[Sussex] SPAM Filtering Revisited
Steven Dobson
steve at dobson.org
Mon Aug 21 15:48:12 UTC 2006
On Mon, 2006-08-21 at 13:39 +0000, Andy Smith wrote:
> On Mon, Aug 21, 2006 at 01:32:32PM +0100, Steven Dobson wrote:
> > Because if you're not part of the solution you're part of the problem. A
> > prime example would be an open relay. It may not generate spam but it
> > surely does distribute it!
>
> Since I am not the one running the open relay and I am not the one
> sending you the forged emails I'm not sure where the parallel lies.
> I can justify a lot of actions under the banner of "well if you
> don't want to be part of the solution..!" Whose solution?
But you are sending me the forged e-mails, at least you are forwarding
them on to me. Here is a real world example from today.
I received some spam today which came from my vanity domain. It was
addressed to sussex-owner at mailman.lug.org.uk which forwards all e-mails
to two other people besides me.
Received: from spf6-2s.us4.outblaze.com ([205.158.62.230])
by marvin.syscall.org.uk with esmtp (Exim 4.50)
id 1GF5XA-0000In-7D for steve at syscall.org.uk;
Mon, 21 Aug 2006 09:53:24 +0100
But it isn't my vanity domain's fault as they got it from lug.org.uk.
Received: from xinit.lug.org.uk (xinit.lug.org.uk [217.147.93.68])
by spf6-2s.us4.outblaze.com (Postfix) with ESMTP
id 249C11AC52C for <steve at dobson.org>;
Mon, 21 Aug 2006 08:53:12 +0000 (GMT)
Received: from localhost.localdomain ([127.0.0.1]
helo=xinit.lug.org.uk)
by xinit.lug.org.uk with esmtp (Exim 3.33 #2)
id 1GF5Wq-0006bq-00 ;
Mon, 21 Aug 2006 09:53:04 +0100
Received: from mail-in-01.lug.org.uk ([217.147.93.69])
by xinit.lug.org.uk with esmtp (Exim 3.33 #2)
id 1GF5Wp-0006bf-00 ;
Mon, 21 Aug 2006 09:53:03 +0100
lug.org.uk is not at fault either because it got it from Blackcat
Networks.
Received: from jet.blackcatnetworks.co.uk ([193.201.200.50]
ident=Debian-exim) by mail-in-01.lug.org.uk with esmtp
(Exim 4.50) id 1GF5Wn-0000nD-Ui;
Mon, 21 Aug 2006 08:53:03 +0000
Blackcat is at fault! They got it from proxad.net.
Received: from bos94-3-82-226-234-199.fbx.proxad.net ([82.226.234.199]
helo=fuk.com) by jet.blackcatnetworks.co.uk
with smtp (Exim 4.50)
id 1GF5Wb-0002g7-PL;
Mon, 21 Aug 2006 09:52:55 +0100
And a check against sorbs shows that 82.226.234.199 is a known spammer.
; <<>> DiG 9.3.2 <<>> 199.234.226.82.dnsbl.sorbs.net
;; QUESTION SECTION:
;199.234.226.82.dnsbl.sorbs.net. IN A
;; ANSWER SECTION:
199.234.226.82.dnsbl.sorbs.net. 3600 IN A 127.0.0.7
199.234.226.82.dnsbl.sorbs.net. 3600 IN A 127.0.0.10
Checking SORBS's web interface shows that the record for 82.226.234.199
was created Sat Jul 22 14:04:08 2006 GMT. Had Blackcat also checked
SORBS it could have found this out too.
Therefore I will define Blackcat Networks as being part of the problem
because they were the point which accepted an email from an IP address
known to be a spam relay. Any system that forwards email outside its
own domain may be propagating the SPAMming problem if they are not
checking.
I will also define you as part of the problem as the MX records for
mailman.lug.org.uk include mail.blackcatnetworks.co.uk as a secondary
e-mail address.
;; QUESTION SECTION:
;mailman.lug.org.uk. IN MX
;; ANSWER SECTION:
mailman.lug.org.uk. 26645 IN MX 25 mail.blackcatnetworks.co.uk.
mailman.lug.org.uk. 26645 IN MX 10 mail-in-01.lug.org.uk.
So you trust Blackcat to do all the appropriate checking that you do.
> > > There is no requirement for me to receive DSNs from this.
> >
> > I think so - isn't the situation that you talk about below?
>
> If you receive an email purportedly from sdfknj4u at strugglers.net and
> it turns out to be spam as determined by your systems during the
> SMTP conversation with whatever compromised machine sends you it,
> your machine can reply with a 5xx response and no one gets a DSN.
>
> If you accept it and then later decide you aren't going to deliver
> it then my systems will receive a DSN from you.
I stand corrected. I thought a 5xx response generated a DSN from the
upstream MTA in all cases.
> If you engineer things correctly I do not need to receive DSNs in
> the majority of cases.
Here is where I openly admit my knowledge of exim4 configuration has reached
the point where I stop relying on it. I need to go away and read the
rest of your email, the Exim book and the RFCs with more care than I have
time right now to do.
Thanks for your help so far, and for the help to come in the future.
Steve
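The check Steve walks through by hand above (trace the Received chain back to the hop that first accepted the message, then look its connecting IP up in a DNSBL by reversing the octets under the list's zone) is shown here as an added example; it is not code from the post or from any of the MTAs mentioned. The Received headers are a constructed sample modelled on the ones quoted, and the DNS answers come from a constructed in-memory table standing in for a real resolver, so it runs offline.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Received chain modelled on the hops quoted in the post; newest hop
# at the top, the hop that first accepted the message at the bottom.
SAMPLE_HEADERS = """\
Received: from xinit.lug.org.uk (xinit.lug.org.uk [217.147.93.68])
    by spf6-2s.us4.outblaze.com (Postfix) with ESMTP id 249C11AC52C
Received: from mail-in-01.lug.org.uk ([217.147.93.69])
    by xinit.lug.org.uk with esmtp (Exim 3.33 #2) id 1GF5Wp-0006bf-00
Received: from jet.blackcatnetworks.co.uk ([193.201.200.50] ident=Debian-exim)
    by mail-in-01.lug.org.uk with esmtp (Exim 4.50) id 1GF5Wn-0000nD-Ui
Received: from bos94-3-82-226-234-199.fbx.proxad.net ([82.226.234.199] helo=fuk.com)
    by jet.blackcatnetworks.co.uk with smtp (Exim 4.50) id 1GF5Wb-0002g7-PL
"""

# Constructed stand-in for a DNS resolver: the answer the post shows for the
# origin IP in dnsbl.sorbs.net; every other name is treated as NXDOMAIN (None).
FAKE_DNSBL: Dict[str, List[str]] = {
    "199.234.226.82.dnsbl.sorbs.net": ["127.0.0.7", "127.0.0.10"],
}

# "from <helo> (<rdns> [<ip>] ...) by <host>": capture the connecting IP and the MTA that accepted it.
HOP_RE = re.compile(
    r"from\s+\S+\s*\([^)]*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\][^)]*\).*?\bby\s+(?P<by>\S+)",
    re.S,
)

def dnsbl_name(ip: str, zone: str = "dnsbl.sorbs.net") -> str:
    """Build the DNSBL query name: octets reversed, then the list zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def unfold(headers: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(headers: str) -> List[Tuple[str, str]]:
    """Return (connecting IP, accepting host) for each Received header, earliest hop first."""
    hops = []
    for line in unfold(headers):
        if line.lower().startswith("received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append((m.group("ip"), m.group("by")))
    return list(reversed(hops))  # headers are prepended, so the origin is last

def first_listed_hop(headers: str, lookup: Callable[[str], Optional[List[str]]],
                     zone: str = "dnsbl.sorbs.net") -> Optional[Tuple[str, str, List[str]]]:
    """Walk from the origin upward; report the first MTA that accepted mail from a listed IP."""
    for ip, by in received_hops(headers):
        codes = lookup(dnsbl_name(ip, zone))
        if codes:
            return by, ip, codes
    return None
```

`lookup` is any callable returning the A records for a name (or None when unlisted), so swapping `FAKE_DNSBL.get` for a real resolver turns this into a live check; note that each hop's Received line is only as trustworthy as the MTA that wrote it, which is why the walk starts from the origin and stops at the first listed IP.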