
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]



On Tue, May 07, 2002 at 07:09:09PM +1000, Russell Coker wrote:
> On Tue, 7 May 2002 18:41, Craig Sanders wrote:
> > yes, you have missed it because i've mentioned it several times in this
> > thread.  here it is spelt out so that even you or jason should be able
> > to understand it:
> >
> > 1. is the site an open relay?
> 
> Most people here agree on this, but you'll still see some debate,
> particularly about the distinction between relays that are merely open
> and relays that have been actively abused.  Some people think that we
> shouldn't block an open relay until it's spammed us.

it makes little difference.  an open relay is an open relay whether
spammers have found it yet or not.  it's only a matter of time.  here's
an experiment for you - put a mail server on the net, on a
never-used-before IP address.  don't point any A or MX records at it or
advertise it in any way.  time how long it takes before it receives the
first relay attempt - it'll be less than 1 day.

run squid and/or socks on the same box.  see how long it takes for
spammers to attempt to exploit them.  again, it will be less than a day
because the same scripts that search for SMTP open relays also search
for misconfigured wingate, socks, squid, and other abusable services.



and who is "us"?  if i have to wait until an open relay has spammed me,
then that means i can only use an RBL run by me....which defeats the
purpose of RBLs.


> > 2. is the site a spam source?
> 
> What is a "spam source"?  If one of your customers suddenly starts
> sending out spam does that make you a spam source?  

if you don't take action within a reasonable time (i.e. within a week or
so) to stop it then you are a spam source.

you can quibble about the definition of "reasonable time" but it's
certainly less than 2 weeks.  anyone who hasn't taken action in that
time is not going to - either because of incompetence or because they
actively support spam.

> What if they do it just after the chief admin has gone on holidays and
> the junior people make spam blocking a low priority?

clueless is clueless whether it's temporary or permanent.  blacklisting
might teach junior admins the importance of anti-spam measures.  if not,
then it solves the problem anyway by blocking spam from their mismanaged
systems.

> > 3. does the site host any spamvertised sites?
> 
> That is not inherently wrong.  If someone who is paying one of my
> clients for legitimate web serving and spamvertises it through another
> ISP then I won't immediately take the site down.  Firstly it's an
> issue for the other ISP to stop the spam being sent.  Then I have to
> be convinced that the spam was sent out by the owner of the site
> before I will consider taking it down (otherwise if you don't like a
> site you can spamvertise it to get it taken down).

it is inherently wrong.

yes, you need to check whether your customer sent the spam or if they
are the victim of a joe-job.  if they did send the spam then give them a
warning or terminate their account (depending on whether it's a repeat
offence or not).

if you, as the spammer's ISP, don't take decisive action to stop spam
from your customers then you WILL and SHOULD pay the price for that in
ostracism by other ISPs and mail servers.  your customers are your
responsibility.



> > 4. does the site provide any other spam support services?
> 
> OK, but that's difficult to determine.

that's why all of the above criteria except for open relay tests (which
CAN be automated 100% reliably) require human decision making, not idiot
automation.


craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
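The open-relay check that the message above says can be automated is, at bottom, a short SMTP dialogue: connect, EHLO, give a MAIL FROM at a domain the target does not host, then ask for a RCPT TO at another foreign domain and look at the reply code. A 250 means the server will relay; a 5xx means it will not. The following is an added example, not code from the original post and not part of rblsmtpd or Spamassassin. To keep it runnable offline it starts its own toy SMTP server on 127.0.0.1 (one configured as an open relay, one that only accepts its hypothetical local domain example.net); the addresses probe@example.org and victim@example.com are likewise made up for the example. The probe stops after RCPT TO and never sends DATA, so even against a genuinely open relay no message is actually relayed.

```python
import socket
import socketserver
import threading

# --- Constructed toy SMTP server, only so the probe has something to talk to ---

class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: banner, EHLO/HELO, MAIL, RCPT, QUIT."""
    local_domain = "example.net"   # hypothetical domain this server hosts
    open_relay = False             # True: accept RCPT TO for any domain

    def handle(self):
        self.wfile.write(b"220 mx.example.net ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250 mx.example.net\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 OK\r\n")
            elif verb == "RCPT":
                parts = cmd.split(":", 1)
                addr = parts[1].strip().strip("<>") if len(parts) > 1 else ""
                domain = addr.rsplit("@", 1)[-1].lower()
                if self.open_relay or domain == self.local_domain:
                    self.wfile.write(b"250 OK\r\n")
                else:
                    self.wfile.write(b"554 5.7.1 Relay access denied\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 Command not recognised\r\n")


def start_fake_server(open_relay):
    """Start a toy server on an ephemeral loopback port; return (server, port)."""
    handler = type("Handler", (_FakeSMTPHandler,), {"open_relay": open_relay})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


# --- The actual open-relay probe ---

def _smtp_reply(f):
    """Read one SMTP reply (multi-line replies use 'NNN-'); return its code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3:4] != b"-":
            return int(line[:3])


def probe_open_relay(host, port, from_addr="probe@example.org",
                     to_addr="victim@example.com", timeout=10):
    """Return True if the server accepts RCPT TO for a domain it does not host.

    Both from_addr and to_addr must be at domains the target is NOT
    responsible for; otherwise a 250 only means local delivery, not relaying.
    No DATA is sent, so nothing is relayed even when the answer is True.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")

        def cmd(text):
            s.sendall(text.encode("ascii") + b"\r\n")
            return _smtp_reply(f)

        if _smtp_reply(f) != 220:
            raise RuntimeError("no SMTP banner")
        if cmd("EHLO probe.example.org") != 250:
            raise RuntimeError("EHLO rejected")
        if cmd(f"MAIL FROM:<{from_addr}>") != 250:
            raise RuntimeError("MAIL FROM rejected")
        rcpt_code = cmd(f"RCPT TO:<{to_addr}>")
        cmd("QUIT")
        return rcpt_code == 250


def check_both():
    """Probe an open and a closed toy server; return (open_result, closed_result)."""
    results = []
    for is_open in (True, False):
        srv, port = start_fake_server(is_open)
        try:
            results.append(probe_open_relay("127.0.0.1", port))
        finally:
            srv.shutdown()
            srv.server_close()
    return tuple(results)


if __name__ == "__main__":
    open_result, closed_result = check_both()
    print("open relay server flagged:", open_result)      # True
    print("closed relay server flagged:", closed_result)  # False
```

Against a real host you would call probe_open_relay with its MX on port 25 and addresses at domains you control, so that a server which accepts the RCPT and only bounces later still sends the bounce somewhere you can see it; a server that accepts everything at RCPT TO and silently discards foreign mail afterwards will look open to this probe, which is the usual reason a RCPT-only test is followed up by a real test message sent to an address you own.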

