
Re: Unusual spam recently - hummm



Quoting s. keeling (keeling@spots.ab.ca):

> I actually meant the typical "worst practices" for which spammers are
> so well known.  Spammers use these things to avoid detection.  Average
> users do them without even realizing it.

Thanks for clarifying.

Yes, this is an excellent point:  Spammers lean towards the dodgy side
of mail standards in order to better avoid being tracked down and for
other reasons.  Reasserting control of the SMTP stream is going to
require enforcing RFC requirements that have traditionally been laxly
applied, and also enforcing a couple of other standards that are
currently de-facto.

This will entail temporary problems for sites and users that have become
dependent on badly set up MUAs and MTAs -- in exactly the same way they
used to be with open relays.  

One can pretend that the matter's open for debate, but that would be a
waste of time:  It's happening.

> For instance, Alvin automatically deep-sixes html mail.

Noted.  The practice strikes me as a bit silly.  Moreover (if I
understand your recounting of that policy), unlike with SMTP-time
rejection, the sending MTA receives no indication of refused delivery --
a bad thing.  Oh well.  Not my problem.

> > 2.  Most silly things legitimate mail does can be accommodated by an
> >     efficient antispam regime; a few cannot.  Remember the screams
> >     of outrage when people started being told "You shouldn't run 
> >     open relays any more?"  We're entering another round of that.
> 
> Immaterial, I know, but last time I looked Gilmore was still fighting
> that one.  :-)

My point, of course, was to compare that transition with the current
one.  (And, yeah, sorry, John, but you lose.  ;->  )

[HTML mail:]

> No, it was just an example since Alvin mentioned it.  I don't see much
> point in html mail but the headhunters who send me job offers appear
> to like it, so I have to find a way to accept it in an inoffensive (to
> me) manner.

Using a suitable mailcap does the trick for me.  If you're having to 
do post-MDA filtering based on content (such as discarding HTML mail),
that means that your primary mail-handling is failing to do the job,
earlier in the process.

People who put significant stock in content-based filtering are pursuing
a losing antispam strategy.  They'll probably figure that out by
themselves, eventually.  In either case, not my problem.

> > And another fine, ruddy herring!  Delicious, thanks.
> 
> Uhh, what?  My original starting point in all this was to find out if
> Alvin's suggestions had merit.  

Oh, sorry:  I actually didn't see Alvin's post, having been a bit busy
today.  Accordingly, I was responding to yours.

A "What's spam" discussion struck me as irrelevant to the point I was
discussing with you -- so thank you for explaining where it came from.
(You're welcome to have that other conversation with Alvin, of course.)

> Following on that, what would it take to implement them?  My favourite
> admin is loath to do _anything_ that could cause his users to
> complain of lost mail.  How he cuts out the %60-%80 of crap without
> causing a riot is all I wanted to know.

A good point.  It's unfortunate that so many mail admins, especially
corporate ones, are obliged to resort to that sort of doublespeak.

Anyhow, although I don't have Alvin's list of suggestions, I do have my
own:

o  Do all possible detection and rejection at SMTP time.
o  Use MTA ACLs (preferably using Exim 4.x's extremely cool callout
   interface) to test for RFC-compliance and to check SPF records.
o  Season with punitive teergrubing, to taste.  ;->
o  Help advance the state of the art by introducing SRS rewriting
   for any required forwarding, using SMTP AUTH, etc.

> BTW, regarding "2." above.  Remember the days when there was such
> reticence on the part of Sendmail's maintainers to actually change
> Sendmail to comply with RFCs?  It was pretty well a given then that
> doing so would turn half the planet dark overnight because so many
> admins were still running Sendmail versions that had been obsoleted
> years before.
> 
> Ah, those were the days.  :-P

Yes, indeed!

http://linuxmafia.com/pub/humour/500-mile-e-mail

-- 
Cheers,                    Remember:  The day after tomorrow is the third day
Rick Moen                  of the rest of your life.
rick@linuxmafia.com
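
[Added example, not part of the original message or of any Exim-supplied file: a sketch of how the suggestions listed above (SMTP-time rejection, sender callout, SPF check, a delay on rejection) can look as an Exim 4 ACL fragment. It assumes an Exim build with SPF support; the list definitions, delay values and messages are illustrative.]

```exim
# Added example -- main section (list contents are placeholders)
domainlist local_domains    = @
hostlist   relay_from_hosts = 127.0.0.1
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Local submission (empty host) and hosts we relay for are not tested.
  accept  hosts         = : +relay_from_hosts

  # Clients that used SMTP AUTH are accepted as submitters.
  accept  authenticated = *

  # SPF: refuse at SMTP time when the sender domain's record says "fail".
  # The delay follows the condition, so only failing clients are stalled.
  deny    message       = $sender_host_address is not permitted to send \
                          for $sender_address_domain
          spf           = fail
          delay         = 20s

  # Callout: ask the sender domain's MX whether the envelope sender exists.
  deny    message       = Sender address could not be verified
          !verify       = sender/callout=30s
          delay         = 20s

  # Only our own domains, and only recipients that actually route.
  require message       = relay not permitted
          domains       = +local_domains
  require verify        = recipient
  accept

acl_check_data:
  # RFC 2822 header syntax check; the 5xx reply is given before the
  # message is accepted, so the sending MTA learns of the refusal.
  deny    message       = Message headers are syntactically invalid
          !verify       = header_syntax
  accept
```

Because every refusal here is an SMTP 5xx response, the sending MTA is told about it and can bounce to its own user, unlike discarding after delivery.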


