
Re: smtp time spam filtering



On Thu, 2007-02-22 at 16:38 +0000, David Hart wrote:
> On Thu 2007-02-22 10:33:34 -0500 Greg Folkert wrote:
> > 
> > The real problem I see now, is SPAM zombies delivering mail to the ISP
> > mail server, then it becomes RFC-822 compliant. I fix that by slowing
> > down the conversation in the beginning by using SA-Exim which scans for
> > SPAM at SMTP time. If it detects SPAM, it rejects... or then drops if
> > the sending server doesn't comply with the conversation rules.
> 
> If ISPs are allowing much spam through their servers then they're
> going to get blacklisted pretty quickly.  Most spam I've sampled lately
> appears to come directly from compromised end user boxes and the rest I
> haven't been able to identify.

Why do you think my inside contact in Atlanta at Cox is spending more on
outgoing than incoming? Cox still has a bad name for SPAM though. Heck,
even AOL spending many times what Cox spends hasn't bettered its name.
AOL has resorted to drastic policy measures. Even with SPF or Domain
Keys, a valid MX/SPF/Domain Keys record(s) that is in a Dynamic "range"
of IP addresses is rejected with a 554. In fact the greeting says this:

        220-America Online (AOL) and its affiliated companies do not
        220-     authorize the use of its proprietary computers and computer
        220-     networks to accept, transmit, or distribute unsolicited bulk
        220-     e-mail sent from the internet.  Effective immediately:  AOL
        220-     may no longer accept connections from IP addresses which
        220      have no reverse-DNS (PTR record) assigned.

As you can see, they now also do the no PTR thinger.

> I can't see any advantage in scanning during smtp connect time.
> By the time you've got the DATA you've used up the bandwidth and might
> as well accept it.

Not really, I've got usage data dating back to Sasser. Significantly
lower bandwidth once I started using scanning and reject at SMTP time.

In fact today... just to see, I disabled SA-Exim. I've quadrupled the
amount of bandwidth my COLO provider has seen my machine use. I only
have 1TB a month. I'll let it go for a few days (through the weekend
when peaks are usually happening) to track overall usage.

>   It also doesn't scale well at the receiving end
> and hurts the good guys at the sending end by keeping the connection
> open for longer.

Without SA-Exim the average message right now is taking ... 3 seconds on the
connection. I run my own DNS on the machine and it uses it, falls back
on my secondary service provided by dyndns.org (which is
$14.95US/year/domain and well worth it).

With SA-Exim, since no remote checks are made... ~4 seconds. Exim
handles multiple connections at a time (greater than I have ever seen,
even during Sasser's peak)... Spamassassin (on this box) has 20
children, possible. Usually 5 (the minimum) are on, 3-4 idle.

So, the difference is 1.5 seconds. Better that than a teergrube, or
even worse a Challenge-Response system.

> > Again, I know I am breaking RFC compliance by rejecting at SMTP time.
> > Once again though, I have reduced my traffic a hundred fold, from SPAM.
> 
> What RFC is it breaking?  Not that I really care.  If it's my server
> I'll accept or reject mail from whoever I want to.  I do keep postmaster
> open though, for any problems.

Of course, postmaster and abuse are required. Unfortunately many, many
sites/companies do not even have them set up.

> > Yes, I also know I use my e-mail address publicly and scraper-bots find
> > my e-mail all the time. I just deal with the SPAM.
> 
> That's my attitude too.  I have always refused to obfuscate my email
> address.  Doing so would feel too much like giving in.

Agreed, I can't stand people complaining about SPAM without
understanding the tools that are available to realistically deal with
HUGE amounts.

> > My last problem is how-to whitelist murphy.debian.org, but still reject
> > SPAM that gets through the Debian SPAM traps... I used to not whitelist
> > murphy, but that got me auto-unsub'd from (most) Debian lists I
> > subscribe to, for "bouncing" the SPAM.
> 
> This is an example of hurting the good guys.  I think once you've
> got past the RCPT TO: you might just as well accept the email and
> deal with it later.

I already have whitelisted it, and therefore even SPAM that gets through
murphy's setup now, since the whitelist gives a -100 score added to the
spam score, gets through my stuff too.

> > I guess it is a fine, fine line.
> 
> We have to deal with the world as we find it, not as we'd like it to be.

Indeed. Like I typed, a fine, fine line.
-- 
greg, greg@gregfolkert.net

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup
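Added example, not code from this thread or from Exim/SA-Exim: a small Python model of the SMTP-time policy described above. It refuses a client at connect time when it has no PTR record (the AOL banner behaviour), and after DATA combines a content-scanner score with a per-host whitelist offset (the -100 given to murphy.debian.org) and answers with a 550 instead of accepting and bouncing later. The reverse-DNS table, the IP addresses, the scores and the 5.0 threshold are all constructed for the demo; the reply formatter follows the `220-`/`220 ` continuation convention visible in the quoted greeting.

```python
"""Model of SMTP-time accept/reject policy (added example, assumptions marked)."""
from dataclasses import dataclass
from typing import Optional

# Constructed reverse-DNS table standing in for real PTR lookups so this runs offline.
# The mapping of murphy.debian.org to a documentation address is an assumption.
PTR_TABLE = {
    "203.0.113.10": "mail.example.net",   # ordinary relay that has a PTR
    "198.51.100.7": "murphy.debian.org",  # constructed address for the list host
    # 192.0.2.55 is deliberately absent: a host with no reverse DNS
}

# Score offsets for whitelisted hosts; -100 mirrors the value used in the post.
WHITELIST_OFFSET = {"murphy.debian.org": -100.0}

SPAM_THRESHOLD = 5.0  # assumed scanner threshold, in SpamAssassin-style points


@dataclass
class Verdict:
    stage: str    # "connect" (before greeting) or "data" (after the message body)
    code: int     # SMTP reply code returned to the sending host
    message: str


def lookup_ptr(ip: str) -> Optional[str]:
    """Reverse-DNS lookup against the constructed table (no network access)."""
    return PTR_TABLE.get(ip)


def format_reply(code: int, lines: list) -> str:
    """Render a multi-line SMTP reply: 'code-' on continuation lines, 'code ' on the last."""
    out = []
    for i, text in enumerate(lines):
        sep = " " if i == len(lines) - 1 else "-"
        out.append(f"{code}{sep}{text}\r\n")
    return "".join(out)


def connect_policy(ip: str) -> Verdict:
    """Before HELO: refuse hosts with no PTR, as the quoted AOL greeting announces."""
    if lookup_ptr(ip) is None:
        return Verdict("connect", 554, "no reverse-DNS (PTR record) assigned")
    return Verdict("connect", 220, "ready")


def data_policy(ip: str, content_score: float) -> Verdict:
    """After DATA: add the whitelist offset to the scanner score and reject if still spammy."""
    host = lookup_ptr(ip)
    score = content_score + WHITELIST_OFFSET.get(host, 0.0)
    if score >= SPAM_THRESHOLD:
        # Rejecting here means the sender gets the 550 and no bounce is generated later.
        return Verdict("data", 550, f"rejected as spam (score {score:.1f})")
    return Verdict("data", 250, f"accepted (score {score:.1f})")


def handle_session(ip: str, content_score: float) -> Verdict:
    """Run the connect-time check first; only reachable hosts get as far as DATA."""
    verdict = connect_policy(ip)
    if verdict.code != 220:
        return verdict
    return data_policy(ip, content_score)


if __name__ == "__main__":
    # Constructed sessions: a PTR-less zombie, a spammy relay, the same spam via the list host.
    for ip, score in [("192.0.2.55", 0.0), ("203.0.113.10", 8.2), ("198.51.100.7", 8.2)]:
        v = handle_session(ip, score)
        print(f"{ip:>14}  {v.stage:<7} {v.code} {v.message}")
    print(format_reply(220, ["example.net ESMTP", "policy: PTR required"]), end="")
```

The third session shows the trade-off Greg describes: a message scoring 8.2 is refused from an ordinary relay but accepted from the whitelisted list host, since the -100 offset pulls it below the threshold and so nothing gets bounced back at the list server.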
