State of the art spam control?

Walter Dnes waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org
Thu Jan 12 05:14:03 UTC 2006


On Mon, Jan 09, 2006 at 08:42:42AM -0500, Fraser Campbell wrote

> I rather like the idea of an anti-spam solution that rejects mail
> during SMTP transaction.  I'm not happy with the idea of any system
> that directs mail to /dev/null or even a folder that I will never
> read ... if I am not going to read it I'd like that to be explicit
> by issuing an SMTP reject, that way any unfortunate sender who gets
> blocked will know.  I'm open to differing opinions on this though ...
> 
> I haven't really looked at any spam solutions since I implemented
> TMDA so I'm hoping you can all share opinions on how to beat spam
> (a bit of a vi vs. emacs type question I suppose).

  The following is not paid-for spam; it's the result of being a happy
customer.  I have a remote inbox with clss.net (Aurora Internet Services
in Logansport, Indiana).  They've hacked qmail to implement smtp-stage
rejection (the big 550) right after the RCPT stage under the control of
a user-configured config file.  I've automated ssh-tunneling so that any
program that can pull POPmail can get email via ssh-tunneling.

  The config file allows blocking on various items.  Most of the *REJECT
options have a *ACCEPT equivalent, for enabling whitelisting.  Various
criteria include...
  - envelope-sender or portions thereof
  - rDNS, or portions thereof
  - reject from machines with no rDNS at all (China)
  - HELO, or portions thereof
  - HELOing as the *RECEIVING* MTA (dohhh)
  - IP addresses or CIDRs
  - return values from DNSbls.  Multiple values can be specified.  One
    DNS lookup to dnsbl.sorbs.net or zz.countries.nerd.dk can scan for
    multiple 127.0.X.Y codes.
  - you can add custom messages (or the DNSbl's TXT field) to the 550
    message.  E.g. temporary filter bypass addresses.

  I'm attaching my config file (with whitelist greatly cut down) to give
a feel for how it works.  You also get a log file of rejects.  I wrote a
script to parse the log file.  Here's the number of attempts rejected so
far this month...

     31 Jan  1
     30 Jan  2
     28 Jan  3
    100 Jan  4
    183 Jan  5
     46 Jan  6
     29 Jan  7
     38 Jan  8
     23 Jan  9
     43 Jan 10
    115 Jan 11

-- 
Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
-------------- next part --------------
#!/var/qmail/bin/dnsblfilter -lf
# whitelist
SIACCEPTTAIL york.ca,newmarket.ca
PIACCEPTTAIL york.ca,newmarket.ca
IACCEPT 209.139.212.0/24
PIACCEPTTAIL grp.scd.yahoo.com
# idiots helo'ing as my mx
REJECTSELFHELO Just who do you think you're kidding with that helo?
# idiots helo'ing as my domain
HIREJECTTAIL waltdnes.org Just who do you think you're kidding with that helo?
# Spam seems to be the only thing I get from this H E L O
HIREJECT addr.com H E L O and goodbye.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# reject email from machines with absolutely no rdns
REJECTNOHOSTNAME Rejected due to lack of hostname.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# reject email from sites whose rdns smells dynamic
PIREJECTREGEX [0-9]+-[0-9]+-[0-9]+ Rejected email from dynamic IP.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
PIREJECTREGEX [0-9]+\.[0-9]+\.[0-9]+ Rejected email from dynamic IP.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
PIREJECTREGEX tiscali Rejected email from tiscali affiliate.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
PIREJECTTAIL ipt.aol.com Rejected email from dynamic IP.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
PIREJECTTAIL cpe.net.cable.rogers.com Rejected email from dynamic IP.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
PIREJECTTAIL ar,br,cl,cn,fr,gb,gt,hk,in,id,il,it,jp,kr,my,nl,ng,pl,ro,ru,su,sg,es,za,tw,uk Certain countries (pireject-tail) If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
SIREJECTTAIL ar,br,cl,cn,fr,gb,gt,hk,in,id,il,it,jp,kr,my,nl,ng,pl,ro,ru,su,sg,es,za,tw,uk Certain countries (sireject-tail) If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
PIREJECTTAIL biz,info,hinet.net (Certain providers by rDNS) If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
SIREJECTTAIL biz,info,hinet.net (Certain providers by envelope-sender) If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# For viruses allegedly from support at waltdnes.org and blatantly obvious phishing from outfits I don't have accounts with.
SIREJECTTAIL waltdnes.org,e-gold.com,egoldshop.net,paycard2000.com,paypal.com,aceinkjet.com,ebay.com,chase.com  I don't have an account with you, so bugger off.
# Residential address space
IREJECT 12.0.0.0/8 Block of all 12.0.0.0/8 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# Residential address space (broadband)
IREJECT 24.0.0.0/8 Block of all 24.0.0.0/8 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# AFRINIC
IREJECT 41.0.0.0/8 Block of all 41.0.0.0/8 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# APNIC
IREJECT 58.0.0.0/7 Block of all 58.0.0.0/7 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# APNIC
IREJECT 60.0.0.0/7 Block of all 60.0.0.0/7 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# APNIC
IREJECT 124.0.0.0/7 Block of all 124.0.0.0/7 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# APNIC
IREJECT 126.0.0.0/8 Block of all 126.0.0.0/8 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# LACNIC
IREJECT 189.0.0.0/8 Block of all 189.0.0.0/8 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# LACNIC
IREJECT 190.0.0.0/8 Block of all 190.0.0.0/8 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# LACNIC (200 and 201) and APNIC (202 and 203)
IREJECT 200.0.0.0/6 Block of all 200.0.0.0/6 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# APNIC
IREJECT 210.0.0.0/7 Block of all 210.0.0.0/7 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# APNIC
IREJECT 218.0.0.0/7 Block of all 218.0.0.0/7 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# APNIC
IREJECT 220.0.0.0/6 Block of all 220.0.0.0/6 IP space.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
IREJECT 216.184.96.0/19 No Hablo E-spam-ol (Telefonica). If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
IREJECT 216.230.128.0/19 No Hablo E-spam-ol (intelnet.net.gt). If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# Seeing several spam from these
IREJECT 65.52.0.0/14 Rejected email from spam spigot Hotmail.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
IREJECT 64.4.0.0/18 Rejected email from spam spigot Hotmail.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
#        dnsbl.sorbs.net aggregate return codes are:
#   http.dnsbl.sorbs.net    127.0.0.2
#  socks.dnsbl.sorbs.net    127.0.0.3
#   misc.dnsbl.sorbs.net    127.0.0.4
#   smtp.dnsbl.sorbs.net    127.0.0.5
#   spam.dnsbl.sorbs.net    127.0.0.6
#    web.dnsbl.sorbs.net    127.0.0.7
#  block.dnsbl.sorbs.net    127.0.0.8
# zombie.dnsbl.sorbs.net    127.0.0.9
#    dul.dnsbl.sorbs.net    127.0.0.10
#badconf.rhsbl.sorbs.net    127.0.0.11
# nomail.rhsbl.sorbs.net    127.0.0.12
REJECT dnsbl.sorbs.net A 127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5,127.0.0.7,127.0.0.9,127.0.0.10 %TXT% Email rejected on advice of dnsbl.sorbs.net.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
REJECT list.dsbl.org A 127.0.0.2 Email rejected on advice of list.dsbl.org.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
# REJECT sbl-xbl.spamhaus.org A 127.0.0.2 %TXT% Email rejected on advice of spamhaus.org.  If yours was a legitimate email see http://www.waltdnes.org/bypass.html to bypass block.
PIACCEPTTAIL aol.com
SIREJECTTAIL aol.com I only accept From: @aol.com addresses if the email actually originates from a aol.com server.
PIACCEPTTAIL msn.com
SIREJECTTAIL msn.com I only accept From: @msn.com addresses if the email actually originates from a msn.com server.
PIACCEPTTAIL yahoo.com
SIREJECTTAIL yahoo.com I only accept From: @yahoo.com addresses if the email actually originates from a yahoo.com server.

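The post describes a post-RCPT filter whose config lines are matched against the connecting IP, its rDNS, the HELO, the envelope sender and DNSBL answers, with ACCEPT lines acting as a whitelist. Below is a small offline model of that, added here as an example; it is not the clss.net dnsblfilter (its code is not in the thread), and the rule semantics (rules run top to bottom, the first ACCEPT or REJECT wins, *TAIL matches whole DNS labels, unmatched mail is accepted), the receiving-MTA name mail.waltdnes.org, the DNSBL answers in the offline table and the sample sessions are all assumptions or constructed data, not something the post states. The config text is a shortened excerpt of the attached file.

```python
# Added example, not the clss.net dnsblfilter: an offline model of a
# post-RCPT reject filter driven by the directive style of the attached
# config.  ASSUMED semantics: rules run top to bottom, first ACCEPT/REJECT
# wins, *TAIL matches at a label boundary, unmatched mail is accepted.
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass
class Session:           # what the MTA knows when RCPT TO arrives
    ip: str
    helo: str
    sender: str          # envelope MAIL FROM address
    rdns: Optional[str]  # PTR name, or None when the IP has no rDNS

@dataclass
class Rule:
    field: str    # I (IP), PI (rDNS of IP), SI (sender), HI (HELO), DNSBL, SELFHELO, NOHOST
    action: str   # ACCEPT or REJECT
    match: str    # CIDR, EXACT, TAIL, REGEX, CODES, FLAG
    value: str
    message: str
    zone: str = ""

_KW = re.compile(r"^(PI|SI|HI|I)(ACCEPT|REJECT)(TAIL|REGEX)?$")

def parse_config(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # also skips the #! line
            continue
        kw, _, rest = line.partition(" ")
        if kw == "REJECTSELFHELO":
            rules.append(Rule("SELFHELO", "REJECT", "FLAG", "", rest.strip()))
        elif kw == "REJECTNOHOSTNAME":
            rules.append(Rule("NOHOST", "REJECT", "FLAG", "", rest.strip()))
        elif kw == "REJECT":                   # REJECT <zone> A <code,code,...> <msg>
            zone, rtype, codes, msg = (rest.split(None, 3) + [""])[:4]
            if rtype != "A":
                raise ValueError("only A-record DNSBL lookups are modelled")
            rules.append(Rule("DNSBL", "REJECT", "CODES", codes, msg, zone))
        else:
            m = _KW.match(kw)
            if not m:
                raise ValueError("unknown directive: " + kw)
            field, action, how = m.groups()
            value, _, msg = rest.strip().partition(" ")
            how = how or ("CIDR" if field == "I" else "EXACT")
            rules.append(Rule(field, action, how, value, msg.strip()))
    return rules

def _tail(name: str, tails: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == t or name.endswith("." + t) for t in tails.lower().split(","))

def _matches(r: Rule, s: Session, my_mx: str,
             lookup: Callable[[str], Tuple[Optional[str], str]]) -> Tuple[bool, str]:
    """Return (hit, reject text) for one rule; DNSBL TXT replaces %TXT%."""
    if r.field == "SELFHELO":
        return s.helo.lower().rstrip(".") == my_mx.lower(), r.message
    if r.field == "NOHOST":
        return s.rdns is None, r.message
    if r.field == "DNSBL":                    # query d.c.b.a.<zone>
        rev = ".".join(reversed(s.ip.split(".")))
        a, txt = lookup(f"{rev}.{r.zone}")
        return a in r.value.split(","), r.message.replace("%TXT%", txt)
    subj = {"I": s.ip, "PI": s.rdns, "HI": s.helo,
            "SI": s.sender.rpartition("@")[2] if r.match == "TAIL" else s.sender}[r.field]
    if subj is None:                          # no rDNS: PI rules cannot match
        return False, r.message
    if r.match == "CIDR":
        hit = ipaddress.ip_address(subj) in ipaddress.ip_network(r.value, strict=False)
    elif r.match == "TAIL":
        hit = _tail(subj, r.value)
    elif r.match == "REGEX":
        hit = re.search(r.value, subj) is not None
    else:
        hit = subj.lower() == r.value.lower()
    return hit, r.message

def decide(rules: list, s: Session, my_mx: str, lookup) -> Tuple[str, str]:
    """First matching rule wins; returns the SMTP reply code and text."""
    for r in rules:
        hit, msg = _matches(r, s, my_mx, lookup)
        if hit:
            return ("250", "Ok") if r.action == "ACCEPT" else ("550", msg)
    return "250", "Ok"

# Shortened excerpt of the attached config (messages trimmed).
CONFIG = """\
SIACCEPTTAIL york.ca,newmarket.ca
IACCEPT 209.139.212.0/24
REJECTSELFHELO Just who do you think you're kidding with that helo?
HIREJECTTAIL waltdnes.org Just who do you think you're kidding with that helo?
REJECTNOHOSTNAME Rejected due to lack of hostname.
PIREJECTREGEX [0-9]+-[0-9]+-[0-9]+ Rejected email from dynamic IP.
PIREJECTTAIL biz,info,hinet.net (Certain providers by rDNS)
IREJECT 60.0.0.0/7 Block of all 60.0.0.0/7 IP space.
REJECT dnsbl.sorbs.net A 127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5,127.0.0.7,127.0.0.9,127.0.0.10 %TXT% Email rejected on advice of dnsbl.sorbs.net.
PIACCEPTTAIL aol.com
SIREJECTTAIL aol.com I only accept From: @aol.com addresses if the email actually originates from an aol.com server.
"""
MY_MX = "mail.waltdnes.org"                  # assumed name of the receiving MTA
DNSBL_TABLE = {                              # constructed answers, no real DNS
    "9.100.51.198.dnsbl.sorbs.net": ("127.0.0.10", "Dynamic IP (constructed sample TXT)"),
    "10.100.51.198.dnsbl.sorbs.net": ("127.0.0.6", "spam source (constructed sample TXT)"),
}
def offline_lookup(qname: str) -> Tuple[Optional[str], str]:
    return DNSBL_TABLE.get(qname, (None, ""))

if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for s in (Session("198.51.100.9", "h", "a@example.org", "mail.example.org"),
              Session("198.51.100.8", "h", "joe@aol.com", "mail.example.net")):
        print(s.ip, s.sender, decide(rules, s, MY_MX, offline_lookup))
```

The ordering matters: the IACCEPT near the top short-circuits every later reject for that /24, and the PIACCEPTTAIL aol.com line must precede SIREJECTTAIL aol.com or AOL's own servers would be refused. The sorbs line also shows why the code list is selective: a 127.0.0.6 answer (not in the list) falls through to the next rule instead of rejecting.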

More information about the Legacy mailing list