Hi,

On Thu, 09 Oct 2003 11:56:29 -0300 Fabiano Bonin <[EMAIL PROTECTED]> wrote:
> I am using SpamAssassin since yesterday and I put it in production today,
> site wide.
> It's amazing.
> It's filtering 95% on my daily messages, and all blocked messages are
> really spams.
>
> BUT, in my particular point of view, spam generates 2 big problems:
>
> 1 - Lots of crap in our mailboxes
> 2 - Lots of internet traffic
>
> Today, SpamAssassin is solving problem number 1 greatly, but problem
> number 2 is unsolved, since I will continue to receive all this crap all
> day (I just will not see it), and the internet traffic will continue
> suffering.

End-user filtering and tagging reduces the obvious symptoms of the disease but does little to cure it. Blocking bad mailers at your network's edge reduces the cost to you and begins to solve the problem. Ultimately, we need to isolate spammers, those that support them, and those that benefit from them from the public internet. Without force of arms or force of law, we're left with dropping their packets at the firewall.

Since spamming at its essence[1] is a denial of service attack and an effort at shifting cost from sender to recipient, we want to push our spam defenses as close to the edge of our network as possible to reduce our costs and our vulnerability. That means rejecting inbound connections at the firewall, rejecting (not bouncing) mail at the SMTP level, discarding (not bouncing) obviously spammy mail, tagging the remainder, and passing it to the end user.

> If there was a way to reject the spam in the mail server (returning the
> rejection to the sender), maybe the spammers will remove our addresses
> from its lists, and the traffic will decrease.
>
> Is this step possible? If yes, where can I find more documentation?

See the sendmail documentation and talk to your networking staff (if that's you, consult your router and firewall documentation.) Remember that some techniques are only useful for small sites and will have unacceptable false positive rates if used at larger sites.
First, I firewall off bad actors (generally large swaths of Korean and Chinese network space; I can do this because I'm a small site and I receive no legitimate mail from China or Korea. If you have more than a handful of users, I'd advise against this.)

Then I reject mail with MTA rules. I use Postfix but this general method should work with any reasonable MTA.

  I allow all mail from my own networks
  I allow mail from whitelisted systems
  I reject mail from mailers with no forward DNS (A records) - this causes false positives
  I reject mail from open proxies (anything listed in opm.blitzed.org or proxies.blackholes.easynet.nl)
  I reject mail from dynamically-assigned network space (anything listed in dynablock.easynet.nl) - this may cause false positives, though dynamic users should send mail through their ISP's mail server or get a static IP address.
  I reject mail from mailers listed in sbl.spamhaus.org
  I reject mail from open relays (listed in relays.ordb.org)
  I reject mail from hijacked network space (listed in zombie.dnsbl.sorbs.net)

That's all based on the connecting server's IP address. Then I reject based on the HELO parameter:

  I accept mail from my networks
  I reject mail that does not send a HELO parameter
  I whitelist legitimate servers with broken HELO
  I reject mail with HELO parameters that
    - aren't valid hostnames
    - aren't fully-qualified domain names
    - do not resolve in DNS

These last few will cause false positives due to misconfigured mail servers.
If you do this, check your mail logs and update your whitelist regularly.

I then reject on the MAIL FROM parameter (envelope sender?):

  Again, I accept mail from my networks
  I whitelist specific senders
  I reject mail from domains that have neither an A nor an MX record
  I reject mail from sending domains that are not in fully-qualified domain name format

I then reject on the RCPT TO parameter:

  I accept mail from my networks
  I accept mail for servers I act as backup MX for
  I reject mail for unauthorized destinations (open relaying)
  I reject unauthorized pipelining
  I reject mail for recipients whose address is not in fully-qualified domain name format
  I reject mail for unknown recipient domains

This is all done before I ever see the content of the email. Finally, I reject mail containing Windows executable files (poor man's antivirus solution.)

Compare this process to http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt (specific to Postfix but the general techniques should be apparent.)

One additional thing I could do is to reject mail based on SpamAssassin score (probably anything over 15.) Since I occasionally contribute to SA's mass-check process, I keep all the spam I get. Most people don't need to do this. Check the spamass-milter documentation on how to reject based on SA score at the MTA level in sendmail.

Also, if I was running Sendmail, I might greylist (tempfail) inbound mail; this is a process of recording the sender, recipient, and IP address (triplet) of the sender before the DATA phase of the SMTP transaction, responding with a temporary rejection (450) response, then accepting mail from previously-seen triplets some time later (5 minutes to an hour.) This causes a one-time delay per triplet, and the amount of bandwidth consumed by the repeated rejections is much smaller than the amount of spam that would be accepted, meaning (counter-intuitively) this actually saves bandwidth.
There are some issues to be aware of; see http://projects.puremagic.com/greylisting/ for more detailed analysis. This may not be appropriate for sites where timeliness is more important than bandwidth savings.

hth,

-- 
Bob

[1] <rant>Spamming is behavior and has nothing to do with content; content is only relevant to show the message was sent in bulk. A million copies of an empty message is just as abusive as a million copies of pr0n spam. The problem is the resources that are consumed by the million messages, not that Grandma just got some nudie pictures. Filter pr0n if you want, but don't mistake spam as "anything that I don't want in my mailbox." Spam has nothing to do with your individual mailbox or anyone's freedom to express themselves and someone needs to beat this into the head of the EFF and ACLU, preferably with a good solid piece of hardwood. This won't happen so long as John "Please use my open relay to send spam and viruses" Gilmore is involved with either organization. Spam is a denial of service attack and should be prosecuted accordingly.</rant>
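As an added example, and not Bob's own configuration nor the contents of jimsun's postfix-anti-UCE document, here is a Postfix main.cf fragment that applies the same restriction order he lists, one stage per SMTP step (client IP, HELO, MAIL FROM, RCPT TO, then content). The network ranges, the lookup-table paths under /etc/postfix and the backup-MX domain are assumed placeholders. Parameter names are the Postfix 2.3 and later spellings; the older names current when the message was written are noted in comments.

```conf
# Added example: Postfix main.cf fragment mirroring the staged rejection
# order from the message above. Not Bob's configuration. Network ranges,
# table paths and the backup-MX domain are assumed placeholders.
# Postfix does not accept a comment after a value on the same line, so
# every comment here sits on its own line.

# Assumed: the networks whose mail is always accepted.
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# Stage 1: the connecting client's IP address.
# reject_unknown_client_hostname (pre-2.3: reject_unknown_client) rejects
# clients whose address has no PTR record, or whose name does not resolve
# back to the address; as the message notes, this produces false positives.
# The whitelist table holds lines such as "198.51.100.7 OK" (constructed
# sample) and is compiled with: postmap hash:/etc/postfix/client_whitelist
# Only sbl.spamhaus.org from the message's list is used here. Several of
# the other zones it names have since been retired, and a dead zone may
# answer for nothing or for everything, so confirm a zone is still operated
# (and read its listing policy) before adding another reject_rbl_client.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/client_whitelist,
    reject_unknown_client_hostname,
    reject_rbl_client sbl.spamhaus.org

# Stage 2: the HELO/EHLO hostname.
# smtpd_helo_required rejects clients that skip HELO entirely.
# Pre-2.3 names: reject_invalid_hostname, reject_non_fqdn_hostname,
# reject_unknown_hostname. Keep helo_whitelist for known-good servers with
# broken HELO, and review the logs regularly, as the message advises.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_whitelist,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname

# Stage 3: the envelope sender (MAIL FROM).
# reject_unknown_sender_domain rejects when the sender domain has neither
# an A nor an MX record; reject_non_fqdn_sender rejects unqualified names.
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_whitelist,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# Stage 4: the envelope recipient (RCPT TO).
# Domains this host is a backup MX for belong in relay_domains, so that
# reject_unauth_destination accepts them and nothing else. That is safer
# than placing permit_mx_backup ahead of reject_unauth_destination, which
# would relay for any domain that merely points an MX record at this host.
relay_domains = $mydestination, backed-up-domain.example
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain

# Stage 5: content, after DATA (the "poor man's antivirus" step).
# A regexp table line in /etc/postfix/mime_header_checks such as
#   /^Content-(Disposition|Type).*name\s*=\s*"?.*\.(exe|scr|pif|bat|com)"?\s*$/ REJECT Windows executables are not accepted
# rejects the message when an attachment's MIME header names an executable.
mime_header_checks = regexp:/etc/postfix/mime_header_checks
```

After editing, compile each hash: table with postmap, then run postfix reload. While tuning, soft_bounce = yes turns every reject into a temporary failure so a mistaken rule delays mail instead of losing it; the mail log then shows which rule would have fired. The greylisting scheme the message describes is available to Postfix 2.1 and later through check_policy_service (postgrey implements exactly the sender/recipient/IP triplet with a 450 response), which would slot into smtpd_recipient_restrictions after reject_unauth_destination.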