Re: OT Boincing Spam

2004-12-26 Thread Tim B

>> What I've done now is:
>> 1) Spam over a certain score goes to /dev/null
>> 2) Spam under a certain score, and over a certain score go to spamtrap
>> in case someone's looking for something.
>> 3) Low scoring spam gets delivered to the user with **SPAM** in the
>> subject, which the users have client-side rules to move to a
>> spam folder.
>
> That seems sane. What levels do you set?

First off, I use Postfix Policyd to greylist delivery.
With all the SARE rules for SA 3.x, Razor, DCC, and Pyzor, I set our
thresholds to:

Over 15 -- /dev/null
Over 9 -- /spamtrap
Over 5.5 -- Rewrite Subject

Most false positives fall between 5.5 and 6.5 (maybe 2 a day and it is
usually due to a rather high score RBL). I have yet to have to go into
spamtrap to find good mail and I've used this for 4 months now.  Just
once was I given a false negative.


Re: OT Boincing Spam

2004-12-26 Thread mazieres
On Sat, 25 Dec 2004 13:10:04 -0900, John Andersen [EMAIL PROTECTED] wrote:
> From your web page:
>
> "Bodytest" support - allows you to run filters like spamassassin and clamscan
> on the body of a mail message before replying to the final "." of the SMTP
> DATA command. (See the edinplace(1) man page and the bodytest description in
> the avenger(1) man page.)
>
> This would imply that you hold the connection open from the sender till
> SA has had a look at the mail, (which may entail several network based hits
> in the process of checking surbl etc).  Does this not entail some rather
> large number of open connections on the mail server, some of which might
> time out when SA is working hard?

Yes, it does mean that there is a potential delay here.  I think the
biggest danger is that if you get unlucky, you could get a duplicate
mail message, if the client timed out but the mail ended up going
through.  However, in practice I'm running the software on several
production mail servers, one of which has hundreds of users (the
others are smaller), and I have not noticed this problem.  Usually
clients have a timeout of at least several minutes during the DATA
portion of the SMTP session, while spamassassin seems to take only
seconds or tens of seconds in the worst case.

Note that external network queries are fairly common during SMTP
transactions.  For example, almost all MTAs do reverse DNS lookups and
RFC 1413 ident lookups (the latter of which can be very slow for
clients behind firewalls that block TCP port 113).  Nowadays, servers
including Mail Avenger increasingly support SPF, which requires more
DNS lookups.  Mail Avenger also does its own RBL lookups if you ask it
to, which will prime your nameserver's cache before invoking
spamassassin.  (Mail Avenger does the lookups concurrently and before
the DATA command, so the latency is less and there is no chance of a
duplicate message.)  This doesn't apply to SURBL lookups, of course.

Further mitigating the problem, you can configure Mail Avenger both to
limit the number of concurrent connections and to limit the number of
connections from any given IP address.  Some MTA clients like certain
versions of qmail have a habit of opening 20 TCP connections to the
same mail server concurrently.  Mail Avenger can, if you so configure
it, accept 5 connections from a client, then tweak the kernel's
firewall rules to drop further SYN packets from that particular client
until one of the 5 existing connections closes.  Thus, instead of
having 20 connections stuck waiting for spamassassin on an overloaded
server, you'll have most of the connections waiting for the TCP
connection to complete (for which you usually have about 2 minutes),
and again no risk of duplicate messages.

So all in all I'd say you've identified a potential concern, and it is
something I worried about initially, but in practice it really doesn't
seem to be a problem.

> Also does avenger sit ahead of sendmail or is it called by sendmail?
> (Who is listening on 25? Avenger or sendmail/qmail?)

Yes, Mail Avenger listens on port 25.  It needs to in order to
coordinate client connections with firewall rules, as well as to do
things like infer the client's operating system from its TCP SYN
fingerprints and determine the network route to the client while it is
connected.  We've seen some evidence that a few spam sources are
correlated with BGP route flaps, meaning that some spammers may be
temporarily stealing IP address space to send their spam.  Thus, it's
important to record the network path at the time of the TCP
connection.

Mail Avenger passes mail messages off to an arbitrary program you can
configure.  The default is sendmail -oi -os -oee -f SENDER --
RECIPIENT1 RECIPIENT2 ..., which works with both sendmail and qmail. 
I would imagine something similar should also work with postfix, exim,
and other mailers, though I haven't yet tried it myself.

David


Re: OT Boincing Spam

2004-12-25 Thread mazieres
I think people are missing an important point in this discussion about
bouncing spam.  Really, bouncing spam can be used to mean two
different things:

  1. Generate a bounce message to the envelope sender of the message, and

  2. During the SMTP session, refuse to accept mail from the client,
by returning a 500-series SMTP error code.

Option 1 is almost always a terrible idea, unless perhaps the sender
has published an SPF record and the result of an SPF check at the
server is pass (but definitely not anything else, including neutral or
none).  Anyway, option 1 is strictly inferior to option 2, as it will
always require more resources at the mail server.

Option 2 is actually in my opinion a good idea, because in the case of
false positives, it lets the sender know that the mail might not be
read.  In the case of actual spam, assuming you refuse the mail at the
outermost mail relay at your organization, very often the mail is
coming from a spambot that will never generate the bounce message.  In
other cases, the client may be an open mail relay, but such machines
are very often blacklisted anyway, so I don't view causing them to
send bounces as a terrible thing.  Others may disagree on that point,
but at any rate you are not risking getting your own server
blacklisted--only the open mail relay is in danger of being
blacklisted (which it should be anyway).

I've been quite interested in this issue of bouncing/refusing spam
messages, and so built an SMTP server that makes it easy for
individual users to refuse spam at the SMTP level.  (See
www.mailavenger.org for details.)

Recently, I have set up my account to reject with a 554 SMTP error
code anything that spamassassin flags as spam, using the default
threshold of 5.0, which is more aggressive than other people have been
suggesting here.  However, I also keep a copy of the messages I
bounce, both so as to monitor how this is working out, and to build a
corpus with which to train the Bayesian filter.  At least anecdotally,
this seems to be working well for me.  When I spot check spams, I
don't think I'm causing a lot of innocent people to get bounce
messages.

Note that I'm definitely sensitive to the issue of bad bounce
messages, as I used to receive a huge number of bounces for forged
messages--even though I publish strict SPF records.  These were mostly
bounced viruses, not spam, which meant that spamassassin didn't do a
great job of weeding them out.  However, I found a relatively simple
solution.  I now send all my mail from temporary envelope sender
addresses that expire after 21 days, and I refuse messages from the
empty envelope sender to my real (header From:) email addresses.  So
far so good, though I do realize there is the danger of a false
positive, since some people still send mail from the empty envelope
sender.

David
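
One way to implement the expiring envelope-sender scheme described in the post above, added here as an example and not taken from Mail Avenger or from the original post. The HMAC-signed address format, the key, the addresses and the function names are all assumptions made for illustration; only the 21-day lifetime and the refusal of null-sender mail to the real address come from the post.

```python
import hashlib
import hmac
import time

# Every value here is constructed for the example.
SECRET = b"constructed-demo-key"     # per-user signing key (assumption)
REAL_ADDRESS = "alice@example.org"   # the header From: address
LIFETIME_DAYS = 21                   # lifetime stated in the post
DAY = 86400


def mac(local, domain, expiry_day):
    """Short HMAC tag binding the mailbox to one expiry day."""
    msg = f"{local}@{domain}:{expiry_day}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]


def make_envelope_sender(real_address, now=None):
    """Build the MAIL FROM address for mail sent at time `now`."""
    now = time.time() if now is None else now
    local, domain = real_address.lower().rsplit("@", 1)
    expiry_day = int(now // DAY) + LIFETIME_DAYS
    return f"{local}+{expiry_day}-{mac(local, domain, expiry_day)}@{domain}"


def temp_address_valid(rcpt, now):
    """True for an unexpired, correctly signed temporary address."""
    local_part, _, domain = rcpt.lower().rpartition("@")
    base, plus, suffix = local_part.partition("+")
    day_text, dash, tag = suffix.partition("-")
    if not (plus and dash and day_text.isascii() and day_text.isdigit()):
        return False
    if f"{base}@{domain}" != REAL_ADDRESS:
        return False
    expiry_day = int(day_text)
    expected = mac(base, domain, expiry_day)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return int(now // DAY) <= expiry_day


def check_rcpt(mail_from, rcpt_to, now=None):
    """Decide the reply to RCPT TO during the SMTP session: (code, text)."""
    now = time.time() if now is None else now
    if rcpt_to.lower() == REAL_ADDRESS:
        if mail_from == "":  # MAIL FROM:<> is how bounces arrive
            return 550, "bounces are accepted only at the envelope sender address"
        return 250, "OK"
    if temp_address_valid(rcpt_to, now):
        return 250, "OK"
    return 550, "unknown or expired address"


if __name__ == "__main__":
    sent_at = 1_100_000_000  # constructed timestamp
    sender = make_envelope_sender(REAL_ADDRESS, sent_at)
    print("MAIL FROM for outgoing mail:", sender)
    print("bounce to it next day:   ", check_rcpt("", sender, sent_at + DAY))
    print("bounce to it after 22d:  ", check_rcpt("", sender, sent_at + 22 * DAY))
    print("bounce to real address:  ", check_rcpt("", REAL_ADDRESS, sent_at))
```

A bounce caused by a forged message carries no valid tag, so it is refused at RCPT time with a 5xx reply instead of being accepted and filtered later.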


Re: OT Boincing Spam

2004-12-25 Thread Tim B
>   1. Generate a bounce message to the envelope sender of the message, and
>
>   2. During the SMTP session, refuse to accept mail from the client,
> by returning a 500-series SMTP error code.
>
> Option 1 is almost always a terrible idea, unless perhaps the sender
> has published an SPF record and the result of an SPF check at the
> server is pass (but definitely not anything else, including neutral or
> none).  Anyway, option 1 is strictly inferior to option 2, as it will
> always require more resources at the mail server.
>
> Option 2 is actually in my opinion a good idea, because in the case of
> false positives, it lets the sender know that the mail might not be
> read.  In the case of actual spam, assuming you refuse the mail at the
> outermost mail relay at your organization, very often the mail is
> coming from a spambot that will never generate the bounce message.  In
> other cases, the client may be an open mail relay, but such machines
> are very often blacklisted anyway, so I don't view causing them to
> send bounces as a terrible thing.  Others may disagree on that point,
> but at any rate you are not risking getting your own server
> blacklisted--only the open mail relay is in danger of being
> blacklisted (which it should be anyway).
>
> I've been quite interested in this issue of bouncing/refusing spam
> messages, and so built an SMTP server that makes it easy for
> individual users to refuse spam at the SMTP level.  (See
> www.mailavenger.org for details.)
>
> Recently, I have set up my account to reject with a 554 SMTP error
> code anything that spamassassin flags as spam, using the default
> threshold of 5.0, which is more aggressive than other people have been
> suggesting here.  However, I also keep a copy of the messages I
> bounce, both so as to monitor how this is working out, and to build a
> corpus with which to train the Bayesian filter.  At least anecdotally,
> this seems to be working well for me.  When I spot check spams, I
> don't think I'm causing a lot of innocent people to get bounce
> messages.

Well I've reached the point with those that bounce spam using Option 1 I
block with the following bounce:

554 Tell your admin to quit bouncing spam as that type of thing does 
nothing but DoS innocent domains.

Bouncing spam is IMHO just as big a problem as the spam itself.
It seems a certain appliance named after a fish likes to bounce spam by
default, which has caused our server to receive over 30,000 false bounces
to legitimate email addresses in less than an hour yesterday.

What I've done now is:
1) Spam over a certain score goes to /dev/null
2) Spam under a certain score, and over a certain score go to spamtrap
in case someone's looking for something.
3) Low scoring spam gets delivered to the user with **SPAM** in the subject,
which the users have client-side rules to move to a spam folder.

Viruses
1) Identifiable viruses go to /dev/null
2) Executables get quarantined in a filetrap


Re: OT Boincing Spam

2004-12-25 Thread Neylon:
Tim B wrote:
> Bouncing spam is IMHO just as big a problem as the spam itself.

Agreed.

> It seems a certain appliance named after a fish likes to bounce spam by
> default, which has caused our server to receive over 30,000 false bounces
> to legitimate email addresses in less than an hour yesterday.

Considering the CEO of that company is a reformed spammer this is
hardly surprising

> What I've done now is:
> 1) Spam over a certain score goes to /dev/null
> 2) Spam under a certain score, and over a certain score go to spamtrap
> in case someone's looking for something.
> 3) Low scoring spam gets delivered to the user with **SPAM** in the subject,
> which the users have client-side rules to move to a spam folder.

That seems sane. What levels do you set?


Re: OT Boincing Spam

2004-12-25 Thread John Andersen
On Friday 24 December 2004 06:59 pm, [EMAIL PROTECTED] wrote:
> Recently, I have set up my account to reject with a 554 SMTP error
> code anything that spamassassin flags as spam, using the default
> threshold of 5.0,

From your web page:

"Bodytest" support - allows you to run filters like spamassassin and clamscan
on the body of a mail message before replying to the final "." of the SMTP
DATA command. (See the edinplace(1) man page and the bodytest description in
the avenger(1) man page.)


This would imply that you hold the connection open from the sender till
SA has had a look at the mail, (which may entail several network based hits
in the process of checking surbl etc).  Does this not entail some rather
large number of open connections on the mail server, some of which might
time out when SA is working hard?

Also does avenger sit ahead of sendmail or is it called by sendmail?
(Who is listening on 25? Avenger or sendmail/qmail?)

-- 
John Andersen


Re: OT Boincing Spam

2004-12-25 Thread Jay Plesset

Timeout should not be a problem.

My SA seems to take 3 to 6 seconds to scan a message. SMTP timeout
should be 10 minutes, for any server that's compliant with the RFC.

jay

John Andersen wrote:

> On Friday 24 December 2004 06:59 pm, [EMAIL PROTECTED] wrote:
>
>> Recently, I have set up my account to reject with a 554 SMTP error
>> code anything that spamassassin flags as spam, using the default
>> threshold of 5.0,
>
> From your web page:
>
> "Bodytest" support - allows you to run filters like spamassassin and clamscan
> on the body of a mail message before replying to the final "." of the SMTP
> DATA command. (See the edinplace(1) man page and the bodytest description in
> the avenger(1) man page.)
>
> This would imply that you hold the connection open from the sender till
> SA has had a look at the mail, (which may entail several network based hits
> in the process of checking surbl etc).  Does this not entail some rather
> large number of open connections on the mail server, some of which might
> time out when SA is working hard?
>
> Also does avenger sit ahead of sendmail or is it called by sendmail?
> (Who is listening on 25? Avenger or sendmail/qmail?)

Re: OT Boincing Spam

2004-12-22 Thread ChupaCabra
Exactly.  I can show him excerpts of emails (which I already did) and
it helps some.  An article on the internet, a howto I don't know about
or an example of someone who did this and got blacklisted over the net
would be best.  Maybe, like me, y'all have looked and not found anything
suitable.

Let's hope this collection of emails appeases him some.
Thanks.

Chris Santerre wrote:
>> -----Original Message-----
>> From: ChupaCabra [mailto:[EMAIL PROTECTED]
>>
>> First he wanted that.  I did it but actually kept em all.  So then his
>> partner didn't get an urgent email so it was turned back to the users to
>> decide.  I get a different kneejerk each week.  What fun dealing with an
>> 80 yo ex military man.  This am it was Let's spambomb every isp that
>> sends spam and maybe *they* will do something about it.  And screw the
>> rest of the world too.  America owns the internet.  Fsck Em, they would
>> all die without the american economy, etc.
>
> Boy you guys are all missing it. He needs to put it in terms his boss
> understands.
>
> Tell him it is like hearing shots fired and putting suppressive fire on the
> area without determining WHO is actually firing!
>
> He's looking at an internet court-martial, for failing to act calm under
> fire.
>
> --4 Star Major of antispam, Chris

 

--
Michael H. Collins  Admiral, Penguinista Navy
http://linuxlink.com
/\ASCII Ribbon Campaign
\ / No HTML/RTF in email
x   No Word docs in email
/ \ Respect for open standards
Take your laptop and yell out: 
Can a brother get a ip address?




Re: OT Boincing Spam

2004-12-21 Thread jdow
From: Evan Platt [EMAIL PROTECTED]

> ChupaCabra said:
>> My boss is twisting off today because he got 350 messages marked [SPAM]
>> over the weekend.  His Reaction is to Bounce em all, Let the isps sort
>> it out.  I tried explaining about forged headers and the myriad of
>> other methods spammers use to look like they come from someplace else.
>> Apparently he feels like I am blowing smoke.
>
> I don't have a link for you, but tell your boss to imagine if someone
> decided to dictionary attack every ISP they could find, using not only
> dictionary words, but every combination of letters up to 9 letters, i.e.
> a, b, c, etc up to z for every ISP they
> can find. And tell your boss that they intend to use HIS address as the
> reply-to address for the spam. Now ask him if he still thinks it's a good
> idea for ISP's to 'bounce' spam to this unintended victim - him.

Nice to fantasize about, Evan; but, doing so can truncate a budding
career woefully short.

If he uses procmail then he can toss all the spam above 10 points into
/dev/null. For the rest teach your boss how to set up a SPAM folder in
his email program. Then explain the false positive problem and how he
might lose customers that way. That might get him to cull through the
few 5.0 to 9. spams he'd receive. I am sure something equivalent
can be done with the spam stars with virtually any filter mechanism be
it milter, amavis, or whathaveyou.

Also, a note for the SARE folks:
There might be an alternate set of scores for the sexual related spams
that give them very high weights. These are things that do not belong in
most business environments. Let the employees be kinky at home.

{^_^}



Re: OT Boincing Spam

2004-12-21 Thread jdow
From: Evan Platt [EMAIL PROTECTED]

> Evan Platt said:
>> I don't have a link for you, but tell your boss to imagine if someone
>> decided to dictionary attack every ISP they could find, using not only
>> dictionary words, but every combination of letters up to 9 letters, i.e.
>> a, b, c, etc up to z for every ISP they
>> can find. And tell your boss that they intend to use HIS address as the
>> reply-to address for the spam. Now ask him if he still thinks it's a good
>> idea for ISP's to 'bounce' spam to this unintended victim - him.
>
> Let me follow up to myself (please allow myself to introduce... myself.) I
> posted a message to a yahoo group last week. A few minutes later, I get an
> e-mail that my message has been marked as Spam by some software, and if I
> wish to confirm my identity, I must click on a link to that company's web
> site (tracking numbers and all that in the URL). And, of course, this will
> add me to the person's allowed list so I won't have to do it again.
> Needless to say, I will NOT do that. This company could then sell its
> lists of CONFIRMED addresses for a goldmine.
>
> I then posted to the list, asked if anyone else had received this message,
> and a number of people did, and for the most part, no one clicked on the
> link. So now there's some 1d10t wondering why he's not getting any mail. I
> know this isn't your boss's intention, but it sounds like he wants
> anything marked as spam deleted? Not a good idea, IMHO.
> (Baby, bathwater).
>
> Evan

I consign such tweebles to the bit bucket in procmail before they ever
get to SpamAssassin. I very seldom review that very slowly growing set
of rules. If someone reforms I'm still not interested in the critter.

{^_^}




Re: OT Boincing Spam

2004-12-21 Thread Jim Barry
So true.  If the boss wants to make an effort, then submit the spams to
spamcop -- or personally go to the upstream providers with individual
abuse complaints---

But attempting to bounce spam to likely bogus servers and users is futile,
with results about the same as him going outside and pissing into the
wind.




On Mon, December 20, 2004 8:34 pm, jdow said:
> Let your boss know that this policy he suggests WILL get him blocked
> at many sites permanently and spammers will find him such a convenient
> bounce spam relay that he'll end up on every blacklist in the world.




Re: OT Boincing Spam

2004-12-21 Thread Jeff Chan
On Monday, December 20, 2004, 12:49:59 PM, ChupaCabra ChupaCabra wrote:
> My boss is twisting off today because he got 350 messages marked [SPAM]
> over the weekend.  His Reaction is to Bounce em all, Let the isps sort
> it out.  I tried explaining about forged headers and the myriad of
> other methods spammers use to look like they come from someplace else.

Please don't bounce spams back to the (forged) senders.
All that does is create more noise, and it's considered
by most to be a poor practice.

If you're not already, consider using the RBL
sbl-xbl.spamhaus.org at the MTA level.  It's quite
safe and rejects a lot of spam before it's even seen
by SpamAssassin, etc.

What SpamAssassin or other anti-spam features are
you currently using?  SURBLs are quite effective
and pretty safe IMO.  :-)

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



RE: OT Boincing Spam

2004-12-21 Thread Michele Neylon :: Blacknight Solutions
> If you're not already, consider using the RBL
> sbl-xbl.spamhaus.org at the MTA level.  It's quite safe and
> rejects a lot of spam before it's even seen by SpamAssassin, etc.

I'd have to disagree with you Jeff.
A lot of the Irish and UK ISP netblocks end up in there as well, so you run
a higher risk of FPs if you are not careful.




Mr Michele Neylon
Blacknight Internet Solutions Ltd
Hosting, co-location & domains
http://www.blacknight.ie/
Tel. +353 59 9137101
http://www.blacknight.ie/specialoffers.html





RE: OT Boincing Spam

2004-12-21 Thread Chris Santerre


> -----Original Message-----
> From: ChupaCabra [mailto:[EMAIL PROTECTED]
>
> First he wanted that.  I did it but actually kept em all.  So then his
> partner didn't get an urgent email so it was turned back to the users to
> decide.  I get a different kneejerk each week.  What fun dealing with an
> 80 yo ex military man.  This am it was Let's spambomb every isp that
> sends spam and maybe *they* will do something about it.  And screw the
> rest of the world too.  America owns the internet.  Fsck Em, they would
> all die without the american economy, etc.

Boy you guys are all missing it. He needs to put it in terms his boss
understands.

Tell him it is like hearing shots fired and putting suppressive fire on the
area without determining WHO is actually firing!

He's looking at an internet court-martial, for failing to act calm under
fire.

--4 Star Major of antispam, Chris





OT Boincing Spam

2004-12-20 Thread ChupaCabra
My boss is twisting off today because he got 350 messages marked [SPAM]
over the weekend.  His Reaction is to Bounce em all, Let the isps sort
it out.  I tried explaining about forged headers and the myriad of
other methods spammers use to look like they come from someplace else.
Apparently he feels like I am blowing smoke.

Does anyone have some good links for why it is not a good idea to bounce
spam?  I am getting nowhere with my spiel.  Until he hears it from
somewhere else I am in s--t city.

I can see where he gets the idea in that I still see people on the
internets saying bouncing it is good but in all my readings I have
learned better.  Or does anyone think bouncing all spam is a good idea?

Thanks ahead.
--
Michael H. Collins  Admiral, Penguinista Navy
http://linuxlink.com
/\ASCII Ribbon Campaign
\ / No HTML/RTF in email
x   No Word docs in email
/ \ Respect for open standards
Take your laptop and yell out: 
Can a brother get a ip address?




Re: OT Boincing Spam

2004-12-20 Thread Ralf Hildebrandt
* ChupaCabra [EMAIL PROTECTED]:
> My boss is twisting off today because he got 350 messages marked [SPAM]
> over the weekend.  His Reaction is to Bounce em all, Let the isps sort
> it out.  I tried explaining about forged headers and the myriad of
> other methods spammers use to look like they come from someplace else.
> Apparently he feels like I am blowing smoke.
>
> Does anyone have some good links for why it is not a good idea to bounce
> spam?

Bounce where?

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)          [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                         send no mail to [EMAIL PROTECTED]


Re: OT Boincing Spam

2004-12-20 Thread Duncan Hill
On Monday 20 December 2004 20:49, ChupaCabra wrote:
> I can see where he gets the idea in that I still see people on the
> internets saying bouncing it is good but in all my readings I have
> learned better.  Or does anyone think bouncing all spam is a good idea.

Backscatter will get you blacklisted these days - there's enough junk mail on 
the net that backscatter doesn't help.

Crank up your SMTP rejections if you can - greylisting works quite well for 
the hit-and-run spammer who doesn't use a real SMTP server to send the spam.  
Add in things like 'don't say HELO with my IP or name, or with a reserved IP' 
and you're doing well.

Finally, look at using something like amavisd-new and quarantine mode - spam
with a score > n gets quarantined instead of passed through.  There are
commercial products that will do this, along with Maia MailGuard and a few
others, including a plugin for squirrelmail.


Re: OT Boincing Spam

2004-12-20 Thread Mike
On Mon, 20 Dec 2004 14:49:59 -0600, ChupaCabra [EMAIL PROTECTED] wrote:
> Or does anyone think bouncing all spam is a good idea.
>
> Thanks ahead.
>
> --
> Michael H. Collins  Admiral, Penguinista Navy

Bouncing spam will do two things. First, it'll generate a lot of
useless traffic, which may or may not cost you money, but will
(slightly) increase the costs for everyone whose networks your bounces
transit.

The other thing it will do is queue up a lot of email in your outbound
MTA queue. A lot of spam is sent with completely bogus
usernames/domains/etc., or is sent from domains that refuse
connections to their MX records. You'll spend a fair amount of time
purging invalid email out of your mail queue, which tends to be boring
:)

We did bounce spam for a while, but have since just let the end users
decide what to do with it. Ultimately, this is the best solution, as
what may be good for one person, may not be an option for another.
It's not hard to create a rule to delete all email heading to your
boss that is marked spam.

Mike


Re: OT Boincing Spam

2004-12-20 Thread ChupaCabra

Evan Platt wrote:
> Evan Platt said:
>
>> I don't have a link for you, but tell your boss to imagine if someone
>> decided to dictionary attack every ISP they could find, using not only
>> dictionary words, but every combination of letters up to 9 letters, i.e.
>> a, b, c, etc up to z for every ISP they
>> can find. And tell your boss that they intend to use HIS address as the
>> reply-to address for the spam. Now ask him if he still thinks it's a good
>> idea for ISP's to 'bounce' spam to this unintended victim - him.
>
> Let me follow up to myself (please allow myself to introduce... myself.) I
> posted a message to a yahoo group last week. A few minutes later, I get an
> e-mail that my message has been marked as Spam by some software, and if I
> wish to confirm my identity, I must click on a link to that company's web
> site (tracking numbers and all that in the URL). And, of course, this will
> add me to the person's allowed list so I won't have to do it again.
> Needless to say, I will NOT do that. This company could then sell its
> lists of CONFIRMED addresses for a goldmine.
>
> I then posted to the list, asked if anyone else had received this message,
> and a number of people did, and for the most part, no one clicked on the
> link. So now there's some 1d10t wondering why he's not getting any mail. I
> know this isn't your boss's intention, but it sounds like he wants
> anything marked as spam deleted? Not a good idea, IMHO.
> (Baby, bathwater).
>
> Evan

First he wanted that.  I did it but actually kept em all.  So then his
partner didn't get an urgent email so it was turned back to the users to
decide.  I get a different kneejerk each week.  What fun dealing with an
80 yo ex military man.  This am it was Let's spambomb every isp that
sends spam and maybe *they* will do something about it.  And screw the
rest of the world too.  America owns the internet.  Fsck Em, they would
all die without the american economy, etc.

--
Michael H. Collins  Admiral, Penguinista Navy
http://linuxlink.com
/\ASCII Ribbon Campaign
\ / No HTML/RTF in email
x   No Word docs in email
/ \ Respect for open standards
Take your laptop and yell out: 
Can a brother get a ip address?




Re: OT Boincing Spam

2004-12-20 Thread ChupaCabra

shane mullins wrote:
> Could you just discard it?

I was till a couple of VIPs lost important email.  I was actually
keeping it all because I knew better.

 



RE: OT Boincing Spam

2004-12-20 Thread Ring, John C
> My boss is twisting off today because he got 350 messages marked [SPAM]
> over the weekend.  His Reaction is to Bounce em all, Let the isps sort
> it out.

And then when a spammer sends tons of e-mail to your site forged as, say,
[EMAIL PROTECTED], you stand a good chance IBM may end up blocking all
email from your site, at least for a while.

Also, check the terms of service with your ISP.  I suppose it is possible
they might consider such a configuration as abusive, and could use it as
grounds to terminate your service.  Plenty of people are savvy enough to
report spam to the ISP of the sender.  (In this case, you would in effect be
that sender.)

What you want to do, IMO, is run SpamAssassin during the SMTP session, such
as with http://duncanthrax.net/exiscan-acl/.  Then reject messages with a
very high score, but simply label and deliver messages for a lower spam
score.  For example, reject mail scoring 15 or higher, mark and deliver if 5
or over, and classify as ham if the score is below 5.

Other MTAs provide other ways of doing this as well.



-- 
John C. Ring, Jr. 
[EMAIL PROTECTED] 
Network Engineer
Union Switch & Signal Inc.

If all mankind minus one, were of one opinion, and only one person of the
contrary opinion, mankind would be no more justified in silencing that one
person, than he, if he had the power, would be justified in silencing
mankind -- John Stuart Mill
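
The reject/tag/deliver policy from the post above, as an added example that is not part of the original message or of any MTA's own code. It decides the reply to the final "." of DATA from the scanner's `X-Spam-Status` header, so a refusal is a 5xx reply to the connected client and no bounce message is ever generated. Assumptions: the local scanner puts its header first (any later copy is treated as sender-supplied), unscanned mail is delivered unchanged, and the sample messages are constructed.

```python
import re
from email import message_from_string

REJECT_AT = 15.0   # "reject mail scoring 15 or higher"
TAG_AT = 5.0       # "mark and deliver if 5 or over"
TAG = "**SPAM**"   # subject marker used earlier in the thread
SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")


def score_of(msg):
    """Score from the first X-Spam-Status header, or None if unscanned.

    Only the first header is read: in this example the local scanner
    prepends its result, so a copy lower down came with the message
    and must not be trusted.
    """
    status = msg.get("X-Spam-Status")
    if status is None:
        return None
    match = SCORE_RE.search(status)
    return float(match.group(1)) if match else None


def end_of_data_decision(raw):
    """Return (smtp_reply, message_to_deliver or None) for one message."""
    msg = message_from_string(raw)
    score = score_of(msg)
    if score is None:
        return "250 2.0.0 OK", raw            # unscanned: deliver as is
    if score >= REJECT_AT:
        # Refused inside the SMTP session; nothing is queued or bounced.
        return "554 5.7.1 Message rejected as spam", None
    if score >= TAG_AT:
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            del msg["Subject"]
            msg["Subject"] = f"{TAG} {subject}".strip()
        return "250 2.0.0 OK", msg.as_string()
    return "250 2.0.0 OK", raw


def sample(subject, *status_headers):
    """Constructed message; scanner headers are placed first."""
    lines = [f"X-Spam-Status: {s}" for s in status_headers]
    lines += ["From: sender@example.net", "To: user@example.org",
              f"Subject: {subject}", "", "body text", ""]
    return "\n".join(lines)


HIGH = sample("Cheap meds", "Yes, score=17.3 required=5.0 tests=BAYES_99")
MID = sample("Refinance today", "Yes, score=7.1 required=5.0 tests=BAYES_80")
HAM = sample("Lunch?", "No, score=0.3 required=5.0 tests=none")
UNSCANNED = sample("Hello")
# The sender added a second, flattering header below the scanner's own.
FORGED = sample("Cheap meds", "Yes, score=16.4 required=5.0",
                "No, score=0.0 required=5.0")

if __name__ == "__main__":
    for name in ("HIGH", "MID", "HAM", "UNSCANNED", "FORGED"):
        reply, _ = end_of_data_decision(globals()[name])
        print(f"{name:10s} -> {reply}")
```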


Re: OT Boincing Spam

2004-12-20 Thread Evan Platt
ChupaCabra said:
> First he wanted that.  I did it but actually kept em all.  So then his
> partner didn't get an urgent email so it was turned back to the users to
> decide.  I get a different kneejerk each week.  What fun dealing with an
> 80 yo ex military man.  This am it was Let's spambomb every isp that
> sends spam and maybe *they* will do something about it.  And screw the
> rest of the world too.  America owns the internet.  Fsck Em, they would
> all die without the american economy, etc.

Perhaps he doesn't understand the thinking behind let's spambomb every
ISP that sends spam

Back to my second Joe-Job example.
For example, let's say I'm connected with a dial up account in China. I
spoof all headers to indicate my spam comes from [EMAIL PROTECTED] . Who
gets the bounce messages, ChinaSpamHaven.hk , or [EMAIL PROTECTED] / aol.com?