[Sussex] SPAM Filtering Revisited

Steven Dobson steve at dobson.org
Mon Aug 21 12:32:40 UTC 2006


Andy

On Mon, 2006-08-21 at 11:03 +0000, Andy Smith wrote:
> On Mon, Aug 21, 2006 at 08:01:30AM +0100, Steven Dobson wrote:
> > Andy
> > 
> > On Sun, 2006-08-20 at 19:50 +0000, Andy Smith wrote: 
> > > Sender CBV is much much better than accepting the mail and then
> > > bouncing a DSN back to the forged sender (in the above scenario I
> > > would then receive thousands of bounce messages for mail I never
> > > sent, which is far worse than just connections that check for
> > > deliverability without actually doing a delivery).  But I believe it
> > > to be far too abusive on innocent uninvolved parties if everyone
> > > were to implement it.
> > 
> > Given that CBV is not as onerous as a DSN storm aren't you better off
> > accepting the CBV load?  CBV requires no human intervention.  Isn't
> > completely automatic the best way to stop spam?
> 
> Why do I have to accept either?

Because if you're not part of the solution you're part of the problem. A
prime example would be an open relay.  It may not generate spam but it
surely does distribute it!

> There is no requirement for me to receive DSNs from this.

I think so - isn't that the situation that you talk about below?

Please consider this.  If my MTA isn't querying your MTA to do a CBV then
one of three things can happen:

  1). The spam has an undeliverable local part to my domain and is
      rejected.  As per the RFC the MTA upstream from me generates a
      DSN that it couldn't deliver the message to me.

  2). The spam has a valid local part and is delivered to a user.
      The user has two options:

      a). Ignore the spam - The Netiquette way.

      b). Decides that enough is enough and replies saying "Please
          do not spam me again" and for good measure copies the postmaster
          at your domain so you can take action against your
          user abusing your systems.

> >   2). Before accepting the command it makes a DNS request of
> >        fake-sender.-at-.example.com.cbv.spam-beaters.org
> > 
> >   3). If the DNS response is blank then the incoming message can be
> >        accepted (subject to other checks).  If the DNS response does
> >        contain an address (something in the loopback range like the
> >        other DNS blacklists) then the incoming message is rejected.
> > 
> > This way the CBV load on MTAs will be negligible, and I would have thought
> > acceptable given that it will only be a few spam-beaters.org servers
> > that are making the CBV requests.
> 
> This would indeed be better than many remote servers connecting to my MXes
> but not sure who would volunteer to run such a DNS service as it
> would still be subject to a lot of load.  A query for every local
> part that can be generated.. Interesting idea though.

I was thinking it could be spread across a number of servers, each one
taking part of the internet address space.

> > > Get rid of bounces and stop there.
> > 
> > But the SMTP protocol [RFC821] requires that a DSN be generated if an
> > e-mail can't be delivered.  Is there a proposal out to change the
> > standard?  I can't believe (given what you've posted on other threads)
> > that you're advocating a policy that is unlikely to be widely adopted
> > without such a change.
> 
> I'm not proposing any change to the RFC.  A DSN need only be generated
> once an email is accepted.  There is no need to accept an email that
> is destined for a user that does not exist, that comes from a site
> that does not exist in DNS, that you have already identified as
> spam, or for any other reason if you don't want to.  You just issue
> a 5xx response at RCPT or DATA phase of the SMTP conversation and
> the connection is dropped without anyone getting a DSN.

This is basic server verification without callback is it not?  In exim
that's the "verify = sender" in acl_check_rcpt.  I'm doing that.  But if
I generate a 5xx response doesn't the upstream MTA generate a DSN for you
because it was unable to deliver the message to me?

> The best thing to do in that situation is to abandon wildcard vanity
> domains.

Agreed.  I don't believe my vanity domain does - I certainly don't get
every email that must be sent to dobson.org.  :-)

> There is only a limit to how far you can go though.  For example,
> andy at lug.org.uk forwards to andy at strugglers.net which are on
> different machines.  If mail-in-01.lug.org.uk accepts some spam for
> andy at lug.org.uk but mail.strugglers.net decides to not accept it
> then I am going to cause mail-in-01.lug.org.uk to generate a DSN.

Without CBV my MTA has no way of knowing if the e-mail claiming to come
from your domain is from a valid user.  If the user isn't valid (the
most likely if spammers are just selecting local parts at random) then
CBV could cost you nothing extra if I accept the message from upstream
and deliver it to /dev/null on the assumption that it is spam.  I'm happy
to pay the cost of eating the spam if you're prepared to pay the CBV
costs.

Problems occur when the spam's sender address is valid:

1). The local part is undeliverable.  I have to reject this and you have
to get the DSN because this is not distinguishable from an e-mail sent by
a user at your domain that just made a typo in the destination local part.
In this case you get to pay twice - once for the CBV and once for the
DSN.

2). The local part is deliverable.  I get to pay to accept the spam
content and will slap my users if they start sending "Don't spam me
again" messages.

Steve
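
Added example, not part of the original message or of any software mentioned in the thread: the DNS-cached CBV lookup from the quoted steps 2) and 3) above, in Python, mapping an envelope sender to a query name and the answer to an SMTP reply code. The zone cbv.spam-beaters.org is the hypothetical name used in the thread; the resolve callable, the reply codes chosen and the sample zone data are assumptions constructed for illustration.

```python
import ipaddress

CBV_ZONE = "cbv.spam-beaters.org"  # hypothetical zone named in the thread


def cbv_query_name(sender, zone=CBV_ZONE):
    """Map user@example.com to user.-at-.example.com.<zone>."""
    local, at, domain = sender.strip().lower().rpartition("@")
    if not (at and local and domain):
        raise ValueError("sender is not local-part@domain")
    name = f"{local}.-at-.{domain}.{zone}"
    # DNS limits: 1..63 octets per label, 253 for the whole name.
    if len(name) > 253 or any(not 1 <= len(l) <= 63 for l in name.split(".")):
        raise ValueError("sender does not fit in a DNS name")
    return name


def check_sender(sender, resolve):
    """Return the SMTP reply code to give for this envelope sender.

    resolve(name) is an assumed callable: it returns a list of A-record
    strings ([] for "no such name") and raises TimeoutError when the
    zone cannot be reached.
    """
    if sender == "":      # null sender <> carries DSNs; never reject it here
        return 250
    try:
        name = cbv_query_name(sender)
    except ValueError:
        return 553        # syntactically unusable sender
    try:
        answers = resolve(name)
    except TimeoutError:
        return 451        # temporary failure: let the client retry later
    # Only loopback-range answers count as "listed", as with other DNS
    # blacklists; any other address is ignored (assumption).
    listed = any(ipaddress.ip_address(a).is_loopback for a in answers)
    return 550 if listed else 250


# Constructed zone data standing in for the spam-beaters.org servers.
SAMPLE_ZONE = {"fake-sender.-at-.example.com.cbv.spam-beaters.org": ["127.0.0.2"]}


def sample_resolve(name):
    if name.endswith(".unreachable.example." + CBV_ZONE):
        raise TimeoutError(name)
    return SAMPLE_ZONE.get(name, [])
```

Answering 550 at this point means no message is accepted, so the receiving MTA itself never owes anyone a DSN; a 451 on lookup failure avoids both accepting unverified mail and rejecting legitimate mail while the zone is down.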



