[PLUG] Email spam...

Paul Johnson baloo at ursine.ca
Sun Sep 7 10:18:02 UTC 2003


On Sat, Sep 06, 2003 at 10:56:53AM -0700, Michael C. Robinson wrote:
> Well I've discovered the hard way that blocking IPs doesn't work very
> well, though I am wondering if the following is a reasonable anti-smut
> approach:

Don't try to attack the categories of spam, attack the whole problem.
I'm down to about .0098% spam with my solution.  First half is using
the setup described recently (did you search the archives?).  Second
half is to report all the spam you get after that.

-- 
 .''`.     Paul Johnson <baloo at ursine.ca>
: :'  :    
`. `'`     proud Debian admin and user
  `-  Debian - when you have better things to do than fix a system
-------------- next part --------------
From plug-admin at lists.pdxlinux.org Thu Sep 04 01:46:05 2003
Received: from [198.107.38.238] (helo=drizzle.pdxlinux.org ident=mail)
	by ursine.ca with esmtp (Exim 4.22)
	id 19upkc-0002Bg-0k
	for baloo at ursine.ca; Thu, 04 Sep 2003 01:45:58 -0700
Received: from localhost
	([127.0.0.1] helo=drizzle.pdxlinux.org ident=list)
	by drizzle.pdxlinux.org with esmtp (Exim 3.35 #1 (Debian))
	id 19upjo-0002r1-00; Thu, 04 Sep 2003 01:45:08 -0700
Received: from 12-224-165-56.client.attbi.com ([12.224.165.56] helo=ursine.ca)
	by drizzle.pdxlinux.org with esmtp (Exim 3.35 #1 (Debian))
	id 19upjV-0002py-00
	for <plug at lists.pdxlinux.org>; Thu, 04 Sep 2003 01:44:49 -0700
Received: from baloo by ursine.ca with local (Exim 4.22)
	id 19upkF-0002BQ-3g
	for plug at lists.pdxlinux.org; Thu, 04 Sep 2003 01:45:35 -0700
To: plug at lists.pdxlinux.org
Message-ID: <20030904084535.GD3105 at ursine.ca>
Mail-Followup-To: plug at lists.pdxlinux.org
References: <Pine.LNX.4.31.0309021331570.13883-100000 at lorien.wv.mentorg.com> <Pine.LNX.4.04.10309021346590.18351-100000 at aqua.hexi.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.04.10309021346590.18351-100000 at aqua.hexi.com>
Organization: Ursine System
X-Operating-System-Uptime: 00:59:16 up 1 day,  2:35,  3 users,  load average: 0.03, 0.04, 0.00
User-Agent: Mutt/1.5.4i
From: Paul Johnson <baloo at ursine.ca>
Sender: plug-admin at lists.pdxlinux.org
Errors-To: plug-admin at lists.pdxlinux.org
X-BeenThere: plug at lists.pdxlinux.org
X-Mailman-Version: 2.0.11
Precedence: bulk
Reply-To: plug at lists.pdxlinux.org
List-Unsubscribe: <http://lists.pdxlinux.org/mailman/listinfo/plug>,
	<mailto:plug-request at lists.pdxlinux.org?subject=unsubscribe>
List-Id: General Linux discussion and assistance <plug.lists.pdxlinux.org>
List-Post: <mailto:plug at lists.pdxlinux.org>
List-Help: <mailto:plug-request at lists.pdxlinux.org?subject=help>
List-Subscribe: <http://lists.pdxlinux.org/mailman/listinfo/plug>,
	<mailto:plug-request at lists.pdxlinux.org?subject=subscribe>
List-Archive: <http://lists.pdxlinux.org/pipermail/plug/>
X-Original-Date: Thu, 4 Sep 2003 01:45:35 -0700
Date: Thu, 4 Sep 2003 01:45:35 -0700
X-SA-Exim-Mail-From: plug-admin at lists.pdxlinux.org
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Subject: [PLUG] Saner alternatives to challenge-response
X-Spam-Status: No, hits=-8.8 required=5.0
	tests=EMAIL_ATTRIBUTION,IN_REP_TO,KNOWN_MAILING_LIST,
	      PGP_SIGNATURE,QUOTED_EMAIL_TEXT,REFERENCES,
	      REPLY_WITH_QUOTES,USER_AGENT_MUTT
	autolearn=ham version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
X-SA-Exim-Version: 3.1 (built Wed Aug 20 09:38:54 PDT 2003)
X-SA-Exim-Scanned: Yes
X-deliveredBy:PLUG
Status: RO
Content-Length: 5288
Lines: 111

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Sep 02, 2003 at 02:21:23PM -0700, David Duncan wrote:
> I'll be reviewing the 'spam' issue again and deciding if I need to tune my
> rules or try a new system.  Suggestions on practical alternatives to the
> challenge-response system would be appreciated.

First off, like most of the HOWTOs I've seen on tldp, I assume Debian
because it's what I use[1].  If this doesn't match up with your RPM based
distro, that's a personal problem, switch to Xandros, Knoppix
installed to a hard drive, Debian, or another similarly sane distro.
8:o)

Here's what I have done to get my site down to ~0.009% spam.  All
packages are in sid, so if you're using woody, don't be stupid, use
backports and DO NOT USE APT-PINNING.  If you need to know why, google
for apt pin harmful site:lists.debian.org.

Get exim-daemon-heavy and sa-exim (it'll pull in the necessary
depends, like spamassassin).  Out of the box, you'll have an automatic
teergrube (anything that scores higher than 30 gets teergrubed instead
of delivered; watch the headers sa-exim puts in
/var/log/exim4/reject.log to make sure this is a sane number, though
the default is high enough that I've yet to see any ham get nailed by
it).

Then, go dig around through
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt and add this to the
(empty) blacklist section.  Please note: When you use RBLs, please do
the RBL maintainers a *huge* favor by *not* mentioning them in your
reject messages (do not use the defaults).  It only appears to serve
to confuse users and anger some, the angry ones then turn around and
harass the RBL maintainers for blocking their email, something that
the maintainers had zero to do with.  Also, spammers that use
dropboxes in their From: will get the bounces, see who is giving them
the most grief, and DDOS them (witness osirusoft).

<example>

  # Currently spamming

  deny  message         = Your mail server is currently spamming.  You can either wait it out or find an ethical ISP.
        log_message     = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
        dnslists        = bl.spamcop.net

  # Broken sites that refuse bounce messages, God only knows if
  # they'll get this.

  deny  message         = Your domain refuses bounce messages, despite breaking RFCs 821, 2821, 2505 and 1123.  Contact your mail provider to have this fixed.
        log_message     = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
        dnslists        = dsn.rfc-ignorant.org/$sender_address_domain

# There are a *lot* of ignorant/retarded sites that fail to have a
# postmaster.  This would probably make a better spamassassin +1.000 rule.

#  deny message         = Your domain refuses mail to postmaster, despite breaking RFC 2821.  Contact your mail provider to have this fixed.
#       log_message     = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
#       dnslists        = postmaster.rfc-ignorant.org/$sender_address_domain


# Sites with bad whois data are almost always spammers, except in the
# UK.  The UK, for reasons beyond my comprehension, has no whois.  The
# British seem to put the fear of God into people trying to spam
# through them, hence the exception for *.uk in the rule below.

  deny  message         = Your domain has bad whois information, despite breaking RFC 954.  Please contact your mail provider to have this problem fixed.
        log_message     = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
        sender_domains  = !*.uk
        dnslists        = whois.rfc-ignorant.org/$sender_address_domain

# Fortunately, it doesn't appear anybody legitimate has a broken
# ipwhois (or if I'm wrong, I haven't been burned by it yet).

  deny  message         = Your domain has bad ipwhois information, despite breaking RFC 954.  Please contact your mail provider to have this problem fixed.
        log_message     = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
        dnslists        = ipwhois.rfc-ignorant.org

# Known spam havens.

  deny  message         = All mail from China, South Korea, Hong Kong, Brazil, Nigeria and Taiwan is rejected.  Please clean up your collective act and kill your spammers.
        log_message     = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
        dnslists        = brazil.blackholes.us : cn-kr.blackholes.us : nigeria.blackholes.us : taiwan.blackholes.us

</example>

This combination of RBLs turns up about one false positive every four
months or so for my site.



[1] I feel the whole United Linux and LSB issues are solutions looking
for problems Debian solved years ago...

- -- 
 .''`.     Paul Johnson <baloo at ursine.ca>
: :'  :    
`. `'`     proud Debian admin and user
  `-  Debian - when you have better things to do than fix a system
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/VvuvUzgNqloQMwcRAirXAKDcaaM9/NeqoY2GjWQ7zjwX+rL5fgCfSKsD
2iucbhdjXtE9magT7vyct2c=
=edcU
-----END PGP SIGNATURE-----

_______________________________________________
PLUG mailing list
PLUG at lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
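Added example (not part of the original posts, not Exim's code): a small
re-implementation of what the `deny ... dnslists = ...` verbs in the ACL
above actually do, so the matching logic can be stepped through offline.
Exim queries a DNSBL by reversing the octets of the connecting host
(1.2.3.4 becomes 4.3.2.1.bl.spamcop.net) or, for the `zone/$sender_address_domain`
form, by prepending the sender's domain to the zone name; any A record
in the answer counts as "listed", and a `deny` fires only when every
condition on it holds, which is how `sender_domains = !*.uk` exempts
British senders from the whois check.  The zone names are the ones the
post uses; the in-memory DNS answers, the sample IPs and the sample
domains are constructed for this example, and skipping domain-keyed lists
for the null (bounce) sender is a simplification of Exim's behaviour.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed, in-memory DNS answers standing in for real DNSBL lookups.
# Zone names match the ACL in the post; the listed addresses and domains
# are invented for this example.
FAKE_DNS = {
    "4.3.2.1.bl.spamcop.net": "127.0.0.2",
    "example.test.dsn.rfc-ignorant.org": "127.0.0.2",
    "spamhaven.test.whois.rfc-ignorant.org": "127.0.0.6",
    "sloppy.co.uk.whois.rfc-ignorant.org": "127.0.0.6",
    "8.7.6.5.nigeria.blackholes.us": "127.0.0.2",
}


def resolve_a(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup: the address if listed, else None (NXDOMAIN)."""
    return FAKE_DNS.get(name.lower())


def dnsbl_key(ip: str) -> str:
    """1.2.3.4 -> 4.3.2.1, the octet-reversed form DNSBLs are queried with."""
    return ".".join(reversed(ip.split(".")))


@dataclass
class DenyRule:
    message: str                      # text returned to the sending MTA
    dnslists: list                    # (zone, "host" | "domain") pairs, tried in order
    sender_domains_not: tuple = ()    # Exim `sender_domains = !pattern` exemptions


# The five deny verbs from the post, in the same order.
RULES = [
    DenyRule("Your mail server is currently spamming.",
             [("bl.spamcop.net", "host")]),
    DenyRule("Your domain refuses bounce messages.",
             [("dsn.rfc-ignorant.org", "domain")]),
    DenyRule("Your domain has bad whois information.",
             [("whois.rfc-ignorant.org", "domain")],
             sender_domains_not=("*.uk",)),
    DenyRule("Your domain has bad ipwhois information.",
             [("ipwhois.rfc-ignorant.org", "host")]),
    DenyRule("All mail from China, South Korea, Hong Kong, Brazil, Nigeria "
             "and Taiwan is rejected.",
             [("brazil.blackholes.us", "host"), ("cn-kr.blackholes.us", "host"),
              ("nigeria.blackholes.us", "host"), ("taiwan.blackholes.us", "host")]),
]


def evaluate_rcpt(sender_host: str, sender_address: str):
    """Walk the rules like Exim's check_rcpt ACL.

    Returns ("deny", message, log_line) for the first rule whose conditions
    all hold, or ("accept", None, None) if none fires.
    """
    domain = sender_address.rpartition("@")[2] if "@" in sender_address else ""
    for rule in RULES:
        # Conditions are ANDed; the sender_domains exemption comes first in
        # the whois rule, so a matching sender never reaches the lookup.
        if any(fnmatchcase(domain, pat) for pat in rule.sender_domains_not):
            continue
        for zone, kind in rule.dnslists:
            if kind == "domain":
                if not domain:        # null sender (bounce): nothing to look up
                    continue
                key = domain
            else:
                key = dnsbl_key(sender_host)
            value = resolve_a(f"{key}.{zone}")
            if value is not None:
                # Mirrors the post's log_message: "<subject> is listed at
                # <zone> (<A record>)"; the TXT ($dnslist_text) is omitted here.
                subject = sender_host if kind == "host" else domain
                return ("deny", rule.message, f"{subject} is listed at {zone} ({value})")
    return ("accept", None, None)


if __name__ == "__main__":
    for host, addr in [("1.2.3.4", "user@clean.test"),
                       ("9.9.9.9", "user@sloppy.co.uk"),
                       ("5.6.7.8", "user@clean.test"),
                       ("9.9.9.9", "")]:
        print(host, addr or "<>", "->", evaluate_rcpt(host, addr))
```

The rules are evaluated top to bottom and the first hit wins, which is also
why the post tells you to check reject.log: the log line names the zone
that fired, so a false positive can be traced to one list rather than to
the block as a whole.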
