Spam fighting tools

Walter Dnes waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org
Tue Apr 6 10:19:07 UTC 2004


On Mon, Apr 05, 2004 at 11:50:34AM -0400, talexb-SBdzbUvMQDunS0EtXVNi6w at public.gmane.org wrote

> If I ever get as far having my own mail server (not possible while I
> live at the end of a Sympatico DSL line), I will definitely go with
> some sort of white list -- domains or E-Mail addresses that I trust
> get through without a problem; anyone else gets an automatically
> generated challenge.

  The concept of the "automatically generated challenge" in the form of
a DSN (i.e. bounce message) is getting an *EXTREMELY* bad reception on
nanae and spamfighting mailing lists.  It's considered equivalent to the
"you sent us a virus" notification.  Spammers and viruses both forge
"From:" *AND* envelope-sender.  On the other hand, if you send a 5XX
reject at the SMTP transaction, that's OK, because it doesn't contribute
to mailbombing innocent third-parties.

  I've got a remote account with clss.net (Aurora Internet), in
Logansport, Indiana.  They have a hacked-up qmail that allows
*END-USERS* to set up blocking rules that are implemented *DURING THE
SMTP TRANSACTION*, right after the "MAIL TO:".  I've now got it
fine-tuned to the point where I get approx one or two spams per week
leaking through with almost no false-positives.  Here is my
email-blocked count, by month, from Feb 2003 to March 2004.

120  178  285  801  243  308  317 2160 1148  951 2556 1497  780  706
FEB  MAR  APR  MAY  JUN  JUL  AUG  SEP  OCT  NOV  DEC  JAN  FEB  MAR

  March 2004 seems to be an anomaly.  My blocks are stopping more in
April, at a rate that would extrapolate to 900 for the month.  The first
Accept/Reject that matches is implemented immediately, and subsequent
rules are not read.  The various ruleset options available include...

REJECTNOHOSTNAME (reject where there is absolutely zero/zilch/nada rDNS)

reject when forward DNS of rDNS of the connecting MTA does not equal the
IP address of the connecting MTA.

The following rules can be invoked as either/or Accept/Reject criteria.
This allows whitelisting as well as blocking.

envelope-sender

rDNS

tail-end of envelope-sender or rDNS

regexp match against envelope-sender or rDNS

CIDR (I block 4.0.0.0/8 and 200.0.0.0/7 and a few others)

Accept/reject based on specific return values from DNSbls.  I block
over a dozen countries with just one lookup to zz.countries.nerd.dk

Other useful DNSbls include dnsbl.sorbs.net, list.dsbl.org, and
sbl-xbl.spamhaus.org

At the end of my ruleset I have
accept email with rDNS ending in hotmail.com
reject email with envelope-sender ending in hotmail.com

Ditto for Yahoo.  These are the most heavily forged addresses.  The
logic is that the accept rule will match stuff that is *REALLY* from
Hotmail.  If an email gets past that rule, then it hasn't been sent from
Hotmail, and is most likely a forgery.  The next rule rejects non-Hotmail
email with a Hotmail envelope-sender.  Yes, it will trip over a Hotmail
user sending legitimately from another ISP, but this beats blocking *ALL*
Hotmail/Yahoo email like some people do.

Here's a summary of March blockages.  The list is in the order that the
rules are implemented.  So rules near the end only get to see email that
hasn't been accepted/rejected by earlier rules...

Total = 706
===========
No hostname = 247
Dynamic IP by rDNS regex = 213
Provider by envelope-sender = 14
Provider by rDNS = 35
Country by envelope-sender = 15
Country by rDNS = 66
200.0.0.0/7 CIDR = 3
countries.nerd.dk = 14
Various lists of dnsbl.sorbs.net = 59
verio.blackholes.us = 1
list.dsbl.org = 12
Spamhaus lists = 15
Commonly forged from not verified = 12

  The current spammer favourite is trojaned home machines.  These tend
to either have no hostname, or have a hostname which includes their IP
address and/or the string "dhcp".  I block on rDNS containing "dhcp" or
matching regexp "[0-9]+-[0-9]+-[0-9]+".  The no-hostname and regexp
matches combine for almost 2/3rd of the blocks.  They catch stuff that
DUL DNSbls would miss.  I deliberately put DNSbls as close to the end as
possible.  This minimizes calls to them, cutting down IP traffic, and
making things easier on the DNSbls.

  The one disadvantage is that they're not set up to take credit cards
over the net, so I have to make a long-distance call to Logansport,
Indiana once a year to renew.  The cost is US$30 per year for a single
account, which allows you to create up to 10 email addresses.  You can
also arrange to have them accept email for your domain.  This is all
strictly shell access via ssh; dialup costs more.  But dialing to
Indiana daily would be somewhat expensive.  No, I don't get commissions
or freebies/gifts for promoting them.  Just a happy customer.

-- 
Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
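As an added illustration, not Walter's rules or clss.net's qmail patch, the following Python models the order-dependent first-match ruleset described in the post: the no-hostname and dynamic-rDNS rejects, the "accept real Hotmail by rDNS, then reject Hotmail envelope-senders" pair, and a per-rule tally like the March summary. All IPs, hostnames and addresses are constructed; the suffix match is done on DNS label boundaries, which is slightly tighter than a bare "ending in" string test.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# What the receiving MTA knows during the SMTP transaction.
# rdns is None when the connecting IP has no PTR record at all.
@dataclass
class Connection:
    ip: str
    rdns: Optional[str]
    envelope_sender: str

# One rule: a verdict plus a predicate. Rules are checked in order and the
# first match is final; later rules never see that connection (as in the post).
@dataclass
class Rule:
    name: str
    verdict: str                    # "ACCEPT" or "REJECT"
    matches: Callable[[Connection], bool]

DYNAMIC_RDNS = re.compile(r"[0-9]+-[0-9]+-[0-9]+")   # regexp quoted in the post

def domain_matches(name: Optional[str], suffix: str) -> bool:
    """True if name is suffix or a subdomain of it (label-boundary match)."""
    name = (name or "").lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def sender_domain(addr: str) -> str:
    return addr.rpartition("@")[2]

RULES = [
    Rule("No hostname", "REJECT", lambda c: c.rdns is None),
    Rule("Dynamic IP by rDNS regex", "REJECT",
         lambda c: c.rdns is not None
         and ("dhcp" in c.rdns.lower() or DYNAMIC_RDNS.search(c.rdns) is not None)),
    # Accept mail whose rDNS really is Hotmail, then reject anything that still
    # claims a Hotmail envelope-sender: by now it cannot have come from Hotmail.
    Rule("Real Hotmail by rDNS", "ACCEPT", lambda c: domain_matches(c.rdns, "hotmail.com")),
    Rule("Forged Hotmail envelope-sender", "REJECT",
         lambda c: domain_matches(sender_domain(c.envelope_sender), "hotmail.com")),
]

def evaluate(conn: Connection, rules=RULES):
    """Return (verdict, rule name) of the first matching rule; default accept."""
    for rule in rules:
        if rule.matches(conn):
            return rule.verdict, rule.name
    return "ACCEPT", "default"

def tally(conns, rules=RULES):
    """Count rejects per rule, like the monthly blockage summary in the post."""
    counts = {}
    for conn in conns:
        verdict, name = evaluate(conn, rules)
        if verdict == "REJECT":
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample connections (documentation-range IPs, made-up hosts).
SAMPLE = [
    Connection("198.51.100.7", None, "joe@example.net"),
    Connection("203.0.113.20", "203-0-113-20.dhcp.isp.example", "ann@hotmail.com"),
    Connection("192.0.2.5", "mx1.hotmail.com", "bob@hotmail.com"),
    Connection("192.0.2.9", "smtp.other-isp.example", "bob@hotmail.com"),
    Connection("192.0.2.10", "mail.example.org", "carol@example.org"),
]
```

Note that the second sample is rejected as a dynamic host before the Hotmail pair is ever consulted, which is exactly the ordering effect the post describes.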