mail through my ISP's mailrouter.

> One thing on my todo list is to use the ODF module of NetFilter to prevent Windows users from connecting to my mail servers when they get viruses. No dial-up list is complete so there are always some Windows users who are accidentally allowed to connect. The URL is below:

This is a smarter way to do it. Wouldn't you admit that the problem is not from MTAs on dynamic IP addresses, but rather from infected Windows machines on dynamic IP addresses?

--
Adam
Re: Which Spam Block List to use for a network?
On Tuesday 22 June 2004 11.37, Niccolo Rigacci wrote:
> You say that because unwanted mail comes often from a dynamic address, you will block all dynamic addresses. What do you think if I block all the mail originated from a Windows machine, simply because many Windows machines are infected and send viruses/spam?

blocking spam is all about maximizing false negatives while minimizing false positives while spending as little effort as possible on the problem. As it happens, blocking dynamic IP ranges does this to some extent. Blocking mail from Windows machines probably would get the false negatives up quite some way, but unfortunately would probably get a higher false positive rate, as there is probably more mail coming from Windows company mailservers than from dynamic IPs.

But of course, you need to analyze if that's in your situation. If you find that the false positives are low enough, be my guest, start blocking by OS.

Additionally, the information regarding dynamic IP ranges is readily available. Information on IPs of Microsoft boxes is available only to Microsoft, if at all (or, of course, vendors of other spyware running on Windows.)

> I work for a firm and we have about 150 Debian servers installed to customers sites, they are connected with adsl [...]

It would probably be a good idea to provide a mail relay to them, if the ISP's mailserver is unusable.

> [...] They have purchased bare adsl connectivity, why do you want to force them to purchase also smtp service from an ISP?

Honest question: does this ADSL provider really not provide SMTP service?

> You are following a nonexistent cause-effect link and you are wasting your time. For a virus writer it is a matter of an hour to change his code to post to the isp's smtp server instead of posting directly. Now you have a huge infrastructure (dynaddr lists) perfectly useless that does big harm to the network.

Cause-effect link doesn't matter. Correlation does. Viruses are currently written to directly connect to the target MX, so currently dynamic IP ranges correlate well with badly maintained spam-sending machines. If Virus writers change, or if home users suddenly start paying attention to basic computer security, the correlation will go away, and so will the usefulness of dynamic IP ranges as spam indicator.

That said, personally, I don't block on dynamic IPs - too many of my friends run mailservers at home, so I'd be hurting myself too much.

cheers
-- vbi

(For illustration: the same argument can be made for blocking whole countries: I don't know anybody in Brazil, or Venezuela, or China, or Korea. Blocking those IP ranges eliminates a lot of spam. Again: there is no cause-effect link, but still, depending on requirements, blocking such ranges is a useful tool.)

--
Beware of the FUD - know your enemies. This week * Patent Law, and how it is currently abused. * http://fortytwo.ch/
Re: Which Spam Block List to use for a network?
On Tue, 22 Jun 2004 19:37, Niccolo Rigacci [EMAIL PROTECTED] wrote:
> > I second this. A user has no business making direct connections to mail servers.
>
> I disagree. You say that because unwanted mail comes often from a dynamic address, you will block all dynamic addresses. What do you think if I block all the mail originated from a Windows machine, simply because many Windows machines are infected and send viruses/spam?

Blocking mail from Win95, Win98, etc is a good thing to do. I plan to do so as soon as practical. The only reason why I haven't done it is that my kernels for mail servers already have enough patches and it's too difficult to manage more.

> I work for a firm and we have about 150 Debian servers installed to customers sites, they are connected with adsl. The IP ranges are owned by the largest Italian provider and they are listed as dynamic ones, despite the fact that they are assigned in a static way. Our customers run their own mail server with SMTP, POP3, IMAP, and webmail.

That's unfortunate. The best thing to do is to obtain an IP address that's correctly listed and use it as an outbound mail relay. Other people have done this to solve the same problem, there is no reason why you can't do it too.

> You have to explain to me why you are blocking their mails.

Bad luck for them. Most legit mail is sent from server machines that are known as such. Most legit mail that is sent from machines that aren't known as servers is because the administrators are too stubborn to work around the problem.

> You also have to explain to me why do you want to force them to use a smart host for their outgoing mails.

I'm not forcing them to use a smart host. If their actions get their email classified as spam then it's their choice. They can always use a webmail system such as hotmail or yahoo mail.

> They have purchased bare adsl connectivity, why do you want to force them to purchase also smtp service from an ISP?

The usual practice is to get SMTP service along with DSL.

> You are following a nonexistent cause-effect link and you are wasting your time.

Not wasting my time, successfully blocking lots of spam and viruses and taking no time to do it. The only time it takes me is explaining it to other people.

> For a virus writer it is a matter of an hour to change his code to post to the isp's smtp server instead of posting directly.

However they have not done so, and there is a simple reason. If you run an ISP with a million customers you can't block port 25 selectively on machines that send viruses, it's too much work to consider. If the policy of the ISP is to allow customers to make outbound port 25 connections (a bad policy IMHO) then you just have to live with tens of thousands of your customers being infected because more machines get infected faster than you can inform them and get them fixed.

However adding a virus scanner to the outbound mail relay is easy. Making the outbound mail relay not allow more than X recipients per email, making it delay a few seconds for each RCPT TO line, and making it not allow more than one TCP connection from each customer IP address are not so difficult to do. So an ISP mail server becomes a serious bottleneck to any virus or spammer, and complaints about the small volume of spam and virus going through it are taken very seriously. Anyone who wants to send spam or viruses has to connect directly.

I'm speaking from personal experience in running an ISP with 1M customers and dealing with these issues.

> Now you have a huge infrastructure (dynaddr lists) perfectly useless that does big harm to the network.

You can believe that if you wish.

I'll keep blocking dialup's. If you want your customers to be able to send mail to machines I run then YOU will have to solve YOUR problem.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: Which Spam Block List to use for a network?
On Tue, 22 Jun 2004 18:41, Adam Funk [EMAIL PROTECTED] wrote:
> On Tuesday 22 June 2004 09:11, Russell Coker wrote:
> > A user has no business making direct connections to mail servers.
>
> Maybe in your area you can get a residential ISP whose mailrouters are always reliable. Where I live there is one cable modem provider with no competition; its mailrouters usually work but do not always warn you in good time that mail is queued.

So find someone else who can relay mail for you. In the past when such things have been discussed people have made offers of a free mail relay service for Debian people.

> This is a smarter way to do it. Wouldn't you admit that the problem is not from MTAs on dynamic IP addresses, but rather from infected Windows machines on dynamic IP addresses?

MTAs on dynamic addresses is an entirely different problem. At one ISP I worked for we had a problem of people installing mail servers on their PCs as open relays. It was decided not to block port 25 inbound, so I planned a scheme where the outbound mail relay would attempt a port 25 connection to the workstation before accepting mail from it. If the port 25 connection succeeded then the mail would be rejected...

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: Which Spam Block List to use for a network?
On Tue, 22 Jun 2004 20:49, Adrian 'Dagurashibanipal' von Bidder [EMAIL PROTECTED] wrote:
> That said, personally, I don't block on dynamic IPs - too many of my friends run mailservers at home, so I'd be hurting myself too much.

The solution to that is simple. You configure your mail server to allow mail from the IP addresses used by your friends before checking the dial-up list!

> (For illustration: the same argument can be made for blocking whole countries: I don't know anybody in Brazil, or Venezuela, or China, or Korea. Blocking those IP ranges eliminates a lot of spam. Again: there is no cause-effect link, but still, depending on requirements, blocking such ranges is a useful tool.)

That is different. When someone chooses the cheapest ISP in their area and has email problems we are not under any obligation to pander to them (in effect spending our own money to compensate for them being cheap). Blocking out an entire country makes it very difficult for a good person to find another way of getting email through.

I have blocked some ISPs in China, Korea, and Brazil that were particularly active in spamming me. Most of those countries are not blocked in my configuration apart from SpamCop etc so it is still possible for people from those countries to send me email.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
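The ordering described in this message and in Craig Sanders' earlier note about putting permit_mynetworks before reject_rbl_client, as an added example that is not part of the thread and is not Postfix code: restrictions are checked in order and the first decisive result wins, so the allow rules must come before the dial-up list lookup. The zone name `dul.dnsbl.example`, the networks, the listed addresses and the stub resolver are constructed for illustration.

```python
import ipaddress

DUL_ZONE = "dul.dnsbl.example"      # hypothetical dial-up list zone


def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL client looks up for `ip`.

    IPv4: octets reversed (a.b.c.d -> d.c.b.a.zone).
    IPv6: all 32 hex nibbles reversed, one label each.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Constructed zone contents: an own dial-up customer, a friend's home
# mail server and an unknown host all sit in listed dynamic ranges.
LISTED = {dnsbl_query_name(ip, DUL_ZONE)
          for ip in ("192.0.2.200", "198.51.100.7", "203.0.113.50")}


def stub_lookup(name):
    """Stand-in for a DNS A query: listed names answer, others are NXDOMAIN."""
    return "127.0.0.2" if name in LISTED else None


MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
FRIENDS = [ipaddress.ip_network("198.51.100.7/32")]


def permit_nets(nets):
    """Restriction: permit clients inside any of `nets`, else no opinion."""
    def check(ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            return ("permit", "250 ok")
        return None
    return check


def reject_rbl(zone, lookup):
    """Restriction: reject with a 5xx reply if the client is listed in `zone`."""
    def check(ip):
        if lookup(dnsbl_query_name(ip, zone)) is not None:
            return ("reject", f"550 5.7.1 client [{ip}] is listed in {zone}")
        return None
    return check


def evaluate(restrictions, ip):
    """First restriction that returns a result decides; default is permit."""
    for check in restrictions:
        result = check(ip)
        if result is not None:
            return result
    return ("permit", "250 ok")


# Allow rules first: own users and known friends never reach the list lookup.
GOOD_ORDER = [permit_nets(MY_NETWORKS), permit_nets(FRIENDS),
              reject_rbl(DUL_ZONE, stub_lookup)]
# List lookup first: the same rules now reject the site's own dial-up users.
BAD_ORDER = [reject_rbl(DUL_ZONE, stub_lookup),
             permit_nets(MY_NETWORKS), permit_nets(FRIENDS)]

if __name__ == "__main__":
    for ip in ("192.0.2.200", "198.51.100.7", "203.0.113.50", "203.0.113.200"):
        print(ip, evaluate(GOOD_ORDER, ip), evaluate(BAD_ORDER, ip)[0])
```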
Re: Which Spam Block List to use for a network?
Hello Craig,

On 2004-06-22 16:13:18, Craig Sanders wrote:
> yeah, good decision. blocking mail from dynamic/dialup IP addresses is the right thing to do, but it's much better to be an informed, intelligent and suave admin who does that than an ignorant, asinine one (but that's true of everything, isn't it?).

Question: is there something like XBL but for DUL?

> craig

Greetings
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/ Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSM LinuxMichi 0033/3/8845235667100 Strasbourg/France IRC #Debian (irc.icq.com)
Re: Which Spam Block List to use for a network?
On Tue, Jun 22, 2004 at 08:57:36PM +1000, Russell Coker wrote:
> I'm not forcing them to use a smart host. If their actions get their email classified as spam then it's their choice.

Here is your error: they sent no spam, in no way, ever! So you definitively got a false positive.

> I'm speaking from personal experience in running an ISP with 1M customers and dealing with these issues.

I'm not impressed by your numbers, here in Italy we have a joke that says that if thousands of millions of flies eat shit, this should be the right thing. I think not so...

I don't doubt that your way is effective on blocking spam with little hassle for you. I don't doubt too that your customers don't care (or even are not aware) of losing legitimate mails. I just say that you are not doing the right thing.

> I'll keep blocking dialup's. If you want your customers to be able to send mail to machines I run then YOU will have to solve YOUR problem.

Thanks, very kind of you, but I think that email is communication, and if communication fails it is a problem of both.

Your approach is quite rude, I can reverse the argumentation: if you want your customers to be able to receive mails from my customers YOU have to solve YOUR problem, period.

You win just because you weigh times me, not because you are doing the right thing.

Ciao

--
Niccolo Rigacci
Firenze - Italy
War against Iraq? Not in my name!
Re: Which Spam Block List to use for a network?
On Wed, 23 Jun 2004 00:23, Niccolo Rigacci [EMAIL PROTECTED] wrote:
> On Tue, Jun 22, 2004 at 08:57:36PM +1000, Russell Coker wrote:
> > I'm not forcing them to use a smart host. If their actions get their email classified as spam then it's their choice.
>
> Here is your error: they sent no spam, in no way, ever! So you definitively got a false positive.

Bummer. I know what it's like, I've been in the same situation. I fixed my problems, they can fix theirs.

> > I'm speaking from personal experience in running an ISP with 1M customers and dealing with these issues.
>
> I'm not impressed by your numbers, here in Italy we have a joke that says that if thousands of millions of flies eat shit, this should be the right thing. I think not so...

That's what we always say about Windows popularity.

> I don't doubt that your way is effective on blocking spam with little hassle for you. I don't doubt too that your customers don't care (or even are not aware) of losing legitimate mails. I just say that you are not doing the right thing.

When running the million-user ISP I asked management to hire someone to deal with spam issues. They refused because it would cost too much. So I did what I could with the resources available.

No legitimate email is lost. Mail is rejected with a SMTP code 5xx and it's up to the sending machine to notify the originator of the problem.

> > I'll keep blocking dialup's. If you want your customers to be able to send mail to machines I run then YOU will have to solve YOUR problem.
>
> Thanks, very kind of you, but I think that email is communication, and if communication fails it is a problem of both. Your approach is quite rude, I can reverse the argumentation: if you want your customers to be able to receive mails from my customers YOU have to solve YOUR problem, period.

Being able to receive email from people who are too stubborn to get statically allocated IP address space correctly recognised as such isn't a big priority for me.

> You win just because you weigh times me, not because you are doing the right thing.

No. I win because a large number of people who run mail servers implement the same policy, they do the same thing as me for the same reasons.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Re: Which Spam Block List to use for a network? [SCANNED]
On 6/22/04 4:37 AM, Niccolo Rigacci wrote:
> You have to explain to me why you are blocking their mails. You also have to explain to me why do you want to force them to use a smart host for their outgoing mails. They have purchased bare adsl connectivity, why do you want to force them to purchase also smtp service from an ISP?
>
> You are following a nonexistent cause-effect link and you are wasting your time. For a virus writer it is a matter of an hour to change his code to post to the isp's smtp server instead of posting directly. Now you have a huge infrastructure (dynaddr lists) perfectly useless that does big harm to the network.

I can see his frustration with the dynamic range, as we also are pondering additional steps to stop the constant flood of virus infected machines that then flood our networks here with emails.

Maybe if more ISP's would take a proactive approach and monitor or filter their networks when they see large floods originating from themselves we wouldn't be having this discussion.

My weak 2$

--
David Thurman
The Web Presence Group
http://www.the-presence.com
Web Development/E-Commerce/CMS/Hosting/Dedicated Servers
800-399-6441/309-679-0774
RE: Which Spam Block List to use for a network?
Ciao Niccolo In my investigations of the price and availability of static IP addresses and the like in Italy, I found that Tiscali, Infostrada, and FastWeb all provided static IP addresses and domain name/MX record management, as part of at least one of their tariff plans associated with ADSL or fibre. I have also successfully mailed out from PC's in NAT networks managed by debian under a single dynamically assigned IP address from these providers using their base 'home ADSL' tariff plans. In all cases I use the SMTP server provided by the ISP at no extra cost, because they recognise that you couldn't e-mail from a PC in any other way. Also, as you can see from my e-mail address (which is in Australia), I don't use the e-mail addresses the Italian ISP's give to me for free to receive e-mail to, just as a means to authorize access to ADSL and to their SMTP servers to send e-mail. If your need is as simple as mine, then you can get by with the base ISP offerings. If, though, you have a need to set up a corporate identity with your own recognised domain names for both IP and MX, then I think you can't really avoid getting a static IP address and a 'business ADSL' tariff, which is available from at least those three providers I mentioned above, but obviously not at 'home ADSL' prices. Regards Peter K. Peter Klavins Datalon SrL [EMAIL PROTECTED] Viale Giuseppe Mazzini 114/A 00195 Roma RM -Original Message- From: Niccolo Rigacci [mailto:[EMAIL PROTECTED] Sent: Tuesday, 22 June 2004 11:38 AM To: [EMAIL PROTECTED] Cc: Russell Coker Subject: Re: Which Spam Block List to use for a network? On Tue, Jun 22, 2004 at 05:59:54PM +1000, Russell Coker wrote: On Tue, 22 Jun 2004 16:13, Craig Sanders [EMAIL PROTECTED] wrote: reject other dyn/dialups - they should use their own ISP or mail server. I second this. A user has no business making direct connections to mail servers. I disagree. You want to block spam or viruses, this is OK but you are on the wrong way. 
You say that because unwanted mail often comes from a dynamic address, you will block all dynamic addresses. What do you think if I block all the mail originated from a Windows machine, simply because many Windows machines are infected and send viruses/spam? I work for a firm and we have about 150 Debian servers installed at customer sites; they are connected with ADSL. The IP ranges are owned by the largest Italian provider and they are listed as dynamic ones, despite the fact that they are assigned in a static way. Our customers run their own mail server with SMTP, POP3, IMAP, and webmail. You have to explain to me why you are blocking their mails. You also have to explain to me why you want to force them to use a smart host for their outgoing mails. They have purchased bare ADSL connectivity, why do you want to force them to purchase also SMTP service from an ISP? You are following a nonexistent cause-effect link and you are wasting your time. For a virus writer it is a matter of an hour to change his code to post to the ISP's SMTP server instead of posting directly. Now you have a huge infrastructure (dynaddr lists) perfectly useless that does big harm to the network. -- Niccolo Rigacci Firenze - Italy War against Iraq? Not in my name!
Re: Which Spam Block List to use for a network?
Doesn't seem like a very scalable solution... Can't wait for IPv6! :-) I am just too lazy to keep this type of list up to date... Found an interesting link while 'surfing' http://www.declude.com/Articles.asp?ID=97 And has anyone got any opinions on http://www.space.net/~maex/Drafts/dns-mtamark/draft-stumpf-dns-mtamark-01.html Regards Andrew On 22.06.2004, at 16:48, Russell Coker wrote: Being able to receive email from people who are too stubborn to get statically allocated IP address space correctly recognised as such isn't a big priority for me. No. I win because a large number of people who run mail servers implement the same policy, they do the same thing as me for the same reasons.
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 09:56:02AM +1000, Craig Sanders wrote: On Tue, Jun 22, 2004 at 11:37:41AM +0200, Niccolo Rigacci wrote: You want to block spam or viruses, this is OK but you are on the wrong way. no, it's absolutely the right way. a large percentage of spam and almost all viruses come direct from dynamic IP addresses. block mail from them and you instantly block most of the problem. And you block a lot of legitimate email too. In my server, my policy is to reject mail from hosts which are blocking me. This way, the sender receives a bounce with a 550 explaining that their ISP is blocking legitimate email from us. A lot of customers are not even aware of the fact that their ISP is blocking legitimate email at their backs. I have been able to white list my server in a number of servers without moving a finger, just angry users calling customer service. Blu.
Re: Which Spam Block List to use for a network?
On Tue, Jun 22, 2004 at 09:04:03PM -0400, Blu wrote: On Wed, Jun 23, 2004 at 09:56:02AM +1000, Craig Sanders wrote: On Tue, Jun 22, 2004 at 11:37:41AM +0200, Niccolo Rigacci wrote: You want to block spam or viruses, this is OK but you are on the wrong way. no, it's absolutely the right way. a large percentage of spam and almost all viruses come direct from dynamic IP addresses. block mail from them and you instantly block most of the problem. And you block a lot of legitimate email too. actually, almost none. the number of geeks who want to run their own mail server from a dynamic IP address is vanishingly small. the number of false positives from blocking dynamic IPs is not just lost in the noise of all the spam and viruses coming from dynamics, it is completely indistinguishable from noise. far less than 1 in a million messages. a very small price to pay to block an enormous quantity of spam and viruses, especially when those legitimate mailers who are affected can, if they could be bothered, work around it quite easily and cheaply. In my server, my policy is to reject mail from hosts which are blocking me. good for you. your server, your rules. sounds like a stupid thing to do, but you are entirely within your rights to do so. craig -- craig sanders [EMAIL PROTECTED] The next time you vote, remember that Regime change begins at home
Re: Which Spam Block List to use for a network?
On Wed, Jun 23, 2004 at 11:19:19AM +1000, Craig Sanders wrote: In my server, my policy is to reject mail from hosts which are blocking me. good for you. your server, your rules. sounds like a stupid thing to do, but you are entirely within your rights to do so. Thanks for the compliment. In fact, blocking mail which cannot be answered blocks a lot of forged sender spam too, something like 80% here, being conservative. Blu.
Re: Which Spam Block List to use for a network?
On Mon, Jun 21, 2004 at 12:46:01PM +0200, Francisco Borges wrote: On Sat, Jun 19, 2004 at 08:15:11AM +, Adam Funk wrote: On Friday 18 June 2004 15:40, Francisco Borges wrote: THE QUESTION: We need to use some form of Block List at the connection level, Whatever you do, don't be one of those ignorant, asinine admins who block mail from all dynamic IPs. No, I don't intend to do that. yeah, good decision. blocking mail from dynamic/dialup IP addresses is the right thing to do, but it's much better to be an informed, intelligent and suave admin who does that than an ignorant, asinine one (but that's true of everything, isn't it?). Interestingly enough, *today* I got a note from a colleague who has started doing it at his network. smart colleague. I don't know the exact number by heart but we are above 1500 users here; blocking dynamic IPs would be a disaster. permit your own dynamic/dialup IP addresses, same as you (should) do with other restrictions (e.g. rejecting non-fqdn hostnames...good thing to block from external sources, but not a good idea to block from your own users). reject other dyn/dialups - they should use their own ISP or mail server. in postfix, you do that by putting the permit_mynetworks rule *before* the reject_rbl_client rule. craig -- craig sanders [EMAIL PROTECTED] The next time you vote, remember that Regime change begins at home
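Why the order of permit_mynetworks and reject_rbl_client matters, shown as an added example (not code from the thread or from Postfix): a small model of a first-match restriction list with a DNSBL lookup. The zone name dynablock.example.org, the addresses and the listings are constructed assumptions.

```python
import ipaddress

# Constructed sample data: a hypothetical dial-up list zone and its listed names.
DNSBL_ZONE = "dynablock.example.org"
LISTED = {"25.2.0.192.dynablock.example.org",   # one of our own dial-up users
          "7.113.0.203.dynablock.example.org"}  # someone else's dial-up host
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]

def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """IPv4 DNSBL lookups reverse the octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def permit_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(addr in net for net in MYNETWORKS) else "DUNNO"

def reject_rbl_client(client_ip):
    # Stand-in for the DNS A query a mail server would send for this name.
    return "REJECT" if dnsbl_query_name(client_ip) in LISTED else "DUNNO"

def evaluate(restrictions, client_ip):
    """The first rule that returns a decision wins; falling off the end permits."""
    for rule in restrictions:
        verdict = rule(client_ip)
        if verdict != "DUNNO":
            return verdict, rule.__name__
    return "PERMIT", "end of list"

RECOMMENDED = [permit_mynetworks, reject_rbl_client]  # order given in the post
REVERSED = [reject_rbl_client, permit_mynetworks]     # blocks your own users

if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.7", "198.51.100.9"):
        print(ip, evaluate(RECOMMENDED, ip), evaluate(REVERSED, ip))
```

With the reversed order, the listed local address 192.0.2.25 is rejected before the mynetworks check is ever reached.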
Re: Which Spam Block List to use for a network?
On Tue, 22 Jun 2004 16:13, Craig Sanders [EMAIL PROTECTED] wrote: reject other dyn/dialups - they should use their own ISP or mail server. I second this. A user has no business making direct connections to mail servers. One thing on my todo list is to use the ODF module of NetFilter to prevent Windows users from connecting to my mail servers when they get viruses. No dial-up list is complete so there are always some Windows users who are accidentally allowed to connect. The URL is below: http://www.netfilter.org/patch-o-matic/pom-base.html#pom-base-osf
Re: Which Spam Block List to use for a network?
On Tuesday 22 June 2004 09:11, Russell Coker wrote: On Tue, 22 Jun 2004 16:13, Craig Sanders [EMAIL PROTECTED] wrote: reject other dyn/dialups - they should use their own ISP or mail server. I second this. A user has no business making direct connections to mail servers. Maybe in your area you can get a residential ISP whose mailrouters are always reliable. Where I live there is one cable modem provider with no competition; its mailrouters usually work but do not always warn you in good time that mail is queued. With my own MTA I can tell right away whether mail has been delivered or not -- except when I'm forced to dumbhost my mail through my ISP's mailrouter. One thing on my todo list is to use the ODF module of NetFilter to prevent Windows users from connecting to my mail servers when they get viruses. No dial-up list is complete so there are always some Windows users who are accidentally allowed to connect. The URL is below: This is a smarter way to do it. Wouldn't you admit that the problem is not from MTAs on dynamic IP addresses, but rather from infected Windows machines on dynamic IP addresses? -- Adam