I agree that using a negative database has been proven to be quite effective. I indeed tried using that sort of thing a while ago and got frustrated with it. Not sure what things are like these days, but back then there were political, economical, and legal issues that made using them a headache. They basically rely on others reporting sources of spam, and scanning for open relays on the Internet.
My biggest issue is with baloney spam - "crap spam". That stuff that has zero commercial value, and arrives in buckets and barrels. I can't figure out the purpose of it really. It is either a way of purposely generating a problem that needs to be addressed and taken care of, or maybe some of it has the purpose of ending up on a random public mailing list. I noticed that on some public boards, sometimes had high PR. Basically keyword loaded emails with specific links had been sent to their mailing list and published live on the web. And showing up in search results. That just had to be the bag, somebody actually reading that garbage wouldn't make heads or tails out of it probably.
Other than that, I just think there must be a lot of people with nothing but time on their hands sending that junk out for no reason.
My second issue is with these people using my domains as the "from" address. I am really glad to see something like SPF that will definitely hamper that sort of thing when it is in widespread use.
In my opinion, SPF is great because it allows each person to specify valid hosts for their own domains. There isn't a clearinghouse or gateway or revocation list, etc. It doesn't stop commercial mail. I don't mind legitimate commercial advertisements in my email one bit. I am talking about email that provides legitimate and identifiable contact information and isn't deceptive.
My third issue is worm/virus emails. Especially these recent ones that have encrypted zip files. I just got sick of it and set the mail server to strip off attachments and provide a URL to download in the email if the recipient really wanted it, with the "potential virus" warning.
But I was looking for a way to drop email before even getting any DATA. After the DATA comes in is where most of the work is done. When a new worm or virus hits, things start cooking. I remember about a year ago one server running at 1200% load. Normally it does around 10,000 a day but at that time it was more like 60,000 a day.
Take care
Waitman
Matt Sergeant wrote:
On 1 Jun 2004, at 20:46, Waitman Gobble wrote:
1. Compare the country of the originating IP address to the country of the "domain" in the "from address". Basically want to dump email that claims to be "from" a US company/domain but originates out of China, etc. and vice-versa.
2. Keep track of IPs that send multiple "from" domains. And black-list those.
3. If the "from" address is a well-known mail service such as yahoo, hotmail, msn, aol, etc. Then the connecting IP has to be on "their" network.
You'd get a lot more blocked just by using some well chosen blocklists.
My recommendations are:
sbl.spamhaus.org
cbl.abuseat.org
opm.blitzed.org
zombie.dnsbl.sorbs.net
relays.ordb.org
list.dsbl.org
http.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
misc.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net
web.dnsbl.sorbs.net
dul.dnsbl.sorbs.net
That takes out a lot of the spam (they are listed in order of preference in case you want to trim off ones that look dodgy).
Then add in DCC. That takes out a further large chunk. (yes I know DCC only detects bulk mail, not spam, but by my measurements it's accurate enough to use as an outright block).
Add in the early_talkers plugin - that's a further chunk. Then drop anything without a Message-ID. Then drop anything without any Received headers.
This gets pretty much all of my spam (I actually have a few other tricks up my sleeve, but can't reveal them as they are quite sensitive to being found out by the spammers). I get a few Nigerian scams slipping through every now and then. And I'm still annoyed by anti-virus bounces and by challenge-response bounces, but these tend to be manageable.
Matt.
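Matt's recipe above, the DNSBL lookups against the connecting IP and the Message-ID / Received checks after DATA, as an added example that is not code from this thread or from qpsmtpd. It is written in Python rather than qpsmtpd's Perl because the technique is the same either way; the injectable `resolve` parameter and the 127.0.0.0/8 sanity check on answers are my own assumptions.

```python
import ipaddress
import socket
from email import message_from_string

# The zones Matt lists, in his order of preference (taken from the thread).
DNSBL_ZONES = [
    "sbl.spamhaus.org", "cbl.abuseat.org", "opm.blitzed.org",
    "zombie.dnsbl.sorbs.net", "relays.ordb.org", "list.dsbl.org",
    "http.dnsbl.sorbs.net", "socks.dnsbl.sorbs.net", "misc.dnsbl.sorbs.net",
    "smtp.dnsbl.sorbs.net", "web.dnsbl.sorbs.net", "dul.dnsbl.sorbs.net",
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: the IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def _default_resolve(name: str):
    """Return the A record for name, or None when it does not exist (NXDOMAIN = not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_hits(ip: str, zones=DNSBL_ZONES, resolve=_default_resolve):
    """Return the zones that list ip, in preference order.

    A genuine listing answers with an address inside 127.0.0.0/8. Any other
    answer (for example a wildcard from a zone that has been retired and now
    answers every query) is treated as bogus rather than as a listing.
    """
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            hits.append(zone)
    return hits


def post_data_reject_reason(raw_message: str):
    """Matt's two header checks after DATA; returns a reason to reject, or None to accept."""
    msg = message_from_string(raw_message)
    if msg.get("Message-ID") is None:
        return "no Message-ID header"
    if not msg.get_all("Received"):
        return "no Received headers"
    return None
```

At connection time, a non-empty `dnsbl_hits()` is grounds to reject before DATA, which is exactly the pre-DATA drop Waitman was after; the header checks run only on mail that gets that far.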