[Sussex] SPAM Filtering Revisited

Andy Smith andy at lug.org.uk
Mon Aug 21 11:03:39 UTC 2006


On Mon, Aug 21, 2006 at 08:01:30AM +0100, Steven Dobson wrote:
> Andy
> 
> On Sun, 2006-08-20 at 19:50 +0000, Andy Smith wrote: 
> > Sender CBV is much much better than accepting the mail and then
> > bouncing a DSN back to the forged sender (in the above scenario I
> > would then receive thousands of bounce messages for mail I never
> > sent, which is far worse than just connections that check for
> > deliverability without actually doing a delivery).  But I believe it
> > to be far too abusive on innocent uninvolved parties if everyone
> > were to implement it.
> 
> Given that CBV is not as onerous as a DSN storm aren't you better off
> accepting the CBV load?  CBV requires no human intervention.  Aren't
> completely automatic the best way to stop spam?

Why do I have to accept either?  There is no requirement for me to
receive DSNs from this.

>   2). Before accepting the command it makes a DNS request of
>        fake-sender.-at-.example.com.cbv.spam-beaters.org
> 
>   3). If the DNS response is blank then the incoming message can be
>        accepted (subject to other checks).  If the DNS response does
>        contain an address (something in the loopback range like the
>        other DNS blacklists) then the incoming message is rejected.
> 
> This way the CBV load on MTAs will be negligible, and I would have thought
> acceptable given that it will only be a few spam-beaters.org servers
> that are making the CBV requests.

This would indeed be better than many remote servers connecting to my MXes
but not sure who would volunteer to run such a DNS service as it
would still be subject to a lot of load.  A query for every local
part that can be generated.. Interesting idea though.

> > Get rid of bounces and stop there.
> 
> But the SMTP protocol [RFC821] requires that a DSN be generated if an
> e-mail can't be delivered.  Is there a proposal out to change the
> standard?  I can't believe (given what you've posted on other threads)
> that you're advocating a policy that is unlikely to be widely adopted
> without such a change.

I'm not proposing any change to the RFC.  A DSN need only be generated
once an email is accepted.  There is no need to accept an email that
is destined for a user that does not exist, that comes from a site
that does not exist in DNS, that you have already identified as
spam, or for any other reason if you don't want to.  You just issue
a 5xx response at RCPT or DATA phase of the SMTP conversation and
the connection is dropped without anyone getting a DSN.

> > When implementing anti-spam measures I urge people to consider what
> > effect it would have on remote sites if everyone did it.  Lack of
> > consideration for third parties leads to ideas like sender CBV and
> > challenge-response.
> 
> Not an unreasonable request.  However, as you also pointed out in the
> other thread, mail forwarding creates a problem with checking e-mail
> based on origin.  To fight spam we need methods that work with the
> current way e-mail is handled or, as spam gets worse, there is going to
> come a time (if it hasn't already) where e-mail is unusable because of
> the spam load.

Well, one interesting situation is where you are forwarding your
mail from an intermediate system, for example:

(Internet)----------(mx1.example.org)-----(mx1.you.com)

If mail for *@example.org is going to be relayed on to you at you.com
then unless mx1.example.org has visibility of the full list of
allowed local parts @example.org it is going to be accepting all
mail and passing on to mx1.you.com.  mx1.you.com will then give an
error regarding unknown recipients, and mx1.example.org will have to
generate a DSN.

The best thing to do in that situation is to abandon wildcard vanity
domains (they don't behave well in the face of dictionary attacks
either) and arrange for mx1.example.org to have full knowledge of
acceptable local parts @example.org.

There is only a limit to how far you can go though.  For example,
andy at lug.org.uk forwards to andy at strugglers.net which are on
different machines.  If mail-in-01.lug.org.uk accepts some spam for
andy at lug.org.uk but mail.strugglers.net decides to not accept it
then I am going to cause mail-in-01.lug.org.uk to generate a DSN.

At the moment since it's just me I tend to silently discard such
crap that I know's been forwarded, but that is a violation of the
RFCs.  This is a situation where using sender CBV would be the
lesser of two evils as mail-in-01.lug.org.uk could do a sender CBV
for mail it knew it was going to forward on in order to lessen the
amount of DSNs it will generate.

Another situation where I have proposed using sender CBV:
lug.org.uk's mailman lists.

It should be possible for exim to check if the from address is
subscribed to a list and if the list disallows postings from
non-subscribers.  If such a post is allowed to get to mailman then
mailman will be sending back a notification to the (most likely
forged) sender, as well as the list admin, and putting the mail in
the moderation queue.  It would be a lot less harsh if such mails
could be subjected to sender CBV and rejected inside the smtp
conversation with mail-in-01.lug.org, then no one gets DSNs, no held
mail and no notifications to list owners!

So I'm not 100% against CBV but I am against its use on all email
because it seems a bit lazy and relying on remote sites taking the
load.

Cheers,
Andy
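
Added example (not part of the original message, and not code from either poster): a sketch of an RCPT-time decision that combines the two ideas in this thread, rejecting with a 5xx inside the SMTP conversation so no DSN is ever generated, and consulting the DNS-published CBV zone only for mail that will be forwarded. The zone name and query format are the hypothetical ones from the quoted proposal; the user tables, the injected resolver and the sample DNS data are constructed assumptions.

```python
import ipaddress

CBV_ZONE = "cbv.spam-beaters.org"       # hypothetical zone named in the thread
LOCAL_USERS = {"andy", "postmaster"}    # constructed: local parts this MX knows
FORWARDED = {"andy"}                    # constructed: local parts relayed onward
SAMPLE_ZONE = {"fake-sender.-at-.example.com.cbv.spam-beaters.org": ["127.0.0.2"]}

def cbv_query_name(sender, zone=CBV_ZONE):
    """Build the lookup name in the thread's format: local.-at-.domain.zone"""
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        raise ValueError("sender must be local@domain")
    return f"{local}.-at-.{domain}.{zone}".lower()

def cbv_listed(sender, resolve):
    """True if the zone answers with a loopback-range address (reject).
    `resolve` maps a name to a list of IPv4 strings, [] meaning no answer;
    it is injected so the example runs offline."""
    answers = resolve(cbv_query_name(sender))
    return any(ipaddress.ip_address(a).is_loopback for a in answers)

def rcpt_decision(sender, rcpt, resolve):
    """Return (code, text) for RCPT; a 5xx here means no DSN is generated."""
    local = rcpt.rpartition("@")[0].lower()
    if local not in LOCAL_USERS:
        return 550, "unknown user"
    # Sender check only for mail that will be forwarded. The null sender
    # ("" for MAIL FROM:<>) is used by DSNs themselves and is never checked.
    if local in FORWARDED and sender and cbv_listed(sender, resolve):
        return 550, "sender address failed verification"
    return 250, "OK"

def sample_resolve(name):
    """Constructed stand-in for a DNS A-record lookup."""
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for s, r in [("fake-sender@example.com", "andy@lug.org.uk"),
                 ("fake-sender@example.com", "postmaster@lug.org.uk"),
                 ("real@example.net", "nobody@lug.org.uk")]:
        print(s, "->", r, rcpt_decision(s, r, sample_resolve))
```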