[Sussex] SPAM Filtering Revisited

Steven Dobson steve at dobson.org
Sun Aug 20 19:07:31 UTC 2006


Desmond

First my apologies for the hijacking of your original posting on this
subject.  However, the one good thing about it (from my point of view)
was that it forced me to go back and re-examine my mail handling rules.

First a little background.

Like you I have a vanity email address.  I don't know about you but
most emails sent to me (both proper and spam) are routed via my vanity
domain as I use it as a forwarding service.  Blacklisting the incoming
connection on my MTA doesn't gain me much.  Most of the inbound
connections from the Net are from one of the vanity domain's mail
servers.

Also, like you, I do most of my spam filtering by hand, filtering mostly
based on the content of the subject line.  I don't like the idea of a
spam filter filtering out an important e-mail.  I've seen it happen on
some of my clients' networks and I don't like the idea of missing
something important.

However my spam:e-mail ratio has become too much.  So a while ago I
installed spamassassin but wasn't actively training it.  I just wanted
to see how good it was.  So far it hasn't made any false positives.  So
now I've started to train it in the hope I can make it better.

Yesterday I was looking over my exim4 config file and I found a note to
myself telling me that I might like to try callouts on sender
verification.  There are a number of reasons why sender verification may
fail - mostly bad configuration on the part of the upstream MTA, but
"[f]orgery, which is very common in spam mail" is one reason why you
might like to turn this feature on.

For a while I just ran standard sender verification.  This just does a
DNS lookup on the message envelope's sender address to verify that if
the message needs to be bounced then it looks like it has a valid
address to bounce the message back to.  However, you can configure it to
do more checking.  By adding the "callout" option exim tries to make an
SMTP connection back, as if it were trying to send such a bounce message.
If the connection succeeds and the server at the other end validates
the address then exim accepts the incoming message, otherwise it defers
it.

In monitoring the exim logs I appear to have stopped over fifty messages in
the last 24 hours.  None of these messages came from e-mail addresses I
recognised.  In fact most seemed to come from only one or two addresses.

Further examination showed me that while the senders' domains are in DNS
they either don't have an MX record or the server that the MX record
points at does not have an SMTP connection to connect back to.  The IP
addresses fall into four obvious groups (differing only in the last
value).  When I checked these for geographical location [1] two were
from the US and two were from China.

I don't know what MTA you use, but I thought you might like to look into
such filtering yourself as this might help you with your own spam
filtering.

Steve

[1] http://www.ip2location.com/free.asp
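The two-stage check Steve describes (a DNS lookup on the envelope sender's domain, then a "callout" SMTP connection back to that domain as if a bounce were being sent) is shown below as an added example; it is not code from the post and not exim itself. DNS and the network are replaced by two injectable functions with constructed data, so it runs offline. The domains, hosts and reply codes are all made up, and the logic is a simplification of exim's real callout (which also issues MAIL FROM:<> first, caches results and has timeouts). The fixtures reproduce the cases mentioned in the post: a domain with no MX record, and an MX that points at a host with nothing listening on SMTP.

```python
# Added example: simulation of an Exim-style sender-verification callout.
# Not from the original post; all domains, hosts and reply codes are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

Resolver = Callable[[str], tuple[list[str], list[str]]]  # domain -> (MX hosts, A records)
Rcpt = Callable[[str], int]                                # address -> SMTP reply code
Prober = Callable[[str], Optional[Rcpt]]                   # host -> None (no SMTP) or RCPT handler


@dataclass
class Verdict:
    action: str   # "accept", "defer" or "reject"
    reason: str


def verify_sender(envelope_from: str, resolve: Resolver, probe: Prober) -> Verdict:
    """Decide what an MTA should do with a message based on its envelope sender.

    Stage 1 mirrors plain sender verification: the domain must have an MX or A record,
    otherwise there is nowhere to bounce to.
    Stage 2 mirrors the callout: connect to the sender's mail host, issue RCPT TO for
    the envelope address (as a bounce would) and classify the reply.
    """
    if envelope_from == "":
        return Verdict("accept", "null sender: bounces are never verified")
    if "@" not in envelope_from:
        return Verdict("reject", "sender address is not local-part@domain")
    domain = envelope_from.rsplit("@", 1)[1].lower()

    mx_hosts, a_records = resolve(domain)
    if not mx_hosts and not a_records:
        return Verdict("reject", f"{domain} does not resolve: nowhere to bounce to")

    # RFC 5321: a domain with no MX record is treated as having an implicit MX
    # pointing at its A record, so fall back to the A records.
    for host in (mx_hosts or a_records):
        rcpt = probe(host)
        if rcpt is None:
            continue                      # no SMTP listener on this host; try the next
        code = rcpt(envelope_from)
        if 200 <= code < 300:
            return Verdict("accept", f"{host} accepts bounces for {envelope_from}")
        if 500 <= code < 600:
            return Verdict("reject", f"{host} permanently rejects {envelope_from} ({code})")
        return Verdict("defer", f"{host} gave temporary reply {code}")

    # Every candidate host refused the connection. This is a temporary condition,
    # so the message is deferred (exim answers 451): a real MTA retries later,
    # a spam engine usually does not.
    return Verdict("defer", f"no MX/A host for {domain} accepts SMTP connections")


# Constructed fixtures standing in for DNS and the network (hypothetical names).
FAKE_DNS = {
    "example.com":     (["mail.example.com"], ["192.0.2.10"]),
    "no-mx.example":   ([], ["198.51.100.7"]),          # domain exists but has no MX record
    "dead-mx.example": (["mx.dead-mx.example"], []),     # MX points at a host that never answers
    "nx.example":      ([], []),                          # not in DNS at all
}
FAKE_SMTP = {
    # Only one host listens; it knows alice and rejects everyone else.
    "mail.example.com": lambda addr: 250 if addr == "alice@example.com" else 550,
    # "198.51.100.7" and "mx.dead-mx.example" are absent: connection refused.
}


def fake_resolve(domain: str) -> tuple[list[str], list[str]]:
    return FAKE_DNS.get(domain, ([], []))


def fake_probe(host: str) -> Optional[Rcpt]:
    return FAKE_SMTP.get(host)


if __name__ == "__main__":
    for sender in ["alice@example.com", "bob@example.com", "x@no-mx.example",
                   "y@dead-mx.example", "z@nx.example", ""]:
        v = verify_sender(sender, fake_resolve, fake_probe)
        print(f"{sender or '<>':22} {v.action:7} {v.reason}")
```

Running the block prints one line per constructed sender. The two cases from the post (no MX record, and an MX host with no SMTP listener) both end in "defer", which is why such messages show up in the exim log as stopped rather than rejected outright: the sending side is told to try again later, and a forging spam engine normally never does.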