mouss wrote:
> Roman Medina-Heigl Hernandez wrote:
>> What about creating a REJECT recipient rule for "abuse@", etc, with a
>> message like: "Mailbox disabled due to spam. Please, contact us by:
>> http://xxx/contact.php".
>
> This defeats the purpose of [EMAIL PROTECTED] if I get attacks from your
> networks, and if your [EMAIL PROTECTED] doesn't work, I will consider
> that you have no business sending mail. I will at no moment try to parse
> your abuse auto-response and go to your web server.

Why? You're tremendously negative :) If I get attacks from your network and read the reject message redirecting to another source, I'd go to that new source (at least if I consider the attack sufficiently serious). Remember we're qualified people (sysadmins, etc.) and are expected to understand a mail delivery error message... The main drawback is that my idea doesn't deal with automatic mails sent to [EMAIL PROTECTED] (that's bad, you could easily be RBL-listed).

> Also, if your web server is owned, there is no point to refer people
> telling you about it to the same owned web server.

If my web server gets owned *and* the contact page is changed/defaced, the reporter will have to be clever enough to find a security contact. But we're talking about spamming, not owning. My customers could get owned, but it doesn't mean *I* am (or *my* webserver is) owned. Btw, if you are very aware of that, you could add both messages: the URL of the contact page and the [EMAIL PROTECTED] address.

>> And then having some kind of ticket system in
>> contact.php requiring at least a Turing test -aka Captcha- to accept the
>> new request?
>
> This is wrong:
> - captchas have usability/accessibility problems
> - captchas are not secure. google will help you if you're not aware of
> this.

Captchas are not perfect, but we're talking about reducing spam, not eliminating it 100% (btw, if you find a 100% anti-spam solution, please tell me ;-)).

>> In this way you can still be contacted and you avoid typical
>> spam to known addresses (root@, postmaster@, webmaster@, ...).
>
> if you have spam problems, use access controls and content filters. if
> you can't, don't use email.

Best practices tell you that an abuse mailbox *should* not be filtered at all, at least theoretically... :)

> I've found that spam sent to role addresses is good for training (bayes,
> local bl, ... etc) and this is easy to automate (less FP risks since no
> luser behind).

That's a good point, although not better than using a dedicated account/domain as a spamtrap.

>> Another idea would be: "Mailbox disabled due to spam. Please, contact us
>> at: [EMAIL PROTECTED]". And then having the real
>> support mailbox at [EMAIL PROTECTED] You could change this last
>> one from time to time (and updating the REJECT message, of course).
>
> silly games don't help. they are quickly discovered.

Greylisting could also be quickly discovered, but the fact is that it greatly reduces spam (yes, it has its own drawbacks...). The KISS principle tends to be good, not silly :)

Cheers,
-r
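Added example (written for this page, not posted by either participant) of the REJECT recipient rule the thread discusses, expressed as a Postfix check_recipient_access map. The domain example.com, the map path, the contact URL and the alternate address security-contact@example.com are placeholders. The first entry is the URL-only variant from the original proposal; the second is the variant suggested in the reply that lists both the URL and an alternate mailbox. The caveat raised in the thread stands: the rejection happens at RCPT TO, so an automated abuse report (feedback loop, blocklist operator) simply bounces and nobody reads the reject text, and RFC 2142 expects abuse@ to be deliverable (postmaster@ is required outright by RFC 5321), so a domain that rejects abuse@ risks exactly the listing the reply worries about.

```postfix
# /etc/postfix/main.cf (excerpt)
# The recipient map is consulted before reject_unauth_destination so the
# REJECT text is returned at RCPT TO time and lands in the sender's bounce.
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/recipient_access,
    reject_unauth_destination

# /etc/postfix/recipient_access
# Rebuild the indexed map after editing: postmap /etc/postfix/recipient_access
# The first word after REJECT is an RFC 3463 enhanced status code.

# Variant 1 (original proposal): reject and point at a web contact form.
abuse@example.com      REJECT 5.1.1 Mailbox disabled due to spam. Please contact us at https://www.example.com/contact.php

# Variant 2 (reply's suggestion): give both the URL and an alternate
# mailbox, so a reporter still has a working address if the web server
# is down or defaced.
webmaster@example.com  REJECT 5.1.1 Mailbox disabled due to spam. Please contact us at https://www.example.com/contact.php or security-contact@example.com

# postmaster@example.com is deliberately not listed: RFC 5321 requires it.
```

Because the map only fires on the envelope recipient, no message body is ever accepted for the rejected addresses, which is what keeps the spam out but also why no auto-responder or ticket system can see the report; the sending MTA generates the bounce, and only a human reading that bounce sees the URL.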