Re: Is gray-listing a one-shot anti-spam measure?

2004-12-27 Thread Russell Coker
On Friday 10 December 2004 21:31, Adrian von Bidder <[EMAIL PROTECTED]> 
wrote:
> > >As has already been suggested it would be good to be able to configure
> > > the number of messages that come through before the client IP is
> > > white-listed.
> >
> > But I think the
> > problem of this would be that initial messages would be even more
> > delayed, depending on the sending server, than they are with normal
> > one-shot greylisting.
>
> I think you misunderstand Russell.  He does, afaict, not want the initial
> message to be rejected multiple times, but he wants to see several messages
> coming through, with normal greylisting in effect, before the IP is
> whitelisted for all email.

You are correct.  My desire is to increase the number of messages that must be 
successfully delivered before white-listing, not to increase the number of 
attempts that is necessary to deliver a single message.

Also I would want to control the length of time that a white-list entry will 
remain if there is no appropriate traffic.  I think that a period of about a 
week of no traffic from that IP address is enough cause to remove the 
white-list entry.

The vast majority of email that I receive comes from a small set of IP 
addresses that send mail to me every day.  This includes the Debian list 
servers and other mailing lists.  A much smaller (but very significant) part 
of my email is from on-going discussions.  Sometimes I have email 
correspondence of 1-2 messages per day with one person for a period of a week 
or so, and often in those cases they use the same IP address to send all 
their email.

Finally an important part of my email is comprised of messages from people I 
know well, friends, relatives, and people I work with.  Assembling a 
permanent white-list of IP addresses that those people use would be 
reasonably easy.  Ideally the mail server would help in automating this by 
allowing me to white-list combinations of email address and IP address and 
then automatically remove them if mail stops from that address and starts 
coming from another.

We need a web-based front-end for managing these things so we can allow 
regular users to manage their white-list entries.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Is gray-listing a one-shot anti-spam measure?

2004-12-10 Thread Adrian von Bidder
On Tuesday 07 December 2004 20.41, mimo wrote:
> Russell Coker wrote:
> >On Friday 03 December 2004 20:07, Adrian 'Dagurashibanipal' von Bidder
> ><[EMAIL PROTECTED]> wrote:

> >>(And - this to Stephen Frost, I believe - there is a patch to postgrey
> >>which I will include in the next version, and I believe which will also
> >> be included in the next upstream, to whitelist a client IP as soon as
> >> one greylisted email came through.  So the load on legitimate
> >> mailservers will be even smaller.)
> >
> >As has already been suggested it would be good to be able to configure
> > the number of messages that come through before the client IP is
> > white-listed.

> But I think the
> problem of this would be that initial messages would be even more
> delayed, depending on the sending server, than they are with normal
> one-shot greylisting.

I think you misunderstand Russell.  He does, afaict, not want the initial 
message to be rejected multiple times, but he wants to see several messages 
coming through, with normal greylisting in effect, before the IP is 
whitelisted for all email.

greetings
-- vbi

-- 
We do not fall into death suddenly; we walk toward it minute by minute.
  -- Seneca (2 BC-65), Latin philosopher.



Re: Is gray-listing a one-shot anti-spam measure?

2004-12-07 Thread mimo
Russell Coker wrote:
> On Friday 03 December 2004 20:07, Adrian 'Dagurashibanipal' von Bidder
> <[EMAIL PROTECTED]> wrote:
> > (And - this to Stephen Frost, I believe - there is a patch to postgrey
> > which I will include in the next version, and I believe which will also be
> > included in the next upstream, to whitelist a client IP as soon as one
> > greylisted email came through.  So the load on legitimate mailservers will
> > be even smaller.)
>
> As has already been suggested it would be good to be able to configure the
> number of messages that come through before the client IP is white-listed.
>
> Also it would be good to be able to configure the amount of time for which a
> white-list entry is valid.  What is a dedicated mail server today may be part
> of a dial-up IP address range next year...

In the implementation I wrote (mimo.gn.apc.org/gps) you would have to
modify some lines in db.cpp in the update method. But I think the
problem of this would be that initial messages would be even more
delayed, depending on the sending server, than they are with normal
one-shot greylisting. That already creates a problem (complaints etc
since users expect email to be immediate). Though this depends on the
configuration, the delays on standard systems would be massive. exim4
on Debian comes with this default:
  F,2h,15m; G,16h,1h,1.5; F,4d,6h
Which probably means (I'm guessing) something like a 30 minute delay
for the initial message with retry = 2. 

mimo
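
Added example, not part of the original message and not Exim's or any poster's code: a simplified model of how the retry rule quoted above turns a greylisting 450 into delivery delay. It assumes the first (rejected) attempt happens at time 0 and that retries are only made at queue runs; the 30-minute queue-runner interval in the demo is an assumption, and Exim's finer retry bookkeeping is ignored.

```python
import math
import re
from typing import Iterator, List, NamedTuple, Optional

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
RETRY_RULE = "F,2h,15m; G,16h,1h,1.5; F,4d,6h"  # the rule quoted in the message above


class Rule(NamedTuple):
    kind: str       # "F" = fixed interval, "G" = geometrically growing interval
    cutoff: int     # rule applies until this long after the first failure (seconds)
    interval: int   # gap between retries (initial gap for "G")
    factor: float   # growth factor, only meaningful for "G"


def parse_time(text: str) -> int:
    """Convert an Exim time value such as '15m' or '1h30m' into seconds."""
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad time value: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)


def parse_rules(spec: str) -> List[Rule]:
    """Parse a semicolon-separated list of F and G retry rules."""
    rules = []
    for chunk in spec.split(";"):
        fields = [f.strip() for f in chunk.split(",")]
        if fields[0] == "F" and len(fields) == 3:
            factor = 1.0
        elif fields[0] == "G" and len(fields) == 4:
            factor = float(fields[3])
        else:
            raise ValueError(f"unsupported retry rule: {chunk!r}")
        rule = Rule(fields[0], parse_time(fields[1]), parse_time(fields[2]), factor)
        if rule.interval <= 0 or rule.factor < 1:
            raise ValueError(f"interval must be positive and factor >= 1: {chunk!r}")
        rules.append(rule)
    return rules


def attempt_times(rules: List[Rule], queue_interval: int = 0) -> Iterator[int]:
    """Yield the offset in seconds of each retry after the first failed attempt."""
    t, gap, active = 0, 0.0, None
    while True:
        # The first rule whose cutoff has not yet passed is the one in force.
        rule = next((r for r in rules if t < r.cutoff), None)
        if rule is None:
            return  # rules exhausted: the sending host gives up and bounces
        if rule is active and rule.kind == "G":
            gap *= rule.factor      # geometric rule: each gap grows by the factor
        else:
            gap = rule.interval     # fixed rule, or first use of a geometric rule
        active = rule
        t = int(t + gap)
        if queue_interval:
            # A retry that is due only goes out at the next queue run.
            t = math.ceil(t / queue_interval) * queue_interval
        yield t


def delivery_delay(spec: str, greylist_delay: int, queue_interval: int = 0) -> Optional[int]:
    """Seconds until the first retry the greylister accepts, or None if none is."""
    for t in attempt_times(parse_rules(spec), queue_interval):
        if t >= greylist_delay:
            return t
    return None


if __name__ == "__main__":
    for grey, queue in [(5 * 60, 0), (5 * 60, 30 * 60), (30 * 60, 0), (4 * 3600, 0)]:
        delay = delivery_delay(RETRY_RULE, grey, queue)
        print(f"greylist {grey // 60:>3} min, queue run every {queue // 60:>2} min "
              f"-> delivered after {delay // 60} min")
```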




Re: Is gray-listing a one-shot anti-spam measure?

2004-12-06 Thread Adrian 'Dagurashibanipal' von Bidder
On Friday 03 December 2004 19.03, Stephen Gran wrote:
> This one time, at band camp, Adrian 'Dagurashibanipal' von Bidder said:
> > (And - this to Stephen Frost, I believe - there is a patch to postgrey
> > which I will include in the next version, and I believe which will also
> > be included in the next upstream, to whitelist a client IP as soon as
> > one greylisted email came through.  So the load on legitimate
> > mailservers will be even smaller.)
>
> Is there a way to make the number of successful retries before
> whitelisting configurable for postgrey?

Hmm. Haven't looked at that patch for a while, but I agree with you that 
this would be a fine idea.

cheers
-- vbi


-- 
Don't let the computer bugs bite!





Re: Is gray-listing a one-shot anti-spam measure?

2004-12-05 Thread Russell Coker
On Friday 03 December 2004 20:07, Adrian 'Dagurashibanipal' von Bidder 
<[EMAIL PROTECTED]> wrote:
> (And - this to Stephen Frost, I believe - there is a patch to postgrey
> which I will include in the next version, and I believe which will also be
> included in the next upstream, to whitelist a client IP as soon as one
> greylisted email came through.  So the load on legitimate mailservers will
> be even smaller.)

As has already been suggested it would be good to be able to configure the 
number of messages that come through before the client IP is white-listed.

Also it would be good to be able to configure the amount of time for which a 
white-list entry is valid.  What is a dedicated mail server today may be part 
of a dial-up IP address range next year...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



Re: Is gray-listing a one-shot anti-spam measure?

2004-12-03 Thread Stephen Gran
This one time, at band camp, Adrian 'Dagurashibanipal' von Bidder said:
> (And - this to Stephen Frost, I believe - there is a patch to postgrey which 
> I will include in the next version, and I believe which will also be 
> included in the next upstream, to whitelist a client IP as soon as one 
> greylisted email came through.  So the load on legitimate mailservers will 
> be even smaller.)

Is there a way to make the number of successful retries before whitelisting
configurable for postgrey?  I use a different implementation of
greylisting altogether, so it doesn't really concern me too much,
but it seems like a good idea.

The reason for the request being that while it is quite possible for
a zombie machine to accidentally resend the same mail from/rcpt to
combination by accident on a second spam run, the odds of it sending
10 or 15 (or some number, depending on your circumstances, I guess)
are vanishingly small.  Only a mechanism with a real queue runner would
get more than a few successes, and those are the ones that should be
whitelisted.
-- 
Stephen Gran
[EMAIL PROTECTED]
Debian user, admin, and developer
http://www.debian.org




Re: Is gray-listing a one-shot anti-spam measure?

2004-12-03 Thread Adrian 'Dagurashibanipal' von Bidder
On Friday 03 December 2004 09.44, Russell Coker wrote:

> accept mail) on a spam-trap will be fine.  The Postfix implementation of
> gray-listing postgrey does not send its 450 code until after the rcpt
> to:,

Just for completeness.  Greylisting, as the term was defined in the original 
paper, always uses (client IP/envelope sender/envelope rcpt) triples to 
block on, so every greylisting implementation needs to wait until RCPT TO 
before it can return 450.

postfix and postgrey can, additionally, return '450-if-accepted' which 
allows postgrey to be included early in the mail processing (so it adds all 
data points to its database), but if a mail would be rejected anyway by a 
later restriction (DNSBL, whatever), *that* rejection is the one seen by 
clients, and not the one from the greylisting.  Note: I'm not really sure 
what the benefit is of this - if mail is rejected anyway on a DNSBL or 
whatever, there's not much point in adding the data to postgrey's database.  
But that's how postgrey works.

(And - this to Stephen Frost, I believe - there is a patch to postgrey which 
I will include in the next version, and I believe which will also be 
included in the next upstream, to whitelist a client IP as soon as one 
greylisted email came through.  So the load on legitimate mailservers will 
be even smaller.)


greetings
-- vbi

[some people on this list have been cc:ing me in the past. Please don't.]

-- 
Don't hit the keys so hard, it hurts.
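
Added example, not part of any message in this thread and not postgrey's code: a minimal greylister keyed on the (client IP, envelope sender, envelope recipient) triple described above, with the two settings asked for elsewhere in the thread, a configurable number of accepted messages before the client IP is whitelisted and removal of the whitelist entry after a week without traffic. The threshold of 3, the class name Greylist and all addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

MINUTE, DAY = 60, 24 * 3600


@dataclass
class Greylist:
    delay: int = 5 * MINUTE      # a triple must be at least this old before a retry is accepted
    threshold: int = 3           # accepted messages before the client IP is whitelisted (assumed)
    idle_expiry: int = 7 * DAY   # whitelist entry is dropped after this long without traffic
    first_seen: dict = field(default_factory=dict)  # triple -> time of first attempt
    delivered: dict = field(default_factory=dict)   # client IP -> messages accepted so far
    whitelist: dict = field(default_factory=dict)   # client IP -> time of last mail

    def check(self, client_ip, sender, rcpt, now):
        """Return (SMTP code, reason) for the reply to RCPT TO at time `now` (seconds)."""
        last = self.whitelist.get(client_ip)
        if last is not None:
            if now - last <= self.idle_expiry:
                self.whitelist[client_ip] = now  # traffic keeps the entry alive
                return 250, "client whitelisted"
            self._forget(client_ip)  # idle too long: the address may have changed hands

        triple = (client_ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(triple, now)
        if now - first < self.delay:
            return 450, "greylisted, try again later"

        # The triple has waited out the delay: accept and count the delivery.
        count = self.delivered.get(client_ip, 0) + 1
        self.delivered[client_ip] = count
        if count >= self.threshold:
            self.whitelist[client_ip] = now
            return 250, "accepted, client now whitelisted"
        return 250, "accepted"

    def _forget(self, client_ip):
        """Drop everything learned about a client so that it starts from scratch."""
        self.whitelist.pop(client_ip, None)
        self.delivered.pop(client_ip, None)
        self.first_seen = {t: v for t, v in self.first_seen.items() if t[0] != client_ip}


def demo():
    """Constructed traffic: a queueing MTA versus a sender that rarely retries."""
    gl = Greylist()
    mta, zombie, rcpt = "192.0.2.10", "198.51.100.77", "user@example.net"
    out = {}

    # A real MTA: three different messages, each retried 15 minutes after the 450.
    codes, t = [], 0
    for i in range(3):
        sender = f"bounce-{i}@lists.example.org"
        codes.append(gl.check(mta, sender, rcpt, t)[0])
        codes.append(gl.check(mta, sender, rcpt, t + 15 * MINUTE)[0])
        t += 60 * MINUTE
    out["mta"] = codes
    # Its fourth message uses a new triple but is no longer delayed.
    out["mta_fourth"] = gl.check(mta, "bounce-3@lists.example.org", rcpt, t)

    # A zombie whose second spam run happens to repeat one triple gets a single
    # message through, but one success is below the threshold.
    gl.check(zombie, "a@spam.example", rcpt, 0)
    out["zombie_repeat"] = gl.check(zombie, "a@spam.example", rcpt, 60 * MINUTE)
    out["zombie_new"] = gl.check(zombie, "b@spam.example", rcpt, 61 * MINUTE)
    out["zombie_whitelisted"] = zombie in gl.whitelist

    # Eight days of silence from the MTA's address: the whitelist entry is gone.
    out["mta_after_idle"] = gl.check(mta, "bounce-4@lists.example.org", rcpt, t + 8 * DAY)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```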





Re: Is gray-listing a one-shot anti-spam measure?

2004-12-03 Thread Russell Coker
On Friday 03 December 2004 19:10, Henrique de Moraes Holschuh
<[EMAIL PROTECTED]> wrote:
> > A delay of transmission means more time for the spamming IP address to be
> > added to black-lists.  So during the gray-list interval (currently 5
> > minutes
>
> True.  But in that case, we also need the greylisting period to be long
> enough for the blacklisting to happen, *and* we might need special
> provision on the spamtraps too.
>
> Assuming greylisting gets really widespread (otherwise spammers would not be
> doing retries in the first place, I suppose), spamtraps might also have to
> do greylisting (or spammers could just stop delivering for non-greylisting
> sites, which is something quite weird to think about but...).  So we would
> need various levels of greylisting.

Running gray-listing (or pseudo-gray-listing as it might never actually accept 
mail) on a spam-trap will be fine.  The Postfix implementation of 
gray-listing postgrey does not send its 450 code until after the rcpt to:, 
this means that it knows what address the mail was being sent to, what 
address it was coming from, and of course the IP address.  In spite of having 
gray-listing permanently on it could still operate fully as a spam-trap.  
Sure it's convenient for a spam-trap to actually collect the spam, but it's 
not strictly required.

If the spammer can send to a gray-listing site then it can send to a 
gray-listing spam-trap too.

> > Currently gray-listing can be used on its own with no other anti-spam
> > measures and still do some good.  This situation will change.  But I
> > believe that in combination with other anti-spam measures it will still
> > offer considerable benefits even after spammers wake up to its presence.
>
> You're probably right.  So please let me revise my point: greylisting by
> itself is a one-shot deal, let's use it while we can.  greylisting as a
> delay measure for blacklists to catch up before you deliver the email will
> continue working well (i.e. not a one-shot deal), IF the blacklists DO
> manage to catch up during the greylisting time AND we can keep them doing
> just that when greylisting gets very widely deployed (greylisting could
> interfere with the listing delays, after all).

The black-lists often beat the spam.

> Russell, how fast are the blacklists reacting to ongoing spam runs on the
> systems you pay attention to?  I don't have that data for mine :(

I'm not sure that it's possible for anyone other than a spammer to really know 
this.  Spamcop reacts quite fast and I suspect that often entries are added 
to the spamcop DNSBL during a spam run before it gets to me even without 
gray-listing.  Adding gray-listing (or other delays) increases the chance 
that someone else will report the spammer before the spam gets to me.

Of course this relies on some people not using gray-listing (so that they get 
the spam fast) and being active in reporting it.  Given the previous 
discussions it seems quite obvious that not everyone will implement it so we 
can probably rely on that.

> > Henrique, please don't take this as a flame.  I am writing to you because
> > you
>
> I didn't...

I'm glad to hear it.  I was also concerned that other readers might get the 
wrong idea.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: Is gray-listing a one-shot anti-spam measure?

2004-12-03 Thread Henrique de Moraes Holschuh
On Fri, 03 Dec 2004, Russell Coker wrote:
> Henrique recently stated the belief that gray-listing is a one-shot measure 
> against spam (see the above URL) and that spammers would just re-write their 
> bots to do two transmission runs with a delay in between.

Yes.

> A delay of transmission means more time for the spamming IP address to be 
> added to black-lists.  So during the gray-list interval (currently 5 minutes 

True.  But in that case, we also need the greylisting period to be long
enough for the blacklisting to happen, *and* we might need special provision
on the spamtraps too.

Assuming greylisting gets really widespread (otherwise spammers would not be
doing retries in the first place, I suppose), spamtraps might also have to
do greylisting (or spammers could just stop delivering for non-greylisting
sites, which is something quite weird to think about but...).  So we would
need various levels of greylisting.

> Currently gray-listing can be used on its own with no other anti-spam 
> measures and still do some good.  This situation will change.  But I believe 
> that in combination with other anti-spam measures it will still offer 
> considerable benefits even after spammers wake up to its presence.

You're probably right.  So please let me revise my point: greylisting by
itself is a one-shot deal, let's use it while we can.  greylisting as a
delay measure for blacklists to catch up before you deliver the email will
continue working well (i.e. not a one-shot deal), IF the blacklists DO
manage to catch up during the greylisting time AND we can keep them doing
just that when greylisting gets very widely deployed (greylisting could
interfere with the listing delays, after all).

Russell, how fast are the blacklists reacting to ongoing spam runs on the
systems you pay attention to?  I don't have that data for mine :(

> Henrique, please don't take this as a flame.  I am writing to you because you 

I didn't...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Is gray-listing a one-shot anti-spam measure?

2004-12-02 Thread Russell Coker
http://www.atm.tut.fi/list-archive/debian-security/msg14351.html

Henrique recently stated the belief that gray-listing is a one-shot measure 
against spam (see the above URL) and that spammers would just re-write their 
bots to do two transmission runs with a delay in between.

I have been considering that point and have come to the conclusion that it may 
not be correct.

A delay of transmission means more time for the spamming IP address to be 
added to black-lists.  So during the gray-list interval (currently 5 minutes 
but may need to be increased to something longer such as 30 mins in future) 
the spammer keeps sending mail to other systems until they either hit a 
spam-trap address or they get reported to spamcop or some other black-list 
service.  Then when they get to their second attempt at sending to a system 
that uses gray-listing they are on a DNSBL or RHSBL listing and are not 
permitted to send.

Currently gray-listing can be used on its own with no other anti-spam 
measures and still do some good.  This situation will change.  But I believe 
that in combination with other anti-spam measures it will still offer 
considerable benefits even after spammers wake up to its presence.


Henrique, please don't take this as a flame.  I am writing to you because you 
best expressed a sentiment that others seem to share, and the debian-isp list 
is the best place for such a discussion on the topic.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: postfix, spamassassin and spam ~ blocking cable and adsl modems

2004-08-08 Thread Paul Johnson
Steven Jones <[EMAIL PROTECTED]> writes:

> We seem to be, being hit with in excess of 12,000 spam emails per day from adsl
> and cable modems in the US alone. Then we get brute force attacked... the
> server at times gets somewhat stretched...
>
> What would ppl suggest is the most efficient way to block such addresses?

Use bl.spamcop.net as a dnsbl, which lists currently spamming IPs
instead of just blacklisting entire netblocks of mostly innocent
bystanders.




Re: postfix, spamassassin and spam ~ blocking cable and adsl modems

2004-08-08 Thread Russell Coker
On Sat, 7 Aug 2004 09:52, Steven Jones <[EMAIL PROTECTED]> wrote:
> We seem to be, being hit with in excess of 12,000 spam emails per day
> from adsl and cable modems in the US alone. Then we get brute force
> attacked... the server at times gets somewhat stretched...
>
> What would ppl suggest is the most efficient way to block such
> addresses?

If you use some DNSBL services you can block access from dial-up and broadband 
customer IP addresses without blocking mail servers.  Below is the list of 
DNSBL and RHSBL services that I have on one of my machines.

smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.njabl.org, reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client relays.ordb.org, reject_rhsbl_client rhsbl.sorbs.net,
    reject_rhsbl_client dsn.rfc-ignorant.org,
    reject_rhsbl_client postmaster.rfc-ignorant.org


> The goal here is to minimise disk i/o as that is the item being
> stretched, iostat -x 5 shows over 450% utilisation... delays are getting
> to 4+ hours...and they bitch if it's over 5 minutes

Putting some of that iostat output as a text attachment to your email would 
really help us advise you about this (NB don't paste it into your email as 
the lines are too long and will get munged).

> I have 4 cpu's and spare capacity on these and I am only using 2.5 gig
> out of 4gig of ram so have spare here... the box only processes incoming
> smtp only, outgoing takes another route.

The spare RAM will be cache, so most likely your machine is doing few disk 
reads and it's entirely bottlenecked on disk writes when it's running.

If you mount all your file systems with the noatime option then you may save 
5% or 10% of your disk access.

Configure syslogd to use the "-" option for most (if not all) log files to not 
use synchronous writes.  Every email gets several lines in the syslog and you 
don't want them to all be written synchronously.

> At present I am running ext3 on the logging and spool directories but
> considering reiserFS, a good idea?
>
> Also I am aiming to get more disks as I have only 2, so I can either
> raid 0 over the 3 new disks or split the queues to 3 disks, which
> might be better?

Don't use RAID-0, it increases the probability of data loss through disk 
error.  A hardware RAID-5 over the 5 disks will give better write performance 
if you have a battery-backed write-back cache on the RAID controller (the 
cheap ones don't).

> Would a scsi hwraid based cache controller be worth it?

Yes.

If you mount your Ext3 file systems with "data=journal" and have external 
journals on a separate disk then you may get really good performance.

Usually the lower block numbers of a disk are mapped to the outer tracks and 
have a higher data transfer rate (use the zcav program in my Bonnie++ package 
to test this).  So you could have the main file systems for storing the data 
on one pair of disks in a RAID-1 array and the external journals for those 
file systems on the fastest part of another pair of disks in a separate 
RAID-1.  If you have a pair of disks used for nothing but journals (which 
will probably take <100M of disk space) then the seeks should all be very 
short which will give a fast access time.

http://www.umem.com/PCINVRAMCARDS.html

An even better option might be to use non-volatile RAM storage devices.  Above 
is the URL for a company that makes PCI cards that have non-volatile storage.  
These cards can handle reads and writes at PCI bandwidth (four times faster 
than any hard disk even with 32bit PCI) and with no seek time (hard disks can 
only do about 100 seeks a second while the umem cards should do 50,000 or 
more depending on the size of the data blocks).

I don't know whether the Linux drivers for umem cards work with the latest 
hardware, you would have to check with them.

Also umem cards aren't particularly expensive.  Last time I got a quote the 
high-end cards were only about $700US.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





postfix, spamassassin and spam ~ blocking cable and adsl modems

2004-08-06 Thread Steven Jones




We seem to be, being hit with in excess of 12,000 spam emails per day from adsl and cable modems in the US alone. Then we get brute force attacked... the server at times gets somewhat stretched...

What would ppl suggest is the most efficient way to block such addresses?

I cannot simply block entire class B's and blocking individual IPs will probably get out of date...

I do not really want to process the email, I want to decrease the load on spam assassin by stopping the initial connect.

By analysing the mails I am finding they are all spam so I want to block say strings like dsl..swbell.com

access list?

IPtables rule?

What would be most efficient?

The goal here is to minimise disk i/o as that is the item being stretched, iostat -x 5 shows over 450% utilisation... delays are getting to 4+ hours...and they bitch if it's over 5 minutes

I have 4 cpu's and spare capacity on these and I am only using 2.5 gig out of 4gig of ram so have spare here... the box only processes incoming smtp only, outgoing takes another route.

At present I am running ext3 on the logging and spool directories but considering reiserFS, a good idea?

Also I am aiming to get more disks as I have only 2, so I can either raid 0 over the 3 new disks or split the queues to 3 disks, which might be better?

Would a scsi hwraid based cache controller be worth it?

If I raid 0 what stripe size would be a good starting point with ReiserFS?

advice appreciated...

regards

Thing


Re: Which Spam Block List to use for a network?

2004-07-02 Thread Blu
On Wed, Jun 30, 2004 at 08:53:40AM +0200, Matej Kovac wrote:
> > :) Well, my approach is not that fancy. I just check if the callback
> > passes the RCPT, and if not, issue a 550 with a short message telling
> > that my host will not accept mail that cannot be answered.
> 
> you are receiving a message and you start callback to the mx if he passes
> the rcpt test, but - the mx starts callback to you if you pass...
[...]

Actually that's not the case. The callback is done with MAIL FROM:<>

Blu.





Re: Which Spam Block List to use for a network? [SCANNED]

2004-07-01 Thread Arnt Karlsen
On Thu, 1 Jul 2004 09:04:01 +0200, Adrian wrote in message 
<[EMAIL PROTECTED]>:

> OTOH, it can be argued that anybody stupid enough to fall for a 419 
> deserves what he gets. Still, it's actual people being actually killed
> because of spam.

..it can also be argued the Nigerian 419 rule is racism, against 
_all_ other Africans, effectively denying them _any_ business 
opportunity over internet.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.





Re: Which Spam Block List to use for a network? [SCANNED]

2004-07-01 Thread Adrian 'Dagurashibanipal' von Bidder
On Wednesday 30 June 2004 23.15, David Thurman wrote:
> On 6/30/04 10:43 AM, "Robert Cates" wrote:
> > Well I do not remember ever seeing on the evening news or morning
> > news paper that somebody was hurt or worst killed from a Spam
> > attack!
> Maybe no one has been killed, but given the human nature I am sure
> there will be some collateral effects that could come to death from
> all this.

Some of the people traveling to Nigeria to reclaim their losses were 
actually killed.

OTOH, it can be argued that anybody stupid enough to fall for a 419 
deserves what he gets. Still, it's actual people being actually killed 
because of spam.

cheers
-- vbi

-- 
featured product: the GNU Compiler Collection - http://gcc.gnu.org





Re: Which Spam Block List to use for a network? [SCANNED]

2004-06-30 Thread David Thurman
On 6/30/04 10:43 AM, "Robert Cates" wrote:

> Well I do not remember ever seeing on the evening news or morning news paper
> that somebody was hurt or worst killed from a Spam attack!

Wrong, you must not read the Industry trade magazines. Many people are
(harmed) ripped off from spam, possible jailed from buying email
prescriptions online, which was one of the issues on Rush Limbaugh, have had
their identities stolen (TV ads) (Major newspapers), and much more.

Maybe no one has been killed, but given the human nature I am sure there
will be some collateral effects that could come to death from all this.

I guess you have so much spam to delete you don't have time to read the
paper, listen to the radio or TV.
-- 
David Thurman
The Web Presence Group
http://www.the-presence.com
Web Development/E-Commerce/CMS/Hosting/Dedicated Servers
800-399-6441/309-679-0774





Re: Which Spam Block List to use for a network?

2004-06-30 Thread Adrian 'Dagurashibanipal' von Bidder
[no cc:s on list mail, please]

On Wednesday 30 June 2004 18.17, Russell Coker wrote:
> If you reject a message with a 55x and a suitable message then the
> author of the message can find another method of contact and there is
> no loss merely inconvenience.

While I personally agree, some people react extremely offended/aggressive 
when confronted with a rejection message (there are quite a few of these 
in the Debian project ;-/, and I've met one or two in my 
 project ()... 

Also, some people do not know that an email bounce is perfectly readable
(these are people who perfectly know how to read and who understand
English, but go run away screaming when confronted with a slightly
technical-looking message - the 'it's technical, I won't understand it
anyway' mindset).

In both cases, the result is that the 'other method of contact' does not 
usually happen, but the failure of communication is just being ignored.

cheers
-- vbi


-- 
Available for key signing in Zürich and Basel, Switzerland
(what's this? Look at http://fortytwo.ch/gpg/intro)




Re: Which Spam Block List to use for a network?

2004-06-30 Thread Russell Coker
On Thu, 1 Jul 2004 01:34, Adrian 'Dagurashibanipal' von Bidder 
<[EMAIL PROTECTED]> wrote:
> I agree that false positives are extremely annoying, so an ISP/corporate
> anti-spam policy will have to be more conservative than what some here
> use for their own email.

The correct solution to false positives (IMHO) is to be extremely conservative 
in regard to dropping email.  Only a confirmed virus should be dropped on the 
floor.  Any other rejection of a message should be a code 55x in the SMTP 
protocol.

If you reject a message with a 55x and a suitable message then the author of 
the message can find another method of contact and there is no loss merely 
inconvenience.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




Re: Which Spam Block List to use for a network?

2004-06-30 Thread Russell Coker
On Thu, 1 Jul 2004 01:43, "Robert Cates" <[EMAIL PROTECTED]> wrote:
> Well I do not remember ever seeing on the evening news or morning news
> paper that somebody was hurt or worse killed from a Spam attack!  Have you

I know many people who have a stated intention of killing a spammer if given a 
reasonable chance.  It would really suck if one of those people accidentally 
killed a non-spammer by mistake!

> >>When users try to deal with spam they often complain to the wrong people
> >>(think about joe-job's), they take the wrong actions (think about sending
> >>email to the "remove" address in a spam), and they don't have the
> >>competence to do it properly (think about the people who block postmaster
> >>mail etc, or who just block everything and complain to their ISP).
>
> Somebody who blocks everything, or ignorantly complains to their ISP, needs
> to be educated, not hand-held.  That "education" in my mind is a service
> and responsibility of the ISP, and if it's a matter of getting too many phone
> calls per day, there can easily be an FAQ posted on the ISP web site.  Or
> maybe more appropriately it should be the responsibility of the software
> vendor providing the Anti-Spam software.

Sure.  Next time you run an ISP with over a million customers and only three 
people who really know how email works you can try educating users.  I'll 
stick to giving them what I and management think is best for them.

> Who on the ISP side knows what the customer wants (blocked)?

I do because I'm the bofh!  ;)

> Are the ISPs calling all of their customers and asking?

No point.  The customer doesn't know the answer either.

> So the world will come to a day 
> when all Internet users won't have much choice, won't know what's getting
> blocked, won't know who's controlling what, won't know who's making what

If a user finds that their ISP gives them the wrong mix of spam protection to 
false positives then they can find another ISP.  ISPs that make the wrong 
choices will lose business and eventually go bankrupt or get bought out by 
better ISPs.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: Which Spam Block List to use for a network?

2004-06-30 Thread Robert Cates
>>Should we leave control of crime to the victim as well?  Or do you think
>>that a professional police force is better?

Well I do not remember ever seeing on the evening news or morning news paper
that somebody was hurt or worse killed from a Spam attack!  Have you ever
been a victim of crime?  Has somebody in your family been killed by a drunk
driver?  Can anybody who's been a victim of crime honestly say "oh it's ok,
but I sure wish a police was with me when it happened"?  Anyway, this is
heading down another road, and yes, I am fully aware of the importance of
our police department/force, in every country.

>>When users try to deal with spam they often complain to the wrong people
>>(think about joe-job's), they take the wrong actions (think about sending
>>email to the "remove" address in a spam), and they don't have the
>>competence to do it properly (think about the people who block postmaster
>>mail etc, or who just block everything and complain to their ISP).

Somebody who blocks everything, or ignorantly complains to their ISP, needs
to be educated, not hand-held.  That "education" in my mind is a service and
responsibility of the ISP, and if it's a matter of getting too many phone
calls per day, there can easily be an FAQ posted on the ISP web site.  Or
maybe more appropriately it should be the responsibility of the software
vendor providing the Anti-Spam software.

>>It's better for the ISP to have an anti-spam system that blocks most of
>>the spam that customers want blocked and gets a small enough number of
>>false-positives that they don't mind.  Some ISPs find that SpamCop's DNSBL
>>fits this description...

Who on the ISP side knows what the customer wants (blocked)?  Are the ISPs
calling all of their customers and asking?  So the world will come to a day
when all Internet users won't have much choice, won't know what's getting
blocked, won't know who's controlling what, won't know who's making what
decision, the largest ISP will take-over the competition, and before we know
it, there will be an Internet monopoly much the same as the PC software
industry of the past 20 or more years.


- Original Message - 
From: "Russell Coker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Robert Cates" <[EMAIL PROTECTED]>
Sent: Wednesday, June 30, 2004 4:47 PM
Subject: Re: Which Spam Block List to use for a network?


On Wed, 30 Jun 2004 23:54, "Robert Cates" <[EMAIL PROTECTED]> wrote:
> Spam Black ("Block") Lists? Not a good thing in my opinion!! I mean,
> e-mail servers can be configured NOT to relay for unauthorized domains
> anyway. I'm not an advocate of e-mail Spamming. I just feel that the
> control or blocking should be left up to the individual user. Just like
> it's my choice which "Office" package I want to (buy and) use. ;-)

Should we leave control of crime to the victim as well?  Or do you think
that a professional police force is better?

When users try to deal with spam they often complain to the wrong people
(think about joe-job's), they take the wrong actions (think about sending
email to the "remove" address in a spam), and they don't have the competence
to do it properly (think about the people who block postmaster mail etc, or
who just block everything and complain to their ISP).

It's better for the ISP to have an anti-spam system that blocks most of the
spam that customers want blocked and gets a small enough number of
false-positives that they don't mind.  Some ISPs find that SpamCop's DNSBL
fits this description...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: Which Spam Block List to use for a network?

2004-06-30 Thread Adrian 'Dagurashibanipal' von Bidder
On Wednesday 30 June 2004 15.54, Robert Cates wrote:
> Hi,
>
> why don't you make life easier for yourself and forget trying to
> block Spam! Let your customers and/or users be responsible for
> blocking Spam!  [...]

Apart from what Russell says: are you prepared to pay for it?

According to some (IIRC AOL published numbers like that) email blocked 
in the SMTP transaction reaches 80-90% of the mail delivery attempts in 
some cases (I have ca. 50%, I guess mainly because my domain is 
insignificant enough not to attract systematic dictionary attacks etc.)

So, are you prepared to pay for
 - the additional storage used to store all the mail
 - the additional support personnel to answer phones when customers are 
annoyed that their mail quota is full again
 - the additional bandwidth used to transfer all that spam to the 
customers
 - the additional time spent by all customers (instead of just once by 
the ISP) to configure an anti-spam set up that will in 80% of the cases 
filter out all of the same messages for everybody

(not to mention that such a set up has less information available, like 
crossassassin-style detection of the same message being delivered to 
many accounts, which is quite a good spam-sign in many cases).

Lacking experience with large set ups, this is not hard data, but I'm 
quite confident that those who *have* experience with large set ups can 
confirm these thoughts.


I agree that false positives are extremely annoying, so an ISP/corporate 
anti-spam policy will have to be more conservative than what some here 
use for their own email.

cheers
-- vbi

-- 
Beware of the FUD - know your enemies. This week
* The Alexis de Toqueville Institue *
http://fortytwo.ch/opinion/




Re: Which Spam Block List to use for a network?

2004-06-30 Thread Russell Coker
On Wed, 30 Jun 2004 23:54, "Robert Cates" <[EMAIL PROTECTED]> wrote:
> Spam Black ("Block") Lists?  Not a good thing in my opinion!!  I mean,
> e-mail servers can be configured NOT to relay for unauthorized domains
> anyway.  I'm not an advocate of e-mail Spamming.  I just feel that the
> control or blocking should be left up to the individual user.  Just like
> it's my choice which "Office" package I want to (buy and) use. ;-)

Should we leave control of crime to the victim as well?  Or do you think that 
a professional police force is better?

When users try to deal with spam they often complain to the wrong people 
(think about joe-job's), they take the wrong actions (think about sending 
email to the "remove" address in a spam), and they don't have the competence 
to do it properly (think about the people who block postmaster mail etc, or 
who just block everything and complain to their ISP).

It's better for the ISP to have an anti-spam system that blocks most of the 
spam that customers want blocked and gets a small enough number of 
false-positives that they don't mind.  Some ISPs find that SpamCop's DNSBL 
fits this description...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: Which Spam Block List to use for a network?

2004-06-30 Thread Robert Cates
Hi,

why don't you make life easier for yourself and forget trying to block Spam!
Let your customers and/or users be responsible for blocking Spam!  There is
plenty of anti-spam software out there for both Windows and Linux platforms
for the end-user to choose from and use to block Spam.  I mean, I think this
Spam "problem" should be left up to the individual, like so many other
things in life, and stop having companies and/or organizations trying to
control the e-mail aspect of the Internet.  I feel that even companies large
and small themselves (and I'm not talking about ISPs) should be the ones to
control Spam, just like they (try) to control access to Porn sites.

Even with all of the anti-spam solutions and Black Lists out there, I still
get a lot of Spam, but for me it's not much more of a problem than to just
click the delete button/option, and empty my waste basket once a week.

I really think there's people out there on the wrong track trying to tackle
this Spam "problem" (in terms of ISPs and their services), and not (really,
fully) realizing what effect this control has on the Internet.

Look, when I go to the store, I can buy whatever TV is out there on the
market, and I can bring it home and tune it in for all (or none) of the
broadcast stations available in my area.  I can pay for cable TV, or not.  I
can even control what gets seen and when, including all of the (Spammed)
commercials.  So I've controlled everything from choosing the TV, to
watching what I want in the evening; not the store, not the station/channel
I'm watching, but me.

Spam Black ("Block") Lists?  Not a good thing in my opinion!!  I mean,
e-mail servers can be configured NOT to relay for unauthorized domains
anyway.  I'm not an advocate of e-mail Spamming.  I just feel that the
control or blocking should be left up to the individual user.  Just like
it's my choice which "Office" package I want to (buy and) use. ;-)

-Robert
- Original Message - 
From: "Matej Kovac" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 30, 2004 8:53 AM
Subject: Re: Which Spam Block List to use for a network?


> On Wed, Jun 23, 2004 at 07:33:52PM -0400, Blu wrote:
> > On Wed, Jun 23, 2004 at 09:01:24PM +1000, Russell Coker wrote:
> > > On Wed, 23 Jun 2004 18:23, Blu <[EMAIL PROTECTED]> wrote:
> > > > Well yes. Maybe I oversimplified. What I do is a callback to the MX of
> > > > the envelope sender to see if it accepts mail to him/her. If not, the
> > > > mail is rejected with an explicative 550.
> > >
> > > You aren't the only one who does that.  I have found one other person who does
> > > that and who happens to have their mail server in an address range that's
> > > black-listed.  So when I sent mail to them their mail server made a call-back
> > > to mine, my server rejected that and their mail server then generated a 55x
> > > code that tried to summarise the code from mine.  Then my mail server took
> > > that and made it into a bounce message.
> >
> > Of course I am not the first one doing this. In fact Exim4 has builtin
> > capability to do so.
> >
> > > The resulting message was something that I could not decipher even though I
> > > have 10 years of experience running Internet mail servers!  All I could do
> > > was post a message to a mailing list I knew the person was subscribed to and
> > > inform them that their server was borked in some unknown way.
> >
> > :) Well, my approach is not that fancy. I just check if the callback
> > passes the RCPT, and if not, issue a 550 with a short message telling
> > that my host will not accept mail that cannot be answered.
>
> you are receiving a message and you start callback to the mx if he passes
> the rcpt test, but - the mx starts callback to you if you pass...
>
> don't do this, this is a finger^H^H^H^H^H^H^Hn rcpt-war. and what is curious
> is... what if yahoo would do rcpt checks and I forge some yahoo email? you would
> try to rcpt-check yahoo? and they'd too... and I have put you in war with yahoo.
> -- 
> matej kovac
> [EMAIL PROTECTED]





Re: Which Spam Block List to use for a network?

2004-06-30 Thread Robert Cates
>>Should we leave control of crime to the victim as well?  Or do you think
that
>>a professional police force is better?

Well I do not remember ever seeing on the evening news or morning news paper
that somebody was hurt or worst killed from a Spam attack!  Have you ever
been a victom of crime?  Has somebody in your family been killed by a drunk
driver?  Can anybody who's been a victom of crime honestly say "oh it's ok,
but I sure wish a police was with me when it happened"?  Anyway, this is
heading down another road, and yes, I am fully aware of the importance of
our police department/force, in every country.

>>When users try to deal with spam they often complain to the wrong people
>>(think about joe-job's), they take the wrong actions (think about sending
>>email to the "remove" address in a spam), and they don't have the
competence
>>to do it properly (think about the people who block postmaster mail etc,
or
>>who just block everything and complain to their ISP).

Somebody who blocks everything, or ignorantly complains to their ISP, needs
to be educated, not hand-held.  That "education" in my mind is a service and
responsibilty of the ISP, an if it's a matter of getting too many phone
calls per day, there can easily be an FAQ posted on the ISP web site.  Or
maybe more appropriately it should be the responsibility of the software
vendor providing the Anti-Spam software.

>>It's better for the ISP to have an anti-spam system that blocks most of
the
>>spam that customers want blocked and gets a small enough number of
>>false-positives that they don't mind.  Some ISPs find that SpamCop's DNSBL
>>fits this description...

Who on the ISP side knows what the customer wants (blocked)?  Are the ISPs
calling all of their customers and asking?  So the world will come to a day
when all Internet users won't have much choice, won't know what's getting
blocked, won't know who's controlling what, won't know who's making what
decision, the largest ISP will take-over the competition, and before we know
it, there will be an Internet monopoly much the same as the PC software
industry of the past 20 or more years.


- Original Message - 
From: "Russell Coker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Robert Cates" <[EMAIL PROTECTED]>
Sent: Wednesday, June 30, 2004 4:47 PM
Subject: Re: Which Spam Block List to use for a network?


On Wed, 30 Jun 2004 23:54, "Robert Cates" <[EMAIL PROTECTED]> wrote:
> Spam Black ("Block") Lists? Not a good thing in my opinion!! I mean,
> e-mail servers can be configured NOT to relay for unauthorized domains
> anyway. I'm not an advocate of e-mail Spamming. I just feel that the
> control or blocking should be left up to the individual user. Just like
> it's my choice which "Office" package I want to (buy and) use. ;-)

Should we leave control of crime to the victim as well?  Or do you think
that
a professional police force is better?

When users try to deal with spam they often complain to the wrong people
(think about joe-job's), they take the wrong actions (think about sending
email to the "remove" address in a spam), and they don't have the competence
to do it properly (think about the people who block postmaster mail etc, or
who just block everything and complain to their ISP).

It's better for the ISP to have an anti-spam system that blocks most of the
spam that customers want blocked and gets a small enough number of
false-positives that they don't mind.  Some ISPs find that SpamCop's DNSBL
fits this description...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Which Spam Block List to use for a network?

2004-06-30 Thread Adrian 'Dagurashibanipal' von Bidder
On Wednesday 30 June 2004 15.54, Robert Cates wrote:
> Hi,
>
> why don't you make life easier for yourself and forget trying to
> block Spam! Let your customers and/or users be responsible for
> blocking Spam!  [...]

Apart from what Russel says: are you prepared to pay for it?

According to some (IIRC AOL published numbers like that) email blocked 
in the SMTP transaction reaches 80-90% of the mail delivery attempts in 
some cases (I have ca. 50%, I guess mainly because my domain is 
insignificant enough not to attract systematic dictionary attacks etc.)

So, are you prepared to pay for
 - the additional storage used to store all the mail
 - the additional support personnel to answer phones when customers are 
annoyed that their mail quota is full again
 - the additional bandwidth used to transfer all that spam to the 
customers
 - the additional time spent by all customers (instead of just once by 
the ISP) to configure an anti-spam set up that will in 80% of the cases 
filter out all of the same messages for everybody

(not to mention that such a set up has less information available, like 
crossassassin-style detection of the same message being delivered to 
many accounts, which is quite a good spam-sign in many cases).

Lacking experience with large set ups, this is not hard data, but I'm 
quite confident that those who *have* experience with large set ups can 
confirm these thoughts.


I agree that false positives are extremely annoying, so an ISP/corporate 
anti-spam policy will have to be more conservative than what some here 
use for their own email.

cheers
-- vbi

-- 
Beware of the FUD - know your enemies. This week
* The Alexis de Toqueville Institue *
http://fortytwo.ch/opinion/


pgpFLisRRO7qO.pgp
Description: signature


Re: Which Spam Block List to use for a network?

2004-06-30 Thread Russell Coker
On Wed, 30 Jun 2004 23:54, "Robert Cates" <[EMAIL PROTECTED]> wrote:
> Spam Black ("Block") Lists?  Not a good thing in my opinion!!  I mean,
> e-mail servers can be configured NOT to relay for unauthorized domains
> anyway.  I'm not an advocate of e-mail Spamming.  I just feel that the
> control or blocking should be left up to the individual user.  Just like
> it's my choice which "Office" package I want to (buy and) use. ;-)

Should we leave control of crime to the victim as well?  Or do you think that 
a professional police force is better?

When users try to deal with spam they often complain to the wrong people 
(think about joe-job's), they take the wrong actions (think about sending 
email to the "remove" address in a spam), and they don't have the competence 
to do it properly (think about the people who block postmaster mail etc, or 
who just block everything and complain to their ISP).

It's better for the ISP to have an anti-spam system that blocks most of the 
spam that customers want blocked and gets a small enough number of 
false-positives that they don't mind.  Some ISPs find that SpamCop's DNSBL 
fits this description...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



Re: Which Spam Block List to use for a network?

2004-06-30 Thread Robert Cates
Hi,

why don't you make life easier for yourself and forget trying to block Spam!
Let your customers and/or users be responsible for blocking Spam!  There is
plenty of anti-spam software out there for both Windows and Linux platforms
for the end-user to choose from and use to block Spam.  I mean, I think this
Spam "problem" should be left up to the individual, like so many other
things in life, and stop having companies and/or organizations trying to
control the e-mail aspect of the Internet.  I feel that even companies large
and small themselves (and I'm not talking about ISPs) should be the ones to
control Spam, just like the (try) to control access to Porn sites.

Even with all of the anit-spam solutions and Black Lists out there, I still
get alot of Spam, but for me it's not much more of a problem than to just
click the delete button/option, and empty my waste basket once a week.

I really think there's people out there on the wrong track trying to tackle
this Spam "problem" (in terms of ISPs and their services), and not (really,
fully) realizing what effect this control has on the Internet.

Look, when I go to the store, I can buy whatever TV is out there on the
market, and I can bring it home and tune it in for all (or none) of the
broadcast stations available in my area.  I can pay for cable TV, or not.  I
can even control what gets seen and when, including all of the (Spammed)
commercials.  So I've controlled everything from choosing the TV, to
watching what I want in the evening; not the store, not the station/channel
I'm watching, but me.

Spam Black ("Block") Lists?  Not a good thing in my opinion!!  I mean,
e-mail servers can be configured NOT to relay for unauthorized domains
anyway.  I'm not an advocate of e-mail Spamming.  I just feel that the
control or blocking should be left up to the individual user.  Just like
it's my choice which "Office" package I want to (buy and) use. ;-)

-Robert
- Original Message - 
From: "Matej Kovac" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 30, 2004 8:53 AM
Subject: Re: Which Spam Block List to use for a network?


> On Wed, Jun 23, 2004 at 07:33:52PM -0400, Blu wrote:
> > On Wed, Jun 23, 2004 at 09:01:24PM +1000, Russell Coker wrote:
> > > On Wed, 23 Jun 2004 18:23, Blu <[EMAIL PROTECTED]> wrote:
> > > > Well yes. Maybe I oversimplified. What I do is a callback to the MX of
> > > > the envelope sender to see if it accepts mail to him/her. If not, the
> > > > mail is rejected with an explicative 550.
> > >
> > > You aren't the only one who does that.  I have found one other person who does
> > > that and who happens to have their mail server in an address range that's
> > > black-listed.  So when I sent mail to them their mail server made a call-back
> > > to mine, my server rejected that and their mail server then generated a 55x
> > > code that tried to summarise the code from mine.  Then my mail server took
> > > that and made it into a bounce message.
> >
> > Of course I am not the first one doing this. In fact Exim4 has builtin
> > capability to do so.
> >
> > > The resulting message was something that I could not decipher even though I
> > > have 10 years of experience running Internet mail servers!  All I could do
> > > was post a message to a mailing list I knew the person was subscribed to and
> > > inform them that their server was borked in some unknown way.
> >
> > :) Well, my approach is not that fancy. I just check if the callback
> > passes the RCPT, and if not, issue a 550 with a short message telling
> > that my host will not accept mail that cannot be answered.
>
> you are receiving a message and you start callback to the mx if he passes
> the rcpt test, but - the mx starts callback to you if you pass...
>
> don't do this, this is a finger^H^H^H^H^H^H^Hn rcpt-war. and what is curious
> is... what if yahoo would do rcpt checks and I forge some yahoo email? you would
> try to rcpt-check yahoo? and they'd too... and I have put you in war with yahoo.
>
> -- 
> matej kovac
> [EMAIL PROTECTED]



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
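
The callback loop Matej Kovac describes in the quoted text above, modelled as an added example that is not part of the original thread: two MTAs that verify envelope senders by callout, first with a real address as the callout sender and then with the null reverse-path `<>`. The domains, mailboxes, class and function names and the connection cap are all made up for the model.

```python
# Constructed model of SMTP sender callouts; nothing here touches the network.
MAX_CONNECTIONS = 20  # cap so the runaway case terminates inside the model


class MTA:
    def __init__(self, domain, mailboxes, callout_from):
        self.domain = domain
        self.mailboxes = set(mailboxes)
        self.callout_from = callout_from  # "" stands for the null reverse-path <>

    def rcpt(self, mail_from, rcpt_to, net, log):
        """Model MAIL FROM / RCPT TO of one inbound connection; return an SMTP code."""
        log.append((self.domain, mail_from or "<>", rcpt_to))
        if len(log) >= MAX_CONNECTIONS:
            return 451  # the model stops here; nothing in the exchange itself ends the loop
        local, _, domain = rcpt_to.rpartition("@")
        if domain != self.domain or local not in self.mailboxes:
            return 550  # no such recipient here
        if mail_from == "":
            return 250  # bounces and callouts use <>: there is no sender to verify
        code = self.callout(mail_from, net, log)
        if code == 250:
            return 250
        return 451 if 400 <= code < 500 else 550

    def callout(self, sender, net, log):
        """Open a connection to the sender's MX and test RCPT TO:<sender>."""
        peer = net.get(sender.rpartition("@")[2])
        if peer is None:
            return 550  # no MX in the model for that domain
        return peer.rcpt(self.callout_from, sender, net, log)


def deliver(net, at_domain, mail_from, rcpt_to):
    """Receive one message; return (final code, number of callout connections)."""
    log = []
    code = net[at_domain].rcpt(mail_from, rcpt_to, net, log)
    return code, len(log) - 1  # the first log entry is the original message


def build(callout_a, callout_b):
    """Two MTAs that both do sender callouts, with the given callout senders."""
    a = MTA("a.example", {"alice", "postmaster"}, callout_a)
    b = MTA("b.example", {"bob", "postmaster"}, callout_b)
    return {a.domain: a, b.domain: b}


if __name__ == "__main__":
    msg = ("a.example", "bob@b.example", "alice@a.example")
    # Both sides call out with a real sender address: each callout triggers another.
    print(deliver(build("postmaster@a.example", "postmaster@b.example"), *msg))
    # Both sides call out with <>: one callout, then the exchange ends.
    print(deliver(build("", ""), *msg))
    # A sender address that does not exist at b.example is still rejected.
    print(deliver(build("", ""), "a.example", "nobody@b.example", "alice@a.example"))
```

In the model, one side using `<>` for its callouts is enough to end the exchange, provided the other side accepts the null sender without calling back.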



Re: Which Spam Block List to use for a network?

2004-06-29 Thread Fraser Campbell
On June 26, 2004 05:27 pm, Leonardo Boselli wrote:

> Just a note. Since these are infected machines, a first test could just be to
> try to "call back" the other server, to see if it replies on port 25.

Being unable to connect to port 25 doesn't mean anything.  AFAIK there is no 
RFC or other standard saying that to send email with smtp you must accept 
email by smtp.

It is normal (or at least common) to verify that the sender's domain at least 
appears to accept mail but a given mail relay could be dedicated to outgoing 
mail and there's no reason that it must accept mail.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux




Re: Which Spam Block List to use for a network?

2004-06-26 Thread Craig Sanders
On Sat, Jun 26, 2004 at 06:34:53PM +1000, Russell Coker wrote:
> On Thu, 24 Jun 2004 11:58, "Jason Lim" <[EMAIL PROTECTED]> wrote:
> > > most ISPs (and mail service providers like yahoo and hotmail), for
> > > instance, will never have SPF records in their DNS.  they may use SPF
> > > checking on their own MX servers, but they won't have the records in their
> > > DNS.  their users have legitimate needs to send mail using their address
> > > from any arbitrary location, which is exactly what SPF works to prevent.
> 
> If someone wants to use a hotmail or yahoo email address when sending email to 
> me then they will use hotmail/yahoo servers to send it.  My mail server will 
> prevent them doing otherwise, and has been doing so since before SPF started 
> becoming popular.

doesn't matter.  hotmail and yahoo are only two domains out of millions that
will never have SPF records in the DNS.  some because the domain owners are
lazy and/or ignorant, some (like debian.org) because they have a legitimate
need to send mail from so many locations that it is impossible to specify all
allowed hosts.



> > I feel SPF is not going to be implemented in many places not because people
> > don't want to reduce spam, but because SPF just won't work in many cases.
> > In fact, depending on how you look at it, it doesn't reduce spam at ALL
> > (phishing is certainly bad, but that is a separate problem).
> 
> If it stops people from joe-jobbing me then that's enough reason to have it.

that's a reason for you to have SPF records (well, it will be if/when enough MX
servers implement SPF checking...in the meantime, it doesn't hurt to have
them).  like me, you *can* have SPF records for your domain because you *can*
list all the hosts allowed to send mail claiming to be from your domain.  that
just isn't the case for many domains.

that is why SPF will never be a generic anti-spam tool.  it is a
tightly-focussed anti-forgery tool of very limited use.

craig

-- 
craig sanders <[EMAIL PROTECTED]>

The next time you vote, remember that "Regime change begins at home"




Re: Which Spam Block List to use for a network?

2004-06-26 Thread Leonardo Boselli
On 22 Jun 2004 at 8:40, Adam Funk wrote:
> This is a smarter way to do it.  Wouldn't you admit that the problem
> is not from MTAs on dynamic IP addresses, but rather from infected
> Windows machines on dynamic IP addresses?

Just a note. Since these are infected machines, a first test could just be to 
try to "call back" the other server, to see if it replies on port 25. If it 
does, then bet on accept; if not, go ahead with checking ...

--
Leonardo Boselli
Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile
Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze
tel +39 0554796431 cell +39 3488605348 fax +39 055495333
http://www.dicea.unifi.it/~leo




Re: Which Spam Block List to use for a network?

2004-06-26 Thread Russell Coker
On Thu, 24 Jun 2004 11:58, "Jason Lim" <[EMAIL PROTECTED]> wrote:
> > most ISPs (and mail service providers like yahoo and hotmail), for
> > instance, will never have SPF records in their DNS.  they may use SPF
> > checking on their own MX servers, but they won't have the records in their
> > DNS.  their users have legitimate needs to send mail using their address
> > from any arbitrary location, which is exactly what SPF works to prevent.

If someone wants to use a hotmail or yahoo email address when sending email to 
me then they will use hotmail/yahoo servers to send it.  My mail server will 
prevent them doing otherwise, and has been doing so since before SPF started 
becoming popular.

> This also applies to most hosting companies. If your ISP prevents outgoing
> SMTP (port 25) to other mail servers and you are forced to use your ISP's
> mail servers, then the "mail server" is not going to match that of your
> hosting account or domain name. Thus SPF fails again in this case.

You just have to enable the ISP's mail server in the SPF configuration.  That 
allows a customer of the same ISP to joe-job you, but sorting THAT out should 
not be so difficult.

> I feel SPF is not going to be implemented in many places not because people
> don't want to reduce spam, but because SPF just won't work in many cases.
> In fact, depending on how you look at it, it doesn't reduce spam at ALL
> (phishing is certainly bad, but that is a separate problem).

If it stops people from joe-jobbing me then that's enough reason to have it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




Re: Which Spam Block List to use for a network?

2004-06-25 Thread Jasper Metselaar
On Wednesday 23 June 2004 10.26, Adrian 'Dagurashibanipal' von Bidder
wrote:
>> Finally, I keep postmaster always open, a thing that a lot of these
>> happy blocking servers do not.

> Goes without saying. Additionally, as I said, the rejection message
> does contain an unblocked email address, too. So far, postmaster and
> abuse are not spammed.

It may be quite off topic, but I am actually looking for a way to keep
the postmaster address open, but until now I haven't succeeded. :-( I use
rblsmtpd. Any clues or suggestions?

Thanks!

Jasper








Re: Which Spam Block List to use for a network?

2004-06-25 Thread Kilian Krause
Hi Craig,

> > [BTW, debian.org does not have an SPF entry.]
> 
> nor should it.  there are over a thousand @debian.org addresses, belonging to
> over a thousand people, all of whom use their own internet connections to send
> mail.  it would be impossible to specify all the hosts allowed to send mail
> claiming to be from @debian.org.

that may be correct for @debian.org, but for sure the mailservers which
are supposed to be sending @lists.debian.org are only certain ones. So
there are even places where it might make sense to set up SPF for the
debian domain. (like lists, ftp-master, security.debian.org maybe even
etc.)

-- 
Best regards,
 Kilian


Re: Which Spam Block List to use for a network?

2004-06-24 Thread Craig Sanders
On Thu, Jun 24, 2004 at 08:46:20AM -0400, Mark Bucciarelli wrote:
> On Thursday 24 June 2004 08:17, Kilian Krause wrote:
> > Hi Mark,
> >
> > On Thu, 24.06.2004 at 14:06, Mark Bucciarelli wrote:
> > > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header,
> > > not From:, so I think this case should work fine ...
> >
> > so you mean this will also cut down the secondary spam through mailing lists
> > (which have a proper SPF most probably). 
> 
> No.  I meant that I send my domain mail through my ISP's SMTP server and I
> can setup my domain's DNS txt record so this works with SPF.

yes.  SPF is useful for small domains, including small businesses, SOHO, and
vanity domains.  it's also useful for corporations that have mail gateways
through which ALL of their outbound mail is supposed to pass.

it's not much use in any other circumstance.

e.g. i have SPF records in my home domains.  it is appropriate to have them
there because i *KNOW* with absolute 100% certainty which hosts are allowed to
send mail claiming to be from those domains.  i also have them because the cost
of having them is negligible (a few minutes of time to create them) even if
there aren't many mail servers which actually check them (hopefully that will
change in future) - in other words, they're not much use at the moment but it
didn't cost me much to publish the SPF TXT records.

i don't have SPF records in any of the thousands of domains on my name-server
at work (an ISP) because i do not and can not know which hosts should be
allowed to send mail claiming to be from these domains.

> [BTW, debian.org does not have an SPF entry.]

nor should it.  there are over a thousand @debian.org addresses, belonging to
over a thousand people, all of whom use their own internet connections to send
mail.  it would be impossible to specify all the hosts allowed to send mail
claiming to be from @debian.org.

as mentioned before, SPF is only useful where the owner of a domain can define
exactly which hosts are allowed to send mail claiming to be from that domain.
as you correctly deduced earlier (but incorrectly dismissed), it IS a very
small percentage of domains which can do this.

for every domain that can have SPF records, there are tens of thousands that
can't...and for every domain that actually does have them, there are millions
that don't.  that will always be the case.  SPF is not useful as a generic
anti-spam/anti-virus tool.  it is a specifically focused anti-forgery tool with
a very limited and small set of domains where it can be used.

sorry to burst your bubble, but wishful thinking won't make it any different.

craig

ps: more on SPF records for debian.org..it's a good idea to think about the
consequences of any action *BEFORE* doing it.  jumping on the bandwagon just
because it's fashionable or because it's all shiny and new is stupid.


-- 
craig sanders <[EMAIL PROTECTED]>

The next time you vote, remember that "Regime change begins at home"




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Yves Junqueira
On Thu, 24 Jun 2004 09:19:41 -0400, Mark Bucciarelli
<[EMAIL PROTECTED]> wrote:
 
> Q: Do all hotmail accounts have Caller-ID records?
> 

(Sorry about the broken replying in my last message)

It's not about hotmail *accounts*, it's whether hotmail.com has
published SPF/Caller-ID records or not.  I can't check from where I am
now, but try:

# host -t MX hotmail.com

Also, try:

# host -t MX gmail.com

The last time I checked, hotmail didn't have any TXT records anymore,
either Caller-ID or SPF. I am almost sure it had published Caller-ID
records before.
On the other hand, Gmail has a "-all" SPF record, which is nice for us
mail admins, who could block fake @gmail.com - like those @yahoo,
@msn, @hotmail that come all the time. They are usually blocked by
some other methods, but some pass.

I disagree with Craig Sanders. I understand that "their users have
legitimate needs to send mail using their address from any arbitrary location,
which is exactly what SPF works to prevent.", but that's why there is
"~all" and other partial, graylisting options. And the *hope* is mail
servers that don't use SASL authentication to do so.

I think SPF can help a lot, because phishing and spamming are very
related. One can be fooled into reading a mail from
"[EMAIL PROTECTED]" just because he thinks it is
legitimate. This happens all the time. (it could be hotmail.com or any
other domain)

Btw, a very important feature I use in some implementations is that
the mail server will not accept mail from its own domains if the user
is not authenticated, even if the final destination is a valid user.
I've noticed a lot of spam comes with a MAIL FROM (or From, I'm not
sure) faked to the 'domain.tld' part of the smtp server greeting. This
seems to work for me in most scenarios (all my users already have to
authenticate using SASL, anyway). What are your thoughts?

A small contribution:
For those who are still in doubt, the idea of SPF is: one can only
send mails with a @gmail.com sender address from those servers
specified by SPF records in the gmail.com TXT domain record.

If you want to send e-mail from somewhere else, you must ideally
authenticate to gmail's SMTP server (SASL is the keyword here). If you
send e-mail from somewhere else, my server will block you, since it
has an SPF checker (postfix's spf policyd).

This has been a very informative discussion. Thanks!

-- 
Yves Junqueira
www.lynx.com.br




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 10:09, Kilian Krause wrote:
> Hi Mark,
>
> > For most cases, it doesn't cost anything to implement SPF now.  And if
> > you do it, and tell two friends, and they tell two friends ...
>
> well, this may be correct. However i miss the config snippet to drop
> into exim4 in spf.pobox.com. So how do i make my MTA verify SPF?
> (setting up the DNS is easy enough, but i also want to check the others,
> wouldn't i? *g*)

http://spf.pobox.com/downloads.html




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Kilian Krause
Hi again,

On Thu, 24.06.2004 at 16:09, Kilian Krause wrote:
> Hi Mark,
> 
> > For most cases, it doesn't cost anything to implement SPF now.  And if you 
> > do it, and tell two friends, and they tell two friends ...
> 
> well, this may be correct. However i miss the config snippet to drop
> into exim4 in spf.pobox.com. So how do i make my MTA verify SPF?
> (setting up the DNS is easy enough, but i also want to check the others,
> wouldn't i? *g*)

well, i seem to just have found it after clicking send.
http://spf.pobox.com/exim4.spf.acl-2.09.txt
However when installing "libmail-spf-query-perl" there's no /etc/init.d
script to launch spfd. Are there any plans to add this? Is the spfd
version even recommended? 
After all that's exim4-daemon-heavy running sa-exim already, so it should
be able to deal with the perl module itself, shouldn't it? Any configs
out there already?

-- 
Best regards,
 Kilian




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Kilian Krause
Hi Mark,

> For most cases, it doesn't cost anything to implement SPF now.  And if you 
> do it, and tell two friends, and they tell two friends ...

well, this may be correct. However i miss the config snippet to drop
into exim4 in spf.pobox.com. So how do i make my MTA verify SPF?
(setting up the DNS is easy enough, but i also want to check the others,
wouldn't i? *g*)

-- 
Best regards,
 Kilian




AW: Which Spam Block List to use for a network?

2004-06-24 Thread Sebastian Graf
test

-Original Message-
From: Mark Bucciarelli [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 24 June 2004 15:20
To: debian-isp@lists.debian.org
Subject: Re: Which Spam Block List to use for a network?

On Wednesday 23 June 2004 20:51, Craig Sanders wrote:

> most ISPs (and mail service providers like yahoo and hotmail), for
> instance, will never have SPF records in their DNS.  they may use SPF
> checking on their own MX servers, but they won't have the records in
> their DNS.

Looks like you can use SPF with Hotmail since February.

"February 26th 2004: The latest version of Mail::SPF::Query will parse 
Caller-ID records! SPF-enabled MTAs can now read Hotmail and 
Microsoft.com's records and translate them into SPF format." [1]

Q: Do all hotmail accounts have Caller-ID records?

Regards,

Mark

[1] http://spf.pobox.com/







Re: Which Spam Block List to use for a network?

2004-06-24 Thread Leonardo Boselli
On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header,
> > > not From:, so I think this case should work fine ...
> > > are you sure? i never see such a header!
> Yes.  See http://spf.pobox.com/faq.html

that is mail from: not mail-from:
how can i see it as a recipient? I do not trust other systems for
filtering!
After all, there is no problem in giving a fake address as "mail from",
so you in the end should test if the alleged from is conformant with the
originating host, and you are again in trouble if someone sends a message
from another domain.





Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 20:51, Craig Sanders wrote:

> most ISPs (and mail service providers like yahoo and hotmail), for
> instance, will never have SPF records in their DNS.  they may use SPF
> checking on their own MX servers, but they won't have the records in
> their DNS.

Looks like you can use SPF with Hotmail since February.

"February 26th 2004: The latest version of Mail::SPF::Query will parse 
Caller-ID records! SPF-enabled MTAs can now read Hotmail and 
Microsoft.com's records and translate them into SPF format." [1]

Q: Do all hotmail accounts have Caller-ID records?

Regards,

Mark

[1] http://spf.pobox.com/




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:17, Kilian Krause wrote:
> Hi Mark,
>
> On Thu, 24.06.2004 at 14:06, Mark Bucciarelli wrote:
> > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header,
> > not From:, so I think this case should work fine ...
>
> so you mean this will also cut down the secondary spam through
> mailing lists (which have a proper SPF most probably). 

No.  I meant that I send my domain mail through my ISP's SMTP server and I 
can setup my domain's DNS txt record so this works with SPF.

[BTW, debian.org does not have an SPF entry.]

> How is that MTA 
> gonna see within the MAIL FROM whom this was forwarded for?
> I mean, the general issue (for me) is not the spam i receive directly
> through my primary host, but those that's forwarding email-addresses,
> which have a whitelisted mx host re-sending me the spam they accepted

It's the other server's responsibility, not yours.  I guess you have the 
option not to whitelist them, since they send you spam.

Regards,

Mark




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:48, Leonardo Boselli wrote:
> On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > > > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM:
> > > > header, not From:, so I think this case should work fine ...
> > >
> > > are you sure? i never see such a header!
> >
> > Yes.  See http://spf.pobox.com/faq.html
>
> that is mail from: not mail-from:
> how can i see it as a recipient? I do not trust other systems for
> filtering!
> After all, there is no problem in giving a fake address as "mail from"
> so you on the end should test if the alleged from is conformant with the
> originating host, and you are again in trouble if someone sends a message
> from another domain.

Somewhere along the mail trail, the spammer forged the MAIL FROM header and 
sent an email from a server not associated with the forged domain.  That's 
where SPF can work.  Once that email is accepted by the receiving server, 
the game is over.

For most cases, it doesn't cost anything to implement SPF now.  And if you 
do it, and tell two friends, and they tell two friends ...

There are only two significant problems that I know of with SPF:

(1) "traditional UNIX .forward files and /etc/aliases files" [1] don't 
change the return-path address in the envelope.

(2) greeting card sites and "e-mail me this news article" sites use your 
email address in the envelope as well as the From: header.

For (1), you can use remailing instead.  For (2), you have to ask the site 
to change their policy.  Newer sites may already work (for example, Orkut 
doesn't have this problem).


[1] Linux Journal, May 2004, p. 53

Regards,

Mark
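
Added example, not part of any message in this thread: a small Python sketch of the check being argued about, evaluating the envelope MAIL FROM domain against the connecting IP for the ISP-relay, forged, .forward and remailing cases. The domains, addresses and TXT records are constructed assumptions, and only the ip4, include and all mechanisms are implemented.

```python
"""Minimal SPF-style check on the SMTP envelope sender (MAIL FROM).

Constructed data only: the domains, addresses and TXT records below are
illustrative (example.* names, documentation address ranges) and are not
taken from the thread. Only ip4, include and all are supported.
"""
import ipaddress

# Constructed "DNS": domain -> SPF TXT record.
TXT = {
    # Domain owner who relays outgoing mail through the ISP's smarthost.
    "vanity.example": "v=spf1 include:isp.example -all",
    "isp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # A host that forwards mail for its users.
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:
        return "permerror"          # guard against include loops
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"               # domain publishes no policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the included policy yields pass
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"      # mechanism not implemented in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def spf_for_envelope(client_ip, mail_from):
    """The check uses the MAIL FROM domain and the connecting IP, never From:."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    return check_host(client_ip, domain)


def scenarios():
    sender = "mark@vanity.example"
    return {
        # Owner sends through the ISP relay that the record includes.
        "via_isp_relay": spf_for_envelope("192.0.2.10", sender),
        # Unrelated host uses the same MAIL FROM.
        "forged": spf_for_envelope("203.0.113.66", sender),
        # .forward / aliases: forwarder re-sends, envelope sender unchanged.
        "plain_forward": spf_for_envelope("198.51.100.25", sender),
        # Remailing: forwarder rewrites MAIL FROM into its own domain.
        "remailed": spf_for_envelope("198.51.100.25", "fwd-user@forwarder.example"),
        # Domain without a record: the receiver learns nothing.
        "no_record": spf_for_envelope("203.0.113.66", "x@norecord.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} {result}")
```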




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Kilian Krause
Hi Mark,

> It's the other server's responsibility, not yours.  I guess you have the 
> option not to whitelist them, since they send you spam.

That's technically correct. However it lacks the important bit. It's my
*problem* not theirs. (for i still get the spam, even if they *SHOULD*
be blocking it)
Thus I still want to eliminate it, for telling they shouldn't be sending
it to me in the first place doesn't delete it, does it? 

-- 
Best regards,
 Kilian





Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 10:09, Kilian Krause wrote:
> Hi Mark,
>
> > For most cases, it doesn't cost anything to implement SPF now.  And if
> > you do it, and tell two friends, and they tell two friends ...
>
> well, this may be correct. However i miss the config snippet to drop
> into exim4 in spf.pobox.com. So how do i make my MTA verify SPF?
> (setting up the DNS is easy enough, but i also want to check the others,
> wouldn't i? *g*)

http://spf.pobox.com/downloads.html


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Thursday 24 June 2004 08:23, Leonardo Boselli wrote:
> On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> > On Wednesday 23 June 2004 21:58, Jason Lim wrote:
> > > This also applies to most hosting companies. If your ISP prevents
> > > outgoing SMTP (port 25) to other mail servers and you are forced to
> > > use your ISP's mail servers, then the "mail server" is not going to
> > > match that of your hosting account or domain name. Thus SPF fails
> > > again in this case.
> >
> > I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header,
> > not From:, so I think this case should work fine ...
>
> are you sure? i never see such a header!

Yes.  See http://spf.pobox.com/faq.html

Regards,

Mark




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Kilian Krause
Hi again,

On Thu, 24.06.2004 at 16:09, Kilian Krause wrote:
> Hi Mark,
> 
> > For most cases, it doesn't cost anything to implement SPF now.  And if you 
> > do it, and tell two friends, and they tell two friends ...
> 
> well, this may be correct. However i miss the config snippet to drop
> into exim4 in spf.pobox.com. So how do i make my MTA verify SPF?
> (setting up the DNS is easy enough, but i also want to check the others,
> wouldn't i? *g*)

well, i seem to just have found it after clicking send.
http://spf.pobox.com/exim4.spf.acl-2.09.txt
However when installing "libmail-spf-query-perl" there's no /etc/init.d
script to launch spfd. Are there any plans to add this? Is the spfd
version even recommended? 
After all that's exim4-daemon-heavy running sa-exim already, so it should
be able to deal with the perl module itself, shouldn't it? Any configs
out there already?

-- 
Best regards,
 Kilian




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Kilian Krause
Hi Mark,

> For most cases, it doesn't cost anything to implement SPF now.  And if you 
> do it, and tell two friends, and they tell two friends ...

well, this may be correct. However i miss the config snippet to drop
into exim4 in spf.pobox.com. So how do i make my MTA verify SPF?
(setting up the DNS is easy enough, but i also want to check the others,
wouldn't i? *g*)

-- 
Best regards,
 Kilian




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Leonardo Boselli
On Thu, 24 Jun 2004, Mark Bucciarelli wrote:
> On Wednesday 23 June 2004 21:58, Jason Lim wrote:
> > This also applies to most hosting companies. If your ISP prevents
> > outgoing SMTP (port 25) to other mail servers and you are forced to use
> > your ISP's mail servers, then the "mail server" is not going to match
> > that of your hosting account or domain name. Thus SPF fails again in
> > this case.
> I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header, not 
> From:, so I think this case should work fine ...

are you sure? i never see such a header!





Re: Which Spam Block List to use for a network?

2004-06-24 Thread Kilian Krause
Hi Mark,


On Thu, 24.06.2004 at 14:06, Mark Bucciarelli wrote:
> I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header, not 
> From:, so I think this case should work fine ...

so you mean this will also cut down the secondary spam through
mailing lists (which have a proper SPF most probably). How is that MTA
gonna see within the MAIL FROM whom this was forwarded for?
I mean, the general issue (for me) is not the spam i receive directly
through my primary host, but those that's forwarding email-addresses,
which have a whitelisted mx host re-sending me the spam they accepted
(which would have been rejected if it was sent to my primary email
address). For that problem I currently see no other way than doing
content scanning. But please anybody enlighten me in case i have missed
a point on SPF or the rest of the discussion.

-- 
Best regards,
 Kilian




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 21:58, Jason Lim wrote:

> This also applies to most hosting companies. If your ISP prevents
> outgoing SMTP (port 25) to other mail servers and you are forced to use
> your ISP's mail servers, then the "mail server" is not going to match
> that of your hosting account or domain name. Thus SPF fails again in
> this case.

I'm pretty sure this is incorrect.  SPF checks the MAIL-FROM: header, not 
From:, so I think this case should work fine ...

Regards,

Mark




Re: Which Spam Block List to use for a network?

2004-06-24 Thread Mark Bucciarelli
On Wednesday 23 June 2004 20:51, Craig Sanders wrote:
> On Wed, Jun 23, 2004 at 12:05:57PM -0300, Yves Junqueira wrote:
> > SPF is a proposed standard.
> > http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
> > Even Microsoft seemed to drop its CallerID proposal in favor of SPF.
> > Check spf.pobox.com

> SPF isn't a very effective tool for blocking spam or viruses.  it is a
> tool for preventing some kinds of forgery.  it is useful where the owner
> of a domain can strictly define which hosts are allowed to send mail
> claiming to be from their domain.  it is not useful otherwise.

I sense an implication that this is some small percentage of total non-spam 
email.  Doesn't this cover a _huge_ percentage of valid email?  Who does 
this rule out other than power users with an MTA on their laptop or 
people using greeting card sites?

Also, according to Meng Weng's Linux Journal article, SPF makes provisions 
for power users with their own MTA on dynamic IPs (even if Russell 
doesn't  ;).  In addition, if you are a power user that uses forward 
files, if you switch to remailing, SPF will also work.  These require using 
advanced SPF: the "exists" and "include" mechanisms.

> most ISPs (and mail service providers like yahoo and hotmail), for
> instance, will never have SPF records in their DNS.  they may use SPF
> checking on their own MX servers, but they won't have the records in
> their DNS.  their users have legitimate needs to send mail using their
> address from any arbitrary location, which is exactly what SPF works to
> prevent.

Why do you say never?  If it's good enough for aol and google, why not 
hotmail and yahoo?  According to spf.pobox.com, Microsoft has endorsed SPF 
as a standard.

Regards,

Mark




AW: Which Spam Block List to use for a network?

2004-06-24 Thread Sebastian Graf
test

-----Original Message-----
From: Mark Bucciarelli [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 24 June 2004 15:20
To: [EMAIL PROTECTED]
Subject: Re: Which Spam Block List to use for a network?

On Wednesday 23 June 2004 20:51, Craig Sanders wrote:

> most ISPs (and mail service providers like yahoo and hotmail), for
> instance, will never have SPF records in their DNS.  they may use SPF
> checking on their own MX servers, but they won't have the records in
> their DNS.

Looks like you can use SPF with Hotmail since February.

"February 26th 2004: The latest version of Mail::SPF::Query will parse 
Caller-ID records! SPF-enabled MTAs can now read Hotmail and 
Microsoft.com's records and translate them into SPF format." [1]

Q: Do all hotmail accounts have Caller-ID records?

Regards,

Mark

[1] http://spf.pobox.com/






Re: Which Spam Block List to use for a network?

2004-06-23 Thread Jason Lim

>
> most ISPs (and mail service providers like yahoo and hotmail), for instance,
> will never have SPF records in their DNS.  they may use SPF checking on their
> own MX servers, but they won't have the records in their DNS.  their users have
> legitimate needs to send mail using their address from any arbitrary location,
> which is exactly what SPF works to prevent.

This also applies to most hosting companies. If your ISP prevents outgoing
SMTP (port 25) to other mail servers and you are forced to use your ISP's
mail servers, then the "mail server" is not going to match that of your
hosting account or domain name. Thus SPF fails again in this case.

> SPF is useful and a *part* of the solution for *some* of the problem.  it is
> not a magic bullet.

I feel SPF is not going to be implemented in many places not because people
don't want to reduce spam, but because SPF just won't work in many cases.
In fact, depending on how you look at it, it doesn't reduce spam at ALL
(phishing is certainly bad, but that is a separate problem).

Jas




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Craig Sanders
On Wed, Jun 23, 2004 at 12:05:57PM -0300, Yves Junqueira wrote:
> SPF is a proposed standard.
> http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
> Even Microsoft seemed to drop its CallerID proposal in favor of SPF.
> Check spf.pobox.com
> 
> On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci <[EMAIL PROTECTED]> wrote:
> 
> > Please correct me if I'm wrong; I'm searching for RFCs which
> > propose effective ways to block spam and viruses.

SPF isn't a very effective tool for blocking spam or viruses.  it is a tool for
preventing some kinds of forgery.  it is useful where the owner of a domain can
strictly define which hosts are allowed to send mail claiming to be from their
domain.  it is not useful otherwise.  

this means it is very useful for, say, banks and other corporations to
prevent/limit phishing style scams.  it is also useful for small businesses and
home vanity domains.  it is not useful as a general anti-spam/anti-virus tool
because spammers and viruses can just forge addresses in any of the millions of
domains that don't have (and never will have) SPF records.

most ISPs (and mail service providers like yahoo and hotmail), for instance,
will never have SPF records in their DNS.  they may use SPF checking on their
own MX servers, but they won't have the records in their DNS.  their users have
legitimate needs to send mail using their address from any arbitrary location,
which is exactly what SPF works to prevent.

SPF is useful and a *part* of the solution for *some* of the problem.  it is
not a magic bullet.

craig



PS: (standard quote information file)

please learn to quote properly. your reply goes UNDERNEATH the quoted
material, not above it. this allows the quoted message to be read in
sequential order rather than reverse chronological order.

top-posting screws up the chronological order of the replies making it a
jarring chore to make sense of them - you have to scroll backwards and
forwards trying to match who said what to whom and when.

the longer a thread goes on, the worse it gets.

-- 
craig sanders <[EMAIL PROTECTED]>

The next time you vote, remember that "Regime change begins at home"




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Craig Sanders
On Wed, Jun 23, 2004 at 11:45:40AM +0200, Niccolo Rigacci wrote:
> On Wed, Jun 23, 2004 at 09:56:02AM +1000, Craig Sanders wrote:
> > > You want to block spam or viruses, this is OK but you are on the
> > > wrong way.
> > 
> > no, it's absolutely the right way.  a large percentage of spam and
> > almost all viruses come direct from dynamic IP addresses.
> 
> I repeat for the last time: the fact that your block is effective
> to your problem does not metter that you are on the right way.

i'm so glad it's the last time.  it's very tiresome when someone
is both wrong and repetitive.

craig

-- 
craig sanders <[EMAIL PROTECTED]>

The next time you vote, remember that "Regime change begins at home"




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Blu
On Wed, Jun 23, 2004 at 09:01:24PM +1000, Russell Coker wrote:
> On Wed, 23 Jun 2004 18:23, Blu <[EMAIL PROTECTED]> wrote:
> > Well yes. Maybe I oversimplified. What I do is a callback to the MX of
> > the envelope sender to see if it accepts mail to him/her. If not, the
> > mail is rejected with an explicative 550.
> 
> You aren't the only one who does that.  I have found one other person who
> does that and who happens to have their mail server in an address range that's
> black-listed.  So when I sent mail to them their mail server made a call-back
> to mine, my server rejected that and their mail server then generated a 55x
> code that tried to summarise the code from mine.  Then my mail server took
> that and made it into a bounce message.

Of course I am not the first one doing this. In fact Exim4 has built-in
capability to do so.

> The resulting message was something that I could not decipher even though I 
> have 10 years of experience running Internet mail servers!  All I could do 
> was post a message to a mailing list I knew the person was subscribed to and 
> inform them that their server was borked in some unknown way.

:) Well, my approach is not that fancy. I just check if the callback
passes the RCPT, and if not, issue a 550 with a short message telling
that my host will not accept mail that cannot be answered. I don't
expect end users to read a bounce, but many of them forward the bounce
to customer service instead and in some cases it has been enough to
whitelist a server.

> What would the average Internet user do in such a situation?
> 
> The typical 55x message about a DNSBL rejection is clear enough that most 
> people can get some idea of what to do (IE phone the person, use a different 
> mail server, etc).

In my experience, end users in general are not able to interpret a
bounce message and they complain to admins in the best case. In the
worst case, they do nothing.

> The call-back idea may be good if you have a domain totally full of clueless 
> morons who only receive mail from skilled administrators who have experience 
> in dealing with call-back systems.  But if you have average people exchanging 
> email with other average people (the common case) then it will make things 
> worse not better.

I am not willing to deal with all the sites which reject mail from my
servers for the most diverse reasons and every one with a different
way of dealing with the problem, if any. If a foreign server is
rejecting mail from me, without me having done anything harmful, then
the problem is theirs and not mine. It is the administrator of that
server who has to explain to his users why he is rejecting legitimate
email.

Blu.




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Christian Storch
It's a good paper to start for learning about basics of spam blocking.
As you already mentioned: most of it is still a must for every mailserver today.

But interesting: 4xx instead of 5xx is used successfully by greylisting!

Christian

- Original Message - 
From: "Yves Junqueira" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, June 24, 2004 12:12 AM
Subject: Re: Which Spam Block List to use for a network?


> This could be also of interest. Although it is old (feb 99), most of
> its recommendations are valid. Others have not yet come to a consensus,
> like using 4xx error codes instead of 5xx for denying spam. Anyway, it
> instigates more profound analysis from the mail admin.
> 
>  http://www.faqs.org/rfcs/rfc2505.html
> 
> What are your thoughts, readers?
> 
> 
> > > On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci <[EMAIL PROTECTED]> 
> > > wrote:
> > >
> > > > Please correct me if I'm wrong; I'm searching for RFCs which
> > > > propose effective ways to block spam and viruses.
> > > >
> 
> -- 
> Yves Junqueira
> www.lynx.com.br




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Craig Sanders
On Wed, Jun 23, 2004 at 12:05:57PM -0300, Yves Junqueira wrote:
> SPF is a proposed standard.
> http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
> Even Microsoft seemed to drops its CallerID proposal in favor of SPF.
> Check spf.pobox.com
> 
> On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci <[EMAIL PROTECTED]> wrote:
> 
> > Please correct me if I'm wrong; I'm searching for RFCs which
> > propose effective ways to block spam and viruses.

SPF isn't a very effective tool for blocking spam or viruses.  it is a tool for
preventing some kinds of forgery.  it is useful where the owner of a domain can
strictly define which hosts are allowed to send mail claiming to be from their
domain.  it is not useful otherwise.  

this means it is very useful for, say, banks and other corporations to
prevent/limit phishing style scams.  it is also useful for small businesses and
home vanity domains.  it is not useful as a general anti-spam/anti-virus tool
because spammers and viruses can just forge addresses in any of the millions of
domains that don't have (and never will have) SPF records.

most ISPs (and mail service providers like yahoo and hotmail), for instance,
will never have SPF records in their DNS.  they may use SPF checking on their
own MX servers, but they won't have the records in their DNS.  their users have
legitimate needs to send mail using their address from any arbitrary location,
which is exactly what SPF works to prevent.

SPF is useful and a *part* of the solution for *some* of the problem.  it is
not a magic bullet.

craig



PS: (standard quote information file)

please learn to quote properly. your reply goes UNDERNEATH the quoted
material, not above it. this allows the quoted message to be read in
sequential order rather than reverse chronological order.

top-posting screws up the chronological order of the replies making it a
jarring chore to make sense of them - you have to scroll backwards and
forwards trying to match who said what to whom and when.

the longer a thread goes on, the worse it gets.

-- 
craig sanders <[EMAIL PROTECTED]>

The next time you vote, remember that "Regime change begins at home"
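
Craig's point above, as an added example that is not part of the original thread: a minimal SPF-style check showing that a forged envelope sender is rejected only when the forged domain publishes a strict record, while a domain with no record yields `none`. The domains, records and addresses are constructed, and only the `ip4` and `all` mechanisms are handled, so this is not a full SPF implementation.

```python
import ipaddress

# Constructed sample "DNS": domain -> published SPF TXT record (None = no record).
SAMPLE_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/28 -all",
    "smallbiz.example": "v=spf1 ip4:198.51.100.25 ~all",
    "bigisp.example": None,   # roaming users, so no record is published
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, txt=SAMPLE_TXT):
    """Evaluate the envelope sender's domain against its SPF record.

    Only the ip4 and all mechanisms are handled; include, a, mx,
    redirect and the rest are left out to keep the sketch short.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                      # nothing published: no opinion
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched


def smtp_decision(client_ip, mail_from):
    """Map the SPF result to a reply a receiving MX might give at MAIL FROM."""
    result = check_spf(client_ip, mail_from)
    if result == "fail":
        domain = mail_from.rsplit("@", 1)[-1]
        return "550 rejected: %s does not permit %s" % (domain, client_ip)
    return "250 ok (spf=%s)" % result


if __name__ == "__main__":
    unlisted_host = "203.0.113.77"         # constructed address, in no record
    for sender in ("alerts@bank.example", "joe@smallbiz.example",
                   "anyone@bigisp.example"):
        print(sender, "->", smtp_decision(unlisted_host, sender))
```
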





Re: Which Spam Block List to use for a network?

2004-06-23 Thread Craig Sanders
On Wed, Jun 23, 2004 at 11:45:40AM +0200, Niccolo Rigacci wrote:
> On Wed, Jun 23, 2004 at 09:56:02AM +1000, Craig Sanders wrote:
> > > You want to block spam or viruses, this is OK but you are on the
> > > wrong way.
> > 
> > no, it's absolutely the right way.  a large percentage of spam and
> > almost all viruses come direct from dynamic IP addresses.
> 
> I repeat for the last time: the fact that your block is effective
> to your problem does not metter that you are on the right way.

i'm so glad it's the last time.  it's very tiresome when someone
is both wrong and repetitive.

craig

-- 
craig sanders <[EMAIL PROTECTED]>

The next time you vote, remember that "Regime change begins at home"





Re: Which Spam Block List to use for a network?

2004-06-23 Thread Yves Junqueira
This could be also of interest. Although it is old (feb 99), most of
its recommendations are valid. Others have not yet come to a consensus,
like using 4xx error codes instead of 5xx for denying spam. Anyway, it
instigates more profound analysis from the mail admin.

 http://www.faqs.org/rfcs/rfc2505.html

What are your thoughts, readers?


> > On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci <[EMAIL PROTECTED]> 
> > wrote:
> >
> > > Please correct me if I'm wrong; I'm searching for RFCs which
> > > propose effective ways to block spam and viruses.
> > >

-- 
Yves Junqueira
www.lynx.com.br




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Christian Storch
You mean http://www.ietf.org/internet-drafts/draft-mengwong-spf-01.txt.

Very nice idea to perhaps avoid some percent of spam. The only problem:

It has nothing to do with the reality out in the world and net respectively.
It's only shifting the job of blacklisting ip's to domains.
Sit back a while and try to think about a realistic number
of email addresses/domains today ...
... and you will forget any kind of such academic solution.

I'm getting some hundreds of spams every day - all flavor of spam, really!
And I know some customers of the company I'm working for with nearly
the same amount.
Now my answer is a combination of a couple of tools integrated into the
mailer daemon we're using today and a weighting scheme of all at the end:
Today I'm dealing with about 0,1 % false positives/negatives.

So I would say the answer to all methods should be some reasonable regular
updated mixture of them.
It's a war not a problem!

And I think if somebody is trying to write some RFC for that
the same would be obsolete before he's able to publish it.

Christian


- Original Message - 
From: "Yves Junqueira" <[EMAIL PROTECTED]>
To: ; "Craig Sanders" <[EMAIL PROTECTED]>
Sent: Wednesday, June 23, 2004 5:05 PM
Subject: Re: Which Spam Block List to use for a network?


> SPF is a proposed standard.
> http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
> Even Microsoft seemed to drop its CallerID proposal in favor of SPF.
> Check spf.pobox.com
> 
> 
> On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci <[EMAIL PROTECTED]> wrote:
> 
> > Please correct me if I'm wrong; I'm searching for RFCs which
> > propose effective ways to block spam and viruses.
> > 
> 
> -- 
> Yves Junqueira
> www.lynx.com.br
> 
> 




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Blu
On Wed, Jun 23, 2004 at 09:01:24PM +1000, Russell Coker wrote:
> On Wed, 23 Jun 2004 18:23, Blu <[EMAIL PROTECTED]> wrote:
> > Well yes. Maybe I oversimplified. What I do is a callback to the MX of
> > the envelope sender to see if it accepts mail to him/her. If not, the
> > mail is rejected with an explicative 550.
> 
> You aren't the only one who does that.  I have found one other person who does 
> that and who happens to have their mail server in an address range that's 
> black-listed.  So when I sent mail to them their mail server made a call-back 
> to mine, my server rejected that and their mail server then generated a 55x 
> code that tried to summarise the code from mine.  Then my mail server took 
> that and made it into a bounce message.

Of course I am not the first one doing this. In fact Exim4 has built-in
capability to do so.

> The resulting message was something that I could not decipher even though I 
> have 10 years of experience running Internet mail servers!  All I could do 
> was post a message to a mailing list I knew the person was subscribed to and 
> inform them that their server was borked in some unknown way.

:) Well, my approach is not that fancy. I just check if the callback
passes the RCPT, and if not, issue a 550 with a short message telling
that my host will not accept mail that cannot be answered. I don't
expect end users to read a bounce, but many of them forward the bounce
to customer service instead and in some cases it has been enough to
whitelist a server.

> What would the average Internet user do in such a situation?
> 
> The typical 55x message about a DNSBL rejection is clear enough that most 
> people can get some idea of what to do (IE phone the person, use a different 
> mail server, etc).

In my experience, end users in general are not able to interpret a
bounce message and they complain to admins in the best case. In the
worst case, they do nothing.

> The call-back idea may be good if you have a domain totally full of clueless 
> morons who only receive mail from skilled administrators who have experience 
> in dealing with call-back systems.  But if you have average people exchanging 
> email with other average people (the common case) then it will make things 
> worse not better.

I am not willing to deal with all the sites which reject mail from my
servers for the most diverse reasons and every one with a different
way of dealing with the problem, if any. If a foreign server is
rejecting mail from me, without me having done anything harmful, then
the problem is theirs and not mine. It is the administrator of that
server who has to explain to his users why he is rejecting legitimate
email.

Blu.
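
The callback Blu describes and the failure Russell reports, as an added example that is not part of the original thread: the receiving server asks the envelope sender's MX whether it would accept a bounce, and rejects with a 550 that names the stage and quotes the remote reply. The remote MX is a constructed in-process stand-in (`FakeMX`, a hypothetical name), all addresses are constructed, and deferring on a 4xx reply is an assumption of this sketch.

```python
class FakeMX:
    """Constructed stand-in for the envelope sender's MX; no network I/O."""

    def __init__(self, users, blocked_ips=(), greylisting=False):
        self.users = set(users)
        self.blocked_ips = set(blocked_ips)
        self.greylisting = greylisting
        self.log = []                      # transcript of the callback

    def _reply(self, code, text):
        self.log.append("S: %d %s" % (code, text))
        return code, text

    def connect(self, client_ip):
        self.log.append("C: (connect from %s)" % client_ip)
        if client_ip in self.blocked_ips:
            return self._reply(554, "%s is black-listed here" % client_ip)
        return self._reply(220, "mx.sender.example ESMTP")

    def command(self, line):
        self.log.append("C: " + line)
        if line.upper().startswith("RCPT TO:"):
            rcpt = line[8:].strip().strip("<>").lower()
            if rcpt not in self.users:
                return self._reply(550, "no such user")
            if self.greylisting:
                return self._reply(451, "greylisted, try again later")
        return self._reply(250, "ok")


def sender_callback(mx, my_ip, envelope_sender):
    """Decide our reply to MAIL FROM by asking the sender's MX about it."""
    dialogue = (
        ("connect", lambda: mx.connect(my_ip)),
        ("HELO", lambda: mx.command("HELO mx.receiver.example")),
        # Null sender, as a bounce would use.
        ("MAIL FROM", lambda: mx.command("MAIL FROM:<>")),
        ("RCPT TO", lambda: mx.command("RCPT TO:<%s>" % envelope_sender)),
    )
    for stage, step in dialogue:
        code, text = step()
        if code >= 500:
            # Name the stage and quote the remote reply, so the bounce the
            # sender eventually sees says who refused what.
            return 550, ("will not accept mail that cannot be answered: "
                         "callback for <%s> refused at %s with '%d %s'"
                         % (envelope_sender, stage, code, text))
        if code >= 400:
            # Assumption of this sketch: a temporary failure defers the mail.
            return 451, "sender verification deferred, please retry"
    return 250, "sender accepted"


if __name__ == "__main__":
    users = {"alice@sender.example"}
    # Russell's case: the sender's MX black-lists the host doing the callback.
    mx = FakeMX(users, blocked_ips={"192.0.2.10"})
    print(sender_callback(mx, "192.0.2.10", "alice@sender.example"))
    print("\n".join(mx.log))
```
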





Re: Which Spam Block List to use for a network?

2004-06-23 Thread Christian Storch
It's a good paper to start for learning about basics of spam blocking.
As you already mentioned: most of it is still a must for every mailserver today.

But interesting: 4xx instead of 5xx is used successfully by greylisting!

Christian

- Original Message - 
From: "Yves Junqueira" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 24, 2004 12:12 AM
Subject: Re: Which Spam Block List to use for a network?


> This could be also of interest. Although it is old (feb 99), most of
> its recommendations are valid. Others have not yet come to a consensus,
> like using 4xx error codes instead of 5xx for denying spam. Anyway, it
> instigates more profound analysis from the mail admin.
> 
>  http://www.faqs.org/rfcs/rfc2505.html
> 
> What are your thoughts, readers?
> 
> 
> > > On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci <[EMAIL PROTECTED]> wrote:
> > >
> > > > Please correct me if I'm wrong; I'm searching for RFCs which
> > > > propose effective ways to block spam and viruses.
> > > >
> 
> -- 
> Yves Junqueira
> www.lynx.com.br
> 
> 





Re: Which Spam Block List to use for a network?

2004-06-23 Thread Yves Junqueira
SPF is a proposed standard.
http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt
Even Microsoft seemed to drop its CallerID proposal in favor of SPF.
Check spf.pobox.com


On Wed, 23 Jun 2004 11:45:40 +0200, Niccolo Rigacci <[EMAIL PROTECTED]> wrote:

> Please correct me if I'm wrong; I'm searching for RFCs which
> propose effective ways to block spam and viruses.
> 

-- 
Yves Junqueira
www.lynx.com.br




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Russell Coker
On Wed, 23 Jun 2004 18:23, Blu <[EMAIL PROTECTED]> wrote:
> Well yes. Maybe I oversimplified. What I do is a callback to the MX of
> the envelope sender to see if it accepts mail to him/her. If not, the
> mail is rejected with an explicative 550.

You aren't the only one who does that.  I have found one other person who does 
that and who happens to have their mail server in an address range that's 
black-listed.  So when I sent mail to them their mail server made a call-back 
to mine, my server rejected that and their mail server then generated a 55x 
code that tried to summarise the code from mine.  Then my mail server took 
that and made it into a bounce message.

The resulting message was something that I could not decipher even though I 
have 10 years of experience running Internet mail servers!  All I could do 
was post a message to a mailing list I knew the person was subscribed to and 
inform them that their server was borked in some unknown way.

What would the average Internet user do in such a situation?

The typical 55x message about a DNSBL rejection is clear enough that most 
people can get some idea of what to do (IE phone the person, use a different 
mail server, etc).

The call-back idea may be good if you have a domain totally full of clueless 
morons who only receive mail from skilled administrators who have experience 
in dealing with call-back systems.  But if you have average people exchanging 
email with other average people (the common case) then it will make things 
worse not better.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Niccolo Rigacci
On Wed, Jun 23, 2004 at 09:56:02AM +1000, Craig Sanders wrote:
> > You want to block spam or viruses, this is OK but you are on the
> > wrong way.
> 
> no, it's absolutely the right way.  a large percentage of spam and
> almost all viruses come direct from dynamic IP addresses.

I repeat for the last time: the fact that your block is effective
to your problem does not metter that you are on the right way.

You are arbitrarily dividing the IP address space in two: those
that can originate SMTP and those that can't.

As far as I know SMTP works because there are RFCs on which the
community agrees. You can happily do whatever you want outside the
RFCs, just do not pretend to be "absolutely the right way".

No RFC exists that defines what a dynamic IP address is, nor that
those addresses are to be treated differently by an SMTP server.
After all, how long should a lease last to be considered static?
One year? One week? Hours? You are ignoring this problem leaving
to the ISP the burden to declare what is "dynamic".

Please correct me if I'm wrong; I'm searching for RFCs which
propose effective ways to block spam and viruses.

And please, do not confuse your convenience with "absolutely the
right way".

-- 
Niccolo Rigacci
Firenze - Italy

War against Iraq? Not in my name!




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Blu
On Wed, Jun 23, 2004 at 10:26:49AM +0200, Adrian 'Dagurashibanipal' von Bidder 
wrote:
> On Wednesday 23 June 2004 09.51, Blu wrote:
> 
> > I run a number of public service servers and in the past, from the
> > perspective of a user of a server which blocks mail from mine, the
> > mails were being blackholed at my host. They never got an answer or
> > even a bounce.
> 
> Huh? Either your servers are/were severely misconfigured, or you don't 
> mean the same thing as I when you talk about blocking.
> 
> block == reject with 5xx error code in the SMTP transaction. Or possibly 
> block at firewall level.

Yes, rejection with 5xx error, we are talking the same.

> So it's the task of the upstream mailserver to generate a bounce (and 
> since the upstream mailserver in most cases belongs to the 
> administrative domain where the mail originally comes from, there's 
> fair chance that the bounce actually gets to the sender of the mail.)
> 
> How did your users not receive a bounce?

First, I live in a place where ISP mail servers are not trustable, so I
generally maintain my own MX servers.

Until not so long ago, my MXs were accepting mail from hosts which were
themselves blocking mail from them. The result was that my
servers received mail normally, but then they found that they cannot
answer. From the perspective of the remote user sending mail to my
server, the message simply disappeared because my users or even myself
had no means to inform the remote user of the fate of the message, at
least by email. Having mail driven automatic services, my mailbox was
full of complaints and questions about the service being down, questions
which I cannot even answer because the MXs of those users didn't like
me.

At present, rejecting those mails with an explicative 5xx message, those
users at least (if they are able to read a bounce), know that it is not
my problem, it is theirs.

Blu.




Re: Which Spam Block List to use for a network?

2004-06-23 Thread Adrian 'Dagurashibanipal' von Bidder
On Wednesday 23 June 2004 09.51, Blu wrote:

> I run a number of public service servers and in the past, from the
> perspective of a user of a server which blocks mail from mine, the
> mails were being blackholed at my host. They never got an answer or
> even a bounce.

Huh? Either your servers are/were severely misconfigured, or you don't 
mean the same thing as I when you talk about blocking.

block == reject with 5xx error code in the SMTP transaction. Or possibly 
block at firewall level.

So it's the task of the upstream mailserver to generate a bounce (and 
since the upstream mailserver in most cases belongs to the 
administrative domain where the mail originally comes from, there's 
fair chance that the bounce actually gets to the sender of the mail.)

How did your users not receive a bounce?

(... and users not able to read bounce messages are a different topic, 
of course ...)

> Finally, I keep postmaster always open, a thing that a lot of these
> happy blocking servers do not.

Goes without saying. Additionally, as I said, the rejection message does 
contain an unblocked email address, too. So far, postmaster and abuse 
are not spammed.

cheers
-- vbi

-- 
Computer analyst to programmer: "You start coding. I'll go find out what
they want."

