anti-spam, was Re: [XCSSA] Looking for Guidance, Experiences, Email Services
xcssa@xcssa.org
Fri, 6 Apr 2007 02:09:35 -0500
On Wed, Apr 04, 2007 at 09:16:25PM -0500, xcssa-admin@xcssa.org wrote:
> Bandwidth: 90% of the incoming bytes on port 25 are spam even though
> 90% of the connections get dropped at the HELO because of RBLs.
Hrml, not a problem for me, but I only serve a couple of users.
I do graylisting/blacklisting though...
I'm half tempted to create the "ultimate mail server distro".
Does anyone think this would be worth putting together?
See my security wiki for some anti-spam stuff I do.
> Spam: Most of the 10% that gets past the RBLs and land in valid mail
> boxes are SPAM. I'm getting tired of updating Spam Assassin and the
> RBLs every time something new comes out.
I don't use signatures (spamassassin). If I had to use any filtering,
it'd probably be a combination of hand-coded rules like spamassassin
(don't need HTML email) for things best recognized by humans, and
a Bayesian classifier like dspam or crm114 for the bulk.
If I were to offer a commercial mail service I'd have an easy web
interface for marking things spam/nonspam, which feeds the bayesian
classifier, and then some shared learning between users; if Joe and
Mary already marked it as spam, I really don't need to read it.
Of course the user should have full control over how it works.
> Search: Gmail's search is awesome. I have found nothing that can
> search IMAP as fast or as well.
This is apples and oranges; gmail searches locally, not over an IMAP
connection. I find mairix to be quite fast.
> Security: I no longer need to worry about smtp, imap, or pop
> exploits.
Like having someone else host your web site, if it gets hacked it's
still your data, but you don't have to clean up. Conversely, you
can't do anything to protect it. As long as your security needs don't
exceed what the company offers, that's probably okay. Sounds like
you're mostly worried about being a negative externality; that is,
you're less concerned about what happens to the data than being the
source of an attack on another site. Given that email is unencrypted
anyway, that's perfectly reasonable.
What do people think? I know from personal experience that the best
anti-spam setup I've gotten from anywhere is ten times less effective
than the one I'm using now, and that mine could be about a hundred
times better (no kidding; see the CRM114 page for how that program
outperformed its author at spam classification). I know that most
companies (virtually all non-IT shops) really can't do better and
need/want to outsource.
FWIW, my current setup uses OpenBSD's spamd (blacklisting spews1,
china and korea), greylisting for everyone the first time, spamtraps
on my web page and in my sig file (email john -> instant
blacklisting), and the following postfix config mods:
# Postfix main.cf fragment (quoted-printable decoded; the original had the
# typo "stmpd_delay_reject", corrected to smtpd_delay_reject)
smtpd_delay_reject = yes
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client, permit
# smtpd_require_helo is not a documented Postfix parameter (Postfix logs it as
# unused); smtpd_helo_required below is the one that takes effect
smtpd_require_helo = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_client, permit
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_address, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unknown_client, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_client, permit
I can easily imagine dspam/crm114, a bottrap on the web site,
a CGI-BIN that generates a graphical email address instead of
having mailto links in the HTML, a decent web UI for whitelisting
and bypassing the various checks.
Plus I get a special feeling every time I waste a spammer's time:
spamd[6530]: 202.109.78.222: disconnected after 543 seconds. lists: china
Thoughts?
-- 
Kill dash nine, and it's no more CPU time, kill dash nine, and that
process is mine. -><- <URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email john@subspacefield.org.
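As an added example (not from the post above, and not spamd's or Postfix's own code), here is the blacklist / greylist / spamtrap decision logic the setup describes, written in Python with an in-memory state table. Addresses and the trap address are constructed, timestamps are plain seconds so the state machine can be driven without waiting, and the timing constants are this example's own choices (intended to mirror spamd's defaults of a 25-minute pass time, 4-hour grey expiry and 36-day white expiry).

```python
"""Greylisting + spamtrap policy in the style of the OpenBSD spamd setup
described above. Constructed example; not spamd's or Postfix's own code."""
import ipaddress

# Timing constants (assumed here; chosen to mirror spamd's documented defaults).
GREY_DELAY = 25 * 60            # a new triplet must wait this long before a retry passes
GREY_EXPIRE = 4 * 3600          # an entry that is never retried is forgotten after this
WHITE_EXPIRE = 36 * 24 * 3600   # a triplet that passed stays whitelisted this long

GREYLISTED = "450 4.2.0 greylisted, try again later"
BLACKLISTED = "550 5.7.1 blacklisted"
ACCEPT = "250 OK"


class GreyPolicy:
    """One decision per delivery attempt; all state is kept in memory."""

    def __init__(self, spamtraps, blacklist_nets=()):
        self.spamtraps = {a.lower() for a in spamtraps}              # trap recipients
        self.blacklist_nets = [ipaddress.ip_network(n) for n in blacklist_nets]
        self.blacklisted_ips = set()   # hosts that mailed a spamtrap
        self.grey = {}                 # (ip, sender, rcpt) -> first seen
        self.white = {}                # (ip, sender, rcpt) -> last seen

    def _is_blacklisted(self, ip):
        return ip in self.blacklisted_ips or any(ip in net for net in self.blacklist_nets)

    def decide(self, client_ip, sender, recipient, now):
        ip = ipaddress.ip_address(client_ip)
        sender, recipient = sender.lower(), recipient.lower()
        if self._is_blacklisted(ip):
            return BLACKLISTED
        if recipient in self.spamtraps:
            # "email john -> instant blacklisting": remember the host and drop
            # anything it had pending or whitelisted.
            self.blacklisted_ips.add(ip)
            self.grey = {k: v for k, v in self.grey.items() if k[0] != ip}
            self.white = {k: v for k, v in self.white.items() if k[0] != ip}
            return BLACKLISTED
        key = (ip, sender, recipient)
        if key in self.white and now - self.white[key] <= WHITE_EXPIRE:
            self.white[key] = now
            return ACCEPT
        first = self.grey.get(key)
        if first is None or now - first > GREY_EXPIRE:
            self.grey[key] = now          # first sighting: temp-fail, real MTAs retry
            return GREYLISTED
        if now - first < GREY_DELAY:
            return GREYLISTED             # retried too soon; keep it waiting
        del self.grey[key]                # waited long enough: promote to whitelist
        self.white[key] = now
        return ACCEPT


def demo():
    # Constructed hosts from documentation ranges; the spamtrap address is made up.
    p = GreyPolicy(spamtraps={"john@mail.example"}, blacklist_nets=["203.0.113.0/24"])
    t = 0
    return [
        p.decide("203.0.113.9", "a@b.example", "me@mail.example", t),          # on a list
        p.decide("198.51.100.7", "a@b.example", "me@mail.example", t),         # first try
        p.decide("198.51.100.7", "a@b.example", "me@mail.example", t + 60),    # too soon
        p.decide("198.51.100.7", "a@b.example", "me@mail.example", t + 1800),  # passes
        p.decide("198.51.100.7", "a@b.example", "me@mail.example", t + 86400), # whitelisted
        p.decide("198.51.100.9", "x@y.example", "john@mail.example", t),       # hits the trap
        p.decide("198.51.100.9", "x@y.example", "me@mail.example", t),         # now blacklisted
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The triplet key (client IP, envelope sender, recipient) is what makes greylisting cheap: a spam cannon that never retries the same triplet never gets through, while a conforming MTA pays one retry delay per new correspondent and is then whitelisted.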