[Nottingham] Tux Games Antispam - Your message is being held

Graeme Fowler graeme at graemef.net
Mon Dec 10 20:49:51 GMT 2007


On Mon, 2007-12-10 at 20:19 +0000, Martin wrote:
> And so the question remains: What is there that solves or at the very
> least removes the present spam/phishing email mess?

A reasonable understanding of SMTP at protocol level helps, as does
knowing the spammer/botnet operators' modus operandi. I'm not saying I
do, mind you - I ride on the coat-tails of others. How you do the
following depends on your MTA, but it's fairly easy in Exim.

My current practice, in order of config:

0. Check against at least one (or more) of:
    zen.spamhaus.org
    dnsbl.njabl.org
    list.dsbl.org

Consider using a "multiple hit" rule, i.e. 2/3 gets the chop. Do this
before any form of SMTP conversation has taken place and you'll remove a
mass of possible inbound junk.

1. Ensure the HELO or EHLO is valid. It should be a valid FQDN, or an IP
literal of the form [1.2.3.4]. Underscores in hostnames are invalid but
occur so frequently they may as well be accepted (yuck). Reject if this
test fails.

2. Make sure the HELO or EHLO isn't purporting to be the machine itself
when coming from an external host.

3. Reject if MAIL comes with no EHLO/HELO.

4. Reject invalid recipients at SMTP time. Under no circumstances
accept'n'bounce, you're contributing to backscatter if you do (as well as
clogging your own queues).

5. Run an inline AV scanner, such as ClamAV.

6. Run the message through SpamAssassin. The list of tests available
here is massive, and prone to change, so choose your poison.


That's more or less my current Exim ACL setup, and it proves pretty good
for me. I run the linuxvirtualserver.org mailing lists - since May, only
one single spam has got through to any of the lists. Most recently I've
had two spates of very prolonged dictionary attacks against domains I
handle, but they all got spat back at SMTP time. Doing the above in that
order reduces dramatically the work SA and Clam have to do, since many
rejections happen way before the message is injected.

My stats are here: http://boom.graemef.net/mail/

Apologies for the colour scheme :)

Graeme
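The six steps in the post mapped onto Exim ACLs, as an added example that is not part of Graeme's message or of the Exim project's own configuration. It assumes Exim 4 built with content scanning, a ClamAV socket at /var/run/clamav/clamd.ctl, spamd listening on 127.0.0.1 port 783, and placeholder values for the local domain (example.org), the trusted relay range (192.0.2.0/24) and the second and third DNSBLs (dnsbl.example.net, dnsbl2.example.net); of the three lists named in the post only zen.spamhaus.org is still in service, list.dsbl.org and dnsbl.njabl.org having since shut down, so the other two names here are stand-ins rather than real lists.

```exim
# Main section: hook each SMTP phase to an ACL and point Exim at the scanners.
# Socket path, spamd port, domain and host ranges are placeholders.
acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo
acl_smtp_mail    = acl_check_mail
acl_smtp_rcpt    = acl_check_rcpt
acl_smtp_data    = acl_check_data
av_scanner       = clamd:/var/run/clamav/clamd.ctl
spamd_address    = 127.0.0.1 783

domainlist local_domains    = example.org
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

begin acl

# Step 0: consult the DNSBLs before any SMTP conversation and count the hits in
# a connection-scoped variable; two or more listings reject the connection.
acl_check_connect:
  accept  hosts = +relay_from_hosts
  warn    set acl_c_dnsbl = 0
  warn    dnslists = zen.spamhaus.org
          set acl_c_dnsbl = ${eval:$acl_c_dnsbl+1}
  # dnsbl.example.net and dnsbl2.example.net stand in for two further lists
  warn    dnslists = dnsbl.example.net
          set acl_c_dnsbl = ${eval:$acl_c_dnsbl+1}
  warn    dnslists = dnsbl2.example.net
          set acl_c_dnsbl = ${eval:$acl_c_dnsbl+1}
  deny    message   = $sender_host_address is listed on $acl_c_dnsbl DNSBLs
          condition = ${if >{$acl_c_dnsbl}{1}}
  accept

# Steps 1 and 2: HELO/EHLO must be an FQDN (underscores tolerated, as in the
# post) or an address literal like [192.0.2.7], and an outside host may not
# claim to be this server by name or by its interface address.
acl_check_helo:
  accept  hosts = +relay_from_hosts
  deny    message   = HELO/EHLO must be a fully qualified hostname or [address literal]
          condition = ${if match{$sender_helo_name}\
                        {\N^(\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]|[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+)$\N}\
                        {no}{yes}}
  deny    message   = HELO/EHLO claims to be this server
          condition = ${if or{{eqi{$sender_helo_name}{$primary_hostname}}\
                              {eq{$sender_helo_name}{[$interface_address]}}}}
  accept

# Step 3: MAIL FROM without a preceding HELO/EHLO is refused.
acl_check_mail:
  deny    message   = HELO/EHLO is required before MAIL FROM
          condition = ${if def:sender_helo_name {no}{yes}}
  accept

# Step 4: recipients are verified at RCPT time; an unknown local user is
# refused in-session instead of accepted and bounced (which causes backscatter).
acl_check_rcpt:
  accept  hosts = +relay_from_hosts
  accept  domains = +local_domains
          endpass
          message = unknown recipient
          verify  = recipient
  deny    message = relay not permitted

# Steps 5 and 6: only messages that survived everything above reach ClamAV and
# SpamAssassin; scores above 10.0 (Exim keeps score*10 in $spam_score_int) are
# rejected, lower ones just get a header the user's own filters can act on.
acl_check_data:
  deny    message = Message rejected: contains malware ($malware_name)
          malware = *
  warn    spam       = nobody
          add_header = X-Spam-Score: $spam_score ($spam_bar)
  deny    message   = Message rejected as spam (score $spam_score)
          condition = ${if and{{def:spam_score_int}{>{$spam_score_int}{100}}}}
  accept
```

Two details worth knowing: Exim treats a `#` that is not at the start of a line as data, so every comment sits on its own line, and a `warn` statement whose `dnslists` condition fails simply skips the `set` that follows it, which is what makes the hit counter work. `exim -bV` syntax-checks the file, and `exim -bh 203.0.113.9` (a constructed address) replays a fake SMTP session from that address through all of these ACLs without delivering anything, which is the quickest way to see at which stage a given HELO or recipient would be refused.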



