Please confirm your message - Re: [Wylug-discuss] server based /home

Gary Stainburn gary.stainburn at ringways.co.uk
Tue Mar 16 12:37:18 GMT 2004


On Tuesday 16 Mar 2004 11:07 am, meltie wrote:
> On Tuesday 16 March 2004 09:50, James Holden (WYLUG) wrote:
> > gARetH baBB wrote:
> > [...]
>
> Guys this isn't appropriate for public discussion on WYLUG. Take it
> off-list.
>
> alex/melt
>

On the contrary, I think this is a completely appropriate topic for the WYLUG
discuss thread, although the tone could do with being a little milder.

As the person making the original rant, and as a postmaster to a 100+ user
network, which receives (more than) its fair share of SPAM, I am interested
in other people's opinions, procedures and systems.

I must concede James' original point that the response I received that started
this topic was to him directly and not via the list.  However, I do dislike
this growing pain of whitelisting, and on principle do not send
confirmations.

I also dislike using keyword filtering as it's very easy to bypass and unless
handled properly could end up blocking non-SPAM. It does catch a large
percentage and therefore I use it.

I do use a blacklist though and this works well. This list is added to
manually by myself as well as automatically from the keyword filtering.

I reckon that I manage to block 90%+ without having to resort to a whitelist,
which even if I had the inclination I could not implement in my work
environment anyway.

Now for the previous comments:

James and
gARetH baBB wrote:
[...]

 > viz. when abuse at blueyonder started doing a similar thing - "email doesn't
 > work, only use this dodgy web form" - they just started getting blocked by
 > loads of people as basically being an abuse sink.

| Which is exactly what I'm *not* doing, cos it's dumb.

So what's with BlueYonder anyway? As a customer of theirs I keep getting
emails from abuse@ stating that they're testing my system and that I can
simply ignore the messages.  Yet more emails to filter out.

 > You're not doing exactly the same thing, but something damn close - people
 > use email because it's email and they don't have to prat about, and
 > needing to go through any further stage is just going to get people to
 > tell you to fuck off.

| I agree it's not perfect, but do you want to talk to me or not?

(See my comments above)

 > And as soon as you start sending stuff out in response to bogus addresses
 > derived from spam runs, people will just either block you or complain to
 > ntl.

| Really? So when somebody's address gets used as a spam return address,
| they complain to other peoples ISPs because of the bounces? They would
| still get a bounce message even if the mail was rejected by my server.
| At least *this* bounce message serves a useful purpose.

This is getting a touchy subject too. To bounce or to drop?  A large part of
my SPAM messages these days are errors generated by my bounces to
non-existent addresses (even the bounces generated by exim because the
reply-to or from is invalid (figure that one out)).

The bounce messages no longer serve a function anyway as the senders don't
drop the address.

I am seriously considering simply dropping SPAM instead of bouncing them.
Anyone got any comments on this idea?

 >>Well I happen to not like getting around 500 (mostly pornographic or
 >>fraudulent) spams per day to wade through. I think of the filter making
 >>me a bit like being ex-directory.
 >

ex-directory or ex-communicated?

 >
 > You're doing it wrong then, I don't filter on content nor do I resort to
 > bizarre tactics like you have (I do have blacklists for sender and helo
 > though) and I get at *most* 2 or 3 a day.

| Well you're lucky then. Most people have huge problems with spam.

I can vouch for that.  Just one of my users used to receive 300+ per day (her
PC was in an open-plan office and people would come up and use it on a
week-end) and many of them not the sort that she should have to look at.

 > Let's look at your primary MX, zion.2dcube.co.uk.
 >
 > (I'm presuming some of these things, because depending on how you config
 > things it's hard to tell without going through a full mail delivery
 > including the DATA part)
 >
 > It's accepted a non-qualified HELO (fish).
 >
 > It's accepted a bogus HELO/EHLO of "jamesholden.net"
 >
 > It's accepted a bogus HELO/EHLO of 80.84.72.131.
 >
 > It's accepted MAIL without any previous valid HELO/EHLO.

| None of these will result in any mail actually being accepted. The
| delayed reject of the first test you did is in order to do further checks.

I think that the topic of securing MTAs would make a fine topic for a talk.

 > It's not doing sender verify callouts.

| Granted, but it's something I mean to look into. Easier on exim than
| postfix I believe.

In exim you simply include 'sender_verify = true' in the config file, I
haven't got a clue with postfix.

 > That's 80% of spam allowed through which otherwise would have been caught.

| 70% is about the right figure for mail that never gets further than a
| RCPT TO. Of the remaining 30%, Spamassassin catches about 90% of that,
| and TMDA deals with the rest.

I haven't looked at spamassassin yet, but I may be soon. I understand it's
relatively easy to set up. Anyone got any suggestions, ideas or howtos I can
have?

 > Looking at www.jamesholden.net you have in the first few lines
 > "james at jamesholden.net" raw, no encoded @ or anything - you deserve all
 > you get ! Stop complaining and eat your spam.

| Actually, james at jamesholden.net doesn't get very much at all. I don't
| think the spammers harvest from the web much these days. There are much
| more efficient methods of getting addresses.

I agree here. I have a number of email addresses quoted on various web sites
without any form of obfuscation and I receive very little SPAM on them.
They don't seem to be trawling mailing lists much these days either as
addresses I use for them don't get hit that much any more.

One method that does still seem popular is grabbing the email address when
people visit web sites, which makes sense as these will be better targeted.
This is easy to get around as our firewall blocks all personal data leaving
the building.

--
Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
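The thread above argues over HELO/EHLO checks, "delayed reject" at RCPT TO, and whether to bounce or drop spam. The following is an added illustration written for this page (not code from any poster or from exim/postfix): a minimal SMTP envelope policy that records the HELO problems listed in the thread (unqualified name, bare IP address, a HELO claiming to be our own server, MAIL before HELO) and refuses at RCPT TO, so the message is never accepted and no bounce is generated by our side. The receiving hostname and the sample envelope values are constructed placeholders.

```python
import ipaddress
import re

# Hostname(s) this MX answers as; a placeholder, the page gives no real value.
MY_HOSTNAMES = {"mx.example.invalid"}

# Loose syntax check for a fully qualified host name (labels joined by dots).
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$", re.I)


def helo_problems(helo):
    """Return the list of HELO/EHLO checks that fail; empty means clean."""
    problems = []
    name = helo.strip("[]")
    try:
        ipaddress.ip_address(name)          # e.g. HELO 80.84.72.131
        return ["helo is a bare IP address"]
    except ValueError:
        pass
    if "." not in name:                     # e.g. HELO fish
        problems.append("helo is not fully qualified")
    elif not HOSTNAME_RE.match(name):
        problems.append("helo is syntactically invalid")
    if name.lower() in MY_HOSTNAMES:        # HELO pretending to be us
        problems.append("helo claims to be this server")
    return problems


class SmtpSession:
    """Delayed-reject policy: note problems early, refuse at RCPT TO."""

    def __init__(self):
        self.helo = None
        self.problems = []

    def HELO(self, name):
        self.helo = name
        self.problems.extend(helo_problems(name))
        return "250 ok"                     # accept the command, remember the verdict

    def MAIL(self, sender):
        if self.helo is None:
            self.problems.append("MAIL before HELO/EHLO")
        self.sender = sender
        return "250 ok"

    def RCPT(self, rcpt):
        # Refusing here, before DATA, means we never take custody of the
        # message, so we send no bounce of our own (no backscatter to forged
        # senders); any bounce is the connecting MTA's problem.
        if self.problems:
            return "550 rejected: " + "; ".join(self.problems)
        return "250 ok"
```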
