Re: What changes would you make to stop spam? - United Nations Paper
On Aug 1, 2006, at 10:24 PM, John Andersen wrote: Direct delivery is not evil, and the current fad of blocking DHCP-assigned IPs has not cut down on spam one little bit. It actually blocks a ton of spam in my world.
Re: My thoughts on image spam strategies
On Aug 1, 2006, at 10:30 PM, Derek Harding wrote: John Rudd wrote: Um, how exactly will they fail? How about a nice black white speckled image with red text on it? Explain to me how you think it will fail?
Re: What changes would you make to stop spam? - United Nations Paper
Mr Butler, with all due respect go pound sand. You've convinced me that we should kick the UN out of the United States so that idiots like you do not spam mailing lists like this. You're an fscking idiot. {`,'}
- Original Message -
From: James [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Tuesday, August 01, 2006 21:05
Subject: Re: What changes would you make to stop spam? - United Nations Paper
A little bit sorry for the top-post ... but ... Re: Kofi Annan's quote from the post dated today at around 6:20 PM PST: "The problem has risen to a level requiring that the United Nations be aware of the issue and to take steps to address the problem." I simply do not agree. The U.N. has far more important and pressing issues to deal with than SPAM, which is essentially a corporate productivity problem. Consider: Oh, geez, the hundreds of truly consequential issues facing a global assembly of governments in today's world. Compare that with (from my own example) the several hundreds of SPAM messages I filter for my staff, each day. Ok ... after a weekend off, it's somewhere around 1,500 SPAM messages ... regardless, with a tiny bit of training, any human can be trained to quickly scan the company queue and remove any of today's SPAM from the company inboxes. While I agree that even that is too much for a small business to be satisfied with (it certainly won't make the company go broke), it's simply not that great an issue, when compared to world-affecting issues like Poverty and whatnot. I say good luck with your proposal but NOT good luck getting the money you want to get from the U.N. to be put toward solving this problem. It's simply not an issue I believe we should be spending any portion of that particular budget for. Sincerest regards, James Butler Chairman, Board of Directors Internet Society - Los Angeles Chapter California, USA

John Rudd wrote: On Aug 1, 2006, at 6:54 PM, John D. Hardin wrote: On Tue, 1 Aug 2006, jdow wrote: From: Marc Perkel [EMAIL PROTECTED] Allowing IMAP/POP to Send Email Nonsense. ...is there an echo in here? ;) Having also said the same thing ... Doesn't part of Microsoft's extension to IMAP (called MAPI, oh so original) also support sending via IMAP?
Re: Image spams getting thru
Rob Mangiafico wrote: Anyone else find this to be a good rule to catch these image stock spams without too much collateral damage? After writing this I did some checks on the SA public corpus. The rule didn't hit on any of the hard ham. It didn't hit much of the spam either since very little of that is image spam. Regarding SARE it has SARE_GIF_ATTACH which matches on any email that has an attached image. My rule only matches on email that has an attached image that is referenced in the HTML. Hi, a friend of mine is using Outlook stationery with a logo. This would hit the rule ... I am not sure whether many senders do that, however. Wolfgang Hamann I'm finding it to be very successful and am interested in what others find. Derek
Re: Image spams getting thru
[EMAIL PROTECTED] wrote: Hi, a friend of mine is using Outlook stationery with a logo. This would hit the rule ... I am not sure whether many senders do that, however. Stationery and image sig files are the two main false positives that I can think of. However I think those uses are fairly rare. Derek
Re: My thoughts on image spam strategies
John Rudd wrote: On Aug 1, 2006, at 10:30 PM, Derek Harding wrote: John Rudd wrote: Um, how exactly will they fail? How about a nice black white speckled image with red text on it? Explain to me how you think it will fail? So you're dropping three bits? White is FF, Black 00. Choose a red of 70. Drop the top three bits of that colour and it's indistinguishable from the black. Derek
Re: My thoughts on image spam strategies
On Wed, August 2, 2006 06:11, John Rudd wrote: white will produce (assuming 24bit color) f0,f0,f0 and black will produce 00,00,00. Thus, you get a nice high-contrast image for feeding. Just for clearness, white is ff, ff, ff. Will it not be much faster just to make an md5 sum on the image file without thinking if it's an apple or orange? :-) Even if spammers are good it will catch a fair good part of spams. -- Benny
Re: What changes would you make to stop spam? - United Nations Paper
On Wed, August 2, 2006 05:10, John Rudd wrote: Having also said the same thing ... Doesn't part of Microsoft's extension to IMAP (called MAPI, oh so original) also support sending via IMAP? courier-mta does it and friends how it works is another problem :-) -- Benny
Re: Image spams getting thru
From: Derek Harding [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi, a friend of mine is using Outlook stationery with a logo. This would hit the rule ... I am not sure whether many senders do that, however. Stationery and image sig files are the two main false positives that I can think of. However I think those uses are fairly rare. I wish. {o.o}
Re: What changes would you make to stop spam? - United Nations Paper
On Wednesday 02 August 2006 08:21, Benny Pedersen wrote: On Wed, August 2, 2006 05:10, John Rudd wrote: Having also said the same thing ... Doesn't part of Microsoft's extension to IMAP (called MAPI, oh so original) also support sending via IMAP? courier-mta does it and friends how it works is another problem :-) Courier IMAP lets you create a specially named folder. Dragging mail into it will trigger courier to call 'sendmail' to punt the mail out the door. It works, and I've used it on the road when I couldn't get 25 or 587 through to my server. Wouldn't want to use it permanently though.
Re: What changes would you make to stop spam? - United Nations Paper
On 2 Aug 2006, at 07:31, Tom Ray wrote: Totalitarian regimes will *love* that one. ISPs will hate it. Hate to break the news to you but many ISPs are already not allowing their users to connect via port 25 outside their networks. Comcast has done it, as have a few others already. I run into this a lot because I'm also a hosting company and offer SMTP Auth but many customers have issues because they can't connect to port 25 on my mail server. I also totally agree with this practice, if they are going to be on the hook for something their users did then they need to keep a watchful eye on their customers. ISPs don't hate this considering that many ISPs now do hosting, it's a way for them to get their customers to bring the hosting over to them also. Dynamic IP users are not allowed to send mail directly. Any MTA should be behind a static IP with proper DNS and PTR. What's wrong with that? All major ISPs in Belgium do this. We use a "high" SMTP port + SMTP-AUTH for our mobile users, so they can use the company MTA as a relay. The day the one major DSL ISP started blocking 25 a couple of years ago, the incoming virus count dropped by about 90%. As an SMB, we run our own MTA. We recently started blocking all hosts without PTR. Email _is_ critical to the business, I'd rather have a bunch of FNs than one FP, so we are careful not to drop a mail too many. No complaints so far. To contribute to the original request: Require all legitimate MTAs to greet with a valid hostname, whose IP points back to that hostname. And then block anything that doesn't meet this requirement. Patrick Sneyers, Belgium
Re: Block direct SMTP
On Wednesday 02 August 2006 00:05, MennovB wrote: Forcing SMTP to go through the ISP has IMHO nothing to do with free-speech You, sir, are delusional. or not, even direct SMTP traffic is passing through routers of the ISP anyway so they could monitor it, and you can always encrypt mail if you want to. Going through their routers has nothing at all in common with being sent thru their SMTP servers, with the attendant delays, mail size limitations, and forwarding to third parties (Postini etc), and the load imposed on those servers. Second to Usenet, SMTP servers are the most costly and problematic servers that ISPs run. So much so that more and more of them are foisting it upstream to companies that care less and less about the end user. SMTP was designed for direct delivery. The very trouble we are in with spam is caused by the fact that spammers can hide behind several layers of ISPs and forwarders. The very thing you suggest is the solution IS THE PROBLEM! If all SMTP traffic had to go direct, then finding a spammer would be easy. You can fake a few headers, but it's pretty hard to fake the IP you are connecting with if you expect to open a TCP session. The problem is that we let spammers hide behind spam-friendly ISPs, and 5 to 20 relays, such that the real connection information is lost to the end recipient. Your best solution to this problem is to suggest we use more ISPs and more relays. Doing the same thing over and over and expecting different results is the definition of insanity. -- John Andersen
Re: Block direct SMTP
If you can think of a direct-connect-only protocol that would work, I then defy you to think of a way of preventing a store-and-forward form of routing and aggregation, such that we would be in exactly the situation we are in now. How can you tell the difference between a direct connect from X and a store and forward from Y through Z when the forwarder is able to rewrite the information and say he is Y? The problem isn't that we can't block the routers delivering spam. We can. But they also deliver ham, so we wind up blocking that too. I can't at the moment think of any delivery strategy that allows delivery of unsolicited messages from people that you haven't previously talked to or authorized individually that doesn't also allow the delivery of spam. I'm personally not willing to limit my universe to only the people I know when I'm born. I don't necessarily like a lot of them, and the ones I do like will die off over the years. So how do I get more people to talk to without unsolicited initial contacts in some form, even if they are meeting someone at the supermarket? Forcing mail through specific gateways has pluses and minuses. It allows for the institution of traffic cops that can block the speeders from speeding. But it also gives a home for a nest of pesky government busybodies to tell me who I can and can't talk to, and how much I'm going to have to pay them in voluntary fees (bribes) to be able to talk to anyone at all. And it also eliminates a lot of the original net redundancy, since now one bad guy only has to control a very few points to stop all communication. There probably isn't a technological solution to spamming that involves mandatory anything, even mandatory spam filtering on input to everyone's personal machine. The solution to spam is pretty much going to have to be economic. There aren't a lot of whale oil salesmen these days, and the reason isn't the UN limitation on whaling. The reason is that darn few people have any interest in buying whale oil. If few people have an interest in spam it will largely go away, at least the commercial version. It might get back to the place it was a decade ago, when you could tell when the school term started because you were inundated in pyramid scheme emails. Or the UN or EU could take over the entire internet, and charge everyone in the world a 200 EU/year communication tax to support their legislators making laws about what you must read and are not permitted to read, and farming off subsidiaries that will randomly limit traffic for the good of all. (But since none of Africa and South America and Eastern Europe would pay the tax, the rest of us would have to pay 400 EU/year in averaged taxes plus 600 EU/year in government overhead costs to redistribute that money to the people that didn't pay taxes in the first place.) Loren
Re: Block direct SMTP
John Andersen wrote: The very trouble we are in with spam is caused by the fact that spammers can hide behind several layers of ISPs and forwarders. The very thing you suggest is the solution IS THE PROBLEM! I guess you get different spam than I get on my mailservers. Spam from ISPs' SMTP servers here is a rarity. Most of it comes directly from infected PCs at home or small sites. Sometimes there is a layer of relays in the header but that's almost always a fake one. When it comes from larger sites or even ISPs it's mostly from well known spam countries and they are already blocked here at the MTA level. John Andersen wrote: If all SMTP traffic had to go direct, then finding a spammer would be easy. You can fake a few headers, but it's pretty hard to fake the IP you are connecting with if you expect to open a TCP session. That's the unfortunate situation right now and because of the increasing number of bots there are way too many IP addresses to block. And the spammers are getting better at dispersing the spam over all their bots so detecting multiple spams from the same addresses gets more and more difficult for me. Regards Menno
Re: My thoughts on image spam strategies
On Aug 1, 2006, at 11:58 PM, Derek Harding wrote: John Rudd wrote: On Aug 1, 2006, at 10:30 PM, Derek Harding wrote: John Rudd wrote: Um, how exactly will they fail? How about a nice black white speckled image with red text on it? Explain to me how you think it will fail? So you're dropping three bits? White is FF, Black 00. Choose a red of 70. Drop the top three bits of that colour and it's indistinguishable from the black. No, 70 would still be 70. 07 would become 00. And 07 is a pretty faint red. Looking at it now, I can't distinguish it from black. (70 is 0111 so the lower 3 or 4 bits are already 0's, whereas 07 is 0111 .. THAT becomes 0 and is indistinguishable from black.. but then, so is 07, to my eye) In fact, 070707 is pretty indistinguishable from black. So is 000700, which should be the one we'd be most likely to see, because it's using green. But I still see it as black on my screen. So, I still don't see how you're asserting that it would fail.
Re: My thoughts on image spam strategies
On Aug 2, 2006, at 12:12 AM, Benny Pedersen wrote: On Wed, August 2, 2006 06:11, John Rudd wrote: white will produce (assuming 24bit color) f0,f0,f0 and black will produce 00,00,00. Thus, you get a nice high-contrast image for feeding. Just for clearness, white is ff, ff, ff. Yes, white is ff,ff,ff ... but after you drop the lower 4 bits, it's f0,f0,f0. That was what I was saying. Will it not be much faster just to make an md5 sum on the image file without thinking if it's an apple or orange? :-) Yes, but just taking a straight sum will be sensitive to all of those small pixels which are changed by the spammers so that they have different sums, but the differences aren't visible to the human eye. That's my point. If you drop out the lower bits of the colors, then you mostly retain what is perceptible (in color ranges) to the human, while losing those parts that a) the human wouldn't have noticed anyway, and b) throw off your sum of the image for comparison to known spam images.
Re: Image spams getting thru
On Aug 2, 2006, at 12:25 AM, jdow wrote: From: Derek Harding [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi, a friend of mine is using Outlook stationery with a logo. This would hit the rule ... I am not sure whether many senders do that, however. Stationery and image sig files are the two main false positives that I can think of. However I think those uses are fairly rare. I wish. {o.o} I wish too. But, you know, if suddenly all stationery and image sig files disappeared off of the internet because anti-spam engines were flagging them as spam... I would NOT regret it. I might even quietly pay off the few vocal idio... users in my domain who would complain about it.
Re: Block direct SMTP
Loren Wilton wrote: Forcing mail through specific gateways has pluses and minuses. It allows for the institution of traffic cops that can block the speeders from speeding. The main thing for me is that it would block the bots on the infected computers from sending out spam/viruses. That does not involve any checking on the ISP SMTP server. Of course when new bots are programmed to find out the correct SMTP server and start using that, then the ISP can help blocking this spam. Loren Wilton wrote: But it also gives a home for a nest of pesky government busybodies to tell me who I can and can't talk to, and how much I'm going to have to pay them in voluntary fees (bribes) to be able to talk to anyone at all. And it also eliminates a lot of the original net redundancy, since now one bad guy only has to control a very few points to stop all communication. I'm not so sure about that, there are/can be more mailservers to choose from, and there certainly are more ways to communicate (ICQ, blog, AOL, Messenger etc). I understand the fear of centralization/regulation but as said for now (until better measures are found) to me the benefits of 'blocking direct-SMTP' outweigh the costs. Regards Menno
Re: My thoughts on image spam strategies
Will it not be much faster just to make an md5 sum on the image file without thinking if it's an apple or orange? :-) Yes, but just taking a straight sum will be sensitive to all of those small pixels which are changed by the spammers so that they have different sums, but the differences aren't visible to the human eye. That's my point. If you drop out the lower bits of the colors, then you mostly retain what is perceptible (in color ranges) to the human, while losing those parts that a) the human wouldn't have noticed anyway, and b) throw off your sum of the image for comparison to known spam images. Hi, your idea is kinda interesting, but what would you do about a pic with white background, black font and some random black noise on it? Matt
Re: Block direct SMTP
On Aug 2, 2006, at 2:23 AM, MennovB wrote: John Andersen wrote: The very trouble we are in with spam is caused by the fact that spammers can hide behind several layers of ISPs and forwarders. The very thing you suggest is the solution IS THE PROBLEM! I guess you get different spam than I get on my mailservers. Spam from ISPs' SMTP servers here is a rarity. Most of it comes directly from infected PCs at home or small sites. Sometimes there is a layer of relays in the header but that's almost always a fake one. When it comes from larger sites or even ISPs it's mostly from well known spam countries and they are already blocked here at the MTA level. I have to completely agree with MennovB here. The _most_ effective anti-spam technique I've implemented so far was: Blocking addresses which have no PTR, can't verify the hostname in the PTR has an A record, the A record doesn't resolve back to the submitter's IP address, OR the hostname looks like a dynamic ISP client. Adding that combination of rejections to my MIMEDefang filter is by FAR the most effective anti-spam technique I'm using now, and that I've ever used. (I allow SMTP-AUTH and specified and/or local IP addresses as an exemption.) More effective than Greet-Pause of 30 seconds. More effective than SBL+XBL. More effective than just using SpamAssassin. More effective than all 3 of those used in combination. And, when using all 4 of them together, I was able to drop the Greet-Pause to 3 seconds (basically only stopping slammers), and didn't even notice a change in what gets through to me. 90% of what used to get caught by SBL+XBL now gets caught by the DNS checks. 90% of what I was catching with the 30 second Greet-Pause is now caught with the DNS checks (and I don't have to give exceptions for Verizon or mac.com now because I was able to lower it to 3 seconds). And there's now such a small trickle of messages actually going to SA that my FN rate is about 1/week on a bad week (so about 1/2000).
My FP rate is about what it always has been (1/month, but usually grouped about 3 together once every quarter ... so about 1/9000). Admittedly, this is at home, where I'm usually only getting 300 msgs/day. But, 3 days ago, there was that 2500 messages from one host (see my note about defeating greylisting), that all got caught by the DNS checks. (I'm also testing this set up for possible use in MIMEDefang or CommuniGate Pro filters at work, where it's more like a .25-.75 million or so messages a day, depending on day of the week and such, so I can't guarantee that it'll scale, but my testing and data gathering so far says it should be just fine)
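The four rejection conditions from the message above, as an added example that is not John Rudd's MIMEDefang filter: real PTR/A lookups are replaced by a constructed in-memory resolver so it runs offline, the dynamic-hostname patterns are my own assumptions, and the A record for the hispeed.ch client hostname quoted later in the thread is constructed.

```python
"""Connecting-host DNS checks: no PTR, PTR name without an A record, A record
not pointing back to the connecting IP, or a hostname that looks like a
dynamic ISP client. SMTP-AUTH and listed IPs are exempted, as in the post.
"""
import re
from typing import Dict, FrozenSet, List, Optional

# Heuristics for ISP client-pool names such as 84-75-0-121.dclient.hispeed.ch.
# Assumed patterns; tune against your own logs before rejecting on them.
DYNAMIC_PATTERNS = [
    re.compile(r"(^|[.-])(dhcp|dyn(amic)?|ppp|pool|dial(up)?|dsl|cable|d?client|user)s?([.-]|$)",
               re.I),
    re.compile(r"(\d{1,3}[.-]){3}\d{1,3}"),   # the client IP spelled into a label
    re.compile(r"\d{6,}"),                      # long serial-number-style digit runs
]


class StubResolver:
    """Minimal stand-in for PTR and A lookups (constructed data, no network)."""

    def __init__(self, ptr: Dict[str, List[str]], a: Dict[str, List[str]]):
        self.ptr = ptr
        self.a = a

    def reverse(self, ip: str) -> List[str]:
        return self.ptr.get(ip, [])

    def forward(self, name: str) -> List[str]:
        return self.a.get(name.lower().rstrip("."), [])


def looks_dynamic(hostname: str) -> bool:
    return any(p.search(hostname) for p in DYNAMIC_PATTERNS)


def check_client(ip: str, resolver: StubResolver,
                 exempt: FrozenSet[str] = frozenset(),
                 authenticated: bool = False) -> Optional[str]:
    """Return None when the client may proceed, else the reason to reject.
    A client passes if at least one PTR name is forward-confirmed and does
    not look dynamic; otherwise the first failure reason is reported."""
    if authenticated or ip in exempt:
        return None
    names = resolver.reverse(ip)
    if not names:
        return "no PTR record"
    reasons = []
    for name in names:
        addrs = resolver.forward(name)
        if not addrs:
            reasons.append(f"PTR {name} has no A record")
        elif ip not in addrs:
            reasons.append(f"A record for {name} does not point back to {ip}")
        elif looks_dynamic(name):
            reasons.append(f"{name} looks like a dynamic ISP client")
        else:
            return None  # forward-confirmed, static-looking name: accept
    return reasons[0]


# Constructed test data (documentation ranges; the hispeed.ch A record is invented).
RESOLVER = StubResolver(
    ptr={
        "192.0.2.10": ["mail.example.com"],
        "192.0.2.30": ["mx.example.net"],
        "192.0.2.40": ["mail.example.org"],
        "84.75.0.121": ["84-75-0-121.dclient.hispeed.ch"],
    },
    a={
        "mail.example.com": ["192.0.2.10"],
        "mail.example.org": ["192.0.2.99"],
        "84-75-0-121.dclient.hispeed.ch": ["84.75.0.121"],
    },
)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "84.75.0.121"):
        verdict = check_client(ip, RESOLVER)
        print(f"{ip:14} -> {'accept' if verdict is None else '554 ' + verdict}")
```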
Re: My thoughts on image spam strategies
On Aug 2, 2006, at 3:03 AM, Matthias Keller wrote: Will it not be much faster just to make an md5 sum on the image file without thinking if it's an apple or orange? :-) Yes, but just taking a straight sum will be sensitive to all of those small pixels which are changed by the spammers so that they have different sums, but the differences aren't visible to the human eye. That's my point. If you drop out the lower bits of the colors, then you mostly retain what is perceptible (in color ranges) to the human, while losing those parts that a) the human wouldn't have noticed anyway, and b) throw off your sum of the image for comparison to known spam images. Hi, your idea is kinda interesting, but what would you do about a pic with white background, black font and some random black noise on it? Yeah, my strategy fights hidden pixel variations, but not overt ones. Making the image actually appear grainy/noisy to the human eye, with different grain/noise for each spam, still gets past my strategy.
Re: Block direct SMTP [MTA level]
MennovB [EMAIL PROTECTED] writes: [...] I already block mail from lots of adsl/cable urls. In the reject message I mention the SMTP-server of their ISP so they know what to change if they want to send mail to me. I also use the DUL list for blocking. Forcing SMTP to go through the ISP has IMHO nothing to do with free-speech or not, even direct SMTP traffic is passing through routers of the ISP anyway so they could monitor it, and you can always encrypt mail if you want to. The core challenge in such an approach is to standardize a way of blocking messages from DUL ranges *in SMTP session* that gives the sending MTA a chance to use a fallback relay (smarthost provided by ISP). One suggested approach was to use in greeting message 5?? reject. It makes *sendmail* as it is use fallback relays. [...] -- [pl2en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
Re: My thoughts on image spam strategies
On Aug 2, 2006, at 3:03 AM, Matthias Keller wrote: Will it not be much faster just to make an md5 sum on the image file without thinking if it's an apple or orange? :-) Yes, but just taking a straight sum will be sensitive to all of those small pixels which are changed by the spammers so that they have different sums, but the differences aren't visible to the human eye. That's my point. If you drop out the lower bits of the colors, then you mostly retain what is perceptible (in color ranges) to the human, while losing those parts that a) the human wouldn't have noticed anyway, and b) throw off your sum of the image for comparison to known spam images. Hi, your idea is kinda interesting, but what would you do about a pic with white background, black font and some random black noise on it? Yeah, my strategy fights hidden pixel variations, but not overt ones. Making the image actually appear grainy/noisy to the human eye, with different grain/noise for each spam, still gets past my strategy. Maybe I'm not getting the obvious, but what about using something like Perl::Magick to convert a given image into B/W? I mean, ImageMagick is made for things like that... Shrinking it to, say, a quarter of its original size would take care of at least many random noise pixels. Dirk
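The three fingerprinting ideas traded in this thread side by side, as an added example that is not code from any of the posters: John Rudd's low-bit masking before the MD5, Matt's overt black-noise counterexample that defeats it, and Dirk's convert-to-B/W-and-shrink refinement. Images are plain lists of (r, g, b) rows so nothing beyond the standard library is needed, and the 8x8 sample images are constructed.

```python
"""Near-duplicate fingerprints for image spam: plain MD5, MD5 after dropping
the low colour bits, and MD5 after thresholding to B/W and shrinking.
"""
import hashlib
from typing import List, Tuple

Pixel = Tuple[int, int, int]
Image = List[List[Pixel]]


def raw_md5(img: Image) -> str:
    """Benny's 'straight sum': MD5 over the full 24-bit pixel values.
    Any single-bit change in any pixel yields a different digest."""
    h = hashlib.md5()
    for row in img:
        for r, g, b in row:
            h.update(bytes((r, g, b)))
    return h.hexdigest()


def quantize(img: Image, keep_bits: int = 4) -> Image:
    """Drop the low (8 - keep_bits) bits of every channel, as John Rudd
    proposes: with keep_bits=4, ff -> f0, 07 -> 00, and 70 stays 70."""
    mask = (0xFF << (8 - keep_bits)) & 0xFF
    return [[(r & mask, g & mask, b & mask) for r, g, b in row] for row in img]


def quantized_md5(img: Image, keep_bits: int = 4) -> str:
    """MD5 of the quantized image: stable against hidden low-bit noise,
    but still changed by any visibly black pixel added to a white area."""
    return raw_md5(quantize(img, keep_bits))


def to_bw(img: Image, threshold: int = 128) -> List[List[int]]:
    """1-bit black/white by luma threshold (Dirk's ImageMagick idea);
    1 = white, 0 = black."""
    return [[1 if (299 * r + 587 * g + 114 * b) // 1000 >= threshold else 0
             for r, g, b in row] for row in img]


def shrink_majority(bw: List[List[int]], factor: int = 2) -> List[List[int]]:
    """Downsample by `factor`; each output pixel is the majority vote of its
    factor x factor block (ties go white). A lone black speckle surrounded by
    white is outvoted, which is why shrinking removes sparse overt noise."""
    out = []
    for y in range(len(bw) // factor):
        row = []
        for x in range(len(bw[0]) // factor):
            block = [bw[y * factor + dy][x * factor + dx]
                     for dy in range(factor) for dx in range(factor)]
            row.append(1 if 2 * sum(block) >= len(block) else 0)
        out.append(row)
    return out


def bw_shrunk_md5(img: Image, factor: int = 2) -> str:
    """Fingerprint robust to both hidden noise and sparse overt speckles:
    quantize, threshold to B/W, shrink, then hash the bit rows."""
    h = hashlib.md5()
    for row in shrink_majority(to_bw(quantize(img)), factor):
        h.update(bytes(row))
    return h.hexdigest()


# --- constructed 8x8 samples: white background with a black "text" bar ------
W, K = (255, 255, 255), (0, 0, 0)


def make_sample(size: int = 8) -> Image:
    return [[K if (y in (2, 3) and 2 <= x <= 5) else W for x in range(size)]
            for y in range(size)]


BASE = make_sample()

# Hidden noise: only the low bits change; a human sees the same picture.
HIDDEN = [row[:] for row in BASE]
HIDDEN[0][0] = (250, 252, 255)   # masks back to f0,f0,f0, same as plain white
HIDDEN[3][2] = (7, 0, 7)         # 07 masks to 00: still black
HIDDEN[7][7] = (240, 241, 255)

# Overt noise (Matt's case): two isolated, genuinely black speckles.
OVERT = [row[:] for row in BASE]
OVERT[1][1] = K
OVERT[6][5] = K

if __name__ == "__main__":
    for name, img in (("base", BASE), ("hidden", HIDDEN), ("overt", OVERT)):
        print(f"{name:7} raw={raw_md5(img)[:8]} quant={quantized_md5(img)[:8]} "
              f"bw+shrink={bw_shrunk_md5(img)[:8]}")
```

Running it shows the straight MD5 differing for all three, the quantized MD5 matching only base and hidden, and the B/W-shrunk fingerprint matching all three; a speckle density high enough to win the majority vote in a block would still defeat the last one.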
Re: Block direct SMTP [MTA level]
Andrzej Adam Filip wrote: The core challenge in such an approach is to standardize a way of blocking messages from DUL ranges *in SMTP session* that gives the sending MTA a chance to use a fallback relay (smarthost provided by ISP). One suggested approach was to use in greeting message 5?? reject. It makes *sendmail* as it is use fallback relays. Yes, but of course this blocking happens at the MTA level, my mailserver for incoming mail is not allowed outgoing SMTP (I hate bounces/double bounces etc so also the recipient address is checked at MTA level). So for example these lines are in my log:
Aug 2 11:23:32 server postfix/smtpd[1224]: NOQUEUE: reject: RCPT from 84-75-0-121.dclient.hispeed.ch[84.75.0.121]: 554 84-75-0-121.dclient.hispeed.ch[84.75.0.121]: Client host rejected: dclient.hispeed.ch no direct mail allowed, please send via your provider-mailserver smtp.hispeed.ch; from=[EMAIL PROTECTED] to=xxx proto=SMTP helo=84-75-0-121.dclient.hispeed.ch
Regards Menno van Bennekom
Re: Image spams getting thru
John D. Hardin wrote: On Tue, 1 Aug 2006, Theo Van Dinter wrote: Except now you've also delayed your valid mail by 30 minutes or an hour which sucks (and is sometimes completely unacceptable). Repeat after me: Email is a non-guaranteed, Best Attempt delivery mechanism. There may be delays. Just because that's what it was designed to be, doesn't mean that it is. Email is whatever people use it for. It's an instant messenger utility, it's a file transfer mechanism, or even a replacement for the telephone or snail mail. Many people have gotten used to the fact that email these days is usually freakin quick and to suddenly have that changed is unacceptable. Imagine if car companies suddenly started making all vehicles with 4 cylinder engines to help solve the current gasoline crisis. It *would* help the problem and many people would embrace it, but for many others, it's simply unacceptable. -Jim
Re: What changes would you make to stop spam? - United Nations Paper
Tom Ray wrote: Hate to break the news to you but many ISPs are already not allowing their users to connect via port 25 outside their networks. Comcast has done it, as have a few others already. I run into this a lot because I'm also a hosting company and offer SMTP Auth but many customers have issues because they can't connect to port 25 on my mail server. I also totally agree with this practice, if they are going to be on the hook for something their users did then they need to keep a watchful eye on their customers. ISPs don't hate this considering that many ISPs now do hosting, it's a way for them to get their customers to bring the hosting over to them also. That's why I propose expanding the IMAP protocol to include sending email by allowing users to transmit outgoing email back up the IMAP connection to be delivered to the server's SMTP from that IMAP server. It would allow an existing authenticated connection to do the work of sending email.
Re: Image spams getting thru
I installed Derek's test rule last night and it has caught every one of the stock promotion emails and nothing else. I set it to 1.5 for testing. I have received about 5 of these in the last 12 hours on 2 different accounts out of a total of about 100 emails. Also, I did receive some emails that were both HTML and text WITH images and they came through perfect without hitting the rule. I will be keeping a close eye on this one as these have seemed to elude every other method. If I see more success, I will be increasing the score. Thanks Derek! -- Here to serve, Dave Augustus Ingrafted Software Inc. c(817) 371-0585 o(817) 741-1288 PO Box 1040 Newark TX 76071
Re: What changes would you make to stop spam? - United Nations Paper
Sanford Whiteman wrote: Please don't pollute the IMAP and POP protocols this way. POP3 XTND XMIT submission extensions already "polluted" POP3 many years ago, supported by many thousands of servers (tho' not necessarily enabled). --Sandy Does anyone use these protocols? Is there a similar extension for IMAP?
Re: What changes would you make to stop spam? - United Nations Paper
Benny Pedersen wrote: On Wed, August 2, 2006 05:10, John Rudd wrote: Having also said the same thing ... Doesn't part of Microsoft's extension to IMAP (called MAPI, oh so original) also support sending via IMAP? courier-mta does it and friends how it works is another problem :-) What clients does it work with?
Re: What changes would you make to stop spam? - United Nations Paper
Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. It creates an authenticated connection back to the server where the POP/IMAP server hands it off to the SMTP server. That way email clients aren't using the same protocol as email servers. I think part of the problem is that the receiving SMTP server can't tell if email is coming from another SMTP server or a virus infected spam zombie.
Re: What changes would you make to stop spam? - United Nations Paper
On Wed, 02 Aug 2006 05:37:32 -0700, Marc Perkel [EMAIL PROTECTED] wrote: Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. It creates an authenticated connection back to the server where the POP/IMAP server hands it off to the SMTP server. That way email clients aren't using the same protocol as email servers. I think part of the problem is that the receiving SMTP server can't tell if email is coming from another SMTP server or a virus infected spam zombie. Our MTA has the facility to assign an alternate SMTP port, this is used for customers to send mail in. The main port 25 still operates as normal for server to server, and more often than not spammer to server traffic. Though the facility was originally introduced to get around certain ISPs blocking port 25 off network and those that use a proxy. In many, many cases the proxies don't forward the auth info and legitimate sender mail consequently bounces. The added bonus for us is that legitimate local users are never competing with spammers for sockets. Nigel
Re: What changes would you make to stop spam? - United Nations Paper
Nigel Frankcom wrote: On Wed, 02 Aug 2006 05:37:32 -0700, Marc Perkel [EMAIL PROTECTED] wrote: Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. It creates an authenticated connection back to the server where the POP/IMAP server hands it off to the SMTP server. That way email clients aren't using the same protocol as email servers. I think part of the problem is that the receiving SMTP server can't tell if email is coming from another SMTP server or a virus infected spam zombie. Our MTA has the facility to assign an alternate SMTP port, this is used for customers to send mail in. The main port 25 still operates as normal for server to server, and more often than not spammer to server traffic. Though the facility was originally introduced to get around certain ISPs blocking port 25 off network and those that use a proxy. In many, many cases the proxies don't forward the auth info and legitimate sender mail consequently bounces. The added bonus for us is that legitimate local users are never competing with spammers for sockets. Nigel I think what you are doing is a step in the right direction. But imagine if the user's IMAP connection could be used to send mail back up the link, then you wouldn't need to do SMTP to the users at all. All you would have to do is configure a way for the IMAP server to hand outgoing email off to the SMTP server.
Re: Re: What changes would you make to stop spam? - United Nations Paper
On Wed, 02 Aug 2006 05:53:17 -0700, Marc Perkel [EMAIL PROTECTED] wrote:

> Nigel Frankcom wrote:
>
> > On Wed, 02 Aug 2006 05:37:32 -0700, Marc Perkel [EMAIL PROTECTED] wrote:
> >
> > > Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. It creates an authenticated connection back to the server where the POP/IMAP server hands it off to the SMTP server. That way email clients aren't using the same protocol as email servers. I think part of the problem is that the receiving SMTP server can't tell if email is coming from another SMTP server or a virus infected spam zombie.
> >
> > Our MTA has the facility to assign an alternate SMTP port; this is used for customers to send mail in. The main port 25 still operates as normal for server to server (and, more often than not, spammer to server) traffic. Though the facility was originally introduced to get around certain ISPs blocking port 25 off network and those that use a proxy. In many, many cases the proxies don't forward the auth info and legitimate sender mail consequently bounces. The added bonus for us is that legitimate local users are never competing with spammers for sockets.
> >
> > Nigel
>
> I think what you are doing is a step in the right direction. But imagine if the user's IMAP connection could be used to send mail back up the link; then you wouldn't need to do SMTP to the users at all. All you would have to do is configure a way for the IMAP server to hand outgoing email off to the SMTP server.

For our purposes a second MTA that accepts and delivers user mail is an option; one of my colleagues does just that now. That said, I can see the appeal of an IMAP hand-off.

Nigel
Re: What changes would you make to stop spam? - United Nations Paper
On Wednesday 02 August 2006 13:53, Marc Perkel wrote:

> I think what you are doing is a step in the right direction. But imagine if the user's IMAP connection could be used to send mail back up the link; then you wouldn't need to do SMTP to the users at all. All you would have to do is configure a way for the IMAP server to hand outgoing email off to the SMTP server.

Courier IMAP offers this as a non-standard extension. It breaks standard mail clients and their concept of 'sent mail', because all you've done is stuff the mail into a folder, not click send. As I mentioned before, I've used it, and it's handy in a pinch, but not the way I prefer to send mail.
Re: What changes would you make to stop spam? - United Nations Paper
Marc Perkel wrote:

> Nigel Frankcom wrote:
>
> > On Wed, 02 Aug 2006 05:37:32 -0700, Marc Perkel [EMAIL PROTECTED] wrote:
> >
> > > Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. It creates an authenticated connection back to the server where the POP/IMAP server hands it off to the SMTP server. That way email clients aren't using the same protocol as email servers. I think part of the problem is that the receiving SMTP server can't tell if email is coming from another SMTP server or a virus infected spam zombie.
> >
> > Our MTA has the facility to assign an alternate SMTP port; this is used for customers to send mail in. The main port 25 still operates as normal for server to server (and, more often than not, spammer to server) traffic. Though the facility was originally introduced to get around certain ISPs blocking port 25 off network and those that use a proxy. In many, many cases the proxies don't forward the auth info and legitimate sender mail consequently bounces. The added bonus for us is that legitimate local users are never competing with spammers for sockets.
> >
> > Nigel
>
> I think what you are doing is a step in the right direction. But imagine if the user's IMAP connection could be used to send mail back up the link; then you wouldn't need to do SMTP to the users at all. All you would have to do is configure a way for the IMAP server to hand outgoing email off to the SMTP server.

IMAP, POP3 send, SMTP -- are all protocols. No one system is designed to fight spam in any way. It could be argued that one can have this ability because of some auth mech. I see blocking res. addresses from directly sending via port 25 to any mail server they choose other than the ISP's mail server as a good way to slow the spread of spam. 99.999% of ALL spam I receive is from res. net blocks. Most of which are not on any DUL or RBL (I run my own RBL for this very reason.)

If we forced ALL SMTP sessions (be it from server to server (MTA to MTA) or user to server (MUA to MTA)) to be authenticated you will stop the majority of the spam. But this has a fundamental flaw. Say one of your customers has a new customer who's on mail provider W, but you don't know who mail provider W is. If they lose that contact because you don't allow them to send mail to them, you'll also be out of a customer. The reason SMTP is so popular is because it is so open. IMAP does nothing, nor does POP3 do anything more than what SMTP can do already.

The issue is not with the servers themselves; it's the end users we try to protect. They are at fault! Spammers are out to make money (like the rest of us.) You can be pissed off at them all day long if you like, but for every 1000 mails you block, some get through, and enough gain a profit for the spammer. Like it or not, but this is a huge industry. Users NEED to know that they are helping the problem, that if they don't like spam they need to let their family, colleagues and peers know that the only reason spam exists today as such a widespread issue is because the spammer makes the money. I'm not defending spammers, they are dirty, crude and disgusting. Public education would be a HUGE plus in fighting spam. Spam could be thought of as the drug trade (illegal street drug trade.) You stop the sellers, but there will always be someone to buy the goods. So you go after both parties. Stop the source, stop the consumer -- stop the spam.

My nickel's worth.

-- Thanks, James
RE: What changes would you make to stop spam? - United Nations Paper
A possibly better method is to block SMTP outbound from the ISP. That's what we do here at the University of Richmond. Our firewall is configured to block all outbound SMTP connections (except those of our legitimate SMTP servers). This dramatically reduced the flow of spam from our campus. We can now use tools to track (and block) spammers since we only have to watch one or two servers (SpamShield works nicely!)

Steve
Re: What changes would you make to stop spam? - United Nations Paper
Here's what I've written so far. Deadline is today. Still working on it. http://wiki.ctyme.com/index.php/UN_Spam_Paper
Re: What changes would you make to stop spam? - United Nations Paper
Tom Ray wrote:

> Hate to break the news to you but many ISPs are already not allowing their users to connect via port 25 outside their networks.

... because of third-party spam complaints. The ISP I now work for started to do this shortly after they bought the smaller ISP I started working for originally. It's made our mail service at least somewhat more reliable.

> Comcast has done it, as have a few others already. I run into this a lot because I'm also a hosting company and offer SMTP Auth but many customers have issues because they can't connect to port 25 on my mail server. I also totally agree with this practice, if they are going to be on the hook for something their users did then they need to keep a watchful eye on their customers.

Set up your MTA to listen on port 587 (the standard mail submission port), and 465 (? not certain, might be 456) for those OE/Outlook users whose idiot mail client isn't bright enough to handle TLS/SSL + SMTP AUTH on the proper port. As a bonus, it means you can usually set up SPF records for hosted domains with -all.

-kgd
RE: Image spams getting thru
I'm using your rule here with a low score and in addition:

  rawbody INLINE_IMAGE2 /src\s*=\s*["']cid:image001\.gif/i
  describe INLINE_IMAGE2 Inline Image image001.gif
  score INLINE_IMAGE2 5.0

I know, I should have used a meta rule instead of duplicating the pattern. Will work wonders till they change the filename.

It's already happened. I just received some image spams, each with a different attachment name:

  name=masterpiece.gif
  name=righteously.gif
  name=locket.gif
Re: What changes would you make to stop spam? - United Nations Paper
Tom Ray [EMAIL PROTECTED] writes:

> I also totally agree with this practice, if they are going to be on the hook for something their users did then they need to keep a watchful eye on their customers.

But the ISPs should not be 'on the hook' for something their users did. What is needed is for users to take more responsibility for their own systems and for ISPs to become like telephone service providers. If someone makes a nuisance of themselves using the telephone, the user (or renter of the number), not the telephone company, is held responsible and has to carry the can.

Personally I would solve the problem by going the other way. Get rid of dynamic IP addresses, especially for ADSL and cable, go back to the traditional mechanism of sending mail direct to MX rather than using an ISP's MTA for outgoing mail, have customers register their own domain name(s)[1] and get rid of email addresses of the form [EMAIL PROTECTED]. Keep the ISP's incoming SMTP to POP/IMAP server as many people do not run 24/7. That way the customer would be responsible for any traffic (email or otherwise) originating from his IP address(es) in the same way as he is responsible for any calls made from his phone number.

[1] For example the ISP I use provides registration and administration of 1 domain in the price of standard ADSL.
BAYES settings
Although I've been running SA, now 3.1.x, with amavisd-new and postfix on FreeBSD 5.4 for some time now, I've not looked at SA closely, only when there's an issue, and now I'm trying to go over my settings for optimizing. First of all, I ran 'spamassassin --lint -D' to look for any trouble and found the perl modules Net-Ident, IP-Country-Fast, and IO-Socket-INET6 were not installed; I hope that was a hole letting some spam through and it is now shut.

Trying now to understand how bayes works, my debug tells me the following tests:

  [33431] dbg: check: tests=BAYES_20,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
  [33431] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID

Then, in my local.cf file, I have:

  score RAZOR2_CHECK 2.500
  score BAYES_99 4.300
  score BAYES_80 3.000

Can someone tell me if these settings are good or point me to the best doc for reading up on how to best implement BAYES and other tests. I find so much information, not sure which is most current or the best advice. I am an ISP that processes all mail through two gateways. Each gateway processes over 100K messages per day. I do not have any current load issues. I run rules du jour:

  [ "${TRUSTED_RULESETS}" ] || \
  TRUSTED_RULESETS="TRIPWIRE ANTIDRUG \
  SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 \
  BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_SPOOF \
  SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER0 \
  SARE_HTML0 SARE_HTML1 SARE_SPECIFIC SARE_OBFU0 SARE_REDIRECT_POST300 \
  SARE_GENLSUBJ0 SARE_UNSUB SARE_URI0 SARE_URI1 \
  SARE_WHITELIST SARE_WHITELIST_SPF SARE_STOCKS";

I don't have a big problem with spam, but several are consistently getting through. Most notably those image only stock spams I read about here on the list.

-- Robert
This list using SORBS?
I tried sending a message to the list yesterday and it never came through. I finally found the rejection due to my IP listed on SORBS. Although I am looking into why my static IP is listed for dynamic reasons, many think SORBS should not be used, including www.dnsstuff.com. Is SORBS widely used? -- Robert
Re: What changes would you make to stop spam? - United Nations Paper
Marc Perkel wrote:

> Here's what I've written so far. Deadline is today. Still working on it. http://wiki.ctyme.com/index.php/UN_Spam_Paper

I think in this part you're missing one of the main issues:

Marc Perkel wrote:

> Today we have more of a consumer model where consumers run email clients and leave the SMTP servers to their Internet Service Providers (ISPs). The user creates an email message that is sent to their local ISP who has an SMTP server. That server accepts the email and then transfers the email by SMTP to the server that stores the incoming email for that user. Then the recipient connects to their server by POP/IMAP protocols to download their email. The problem is that anyone can impersonate any other person by setting their address to be anyone else on the planet.

The problem is that these zombies do NOT use the ISP SMTP servers but send it directly to the SMTP server of the addressed person. And this could be (and already is in some cases) prohibited by the provider by only allowing SMTP traffic from the client to the SMTP servers of the ISP itself, not to others. After that action there is time to work on a better mail protocol.

Marc Perkel wrote:

> This junk email known as "Spam" is NOT over 90% of all email traffic.

I think you mean "now"?

In the cost of spam I miss the SCAM (some people really fell for this and have lost thousands of dollars..) and PHISHING (lots of this to collect accounts and passwords for banks, credit-card info etc).

In "Microsoft Zombies" there is a lot of text about how bad Microsoft is; that's OK but I think the user is to blame too, if they don't think and just keep clicking yes/ok then eventually they will install malware no matter what patches.

In "Where spam comes from" I think some countries could be mentioned, like China and Korea that happily do the hosting for western spammers, and where the ISPs do not act on abuse messages about zombies.

My few eurocents..

Regards Menno van Bennekom
Re: Image spams getting thru
On Aug 2, 2006, at 5:21 AM, Jim Maul wrote:

> John D. Hardin wrote:
>
> > On Tue, 1 Aug 2006, Theo Van Dinter wrote:
> >
> > > Except now you've also delayed your valid mail by 30 minutes or an hour which sucks (and is sometimes completely unacceptable).
> >
> > Repeat after me: Email is a non-guaranteed, Best Attempt delivery mechanism. There may be delays.
>
> Just because that's what it was designed to be, doesn't mean that it is. Email is whatever people use it for. It's an instant messenger utility, it's a file transfer mechanism, or even a replacement for the telephone or snail mail. Many people have gotten used to the fact that email these days is usually freakin quick and to suddenly have that changed is unacceptable.

Yes, but no matter how much lipstick and lace you put on a pig, it's still a pig. It never suddenly becomes a human woman. And if you take it to a restaurant, you can talk about how dressed up it is, but people are still going to see a pig slopping at the table. And they're still going to give you funny looks for DATING A PIG.

People who think Email is an IM, a file sharing tool, or a replacement for a fast, secure, guaranteed courier service ... are dating pigs. Treat them like it.
RE: This list using SORBS?
> many think SORBS should not be used, including www.dnsstuff.com

I know that this doesn't answer your main questions... but.. I would agree that SORBS should not be used for outright blocking. However, I personally wouldn't even use SBL or XBL or DSBL or anything else for outright blocking... but, yes, SORBS is a bit more risky for FPs than the others I've mentioned. But I do use all of these as factors which I weight into the score. (and I think that the warning from www.dnsstuff.com has more to do with people outright blocking based ONLY on that one RBL's results)

--Rob McEwen
Re: Image spams getting thru
On Wed, Aug 02, 2006 at 11:17:35AM +0100, Randal, Phil wrote:

>   rawbody INLINE_IMAGE2 /src\s*=\s*["']cid:image001\.gif/i
>   describe INLINE_IMAGE2 Inline Image image001.gif
>   score INLINE_IMAGE2 5.0

fwiw, that hits on any outlook message which references an included gif.

> Will work wonders till they change the filename.

It looks like they've generated the message using Outlook and then sent it out -- with one non-Outlook issue in the header. FWIW, I put in a rule via sa-update yesterday to address these mails, which as you say will work until they change the filename.

> We could do with a SpamAssassin plugin to match inline/attached file names, to make it easy to score attached/embedded images by name.

MIMEHeader? Been there for ages. :)

-- 
Randomly Generated Tagline:
Stop searching. Happiness is right next to you. Now, if they'd only take a bath ...
RE: What changes would you make to stop spam? - United Nations Paper
From: David Cary Hart [mailto:[EMAIL PROTECTED]
...
> Look for social and societal solutions. Spammers keep pace with every technological method. Our greatest failure is that we have not promulgated the notion that purchasing goods and services from spammers is subsidizing criminals. It is not - and should be - socially unacceptable to buy from spammers. When have you ever seen a public service advertisement - on any medium - regarding this issue?

Perhaps we could tie that in with the war on terror? "If you buy from a spammer, you're putting money in the terrorists' pockets." It might even work better than the similar-themed war on drugs ads.
RE: What changes would you make to stop spam? - United Nations Paper
From: Evan Platt [mailto:[EMAIL PROTECTED]
...
> Speaking of which, when they give a person the lethal injection, why do they wipe the area with an alcohol swab?

To protect the needle?
RE: Image spams getting thru
Rob Mangiafico wrote:

> > Anyone else find this to be a good rule to catch these image stock spams without too much collateral damage?
>
> After writing this I did some checks on the SA public corpus. The rule didn't hit on any of the hard ham. It didn't hit much of the spam either since very little of that is image spam. Regarding SARE it has SARE_GIF_ATTACH which matches on any email that has an attached image. My rule only matches on email that has an attached image that is referenced in the HTML.

> Hi, a friend of mine is using outlook stationery with a logo. This would hit the rule ... I am not sure whether many senders do that, however

Yeah, much to my amazement, many of our users do this as well.

Bret
RE: Image spams getting thru
> I'm using your rule here with a low score and in addition:
>
>   rawbody INLINE_IMAGE2 /src\s*=\s*["']cid:image001\.gif/i
>   describe INLINE_IMAGE2 Inline Image image001.gif
>   score INLINE_IMAGE2 5.0
>
> I know, I should have used a meta rule instead of duplicating the pattern.

How about a meta with a rule that excludes commonly-generated Outlook inline image names?

Bret
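The distinction Rob draws (an image part that the HTML body actually references via cid:, as opposed to any attached image, which is what SARE_GIF_ATTACH fires on) and Bret's idea of treating Outlook's generated names differently can both be checked against the MIME structure rather than a filename-specific rawbody regex. The following is an added Python example, not SpamAssassin code and not from anyone on this thread; the sample messages are constructed inline, and the scores, rule names and the image00N naming pattern are assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption: Outlook numbers inline images image001.gif, image002.gif, ...
OUTLOOK_GENERATED = re.compile(r"^image\d{3}\.(gif|jpe?g|png)$", re.IGNORECASE)
# src="cid:..." / src='cid:...' / src=cid:... inside the HTML body
CID_REF = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.IGNORECASE)


def referenced_inline_images(raw):
    """Return filenames of image/* parts that some text/html part references via cid:.

    Unlike a rule keyed on one filename, this keeps matching when the
    spammer renames the attachment (masterpiece.gif, locket.gif, ...),
    and it ignores images that are attached but never referenced.
    """
    msg = message_from_string(raw, policy=policy.default)
    html_bodies, images = [], {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html_bodies.append(part.get_content())
        elif ctype.startswith("image/"):
            cid = (part.get("Content-ID") or "").strip("<>")
            if cid:
                images[cid] = part.get_filename() or cid
    refs = set()
    for body in html_bodies:
        refs.update(CID_REF.findall(body))
    return sorted(images[c] for c in refs if c in images)


def score_inline_images(raw, base=1.0, outlook_discount=0.5):
    """Low-scoring contribution, as the thread advises; Outlook-style names count for less."""
    names = referenced_inline_images(raw)
    if not names:
        return 0.0, names
    if all(OUTLOOK_GENERATED.match(n) for n in names):
        return base * outlook_discount, names
    return base, names


# Constructed sample data: a tiny GIF header is enough for the structure check.
FAKE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"


def build_inline_sample(filename, cid):
    """Constructed multipart/related message whose HTML references the image by cid."""
    msg = EmailMessage()
    msg["Subject"] = "sample"
    msg.set_content(f'<html><body><p>hot tip</p><img src="cid:{cid}"></body></html>',
                    subtype="html")
    msg.add_related(FAKE_GIF, maintype="image", subtype="gif",
                    cid=f"<{cid}>", filename=filename, disposition="inline")
    return msg.as_string()


def build_attachment_sample(filename):
    """Constructed message with an image attached but not referenced anywhere."""
    msg = EmailMessage()
    msg["Subject"] = "sample"
    msg.set_content("see attached")
    msg.add_attachment(FAKE_GIF, maintype="image", subtype="gif", filename=filename)
    return msg.as_string()


SPAM_SAMPLE = build_inline_sample("masterpiece.gif", "masterpiece.gif")
OUTLOOK_SAMPLE = build_inline_sample("image001.gif", "image001.gif")
HAM_ATTACH_SAMPLE = build_attachment_sample("locket.gif")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("outlook", OUTLOOK_SAMPLE),
                       ("attach-only", HAM_ATTACH_SAMPLE)):
        print(label, score_inline_images(raw))
```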
RE: What changes would you make to stop spam? - United Nations Paper
Honestly, I haven't been following this thread much... but I do want to add that the UN is full of thugs who are power hungry and would like very much to control the Internet and implement a world tax and probably a tax on the Internet as well. They will do this all in the name of helping us... just like Hugo Chavez is helping the Venezuelans... but like Chavez, who is turning Venezuela into a new Cuba and himself into his beloved Castro, those guys at the UN are more concerned about their own power and about extracting (or extorting) wealth and power away from the U.S. and other rich western countries. SEE: http://www.opinionjournal.com/extra/?id=110007381 http://www.washtimes.com/world/20031208-125717-6682r.htm As far as I'm concerned, there is really no difference (intention-wise) between Kofi Annan and Supreme Chancellor Palpatine... except that Kofi is much dumber and not nearly as powerful as Palpatine... (at least not yet). So be careful about anything the U.N. might come up with to rescue us! Rob McEwen PowerView Systems
Re: What changes would you make to stop spam? - United Nations Paper
On Wed, 02 Aug 2006 10:43:41 -0400, Rosenbaum, Larry M. [EMAIL PROTECTED] opined:

> From: David Cary Hart [mailto:[EMAIL PROTECTED]
> ...
> > Look for social and societal solutions. Spammers keep pace with every technological method. Our greatest failure is that we have not promulgated the notion that purchasing goods and services from spammers is subsidizing criminals. It is not - and should be - socially unacceptable to buy from spammers. When have you ever seen a public service advertisement - on any medium - regarding this issue?
>
> Perhaps we could tie that in with the war on terror? "If you buy from a spammer, you're putting money in the terrorists' pockets." It might even work better than the similar-themed war on drugs ads.

I would be very happy if the blacklist I administer was rendered unnecessary. There's enough pointless hyperbole floating around to make a US Congressman seem pragmatic. You can filter it, delete it and blacklist it. You can employ any number of commercial schemes that claim to kill off all of the spam that you might otherwise receive. At the end of the day, though, if there is a solution it is on the demand side. Spam will cease when people cease purchasing goods and services marketed through spam. Doing so subsidizes criminals.

-- 
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
Re: What changes would you make to stop spam? - United Nations Paper
On Wed, 2 Aug 2006, Tom Ray wrote:

> > have registered that does not have working (i.e. read-by-a-human) postmaster@ and abuse@ aliases?
>
> Being that I am a domain registrar (small but still) how will I know if they have a working postmaster or abuse alias?

Easy. Send them an email and see if they respond. Make it clear in the service agreement that they (hopefully) read before registering a domain that this is a requirement.

> And even if they did a quick filter setup at the server level will have those mails /dev/null'd in no time.

Check back periodically. Note to them that if you get complaints about non-working aliases you will block the domain until they *do* work.

> This isn't a feasible idea for one reason and one reason only, Network Solutions. They'll find some way to re-route that domain to their own use.

I agree it isn't a perfect solution given that some registrar somewhere won't enforce it. After all, there are spam-friendly registrars these days. Which suggests another idea: is there a SURBL for domains registered with Known Evil registrars?

> And it's also extra work for an already low-margin operation.
>
> > > 5) Require ISP's to channel their customer's email through their own mail servers (which will have some impact upon SPF tracking as well) and not allow any non-business customers, nor any dynamic customers (business or commercial), to directly connect to other mail servers.
> >
> > Totalitarian regimes will *love* that one. ISPs will hate it.
>
> Hate to break the news to you but many ISPs are already not allowing their users to connect via port 25 outside their networks. Comcast has done it, as have a few others already. I run into this a lot because I'm also a hosting company and offer SMTP Auth but many customers have issues because they can't connect to port 25 on my mail server.

Do you support SMTP-via-SSL (ssmtp, 465/tcp)? Do the ISPs also block that port? In modern clients setting that up is just checking a checkbox.

> I also totally agree with this practice, if they are going to be on the hook for something their users did then they need to keep a watchful eye on their customers.

Hrm. Then why do so many disclaim responsibility when they are told about known bot-controlled customer systems actively attacking others?

> ISPs don't hate this considering that many ISPs now do hosting, it's a way for them to get their customers to bring the hosting over to them also.

I was thinking more about the ISP being reluctant to buy more servers to handle the increased email volume, but upon more thought I realize that this isn't likely to be an issue for several reasons.

I'm also somewhat leery about having ISPs filter *any* traffic, apart from MS Networking; the potential for abuse is great. I was just throwing out ideas. What I would *like* to see is ISPs adopt a default filtering stance that blocks outbound SMTP, 1025-1029/udp, MS Networking and MSSQL, which would cover the vast majority of inbound crap my systems automatically discard, and have a "register your account as clueful" policy (at no extra charge!) that removes that filtering for your IP when you connect. The Great Unwashed need handholding, but that shouldn't cripple those who know how to administer their systems properly.

But I realize this is a dream.

-- 
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Look at the people at the top of both efforts. Linus Torvalds is a university graduate with a CS degree. Bill Gates is a university dropout who bragged about dumpster-diving and using other peoples' garbage code as the basis for his code. Maybe that has something to do with the difference in quality/security between Linux and Windows. -- anytwofiveelevenis on Y! SCOX
---
Re: This list using SORBS?
On Wed, 2 Aug 2006 16:26:10 +0200, Sietse van Zanen [EMAIL PROTECTED] opined:

> You might have a static IP, but if it's from an ISP DSL/Cable range, it will still be in SORBS.

All dynamic lists have false positives (including ours). However, if you have a non-standard reverse pointer to your domain with adequate TTL, it will NOT be listed in SORBS or will be removed.

-- 
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
Re: Image spams getting thru
On Wed, Aug 02, 2006 at 08:06:02AM -0700, Bret Miller wrote:

> How about a meta with a rule that excludes commonly-generated Outlook inline image names?

such as image001.gif, image002.gif, etc? :)

-- 
Randomly Generated Tagline:
"See, you not only have to be a good coder to create a system like Linux, you have to be a sneaky bastard too ;-)" - Linus Torvalds
Re: What changes would you make to stop spam? - United Nations Paper
On Tue, 1 Aug 2006, John Andersen wrote:

> On Tuesday 01 August 2006 17:49, John D. Hardin wrote:
>
> > Please don't pollute the IMAP and POP protocols this way. The problem can be easily solved with no changes to existing tools if the ISP blocks all outbound SMTP from their dynamic client ranges and requires SMTP AUTH via their mail servers for outbound email.
>
> That solves nothing. Carried to the logical extension, why not just route ALL email through governments. SMTP was designed for direct delivery. ISPs do not and can not filter all mail, and when they try they invariably become part of the problem.

I also believe that you should be able to register as "clueful" with your ISP and have the filters removed. I think that a default level of filtering - SMTP and the Microsoft protocols that were only intended for use on a LAN - should be in place to deal with the default level of end-user administrative skill - low to nonexistent. However I *don't* think that clueful administrators and users should be subject to such restrictions, and should be able to opt out without charge.

> In fact, spam friendly ISPs are a bigger problem than 100,000 linux users running their own MTA. What upstream is going to shut down a fat contract ISP because of spam?

Spam-friendly ISPs are easy to isolate via DNSBLs. And I don't worry as much about Linux users running their own MTA as I do about hordes of p0wned Winders boxen running spambots without their owners' knowledge.

> Your elitist attitude is not really helpful.

Elitist? Sure. But my opinion is supported by the number of clueless, bot-controlled leaf nodes that are directly connected to the Internet and spewing crap at everybody else.

-- 
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: Re[2]: What changes would you make to stop spam? - United Nations Paper
On Wed, 2 Aug 2006, Sanford Whiteman wrote:

> > MAPI. [is]..implemented over DCE/RPC (i.e. LAN-only).
>
> Maybe a nit... but technically not LAN-only using ncacn_http.

Well... *intended* to be LAN-only...

-- 
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: This list using SORBS?
On Wed, 2006-08-02 at 11:11 -0400, David Cary Hart wrote:

> However, if you have a non-standard reverse pointer to your domain with adequate TTL

Non-standard reverse pointer? Our TTL is 300; is that 'adequate'?

P.S. - sorry for the direct message David.

-- Robert
Re: What changes would you make to stop spam? - United Nations Paper
On Wed, 2 Aug 2006, Marc Perkel wrote:

> I think what you are doing is a step in the right direction. But imagine if the user's IMAP connection could be used to send mail back up the link; then you wouldn't need to do SMTP to the users at all. All you would have to do is configure a way for the IMAP server to hand outgoing email off to the SMTP server.

Yeah, but imagine if an SMTP AUTH connection could be used to send mail back up to the server. Then you wouldn't need to use IMAP to send mail at all. All you would have to do is nothing, since SMTP AUTH already works and provides the same benefits.

- Logan
Re: What changes would you make to stop spam? - United Nations Paper
On Tue, 1 Aug 2006, John Rudd wrote:

> On Aug 1, 2006, at 10:24 PM, John Andersen wrote:
>
> > Direct deliver is not evil, and the current fad of blocking DHCP assigned IPs had not cut down on spam one little bit.
>
> It actually blocks a ton of spam in my world.

...which brings up something I have noticed in discussions about spam: How many people consider "cut down on spam" or "reduce spam" from the POV of spam sent vs. the POV of spam received?

In other words, Mr. Andersen seems to be saying "hasn't reduced the amount being sent", and Mr. Rudd is saying "has reduced the amount being delivered to my inbox".

Reducing the amount of spam delivered to the user's inbox is good for the user, and is what SA is good at. Reducing the amount of spam actually sent in the first place is good for the entire network community, and a more important long-term goal because it reduces the overall load on the network infrastructure; but it is something that SA and DNSBLs and greylisting and such are NOT (directly at least) achieving. In fact, SA and related tools may be having a detrimental effect overall because they cause the spammers to send that much *more* spam in an attempt to bypass the filters and TMPFAILs and so forth.

Reducing the volume of spam *sent* probably requires a fundamental redesign of the protocols, or some other major change in the cost/benefit analysis.

-- 
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: This list using SORBS?
On Wed, 02 Aug 2006 11:36:34 -0400, Robert Fitzpatrick [EMAIL PROTECTED] opined: On Wed, 2006-08-02 at 11:11 -0400, David Cary Hart wrote: However, if you have a non-standard reverse pointer to your domain with adequate TTL non-standard reverse pointer? Our TTL is 300, is that 'adequate'. P.S. - sorry for the direct message David. I'll digress a tad. The common example is dot-quad-ip-address.se.biz.rr.com. Not all of bz.rr.com is static. If you have a static IP and request a non-standard pointer you would change the rDNS to something like mail.mydomain.tld that is a non-standard unique reverse pointer. Please note that you then need to add an A record for the host-to-IP address. No. A 300 second TTL is not adequate. SORBS requires 12 hours. We require three hours but we are more flexible than SORBS. -- Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com Don't Subsidize Criminals: http://boulderpledge.org
Re: Image spams getting thru
On 2 Aug 2006 [EMAIL PROTECTED] wrote: Regarding SARE it has SARE_GIF_ATTACH which matches on any email that has an attached image. My rule only matches on email that has an attached image that is referenced in the HTML. a friend of mine is using outlook stationary with a logo. That's why such a rule should only contribute a few points to the score. Try to convince your correspondent of the inherent evil of stationery images in email... :) -- John Hardin
Re: Image spams getting thru
On Tue, 1 Aug 2006, Derek Harding wrote: Stationery and image sig files are the two main false positives that I can think of. However I think those uses are fairly rare. False positives? I think they are *wonderful* indicators of cluelessness. (Elitist? Me?) -- John Hardin
Geographic Zone to Headers?
I am not sure if this is a worthwhile experiment. Nor am I sure how this can be used in SA to add header information for country of origin. For that matter, I am not sure if this is a valuable use of bandwidth. EXPERIMENTALLY, I have added world.tqmcube.com as a zone which is obviously not included in the composite. This returns a text record of the country of origin. For example - with linux: #dig +short 199.227.237.209.world.tqmcube.com -t txt will return United States. Since this is experimental, it is NOT on all of the mirrors. The A record may not have fully propagated yet. -- Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com Don't Subsidize Criminals: http://boulderpledge.org
Re: This list using SORBS?
I had a similar problem recently, after 5 years on the same static Business IP it suddenly appeared in SORBS. In true Murphy's law fashion the first I knew of it was about 8PM on a Saturday night, when a message to this list bounced with reference to SORBS. After a few days dickering with my ISP they finally told me they'd do an rDNS, as it turned out they'd only do it on a domain registered through them. The domain was duly registered, MXs set up and I attempted to use the auto removal tool on SORBS. That failed due to a too low TTL. A query to my ISP resulted in them saying they couldn't/wouldn't do anything about the TTLs. I dropped a note to SORBS, explaining the situation and they removed me the same day. The real giggle was the call I got from my ISP a week later telling me how they'd finally managed to get me removed from SORBS :-D Nigel On Wed, 02 Aug 2006 11:36:34 -0400, Robert Fitzpatrick [EMAIL PROTECTED] wrote: On Wed, 2006-08-02 at 11:11 -0400, David Cary Hart wrote: However, if you have a non-standard reverse pointer to your domain with adequate TTL non-standard reverse pointer? Our TTL is 300, is that 'adequate'. P.S. - sorry for the direct message David.
Re: My thoughts on image spam strategies
On Wed, 2 Aug 2006 [EMAIL PROTECTED] wrote: Maybe I'm not getting the obvious, but what about using something like Perl::Magick to convert a given image into B/W? I mean, ImageMagick is made for things like that... Shrinking it to, say, a quarter of it's original size would take care of at least many random noise pixels. (1) image processing is expensive compared to a straight checksum. (2) everybody doing the test has to do it exactly the same way, or there is no hope of getting a shared checksum that will match other peoples' traffic. (3) is the same image guaranteed to shrink the same way every time? -- John Hardin
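The objections above, that a shared image checksum only works if every site normalizes the image identically and deterministically, can be made concrete. The following is an added example, not code from any list participant or from SpamAssassin itself: it builds two constructed 16x16 greyscale "stock spam" images that differ only in a few random speckle pixels, shows that an exact checksum of the pixel data differs, and then computes a normalized fingerprint (integer block-average downscale, binarize, hash) that is identical for both. The image size, block size and threshold are assumptions chosen for the example; the point is that the fingerprint uses only integer arithmetic, so any site that agrees on those constants gets the same hash, which is what point (2) requires and what makes point (3) a non-issue.

```python
import hashlib

W = H = 16          # constructed image size in pixels (assumption for the example)
BLOCK = 4           # downscale factor: each BLOCK x BLOCK area becomes one output pixel
THRESHOLD = 128     # grey level below which a downscaled pixel counts as "ink"


def make_image(speckles):
    """Constructed 16x16 greyscale image: white background (255) with an 8x8 dark
    "text" block at rows/cols 4..11, plus the given {(row, col): value} noise pixels."""
    img = [[255] * W for _ in range(H)]
    for r in range(4, 12):
        for c in range(4, 12):
            img[r][c] = 0
    for (r, c), v in speckles.items():
        img[r][c] = v
    return img


def raw_checksum(img):
    """Exact checksum of the pixel bytes, i.e. what a naive image-spam signature uses.
    A single changed pixel changes this value."""
    data = bytes(v for row in img for v in row)
    return hashlib.sha256(data).hexdigest()


def normalized_fingerprint(img):
    """Downscale by integer block averaging, binarize against THRESHOLD, and hash the
    resulting bitmap. No floating point, no library-specific resampling, so every
    site computing it on the same image gets the same answer."""
    bits = []
    for br in range(0, H, BLOCK):
        for bc in range(0, W, BLOCK):
            total = sum(img[r][c]
                        for r in range(br, br + BLOCK)
                        for c in range(bc, bc + BLOCK))
            mean = total // (BLOCK * BLOCK)
            bits.append('1' if mean < THRESHOLD else '0')
    bitmap = ''.join(bits)
    return hashlib.sha256(bitmap.encode()).hexdigest()


# Two constructed copies of the "same" spam image with different random speckle.
SPAM_A = make_image({(0, 0): 200, (15, 15): 210, (5, 5): 40})
SPAM_B = make_image({(2, 13): 190, (9, 6): 30, (12, 1): 220})


def compare(a=SPAM_A, b=SPAM_B):
    """Report whether the two images collide under each kind of signature."""
    return {
        'raw_equal': raw_checksum(a) == raw_checksum(b),
        'normalized_equal': normalized_fingerprint(a) == normalized_fingerprint(b),
    }


if __name__ == '__main__':
    print(compare())
```

The speckle values here are chosen so that no single noise pixel can flip a 4x4 block across the threshold; heavier noise, or noise placed on the boundary of a glyph, can still flip bits, so a real deployment would score a fingerprint hit rather than treat it as proof.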
Re[2]: What changes would you make to stop spam? - United Nations Paper
Does anyone use [XTND XMIT]? These days, not really. But when Eudora was king and the feature was usually enabled when supported on the MTA side, I would guess maybe 1% of Eudora users knew of and used the feature. The point is more that the extension's already been built, but never got a foothold. --Sandy
spamassassin configuration question
Hello, I have a question about SpamAssassin configuration. I use Postfix with amavis and the Perl version of SpamAssassin. I want to have white/blacklists in SQL. I have read the documentation and found that it can be done with the daemonized version of SpamAssassin. The question is: is it possible to have something similar to the amavis $spam_admin parameter, because we use another machine as a spam container for our users; all recognized spam is directed to it and stored there for later use. Best regards, Daniel
Re: What changes would you make to stop spam? - United Nations Paper
On 8/2/06, Marc Perkel [EMAIL PROTECTED] wrote: Here's what I've written so far. Deadline is today. Still working on it. http://wiki.ctyme.com/index.php/UN_Spam_Paper Rather than extend POP/IMAP to send mail, which quite frankly will never happen (contact the author of the IMAP protocol, Mark Crispin, if you want the full rant -- you shouldn't have any trouble finding his email address if you search), please suggest that the SUBMIT protocol be used. RFC 2476 and 4409. See also RFC 4405.
RE: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 11:09 AM -0400 Rob McEwen [EMAIL PROTECTED] wrote: Honestly, I haven't been following this thread much... but I do want to add that the UN is full of thugs who are power hungry and would like very much to control the Internet and implement a world tax and probably a tax on the Internet as well. Good point. While stopping spam, we shouldn't destroy anonymity. I'm sure repressive regimes like North Korea and Iran would love an anti-spam measure that let them keep better tabs on what their citizens are saying.
Re: What changes would you make to stop spam? - United Nations Paper
--On Tuesday, August 01, 2006 2:06 PM -0700 John Rudd [EMAIL PROTECTED] wrote: 1) Require Virus Scanning on all SMTP transactions Compare to requiring standards-compliance throughout the process, and particularly in message content. If you're allowed to discard all MIME content that fails to validate against published standards, you can drop all the HTML and image buffoonery that spammers hide within. You'd also drop a significant amount of legitimate business traffic generated by the world's most popular office suite. H.
Re: What changes would you make to stop spam? - United Nations Paper
LOL! Thanks for the reminder. Best of luck in your efforts to stop SPAM around the world. Sincerest regards, James Butler Chairman, Board of Directors Internet Society - Los Angeles Chapter California, USA *** REPLY SEPARATOR *** On 8/1/06 at 11:29 PM jdow wrote: Mr Butler, with all due respect go pound sand. You've convinced me that we should kick the UN out of the United States so that idiots like you do not spam mailing lists like this. You're an fscking idiot. {`,'} - Original Message - From: James [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Tuesday, August 01, 2006 21:05 Subject: Re: What changes would you make to stop spam? - United Nations Paper A little bit sorry for the top-post ... but .. Re: Kofi Annan's quote from the post dated today at around 6:20 PM PST: The problem has risen to a level requiring that the United Nations be aware of the issue and to take steps to address the problem.** I simply do not agree. The U.N. has far more important and pressing issues to deal with than SPAM, which is essentially a corporate productivity problem. Consider: Oh, geez, the hundreds of truly consequential issues facing a global assembly of governments in today's world. Compare that with (from my own example) the several hundreds of SPAM messages I filter for my staff, each day. Ok ... after a weekend off, it's somewhere around 1,500 SPAM messages ... regardless, with a tiny bit of training, any human can be trained to quickly scan the company queue and remove any of today's SPAM from the company inboxes. While I agree that even that is too much for a small business to be satisfied with (it certainly won't make the company go broke), it's simply not that great an issue, when compared to world-affecting issues like Poverty and whatnot. I say good luck with your proposal but NOT good luck getting the money you want to get from the U.N. to be put toward solving this problem. 
It's simply not an issue I believe we should be spending any portion of that particular budget for. Sincerest regards, James Butler Chairman, Board of Directors Internet Society - Los Angeles Chapter California, USA John Rudd wrote: On Aug 1, 2006, at 6:54 PM, John D. Hardin wrote: On Tue, 1 Aug 2006, jdow wrote: From: Marc Perkel [EMAIL PROTECTED] Allowing IMAP/POP to Send Email Nonsense. ...is there an echo in here? ;) Having also said the same thing ... Doesn't part of Microsoft's extension to IMAP (called MAPI, oh so original) also support sending via IMAP?
Re: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 8:23 AM -0700 John D. Hardin [EMAIL PROTECTED] wrote: I think that a default level of filtering - SMTP and the Microsoft protocols that were only intended for use on a LAN - should be in place to deal with the default level of end-user administrative skill - low to nonexistent. However I *don't* think that clueful administrators and users should be subject to such restrictions, and should be able to opt out without charge. Alas, I know of only one ISP (Speakeasy) clueful enough to implement this, and they're DSL-only. Those of us on very long phone lines and only able to get broadband via cable are stuck with the clueless ISP's operating over that medium. The only way to get a home office connection with a static IP is through an expensive T1. It's very frustrating.
Re: My thoughts on image spam strategies
John Rudd wrote: No, 70 would still be 70. 07 would become 00. And 07 is a pretty faint red. Looking at it now, I can't distinguish it from black. (70 is 0111 so the lower 3 or 4 bits are already 0's, whereas 07 is 0111 .. THAT becomes 0 and is indistinguishable from black.. but then, so is 07, to my eye) In fact, 070707 is pretty indistinguishable from black. So is 000700, which should be the one we'd be most likely to see, because it's using green. But I still see it as black on my screen. So, I still don't see how you're asserting that it would fail. I had misunderstood what you were trimming. Another of your posts made it clear. Derek
Re: What changes would you make to stop spam? - United Nations Paper
Rob McEwen wrote: Honestly, I haven't been following this thread much... but I do want to add that the UN is full of thugs who are power hungry and would like very much to control the Internet and implement a world tax and probably a tax on the Internet as well. Just to keep things in perspective, there are plenty of people who would say the exact same thing, except substituting US for UN and George W. Bush for Kofi Annan. Even the comparison to Palpatine. Now, back on the subject of actually fighting spam... -- Kelson Vibber SpeedGate Communications www.speed.net
Re: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 3:03 PM +0100 Graham Murray [EMAIL PROTECTED] wrote: Personally I would solve the problem by going the other way. Get rid of dynamic IP addresses Interesting idea. It's my understanding that dynamic addresses are used due to the IPv4 shortage, so if we can push for more IPv6 deployment, we get the technical means to get rid of dynamic addresses. (Aside from addresses, are there other configuration settings that need to be handed down by DHCP? Does IPv6 auto-config take care of DNS and routing?)
Re: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 5:37 AM -0700 Marc Perkel [EMAIL PROTECTED] wrote: Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. What's your objection to authenticated SMTP? It already exists, and clients support it. All my users use it. About the only hitch is that I have to configure the server twice in Mozilla. (It would be nice to have a checkbox to say that the SMTP info is the same as the IMAP info, except for port number.)
Re: What changes would you make to stop spam? - United Nations Paper
John D. Hardin wrote: On Tue, 1 Aug 2006, John Rudd wrote: Reducing volume of spam *sent* probably requires fundamental redesign of the protocols, or some other major change in the cost/benefit analysis. Don't think that's needed, if ISPs only allow outgoing SMTP to the ISP's SMTP servers and not directly then most (current) bots and most spam will be dealt with. I wouldn't be surprised to see the amount of spam then drop more than 80%. (I know, just repeating myself ;-)) Come to think of it, chances are the zombies/bots will then be used for DDoSing everything that has an IP address just as revenge :( Regards Menno -- View this message in context: http://www.nabble.com/What-changes-would-you-make-to-stop-spamUnited-Nations-Paper-tf2035870.html#a5618619 Sent from the SpamAssassin - Users forum at Nabble.com.
Re: What changes would you make to stop spam? - United Nations Paper
Kenneth Porter wrote: --On Wednesday, August 02, 2006 5:37 AM -0700 Marc Perkel [EMAIL PROTECTED] wrote: Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. What's your objection to authenticated SMTP? It already exists, and clients support it. All my users use it. If IMAP had the ability to send email to the server then SMTP could be a server to server protocol and IMAP would be the consumer connection protocol. That would make it so that servers don't have to talk to end users pretending to be SMTP servers. You could wall off port 25 and isolate the spam zombies. About the only hitch is that I have to configure the server twice in Mozilla. (It would be nice to have a checkbox to say that the SMTP info is the same as the IMAP info, except for port number.) If IMAP could send you wouldn't have to configure it twice.
Help With A Custom Rule
Hello to the list! I'm trying to write a rule to nail the following string: 'Microsoft Word 11 (filtered medium)' To wit, I've written the following rule:

rawbody WOLFSTAR_MSWORD11_RULE /Microsoft Word 11 (filtered medium)/
score WOLFSTAR_MSWORD11_RULE 1.0
describe WOLFSTAR_MSWORD11_RULE Looks Like Another Inline IMG SPAM

... --lint gives me no indication that anything is wrong. However, the rule doesn't seem to fire... specifically I'm trying to trap:

<meta name=3DGenerator content=3DMicrosoft Word 11 (filtered medium)>

Suggestions as to what I am doing wrong?
Re: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 10:38 AM -0700 MennovB [EMAIL PROTECTED] wrote: Don't think that's needed, if ISP's only allow outgoing SMTP to the ISP's SMTP servers and not directly then most (current) bots and most spam will be dealt with. I wouldn't be surprised to see the amount of spam then drop more than 80%. (I know, just repeating myself ;-)) Does it really have to be funneled through their SMTP servers? Would it not be sufficient simply to add a connection-level SYN throttle on that port at the routers? Perhaps someone here could propose a set of iptables rules that would implement this. Or the equivalent rule for a Cisco.
Re: Help With A Custom Rule
On Wed, Aug 02, 2006 at 01:59:24PM -0400, Michel Vaillancourt wrote: rawbody WOLFSTAR_MSWORD11_RULE /Microsoft Word 11 (filtered medium)/ ... --lint gives me no indication that anything is wrong. However, the rule doesn't seem to fire... specifically I'm trying to trap: [meta name=3DGenerator content=3DMicrosoft Word 11 (filtered medium)] Suggestions as to what I am doing wrong? My first guess is that you need to escape the parens. (...) has special meaning in regular expressions whereas \(...\) means ... between parens. :) -- Randomly Generated Tagline: Everyone lies Michael. The innocent lie because they don't want to be blamed for something they didn't do, and the guilty lie because they have no other choice. Find out why he's lying; the rest will take care of itself. - Sinclair on Babylon 5
Re: Help With A Custom Rule
On Wed, 2 Aug 2006, Michel Vaillancourt wrote: To wit, I've written the following rule: rawbody WOLFSTAR_MSWORD11_RULE /Microsoft Word 11 (filtered medium)/ Escape the parentheses. They are at the moment indicating a captured match substring.

rawbody WOLFSTAR_MSWORD11_RULE /Microsoft Word 11 \(filtered medium\)/

-- John Hardin
Re: Block direct SMTP
Like others here I would want the ISPs to allow outgoing SMTP from their customers only to the ISP's SMTP servers. This is already being done by a lot of ISPs and it's very effective. I think it is a waste of time that it still isn't implemented everywhere. Lots of bots would become useless. I know that it will be difficult to force this in some countries but then I have the choice to block the mail from such countries. I already block mail from lots of adsl/cable URLs. In the reject message I mention the SMTP server of their ISP so they know what to change if they want to send mail to me. I also use the DUL list for blocking. Forcing SMTP to go through the ISP has IMHO nothing to do with free speech or not, even direct SMTP traffic is passing through routers of the ISP anyway so they could monitor it, and you can always encrypt mail if you want to. Okay, spammers will find other methods probably, but then it can be dealt with centrally by the ISP. And using better protocols than SMTP is a possibility but that takes a lot of time before it is implemented, so for the time being, block it I would say. Regards Menno van Bennekom Hi, one can have mixed feelings about that. Well, I am customer to an access provider, and have an email address with them, so I quite naturally use their smarthost. Now, add in my own domain. If the domain is hosted, one would, of course, use the host's SMTP server, and SMTP AUTH. What happens if the access provider blocks outgoing SMTP and the webhost cannot be bothered to offer an alternate port, or SMTPS? 
In a different area, we occasionally see discussions about people whose access provider is selling a business static IP access but does not get their act together as far as DUL listings, DNS entries etc. are concerned. I agree with rejecting mail that cannot be replied to, e.g. made-up domain names. Wolfgang Hamann
Re: What changes would you make to stop spam? - United Nations Paper
Kenneth Porter wrote: Does it really have to be funneled through their SMTP servers? Would it not be sufficient simply to add a connection-level SYN throttle on that port at the routers? Perhaps someone here could propose a set of iptables rules that would implement this. Or the equivalent rule for a Cisco. I understand 'funneling' as routing, but what I mean is the customer has to configure smtp.provider.com as outgoing mailserver. On my Cisco PIX firewalls I have configured embryonic limits on every static, Cisco FW-IOS has (I think) about the same commands, in plain IOS I wouldn't know the command. Anyway, IMHO with SYN throttle you would only be rate-limiting the zombies, I would rather they stopped sending spam completely.. Regards Menno
Re: What changes would you make to stop spam? - United Nations Paper
On Wed, 2 Aug 2006, Kenneth Porter wrote: --On Wednesday, August 02, 2006 5:37 AM -0700 Marc Perkel [EMAIL PROTECTED] wrote: Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. What's your objection to authenticated SMTP? It already exists, and clients support it. All my users use it. About the only hitch is that I have to configure the server twice in Mozilla. (It would be nice to have a checkbox to say that the SMTP info is the same as the IMAP info, except for port number.) It's not my favorite MUA, but that already exists in MS Outlook. It has a checkbox exactly like that labelled "Use same settings as my incoming mail server". What might really be nice is some sort of language that could be used to write up a document to configure a mail client for a given ISP and user. It could configure all necessary settings and would work with any client, making this a one-step process even if 10 or 20 different settings have to be entered. - Logan
Re: Image spams getting thru
Will work wonders till they change the filename. It's already happened. I just received some image spams each with the different attachment names: name=masterpiece.gif name=righteously.gif name=locket.gif I guess you people get different spams than I do. I've been seeing that random name selection on stock spam gifs for probably 5 months. In fact I've never seen two that used the same file name. Loren
Re: Geographic Zone to Headers?
On Wed, August 2, 2006 17:51, David Cary Hart wrote: EXPERIMENTALLY, I have added world.tqmcube.com as a zone which is obviously not included in the composite. This returns a text record of the country of origin. good For example - with linux: #dig +short 199.227.237.209.world.tqmcube.com -t txt will return United States. nice, but is it for the MTA or SpamAssassin? if it's for the MTA, why the need to tell the country of the IP? if it's for SpamAssassin it will be too many DNS lookups for things that can be added to dnsbl.tqmcube.com as a subtest with separate results, you already have ko and prc as example PS: for my test of the dnsbl zone there are no false positives or negatives here so far -- Benny
Re: What changes would you make to stop spam? - United Nations Paper
On Wednesday 02 August 2006 19:24, Kenneth Porter took the opportunity to say: --On Wednesday, August 02, 2006 3:03 PM +0100 Graham Murray [EMAIL PROTECTED] wrote: Personally I would solve the problem by going the other way. Get rid of dynamic IP addresses Interesting idea. It's my understanding that dynamic addresses are used due to the IPv4 shortage, so if we can push for more IPv6 deployment, we get the technical means to get rid of dynamic addresses. (Aside from addresses, are there other configuration settings that need to be handed down by DHCP? Does IPv6 auto-config take care of DNS and routing?) Although IPv6's stateless address autoconfiguration removes the primary motivation for DHCP in IPv4, DHCPv6 can still be used to statefully assign addresses if the network administrator desires more control over addressing. It can also be used to distribute information which is not otherwise discoverable; the most important case of this is the DNS server. http://en.wikipedia.org/wiki/DHCPv6 -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: What changes would you make to stop spam? - United Nations Paper
On Wednesday 02 August 2006 14:37, Marc Perkel took the opportunity to say: Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. It created an authenticated connection back to the server where the POP/IMAP server hands it off to the SMTP server. That way email clients aren't using the same protocol as email servers. Why? It's not, like, that MUAs try to deliver directly to the recipient MX. If all ISPs block port 25 outbound, it doesn't matter what protocol end users use to submit their mail to their local MTA. Otherwise, zombies can still try to connect directly, and you'll have to rely on DUL and other blacklists to figure out which IP addresses belong to end users. I think part of the problem is that the receiving SMTP server can't tell if email is coming from another SMTP server or a virus infected spam zombie. Yes, but that problem isn't solved by using a different protocol to submit mail. How are you going to enforce it, without also blocking port 25 outbound? That, or a global whitelist, is the necessary and sufficient condition for stopping direct zombie connections. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Block direct SMTP
hamann.w wrote: Well, I am customer to an access provider, and have an email address with them, so I quite naturally use their smarthost Now, add in my own domain. If the domain is hosted, one would, of course, use the hosts SMTP server, and smtp auth What happens if the access privider blocks outgoing smtp and the webhost cannot be bothered to offer an alternate port, or smtps? I think if this really would be a major problem it is feasible to let the ISP make exceptions, like allowing in their firewall outgoing SMTP from you to the other IP-address. Maybe they can even make this user-configurable in web-selfservice, say 10 entries to open SMTP to a certain ip-addresses.. hamann.w wrote: In a different area, we occasionally see discussions about people whose access provider is selling a business static ip access but does not get their act together as far as dul listings, dns entries etc are concerned We've got static addresses and several 'business' contracts but we don't use direct SMTP. I don't think I would notice it if our addresses would be in DUL lists. Unless one is checking all hops and giving lots of spam-points to RCVD_DUL_something, then we may suddenly start sending spam ;-) Regards Menno van Bennekom
Re: What changes would you make to stop spam? - United Nations Paper
Magnus Holmgren wrote: On Wednesday 02 August 2006 14:37, Marc Perkel took the opportunity to say: Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. It created an authenticated connection back to the server where the POP/IMAP server hands it off to the SMTP server. That way email clients aren't using the same protocol as email servers. Why? It's not, like, that MUAs try to deliver directly to the recipient MX. If all ISPs block port 25 outbound, it doesn't matter what protocol end users use to submit their mail to their local MTA. Otherwise, zombies can still try to connect directly, and you'll have to rely on DUL and other blacklists to figure out which IP addresses belong to end users. The zombies wouldn't be able to connect because the zombies wouldn't have the IMAP password. I think part of the problem is that the receiving SMTP server can't tell if email is coming from another SMTP server or a virus infected spam zombie. Yes, but that problem isn't solved by using a different protocol to submit mail. How are you going to enforce it, without also blocking port 25 outbound? That, or a global whitelist, is the necessary and sufficient condition for stopping direct zombie connections. If you use IMAP for your outgoing email from the client you no longer need port 25 except for server to server transfers. The only outgoing path is the IMAP connection which requires authentication. Zombies wouldn't have the password and wouldn't have access to any way to send email.
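The property being argued over in this thread, that a zombie without the user's password cannot inject mail through the submission path, is exactly what the existing RFC 4409 submission service on port 587 with SMTP AUTH already gives. The following is an added example, not code from any list participant: a toy model of the server side of a submission session that implements AUTH PLAIN (RFC 4616) and refuses MAIL FROM until authentication succeeds, driven through three constructed client transcripts (a bot that skips AUTH, a user with the right password, a user with the wrong one). The hostname submit.example.net and the credentials are assumptions for the example; a real server would run this only after STARTTLS, which the model omits.

```python
import base64

# Constructed credential store for the example submission service (assumption).
USERS = {'alice': 'correct horse battery staple'}


class SubmissionSession:
    """Server side of a minimal message-submission session (port 587 style).
    MAIL FROM is accepted only after a successful AUTH PLAIN; everything else
    a bot could send gets an error, so no password means no mail."""

    def __init__(self):
        self.authenticated_as = None
        self.transcript = []   # ('C'|'S', line) pairs for inspection

    def _reply(self, line):
        self.transcript.append(('S', line))
        return line

    def handle(self, line):
        self.transcript.append(('C', line))
        verb, _, arg = line.partition(' ')
        verb = verb.upper()
        if verb == 'EHLO':
            return self._reply('250-submit.example.net\r\n250 AUTH PLAIN')  # hypothetical host
        if verb == 'AUTH':
            mech, _, blob = arg.partition(' ')
            if mech.upper() != 'PLAIN' or not blob:
                return self._reply('504 5.5.4 Unrecognized authentication type')
            try:
                # RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd
                _authzid, authcid, passwd = base64.b64decode(blob).decode().split('\x00')
            except ValueError:   # bad base64, bad UTF-8, or wrong number of NUL-separated fields
                return self._reply('501 5.5.2 Malformed AUTH PLAIN response')
            if USERS.get(authcid) == passwd:
                self.authenticated_as = authcid
                return self._reply('235 2.7.0 Authentication successful')
            return self._reply('535 5.7.8 Authentication credentials invalid')
        if verb == 'MAIL':
            if self.authenticated_as is None:
                return self._reply('530 5.7.0 Authentication required')
            return self._reply('250 2.1.0 Ok')
        if verb == 'QUIT':
            return self._reply('221 2.0.0 Bye')
        return self._reply('502 5.5.2 Command not implemented')


def auth_plain_blob(user, password):
    """Encode credentials the way a client does for single-line AUTH PLAIN."""
    return base64.b64encode(f'\x00{user}\x00{password}'.encode()).decode()


def run(script):
    """Feed a list of client lines to a fresh session; return the server replies in order."""
    session = SubmissionSession()
    return [session.handle(line) for line in script]


def zombie_attempt():
    # A bot on an infected host has no password, so it goes straight to MAIL FROM.
    return run(['EHLO zombie.example', 'MAIL FROM:<victim@example.org>'])


def legitimate_attempt():
    return run(['EHLO laptop.example',
                'AUTH PLAIN ' + auth_plain_blob('alice', 'correct horse battery staple'),
                'MAIL FROM:<alice@example.net>'])


def wrong_password_attempt():
    return run(['EHLO laptop.example',
                'AUTH PLAIN ' + auth_plain_blob('alice', 'guess'),
                'MAIL FROM:<alice@example.net>'])


if __name__ == '__main__':
    for name, fn in [('zombie', zombie_attempt), ('alice', legitimate_attempt),
                     ('wrong password', wrong_password_attempt)]:
        print(name, fn())
```

The model deliberately has no code path that lets an unauthenticated client reach MAIL FROM; that is the same guarantee an IMAP-based sender would give, which is why the thread's objection is that the guarantee already exists. What authentication does not do is stop a bot that has stolen the user's stored credentials or is running inside the user's own mail client, so the ISP-side port 25 block discussed above remains the complementary control.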
RE: Image spams getting thru
-Original Message- From: Loren Wilton [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 02, 2006 3:17 PM To: users@spamassassin.apache.org Subject: Re: Image spams getting thru Will work wonders till they change the filename. It's already happened. I just received some image spams each with the different attachment names: name=masterpiece.gif name=righteously.gif name=locket.gif I guess you people get different spams than I do. I've been seeing that random name selection on stock spam gifs for probably 5 months. In fact I've never seen two that used the same file name. Loren I have the same random pattern here Loren. --Chris
same name spams
I am getting quite a few spams that even with most of the SARE rules are sneaking in under 5 points, 4.7 - 4.9. One common thing I've noticed the last 2 days is 80% or so are addressed to more than one email address like this: [EMAIL PROTECTED], [EMAIL PROTECTED] The part before the @ is always the same as my email address. Is there a rule set that can check for this and add .2 to the score? ... hmm, looking at them again - I don't think my SURBL is working, they all have geocities links in them. I'll check on that first.
spf fails for smtp auth clients
dig rima.ws txt

SPF fails when mails are sent to my own mail server, but it should work for all others that receive mail from rima.ws? Is this a bug or just my config? My SMTP auth IP is both in internal networks and trusted networks. What have I done wrong?

-- Benny
Re: What changes would you make to stop spam? - United Nations Paper
Marc Perkel wrote:
> Magnus Holmgren wrote:
>> On Wednesday 02 August 2006 14:37, Marc Perkel took the opportunity to say:
>>> Why not just eliminate the SMTP protocol for end users and keep SMTP as a server to server protocol and have users send their email to the server by extending POP/IMAP to send email. It created an authenticated connection back to the server where the POP/IMAP server hands it off to the SMTP server. That way email clients aren't using the same protocol as email servers.
>> Why? It's not, like, that MUAs try to deliver directly to the recipient MX. If all ISPs block port 25 outbound, it doesn't matter what protocol end users use to submit their mail to their local MTA. Otherwise, zombies can still try to connect directly, and you'll have to rely on DUL and other blacklists to figure out which IP addresses belong to end users.
> The zombies wouldn't be able to connect because the zombies wouldn't have the IMAP password.
>>> I think part of the problem is that the receiving SMTP server can't tell if email is coming from another SMTP server or a virus infected spam zombie.
>> Yes, but that problem isn't solved by using a different protocol to submit mail. How are you going to enforce it, without also blocking port 25 outbound? That, or a global whitelist, is the necessary and sufficient condition for stopping direct zombie connections.
> If you use IMAP for your outgoing email from the client you no longer need port 25 except for server to server transfers. The only outgoing path is the IMAP connection which requires authentication. Zombies wouldn't have the password and wouldn't have access to any way to send email.

And this differs from SMTP AUTH in what way?

ISP:
* Blocks pt 25 outbound.
* Requires all of its users to AUTH sending through its servers.

I see using IMAP as a bad reason to stop spam. Think of this. The normal user knows to get their mail from mail.isp.com and send mail to mail.isp.com (SMTP, POP respectively.) All email clients I've ever seen are set up to delete messages off the server when they have downloaded them by default (POP3.)

POP3/SMTP AUTH
Mail storage for ISP? Say 100MB. (ISPs don't allocate this by the number of users; they know that they won't be storing that much mail for that long.)
Help desk calls because of over limit? Very few.

IMAP/IMAP SEND
Mail storage for ISP? Say 100MB. (ISP WILL HAVE TO allocate this much for every user; say you have 40K users... you can see how expensive this will become.)
Help desk calls because of over limit? Quite a few because the email client will just keep the messages on the server.

I'd be surprised if you'd convince a broad range of ISPs to implement IMAP for all their users... ISPs complain about network infrastructure upgrades; what do you think will happen when their server farm will have to grow by 1X for storage? They'll just laugh. Now if you are a small time ISP, and have deep pockets, sure, implement this strategy. But I'm very doubtful they will. I know I won't.

I block locally all outbound and inbound port 25 (except where needed.) I work for a private company and can do this. By not blocking on even a corp LAN, you are exposing yourself to possible infections by users setting up their MUA to get mail from their ISP's server... I may be thought of as a Mail Nazi, but I also can say with 100% assurance, our network here will not spread a virus or spam. Everything scanned, everything checked, what isn't is blocked.

--
Thanks,
James
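The policy James describes (outbound port 25 blocked, every user's mail submitted through the ISP's own server with SMTP AUTH, which elsewhere in the thread is tied to the submission port 587) can be modelled as a small command handler. The Python below is an added example, not code from the thread or from any MTA: it implements enough of a submission session to show the gate itself, namely that MAIL FROM is refused with `530 5.7.0 Authentication required` until an AUTH PLAIN exchange has succeeded. The credential store, hostnames, addresses and both transcripts are constructed for the demonstration.

```python
"""A minimal mail-submission gate that refuses MAIL FROM before AUTH.

Added example, not code from the thread or from any MTA. It models an
ISP submission server (the port 587 service) that accepts envelope
commands only from a client that has authenticated. Credentials and
addresses below are constructed.
"""
import base64
import hmac

# Constructed credential store; a real server consults an auth backend.
CREDENTIALS = {"alice": "correct horse battery staple"}


class SubmissionSession:
    """State for one client: authenticated identity and envelope."""

    def __init__(self):
        self.authenticated_as = None
        self.mail_from = None

    def handle(self, line: str) -> str:
        """Return the server reply for one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return "250-submission.example.invalid\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            # The gate: no envelope sender without a successful AUTH.
            if self.authenticated_as is None:
                return "530 5.7.0 Authentication required"
            self.mail_from = arg
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Bad sequence of commands"
            return "250 2.1.5 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"

    def _auth(self, arg: str) -> str:
        """Handle AUTH PLAIN with the credentials sent on the same line."""
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            # AUTH PLAIN carries "\0authzid\0authcid\0password" in base64.
            _, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode response"
        expected = CREDENTIALS.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            self.authenticated_as = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def run_script(lines):
    """Feed client lines through one session; return the replies in order."""
    session = SubmissionSession()
    return [session.handle(line) for line in lines]


def plain_blob(user: str, password: str) -> str:
    """Encode an AUTH PLAIN initial response (empty authzid)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def zombie_attempt():
    """Constructed transcript: a host with no credentials tries to send."""
    return run_script(["EHLO pc-1234", "MAIL FROM:<alice@example.invalid>", "QUIT"])


def legitimate_submission(user="alice", password="correct horse battery staple"):
    """Constructed transcript: a real MUA authenticates, then sends."""
    return run_script([
        "EHLO laptop",
        "AUTH PLAIN " + plain_blob(user, password),
        "MAIL FROM:<alice@example.invalid>",
        "RCPT TO:<bob@example.invalid>",
        "QUIT",
    ])


if __name__ == "__main__":
    print("unauthenticated:", zombie_attempt())
    print("authenticated:  ", legitimate_submission())
```

Whether the client speaks SMTP on 587 or some IMAP extension, the security property is the same one this handler enforces: the envelope is accepted only on a connection that has presented a credential, and the outbound path on port 25 is closed to everything that is not the ISP's own relay.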
Re: What changes would you make to stop spam? - United Nations Paper
On Wednesday 02 August 2006 21:29, Marc Perkel took the opportunity to say:
> The zombies wouldn't be able to connect because the zombies wouldn't have the IMAP password.

In that case, neither the SMTP password, which we have to assume is required. But in most cases I think the spamware has access to the password if it wants to. Especially with admin privileges.

> If you use IMAP for your outgoing email from the client you no longer need port 25 except for server to server transfers. The only outgoing path is the IMAP connection which requires authentication. Zombies wouldn't have the password and wouldn't have access to any way to send email.

Not with SMTP on port 587 either. Not that it's easy, but getting everyone in the world to use a different port sure is easier than getting everyone in the world to use a different protocol, one that would need code to be written for first.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: What changes would you make to stop spam? - United Nations Paper
JamesDR wrote:
> And this differs from SMTP AUTH in what way?

With SMTP AUTH the authentication for the outbound email isn't necessarily the same as the incoming email. If you use IMAP to send email then the user has to know the IMAP password to send email. It also doesn't require a separate connection on a separate port. Why use 2 protocols when you can use one?

> IMAP/IMAP SEND
> Mail storage for ISP? Say 100MB. (ISP WILL HAVE TO allocate this much for every user; say you have 40K users... you can see how expensive this will become.)
> Help desk calls because of over limit? Quite a few because the email client will just keep the messages on the server.

There would have to be a POP SEND as well.
RE: same name spams
> I am getting quite a few spams that even with most of the SARE rules are sneaking in under 5 points (4.7 - 4.9). One common thing I've noticed the last 2 days is 80% or so are addressed to more than one email address, like this: [EMAIL PROTECTED], [EMAIL PROTECTED]. The part before the @ is always the same as my email address. Is there a rule set that can check for this and add .2 to the score? ... Hmm, looking at them again - I don't think my SURBL is working; they all have geocities links in them. I'll check on that first.

SURBL doesn't really work well with geocities sites since geocities CAN contain real sites, not just spammer sites. However, in our environment, we only have one person (currently) sending real e-mail with a geocities link, so I simply whitelisted the person and use KAM's geocities rule to pretty much block the rest. You can find the rule here: http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

Caution: scoring the rule too high is subject to false positives. YMMV.

Bret
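The pattern asked about in the question above (several recipients that all share the mailbox owner's local-part at different domains) is easy to check directly from the To: and Cc: headers. The Python below is an added example, not a SpamAssassin rule and not code from either post: it extracts the recipient addresses, counts how many carry the owner's local-part, and reports the pattern as suspicious only when that local-part appears at two or more distinct domains, so that an ordinary message to one's own address does not trigger it. The sample headers, addresses and the owner address `jdoe@example.invalid` are constructed.

```python
"""Detect the "same local-part, many domains" recipient pattern.

Added example (not from the thread or from SpamAssassin): flags mail
whose To:/Cc: recipients repeat the owner's local-part (the text
before the @) across several domains, the shape of a dictionary-style
mailing rather than a message written to one person.
"""
from email import message_from_string
from email.utils import getaddresses


def recipient_addresses(raw: str):
    """Return lowercased recipient addresses from the To: and Cc: headers."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if "@" in addr]


def same_localpart_hits(raw: str, own_address: str):
    """Return (shared_count, total_recipients, suspicious).

    shared_count is how many recipients carry own_address's local-part;
    suspicious is True only when at least two of them do so at two or
    more distinct domains, which keeps a plain message to our own
    address (one recipient, one domain) from matching.
    """
    own_local = own_address.lower().split("@", 1)[0]
    addrs = recipient_addresses(raw)
    shared = [a for a in addrs if a.split("@", 1)[0] == own_local]
    domains = {a.split("@", 1)[1] for a in shared}
    suspicious = len(shared) >= 2 and len(domains) >= 2
    return len(shared), len(addrs), suspicious


# Constructed sample headers (bodies omitted; addresses are placeholders).
SAMPLE_SPAM = (
    "From: anyone@example.invalid\r\n"
    "To: jdoe@example.invalid, jdoe@mail.example.invalid\r\n"
    "Cc: jdoe@other.invalid, bob@example.invalid\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)
SAMPLE_NORMAL = (
    "From: bob@example.invalid\r\n"
    "To: J. Doe <jdoe@example.invalid>\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    own = "jdoe@example.invalid"
    print("spam-like:", same_localpart_hits(SAMPLE_SPAM, own))
    print("normal:   ", same_localpart_hits(SAMPLE_NORMAL, own))
```

The small score the poster has in mind (the 0.2 points mentioned in the question) would be attached to the `suspicious` result in whatever filter consumes it; the helper itself only reports the counts so the threshold can be tuned against real traffic.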
Re: What changes would you make to stop spam? - United Nations Paper
Magnus Holmgren wrote:
> On Wednesday 02 August 2006 21:29, Marc Perkel took the opportunity to say:
>> The zombies wouldn't be able to connect because the zombies wouldn't have the IMAP password.
> In that case, neither the SMTP password, which we have to assume is required. But in most cases I think the spamware has access to the password if it wants to. Especially with admin privileges.

SMTP passwords go away because SMTP goes away. If the user doesn't store the password then they would type it in when, say, Thunderbird first starts. At that point only Thunderbird, not the virus program, would have access to the IMAP port. If the virus wanted access it would have to establish its own connection which would require its own authentication.

>> If you use IMAP for your outgoing email from the client you no longer need port 25 except for server to server transfers. The only outgoing path is the IMAP connection which requires authentication. Zombies wouldn't have the password and wouldn't have access to any way to send email.
> Not with SMTP on port 587 either. Not that it's easy, but getting everyone in the world to use a different port sure is easier than getting everyone in the world to use a different protocol, one that would need code to be written for first.

The idea is that outgoing IMAP would replace SMTP and there would be no SMTP between clients and servers. SMTP would be a server to server protocol.