
Spam - share current experience, please?


Steve L

unread,
Jan 13, 2003, 6:19:34 PM1/13/03
to
Hi,
I'm involved in providing the central mail gateway services for a network of
around 7500 users. Spam's always been around, but a few months ago it began
getting significantly worse. Today, it's getting to be a real problem.

In the past, I've tended to think that the people getting the spam had
brought it on themselves, by injudicious use of Usenet postings or
discussion boards or the like. I had to admit to myself today, though,
looking at the latest batch of complaints from users, that this isn't always
the case.

I can't work out where their addresses have been harvested from. I can't
believe they've been caught by a dictionary attack, either - we'd surely see
a huge number of failed emails in the Sendmail logs. Does anyone have any
ideas? I'm getting a bit paranoid, and thinking perhaps somewhere in our
networks there's been a leak - or perhaps someone's passed our directory out
somehow.

For a large network, as well, I'm not comfortable that a mail filtering
solution for Spam is viable. We do a bit of filtering with the content
management system we use for mail, but there's a fine line between stopping
spam and stopping legitimate email - and we can't afford to stop many of
those, if any!

Comments or suggestions, anyone?

Steve

Stephen M. Dunn

unread,
Jan 13, 2003, 7:35:48 PM1/13/03
to
In article <avvh6m$dbi$2$8300...@news.demon.co.uk> "Steve L" <n...@the.moment.ta> writes:
$In the past, I've tended to think that the people getting the spam had
$brought it on themselves, by injudicious use of Usenet postings or
$discussion boards or the like.
[...]
$I can't work out where their addresses have been harvested from. I can't
$believe they've been caught by a dictionary attack, either - we'd surely see
$a huge number of failed emails in the Sendmail logs.

I've been managing mail servers for small-to-medium companies for
several years, and the addresses on most of the spam I've seen have
been:
- harvested from Web sites (relatively uncommon - my cat's email address
occasionally gets spam, and the only place that address is published
is on his Web page)
- harvested from domain name registries (dunno if this is a problem with
recent registrations; this was quite common in the late 1990s)
- harvested from Usenet postings
- generic aliases like sales, webmaster, and info
- dictionary attacks - many times I've seen a remote site connect and
try emailing to dozens upon dozens of addresses, most of which are
names of people who don't exist and have never existed in that mail
server's domain(s). But if you're logging failed attempts and
not seeing this, then this probably isn't what's hitting you.

$ I'm getting a bit paranoid, and thinking perhaps somewhere in our
$networks there's been a leak - or perhaps someone's passed our directory out
$somehow.

Possible, but probably not likely.

Do you have a directory of email addresses on your company's
Web site? Or the email addresses of key executives, sales reps,
product managers, etc. on the Web pages pertaining to their jobs?

$For a large network, as well, I'm not comfortable that a mail filtering
$solution for Spam is viable. We do a bit of filtering with the content
$management system we use for mail, but there's a fine line between stopping
$spam and stopping legitimate email - and we can't afford to stop many of
$those, if any!

It's a very tough line, and you'll never get the balance set up so
that it satisfies everyone. My usual approach is to offer a
choice: I'll put in a reasonable filter that will block most spam
but occasionally block a legitimate email, and you can then tell
me to exempt various addresses that you care about; or no filtering
at all, so you know you get all your email but you also get no
protection from spam. This works well in a smaller organization
but would be a nightmare to manage if your user community numbers
in the thousands.

All I can suggest is that you get involvement from outside the
IT department when you're trying to make this decision. Meet with
some key representatives from your user community; present them with
the problem, the possible solutions, and the drawbacks; and ask
them to discuss it within their departments and give you some
feedback on where they think the line should be drawn. This helps
you target your efforts to meeting their needs, and also covers
your @$$ if, somewhere down the line, someone complains that an
important email was rejected - "Well, we sat down to discuss
this, and you said that you were aware of this risk but felt
that it was a reasonable risk to take."
--
Stephen M. Dunn <ste...@stevedunn.ca>
>>>----------------> http://www.stevedunn.ca/ <----------------<<<
------------------------------------------------------------------
Say hi to my cat -- http://www.stevedunn.ca/photos/toby/
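Stephen's test for a dictionary attack, a run of failed recipients from one remote host in the Sendmail log, is easy to automate. The script below is an added example, not code from any poster: it parses sendmail `check_rcpt` "User unknown" rejects and flags any relay that hits a threshold of unknown recipients inside a sliding window. The log lines, addresses and threshold are constructed, and the line format is approximated from sendmail's reject logging, so adjust the regex to your own syslog output.

```python
"""Spot dictionary-attack sources in sendmail 'User unknown' rejects."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real traffic. Their shape approximates
# sendmail's check_rcpt reject logging; the relay IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 13 18:02:11 mailgw sendmail[4121]: h0DN2BAb004121: ruleset=check_rcpt, arg1=<aaron@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <aaron@example.org>... User unknown
Jan 13 18:02:12 mailgw sendmail[4121]: h0DN2BAb004121: ruleset=check_rcpt, arg1=<abby@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <abby@example.org>... User unknown
Jan 13 18:02:12 mailgw sendmail[4121]: h0DN2BAb004121: ruleset=check_rcpt, arg1=<adam@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <adam@example.org>... User unknown
Jan 13 18:02:13 mailgw sendmail[4121]: h0DN2BAb004121: ruleset=check_rcpt, arg1=<alan@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <alan@example.org>... User unknown
Jan 13 18:02:14 mailgw sendmail[4121]: h0DN2BAb004121: ruleset=check_rcpt, arg1=<alex@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <alex@example.org>... User unknown
Jan 13 18:05:40 mailgw sendmail[4130]: h0DN5eAb004130: ruleset=check_rcpt, arg1=<jsmtih@example.org>, relay=mail.partner.example [198.51.100.7], reject=550 5.1.1 <jsmtih@example.org>... User unknown
Jan 13 18:06:02 mailgw sendmail[4133]: h0DN62Ab004133: from=<alice@partner.example>, size=1320, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.partner.example [198.51.100.7]
"""

REJECT_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"\S+: ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?:\S+ )?\[(?P<ip>[^\]]+)\], reject=550 5\.1\.1 .*User unknown$"
)


def parse_rejects(text, year):
    """Return (timestamp, relay_ip, recipient) for every unknown-user reject.

    Syslog lines carry no year, so the caller supplies it.
    """
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # deliveries and other rulesets are not of interest here
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["rcpt"].lower()))
    return events


def peak_rejects_per_relay(events, window_seconds=300):
    """Largest number of rejects one relay produced inside any single window."""
    by_ip = defaultdict(list)
    for ts, ip, _rcpt in events:
        by_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted times
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def suspected_dictionary_attacks(text, year=2003, threshold=5, window_seconds=300):
    """Relays that hit `threshold` unknown recipients within `window_seconds`."""
    peaks = peak_rejects_per_relay(parse_rejects(text, year), window_seconds)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    print(suspected_dictionary_attacks(SAMPLE_LOG))   # ['192.0.2.10']
```

A single mistyped address from a partner's MTA stays below the threshold, which is the distinction Stephen draws between a typo and a probe.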

Kirsten Smith

unread,
Jan 13, 2003, 8:43:06 PM1/13/03
to
On Tue, 14 Jan 2003, Stephen M. Dunn <ste...@bokonon.stevedunn.ca> wrote:
> $I can't work out where their addresses have been harvested from. I can't
> $believe they've been caught by a dictionary attack, either - we'd surely see
> $a huge number of failed emails in the Sendmail logs.

Not necessarily.

Could you have been finger scanned?

Is your naming convention and/or employees' names that unusual that
it's unbelievable that sophisticated spamware could not have a high
success rate? I get spam to an email address that I know is published
virtually nowhere.

> I've been managing mail servers for small-to-medium companies for
> several years, and the addresses on most of the spam I've seen have
> been:

<snip>

And also email worms. Even if there have been none on your network, you
have 7,500 users and even if each of their addresses is only in 5 other
people's address books, that's 37,500 email clients, over which you have
no knowledge or control, who could unwittingly be passing on your users'
addresses.

I would suggest you try something like SpamAssassin rather than the
RBL route.

And just out of interest - why sendmail? :-)

--
Good friends help you move house.
Best friends help you move bodies.
kirsten (at) fqdn (dot) net
http://www.harlots.org.uk/

Row

unread,
Jan 13, 2003, 11:12:33 PM1/13/03
to
On 14 Jan 2003 01:43:06 GMT, Kirsten Smith <bl...@nospam.com> wrote:

> I get spam to an email address that I know is published
>virtually nowhere.

"Virtually" ?

Kirsten Smith

unread,
Jan 14, 2003, 5:12:19 AM1/14/03
to

Igor Dombrovan [958160823]

unread,
Jan 14, 2003, 5:20:38 AM1/14/03
to
> For a large network, as well, I'm not comfortable that a mail filtering
> solution for Spam is viable. We do a bit of filtering with the content
> management system we use for mail, but there's a fine line between
> stopping spam and stopping legitimate email - and we can't afford to stop
> many of those, if any!
One way would be to create for every user an IMAP subfolder called SPAM and
store all mail tagged as spam there. You don't get rid of spam but you get
some kind of control over it.

Igor


David F. Skoll

unread,
Jan 14, 2003, 8:23:22 AM1/14/03
to
Steve L wrote:

> For a large network, as well, I'm not comfortable that a mail filtering
> solution for Spam is viable. We do a bit of filtering with the content
> management system we use for mail, but there's a fine line between
> stopping spam and stopping legitimate email - and we can't afford to stop
> many of those, if any!

Please see http://www.canit.ca/, especially the CanIt-PRO section.

--
David.

Andrew Butchart

unread,
Jan 14, 2003, 8:55:24 AM1/14/03
to
I've always found other's complaints about spam interesting because it
doesn't seem to be too much of a problem for me here and I do all of the
'bad' things; posting my email address on Usenet, having it on my web page
etc. I've been doing this for years as well so any harvesting engine would
have found me several times by now.

My entire domain (you can't tell from outside that the company is 4 people
and 3 cats) gets about 30 pieces of spam / day. Most of this is in Korean
so I have a rule on my mail server to filter that to a null account based on
the language specified in the content-type header. I also pick up
everything that is not explicitly routed to a known user and route it to the
null account as well. This lets about 3 or 4 pieces of spam through per day
which is something that I can deal with pretty easily.

--
Andrew Butchart
and...@abutchartconsulting.com
http://www.abutchartconsulting.com/botdocs/ - Shareware SMTP/POP3 Server

"Steve L" <n...@the.moment.ta> wrote in message
news:avvh6m$dbi$2$8300...@news.demon.co.uk...



Mark Crispin

unread,
Jan 14, 2003, 11:21:25 AM1/14/03
to
On Tue, 14 Jan 2003, Andrew Butchart wrote:
> My entire domain (you can't tell from outside that the company is 4 people
> and 3 cats) gets about 30 pieces of spam / day.

My privately-owned domain gets hundreds of spams each day, and my email
address at UW gets another hundred or so spams and viri each day.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.

Eric A. Hall

unread,
Jan 14, 2003, 1:03:08 PM1/14/03
to

I get spam on machine accounts in my lab. AFAIK, these accounts and
hostnames have never been published anywhere.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/

Thor Kottelin

unread,
Jan 14, 2003, 3:41:14 PM1/14/03
to

Steve L wrote:

> I can't work out where their addresses have been harvested from.

Please see <URL:http://www.private.org.il/harvest.html>.

Thor

--
http://thorweb.anta.net/OH2GDF PGP public key available

"Women should always wear tight clothes, and men should
carry powerful handguns." - Calvin (by Bill Watterson)

Steve L

unread,
Jan 14, 2003, 5:31:57 PM1/14/03
to
Thanks for all the useful replies - it's been very helpful.

I don't believe any of the suggestions about mail lists, finger scanning or
whatever apply to us - we've been very careful.

The thought about viruses being responsible for "leakage" of addresses from
infected users who have our people in their address books is one we hadn't
thought of, but seems blindingly obvious. It also isn't in any of the texts
I've seen on address harvesting.

If that's true, it means nothing we can do will limit the availability of
our people's addresses for spamming. We therefore have to consider how we
respond to the menace. Engaging the business in making the decision (and
thus sharing negative aspects of the solution, like lost legitimate mails)
is a very sensible approach, which I started today. We'll look at better
filtering of the content, but also start to look at things like refusing
mail from hosts on IPs that are within modem pools of ISPs and other
measures we can incrementally apply to limit the misfiring of mail dropping.

Seriously, if the current trends continue, there will need to be a rethink
in the way we use mail, like requiring some kind of registration for mail to
be accepted, or using digital signatures.... I don't know, but something
radical. The only people that will profit from the evil spammers will be
suppliers of antispam software, in the same way that antivirus suppliers
profit from a totally negative and unnecessary problem.

*sigh*

Steve


"Steve L" <n...@the.moment.ta> wrote in message
news:avvh6m$dbi$2$8300...@news.demon.co.uk...

Thor Kottelin

unread,
Jan 14, 2003, 6:11:38 PM1/14/03
to

Steve L wrote:

> Seriously, if the current trends continue, there will need to be a rethink
> in the way we use mail, like requiring some kind of registration for mail to
> be accepted, or using digital signatures.... I don't know, but something
> radical. The only people that will profit from the evil spammers will be
> suppliers of antispam software, in the same way that antivirus suppliers
> profit from a totally negative and unnecessary problem.

You don't necessarily need separate anti-spam software. Good mail servers
support DNS-based blocking lists straight out of the box, and access to
those lists is usually free.

Alan Clifford

unread,
Jan 14, 2003, 7:31:50 PM1/14/03
to
On Mon, 13 Jan 2003, Steve L wrote:

SL> Hi, I'm involved in providing the central mail gateway services for a
SL> network of around 7500 users. Spam's always been around, but a few
SL> months ago it began getting significantly worse. Today, it's getting
SL> to be a real problem.
SL>
SL> In the past, I've tended to think that the people getting the spam had
SL> brought it on themselves, by injudicious use of Usenet postings or
SL> discussion boards or the like. I had to admit to myself today,
SL> though, looking at the latest batch of complaints from users, that
SL> this isn't always the case.
SL>

You are blaming the victim. Good grief.


SL> I can't work out where their addresses have been harvested from.

Try a google on the addresses.


SL> For a large network, as well, I'm not comfortable that a mail filtering
SL> solution for Spam is viable.

SL> Comments or suggestions, anyone?


Don't filter out spam. Filter in non-spam. Only people in a list
of "good" people are allowed to email your users. Obviously, you should
offer this as an option to the users of the system rather than naively
implementing it yourself.


Alan


( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but a "tuna" will swim
right through. )

Alan Clifford

unread,
Jan 14, 2003, 7:31:52 PM1/14/03
to
On Tue, 14 Jan 2003, Mark Crispin wrote:

MC> On Tue, 14 Jan 2003, Andrew Butchart wrote:
MC> > My entire domain (you can't tell from outside that the company is 4 people
MC> > and 3 cats) gets about 30 pieces of spam / day.
MC>
MC> My privately-owned domain gets hundreds of spams each day, and my email
MC> address at UW gets another hundred or so spams and viri each day.
MC>

During the past couple of days, I have received 12 emails from
b...@boss.com. These were caught by a very simple spam rule and put in the
spam mailbox. But the irritating bit is that they are 91k in size and
cause a delay in downloading on a dialup.

David F. Skoll

unread,
Jan 14, 2003, 7:59:22 PM1/14/03
to
> During the past couple of days, I have received 12 emails from
> b...@boss.com. These were caught by a very simple spam rule and put in the
> spam mailbox. But the irritating bit is that they are 91k in size and
> cause a delay in downloading on a dialup.

Those were viruses. My e-mail filter rejects *.exe, *.pif, etc. so I would
normally never see them. However, some ISP is "clever" enough to strip
out the offending attachment, so I got a few blank e-mail from b...@boss.com
until I blacklisted that address.

I do this on my server, so there's no dial-up penalty.

--
David.

David F. Skoll

unread,
Jan 14, 2003, 8:06:10 PM1/14/03
to
Steve L wrote:

> The thought about viruses being responsible for "leakage" of
> addresses from infected users who have our people in their address
> books is one we hadn't thought of, but seems blindingly obvious. It
> also isn't in any of the texts I've seen on address harvesting.

Thank you, Microsoft.

> If that's true, it means nothing we can do will limit the availability of
> our people's addresses for spamming.

Right. Hiding your e-mail address is security through obscurity. Not
a long-term solution.

> We'll look at better
> filtering of the content, but also start to look at things like refusing
> mail from hosts on IPs that are within modem pools of ISPs and other
> measures we can incrementally apply to limit the misfiring of mail
> dropping.

There is a far simpler heuristic you can apply. Simply return an SMTP
temporary-failure code for unknown senders (where you keep track of
senders PER recipient.) This defeats about 40% of spamware out there.
(Obviously, you only send the tempfail code once. Otherwise, you'd
block valid senders.)

A very simple thing you could try is to publish three MX records. The
highest-priority and lowest-priority records are dummy machines that
always return a temporary failure code, and the middle one is the real
mail server. Again, that will stop a lot of spamware, but no
legitimate e-mail servers.

> Seriously, if the current trends continue, there will need to be a
> rethink in the way we use mail, like requiring some kind of
> registration for mail to be accepted, or using digital
> signatures.... I don't know, but something radical.

That won't work. The killer application of e-mail is for people you
don't know to get in touch with you. My business could not survive
if I couldn't easily be reached via e-mail. That was part of my
motivation in developing CanIt -- to keep e-mail useful for me.

> The only people
> that will profit from the evil spammers will be suppliers of
> antispam software, in the same way that antivirus suppliers profit
> from a totally negative and unnecessary problem.

To some extent, that's true. :-) However, viruses are far more easily
prevented than spam, so I think anti-spam solutions are more worthy
than anti-virus ones (but I'm biased...)

--
David.
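David's tempfail-for-unknown-senders heuristic is what is now usually called greylisting. The class below is an added illustration, not David's or CanIt's code: it tracks (client IP, sender, recipient) triplets, as standard greylisting does, which goes a little beyond the per-recipient description above by also enforcing a minimum retry delay; set `min_retry` to zero for the strict "tempfail only once" behaviour he describes. All addresses and times are constructed.

```python
"""Greylisting: defer mail from an unknown (client, sender, recipient) triplet."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    # A retry sooner than this is deferred again; zero gives the strict
    # "tempfail once" behaviour described in the post.
    min_retry: timedelta = timedelta(minutes=5)
    # A first attempt with no retry inside this window is forgotten.
    max_retry: timedelta = timedelta(hours=4)
    # Triplets that completed the retry are accepted immediately for this long.
    known_ttl: timedelta = timedelta(days=36)
    first_seen: dict = field(default_factory=dict)   # triplet -> first attempt
    known: dict = field(default_factory=dict)        # triplet -> last accepted

    def decide(self, client_ip, sender, recipient, now):
        """SMTP reply to give at RCPT TO for this attempt."""
        key = (client_ip, sender.lower(), recipient.lower())
        last = self.known.get(key)
        if last is not None and now - last <= self.known_ttl:
            self.known[key] = now            # refresh the auto-whitelist entry
            return ACCEPT
        first = self.first_seen.get(key)
        if first is None or now - first > self.max_retry:
            self.first_seen[key] = now       # first contact: defer and remember it
            return TEMPFAIL
        if now - first < self.min_retry:
            return TEMPFAIL                  # retried too eagerly; keep waiting
        del self.first_seen[key]             # a real MTA queued and came back
        self.known[key] = now
        return ACCEPT


def demo():
    """Constructed exchange: spamware fires once and never retries; a real
    MTA retries after fifteen minutes; a new recipient starts the dance again."""
    g = Greylist()
    t0 = datetime(2003, 1, 14, 20, 0, 0)
    return [
        g.decide("192.0.2.10", "deal@example.net", "alice@example.org", t0),
        g.decide("198.51.100.7", "bob@partner.example", "alice@example.org", t0),
        g.decide("198.51.100.7", "bob@partner.example", "alice@example.org",
                 t0 + timedelta(minutes=15)),
        g.decide("198.51.100.7", "bob@partner.example", "alice@example.org",
                 t0 + timedelta(hours=2)),
        g.decide("198.51.100.7", "bob@partner.example", "carol@example.org",
                 t0 + timedelta(hours=2)),
    ]


def demo_strict():
    """Same idea with min_retry=0: the very next attempt is accepted."""
    g = Greylist(min_retry=timedelta(0))
    t = datetime(2003, 1, 14, 21, 0, 0)
    return [
        g.decide("203.0.113.5", "x@example.com", "alice@example.org", t),
        g.decide("203.0.113.5", "x@example.com", "alice@example.org",
                 t + timedelta(seconds=10)),
    ]


if __name__ == "__main__":
    print(demo())         # [TEMPFAIL, TEMPFAIL, ACCEPT, ACCEPT, TEMPFAIL]
    print(demo_strict())  # [TEMPFAIL, ACCEPT]
```

The state must survive across SMTP sessions and be shared by every MX that accepts mail for the domain, otherwise a sender retrying against a different MX is deferred twice.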

David F. Skoll

unread,
Jan 14, 2003, 8:06:59 PM1/14/03
to
Thor Kottelin wrote:

> You don't necessarily need separate anti-spam software. Good mail servers
> support DNS-based blocking lists straight out of the box, and access to
> those lists is usually free.

DNS-based blacklists are either ineffective or over-zealous, in my
experience. I cannot take the risk of rejecting e-mail from a potential
client.

--
David.

Thor Kottelin

unread,
Jan 14, 2003, 8:14:58 PM1/14/03
to

"David F. Skoll" wrote:

> DNS-based blacklists are either ineffective or over-zealous, in my
> experience. I cannot take the risk of rejecting e-mail from a potential
> client.

The only method I know to have a false positive rate of zero is not to
reject any email at all, IOW eat your spam.

Kirsten Smith

unread,
Jan 14, 2003, 8:21:12 PM1/14/03
to
On Tue, 14 Jan 2003 22:31:57 -0000, Steve L <n...@the.moment.ta> wrote:
> I don't believe any of the suggestions about mail lists
How do you stop your users subscribing to mailing lists? How
do you know none of them 'sign' those online petitions or
forward chain mail?

> we've been very careful.

To be entirely honest, and without wanting to sound like a flame
that statement is not what I'd typically expect to hear from
someone who is extremely vigilant. Exploits come out everyday
and the people I know who I consider security experts are usually
the *least* sure. Paranoia and a little bit of doubt (enough to
make you go back and double check) are required.

It would appear (and I say appear because I don't know) that
none of these posts, or even the problem itself, have made
you audit your own systems again. Anyway, a little OT as the real
issue is what to do about it. I hope I haven't offended you
with these observations. No offence was intended :-)

> is a very sensible approach, which I started today. We'll look at better
> filtering of the content, but also start to look at things like refusing
> mail from hosts on IPs that are within modem pools of ISPs and other
> measures we can incrementally apply to limit the misfiring of mail dropping.

I really would advise against going the RBL route, or denying
connections like that. It's like using a sledgehammer to crack a nut.
You *will* end up blocking more legitimate mail than is worth it for the results
you see. You *will* one day annoy the wrong person, someone trying
to mail your CEO something important. You *will* be blocking mail
from innocent people who are simply using a smarthost to send their mail
that has been blacklisted because of someone else they have nothing to do
with. I have just left the systems department of a very large ISP, where I
had to deal with the problems that the over-zealous use of these
things cause.

We used Brightmail http://www.brightmail.com/ for our customers; it uses a
'honeypot' method for attracting spam, which is then analysed, and then
the rules are sent to your mail server.

The other thing we've used, with excellent results, was SpamAssassin.
It uses a scoring system based on several tests as
well as Vipul's Razor, a database of spam.
http://spamassassin.taint.org/
http://razor.sourceforge.net/

Best of luck with whatever you decide to go with
Kirsten

William Park

unread,
Jan 15, 2003, 12:08:29 AM1/15/03
to
Steve L <n...@the.moment.ta> wrote:
> Thanks for all the useful replies - it's been very helpful.
>
> I don't believe any of the suggestions about mail lists, finger scanning or
> whatever apply to us - we've been very careful.
>
> The thought about viruses being responsible for "leakage" of addresses from
> infected users who have our people in their address books is one we hadn't
> thought of, but seems blindingly obvious. It also isn't in any of the texts
> I've seen on address harvesting.
>
> If that's true, it means nothing we can do will limit the availability of
> our people's addresses for spamming. We therefore have to consider how we
> respond to the menace. Engaging the business in making the decision (and
> thus sharing negative aspects of the solution, like lost legitimate mails)
> is a very sensible approach, which I started today. We'll look at better
> filtering of the content, but also start to look at things like refusing
> mail from hosts on IPs that are within modem pools of ISPs and other
> measures we can incrementally apply to limit the misfiring of mail dropping.
>
> Seriously, if the current trends continue, there will need to be a rethink
> in the way we use mail, like requiring some kind of registration for mail to
> be accepted, or using digital signatures.... I don't know, but something
> radical. The only people that will profit from the evil spammers will be
> suppliers of antispam software, in the same way that antivirus suppliers
> profit from a totally negative and unnecessary problem.
>
> *sigh*

I get the feeling that email addresses are harvested from traffic to/from
large ISPs; that is, the ISPs themselves gather the data and sell it to the
spammers. I am particularly suspicious of large Korean ISPs.

--
William Park, Open Geometry Consulting, <openge...@yahoo.ca>
Linux solution for data management and processing.

Timo Salmi

unread,
Jan 15, 2003, 12:42:02 AM1/15/03
to
In article <avvh6m$dbi$2$8300...@news.demon.co.uk>,

Steve L <n...@the.moment.ta> wrote:
> I'm involved in providing the central mail gateway services for a network of
> around 7500 users. Spam's always been around, but a few months ago it began

> In the past, I've tended to think that the people getting the spam had


> brought it on themselves, by injudicious use of Usenet postings or

Addresses are obviously (also) automatically harvested from
WWW-pages using "crawlers".

> For a large network, as well, I'm not comfortable that a mail filtering
> solution for Spam is viable. We do a bit of filtering with the content

Spam filtering can and is typically set at two levels, system-wide
and individual. For example all our university's incoming email is
screened with a black list. This eliminates part, but not nearly all
the spam, because the sieve cannot be made too tight, for obvious
reasons.

The second level is what the users do. Most don't know how to fight
it and succumb to just a daily deletion of spam from their
mailboxes. Having a modicum of programming skills, I have a balanced
combination of three measures which effectively has made my own
mailbox spamfree. The inner level of my system is a whitelist
allowing my associates and contacts to get through without further
ado. On the outer level I have a further black list of my own. These
two measures are not alone sufficient. The core of my system is an
email autoresponder (for users/hosts others than in those two
groups). It automatically sends (from a null address) back my
simple, public email password which all the other emailers are
required to use on the subject line in order to reach me. My system
employs procmail and Bourne shell scripts. The huge disadvantage is
that this system is too involved for a non-experienced user. Other
than that it is the only system that I know of that effectively
stops ALL spam at an individual's level. The spam usually comes from
forged addresses, so a spammer most often won't see my response, and
that's that. Furthermore, since spamming is typically a huge mass
activity, the spammers do not have the time nor the resources to
keep track of my public email password, even if they got the
autoresponse. For me this combined solution is a must, since being
active on the net, as I see from my logs, a lot of spam comes my
way. More on my solution at

Foiling Spam with an Email Password System
http://www.uwasa.fi/~ts/info/spamfoil.html

Timo's procmail email filtering tips and recipes
http://www.uwasa.fi/~ts/info/proctips.html

All the best, Timo

--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Timo's FAQ materials at http://www.uwasa.fi/~ts/http/tsfaq.html

those who know me have no need of my name

unread,
Jan 15, 2003, 2:04:06 AM1/15/03
to
in comp.mail.misc i read:

>During the past couple of days, I have received 12 emails from
>b...@boss.com. These were caught by a very simple spam rule and put in the
>spam mailbox. But the irritating bit is that they are 91k in size and
>cause a delay in downloading on a dialup.

sobig virus.

--
bringing you boring signatures for 17 years

Dave Sill

unread,
Jan 15, 2003, 10:40:27 AM1/15/03
to
"Steve L" <n...@the.moment.ta> writes:

> Seriously, if the current trends continue, there will need to be a rethink
> in the way we use mail, like requiring some kind of registration for mail to
> be accepted, or using digital signatures.... I don't know, but something
> radical.

Something like TMDA, perhaps?

With TMDA, you have a whitelist and a blacklist. If you receive mail
from a blacklisted host or sender, it's rejected. Mail from
whitelisted hosts or users is automatically accepted. The trick is
what happens with mail from addresses that aren't on either list: TMDA
sends a message back to the sender, which they have to reply to in
order to confirm their address. This step weeds out 99.44% of spam,
which doesn't have a valid return address. In the unlikely event that
a spammer does confirm himself, you simply add him to your blacklist.
Optionally, TMDA can automatically add confirmed addresses to your
whitelist, so each sender only has to confirm once. TMDA also supports
"dated" addresses--which have a predetermined lifetime, and "sender"
addresses--which only accept messages from a particular sender.

It's free, of course, and it works with most Unix mailers. See
http://tmda.net/ for more info. Feel free to send me a test message.

--
Dave Sill Oak Ridge National Lab, Workstation Support
Author, The qmail Handbook <http://web.infoave.net/~dsill>
<http://lifewithqmail.org/>: Almost everything you always wanted to know.
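Timo's password autoresponder and Dave's description of TMDA are both challenge-response schemes: trusted senders pass, blacklisted ones are dropped, and a stranger has to do one extra thing before delivery. The code below is an added illustration of that triage (my own, not TMDA's and not Timo's procmail recipes): a whitelist, a blacklist, Timo's public subject-line password, and for everyone else a confirmation address bound to the sender and an expiry with an HMAC, in the spirit of TMDA's "dated" and "sender" addresses. It also refuses to challenge bounces and auto-submitted mail, a caveat neither post mentions: a challenge to the null sender or a forged address only produces loops and backscatter. The key, password, addresses and messages are all constructed.

```python
"""Whitelist, blacklist, subject password and confirmation challenge (illustrative)."""
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-example-key"   # hypothetical; never hard-code a real key
PASSWORD = "open-sesame"              # public subject-line password, Timo's scheme
WHITELIST = {"alice@partner.example"}
BLACKLIST = {"deal@example.net"}
CONFIRM_TTL = 3 * 24 * 3600           # confirmation addresses expire after three days
MY_USER, MY_DOMAIN = "steve", "example.org"

# Constructed sample messages.
STRANGER = """\
From: Carol <carol@example.com>
To: steve@example.org
Subject: Question about your gateway

Hello Steve, could you tell me which filter you settled on?
"""
WITH_PASSWORD = """\
From: dan@example.com
To: steve@example.org
Subject: open-sesame: meeting on Thursday

See you there.
"""
BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: steve@example.org
Subject: Undelivered Mail Returned to Sender

(the forged-sender bounce a challenge must never answer)
"""


def _sender(msg):
    """Envelope sender if recorded, else From; '' for the null reverse path."""
    return parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1].lower()


def _is_automatic(msg):
    """Bounces and auto-generated mail get no challenge: that creates loops."""
    if (msg.get("Return-Path") or "").strip() == "<>" or _sender(msg) == "":
        return True
    auto = msg.get("Auto-Submitted", "no").lower()
    prec = msg.get("Precedence", "").lower()
    return auto != "no" or prec in ("bulk", "junk", "list")


def _mac(sender, expires):
    return hmac.new(SECRET, f"{sender}|{expires}".encode(),
                    hashlib.sha256).hexdigest()[:16]


def confirm_address(sender, expires):
    """Reply-to address usable only by this sender and only until `expires`."""
    return f"{MY_USER}-confirm-{expires}-{_mac(sender, expires)}@{MY_DOMAIN}"


def verify_confirmation(address, sender, now):
    """True only if `address` was issued for `sender` and has not expired."""
    local, _, domain = address.partition("@")
    parts = local.rsplit("-", 3)
    if domain != MY_DOMAIN or len(parts) != 4 or parts[:2] != [MY_USER, "confirm"]:
        return False
    expires, mac = parts[2], parts[3]
    if not expires.isdigit() or now > int(expires):
        return False
    return hmac.compare_digest(mac, _mac(sender.lower(), expires))


def classify(raw_message, now):
    """Return (decision, confirmation_address_or_None) for one incoming message."""
    msg = message_from_string(raw_message)
    sender = _sender(msg)
    if sender in BLACKLIST:
        return ("drop", None)
    if sender in WHITELIST:
        return ("deliver", None)
    if PASSWORD in msg.get("Subject", "").lower():
        return ("deliver", None)          # stranger who used the public password
    if _is_automatic(msg):
        return ("hold", None)             # park for a human; never auto-reply
    return ("challenge", confirm_address(sender, int(now) + CONFIRM_TTL))
```

Because the address carries its own expiry and MAC, a reply can be verified without a database of outstanding challenges, and a sender who confirms can then be added to the whitelist so the exchange happens once.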

coll...@yahoo.com

unread,
Jan 15, 2003, 12:10:51 PM1/15/03
to
Dave Sill <MaxFr...@sws5.ctd.ornl.gov> wrote:
> what happens with mail from addresses that aren't on either list: TMDA
> sends a message back to the sender, which they have to reply to in
> order to confirm their address. This step weeds out 99.44% of spam,

IOW, the "prove you love me" theory of spam fighting. Comments on this
method may be seen at http://www.google.com/search?q=prove+you+love+me+spam

I haven't done this myself (ISP provides spamassassin -- works really
well for the kinds of spam I get). One class of spam it hasn't caught
lately (but may be updated by now?) is email sent to my ISP's server
bearing my address in the envelope-sender and also in the header-
recipient. Very easy to weed these out in procmail. I do, however,
read the log daily to see if anything tagged LIKELY SPAM is a false
positive. False negatives of course are analyzed for .procmailrc
tuning.
--
Collin Park Not a statement of my employer.

David F. Skoll

unread,
Jan 15, 2003, 1:04:30 PM1/15/03
to
coll...@yahoo.com wrote:

> IOW, the "prove you love me" theory of spam fighting. Comments on this
> method may be seen at
> http://www.google.com/search?q=prove+you+love+me+spam

I find the TMDA mechanism irritating and intrusive. If a large percentage
of people I try to correspond with use TMDA, I find I stop bothering
to even talk to them. The poster at
http://www.rosat.mpe-garching.mpg.de/mailing-lists/procmail/2002-09/msg00099.html
appears to agree. :-)

It's not an option for a business that relies on e-mail queries for leads.

--
David.

Dave Sill

unread,
Jan 15, 2003, 3:50:13 PM1/15/03
to
"David F. Skoll" <d...@roaringpenguin.com> writes:

> I find the TMDA mechanism irritating and intrusive. If a large percentage
> of people I try to correspond with use TMDA, I find I stop bothering
> to even talk to them.

Beyond the initial confirmation, TMDA is invisible. What exactly do
you object to?

That poster is highly opinionated and frequently wrong, not that that
detracts from a good rant. :-)

> It's not an option for a business that relies on e-mail queries for leads,

Agreed, it's not a universal solution. But, unlike spam filters, there
are no heuristics involved, spammers can't get around it, and real
senders can always get their messages through.

Steve L

unread,
Jan 15, 2003, 5:14:03 PM1/15/03
to
Thanks, Timo

Unfortunately, most of our users either don't have the technical ability to
set filters on mail up themselves, or simply expect it should all be done
for them!

Steve
"Timo Salmi" <t...@UWasa.Fi> wrote in message
news:b02sba$a...@poiju.uwasa.fi...

Steve L

unread,
Jan 15, 2003, 5:17:16 PM1/15/03
to

"Alan Clifford" <sard...@purse-seine.net> wrote in message
news:Pine.LNX.4.50.03011...@mundungus.clifford.ac...

> On Mon, 13 Jan 2003, Steve L wrote:
>
> You are blaming the victim. Good grief.

<grin> It's usually true, though!

>
>
> SL> I can't work out where their addresses have been harvested from.
>
> Try a google on the addresses.
>

Been there, done that (to death), got the T-shirt. Once in a while you'll
find someone's left muddy footprints, but there are a lot that haven't!


>
> SL> For a large network, as well, I'm not comfortable that a mail filtering
> SL> solution for Spam is viable.
>
> SL> Comments or suggestions, anyone?
>
>
> Don't filter out spam. Filter in non-spam. Only people in a list
> of "good" people are allowed to email your users. Obviously, you should
> offer this as an option to the users of the system rather than naively
> implementing it yourself.
>

Rather difficult to implement - and rather depends on the co-operation of
the users, who in the main don't see themselves as part of the solution.

Thanks for the comments, though.

Steve


Steve L

unread,
Jan 15, 2003, 5:23:46 PM1/15/03
to

"Kirsten Smith" <bl...@nospam.com> wrote in message
news:slrnb29ds8...@host.fqdn.net...

> On Tue, 14 Jan 2003 22:31:57 -0000, Steve L <n...@the.moment.ta> wrote:
> > I don't believe any of the suggestions about mail lists
> How do you stop your users subscribing to mailing lists? How
> do you know none of them 'sign' those online petitions or
> forward chain mail?

Some of them may have done. However there have been enough getting spam
that haven't wouldn't didn't that makes me believe my statement is true.


>
> > we've been very careful.
> To be entirely honest, and without wanting to sound like a flame
> that statement is not what I'd typically expect to hear from
> someone who is extremely vigilant. Exploits come out everyday
> and the people I know who I consider security experts are usually
> the *least* sure. Paranoia and a little bit of doubt (enough to
> make you go back and double check) are required.

Believe me, I'm paranoid, and we have re-examined things, as well as having
undertaken our own, and third-party pen and vuln testing.


>
> It would appear (and I say appear because I don't know) that
> none of these posts, or even the problem itself, have made
> you audit your own systems again. Anyway, a little OT as the real
> issue is what to do about it. I hope I haven't offended you
> with these observations. No offence was intended :-)

None taken - however, those audits have been taken, and little has been
offered to suggest that we overlooked any issues.

>
> > is a very sensible approach, which I started today. We'll look at better
> > filtering of the content, but also start to look at things like refusing
> > mail from hosts on IPs that are within modem pools of ISPs and other
> > measures we can incrementally apply to limit the misfiring of mail dropping.
>
> I really would advise against going the RBL route, or denying
> connections like that. It's like using a sledgehammer to crack a nut.
> You *will* end up blocking more legitimate mail than is worth it for the
> results you see. You *will* one day annoy the wrong person, someone trying
> to mail your CEO something important. You *will* be blocking mail
> from innocent people who are simply using a smarthost to send their mail
> that has been blacklisted because of someone else they have nothing to do
> with. I have just left the systems department of a very large ISP and
> have had to deal with the problems that the over-zealous use of these
> things cause.

I suspect you're right.


>
> We used Brightmail http://www.brightmail.com/ for our customers; it uses a
> 'honeypot' method for attracting spam which is then analysed and then
> the rules are sent to your mail server.
>
> The other thing we've used, with excellent results, was SpamAssassin.
> It uses a scoring system based on several tests as
> well as Vipul's Razor, a database of spam.
> http://spamassassin.taint.org/
> http://razor.sourceforge.net/
>
> Best of luck with whatever you decide to go with
> Kirsten
>

Thanks for your help and comments.

Steve


Steve L
Jan 15, 2003, 5:24:30 PM

"David F. Skoll" <d...@roaringpenguin.com> wrote in message
news:6u2V9.24783$j5.103484@news...

Interesting idea - worth thinking about. Thanks for that.

Steve


Alan Clifford
Jan 15, 2003, 6:21:59 PM

On Wed, 15 Jan 2003, Dave Sill wrote:

DS>
DS> > It's not an option for a business that relies on e-mail queries for leads,
DS>
DS> Agreed, it's not a universal solution. But, unlike spam filters, there
DS> are no heuristics involved, spammers can't get around it, and real
DS> senders can always get their messages through.
DS>
DS>

I have a whitelist and an autoresponder. The password is a "do it once"
and you are in the list. When I send email, I have a filter in Pine to add
the outgoing address to the whitelist.

There are a couple of areas that I am not happy with. I recently bought
something on a website and had to give my email address. As I did not
know the address that the company would use to email me, I knew it would
hit the autoresponder. In fact, they sent from several addresses for the
invoice, order tracking etc. This doesn't worry me too much as the
addresses really were not known to my computer but it is a tad impolite.

My current thought is to use an address such as me+company.date@... such
as alan+dabs.25jan2003@... that would automatically bypass the
autoresponder up until the date and maybe add the sender automatically to
the whitelist. This would protect me if the address were sold on. How do
other people overcome this sort of problem?


The second area is mail lists. As I get spam to my address that I use in
maillists, I can't just allow mail through to that address. Currently, if
I do join a new maillist, I temporarily allow in such mail until I receive
a list email so that I can determine a proper rule for that list. This is
tedious. My current thoughts are to use the date solution above and then
change my list address once everything is in place.

I have received the password back from a spammer just once
(li...@rethinkers.net). But not only was it after the period that my
computer keeps the "grey" mail, they used a different email address from
the original, so their original spam address wasn't added to my database.

David F. Skoll
Jan 15, 2003, 8:09:46 PM

Dave Sill wrote:

> Beyond the initial confirmation, TMDA is invisible. What exactly do
> you object to?

Imagine if everybody started using TMDA. It would be a royal pain to
communicate with anyone.

> Agreed, it's not a universal solution. But, unlike spam filters, there
> are no heuristics involved, spammers can't get around it, and real
> senders can always get their messages through.

Those points are not always true.

- If lots of people use TMDA, spammers *will* figure out a way around it.
They will use real (but disposable) e-mail addresses and have software
that can answer the N most common TMDA agents. Alternatively, they'll
fake the sender address to be the same as the target address. Or more
likely, they'll use fake-but-valid e-mail addresses so some poor
third-party sucker gets annoyed by TMDA requests and treats *them* as spam.

- Real senders may not always get their messages through, because (for
example) they may not understand what they need to do (don't laugh -- you'd
be amazed at the green-ness of some newbie e-mail users) or they might not
understand English well enough.

In my opinion, the only way to effectively fight spam is with human
knowledge, coupled with computer assistance. In other words, you want the
computer help to make the human sorter as efficient as possible, so one
person can clear the spam for hundreds of mailboxes in a few minutes.

That way, computers do what they do best (boring text analysis, sorting and
scoring) while leaving it to the human brain to do what it does best --
making a judgement call.

--
David.

Timo Salmi
Jan 16, 2003, 3:07:48 AM

In article <uDnV9.24901$j5.108210@news>,
David F. Skoll <d...@roaringpenguin.com> wrote:
> Dave Sill wrote:
> > Beyond the initial confirmation, TMDA is invisible. What exactly do
> > you object to?

> Imagine if everybody started using TMDA. It would be a royal pain to
> communicate with anyone.

That, of course, is the problem with Tagged Message Delivery Agent
ideas. I guess, my own http://www.uwasa.fi/~ts/info/spamfoil.html
"Spam foiling, elm filter will first return a required email
password" can be considered a variant of that, so I'll comment on
that since it is more familiar to me. If both ends have that kind of
a system, I have not figured out yet how to make the initial contact
smooth without any potential problems. If the system is at one end
only, it is not a problem. If I send email, I put the password on
the subject line, so any response with that subject will get back
through. (Or, alternatively, I'll whitelist the target in advance).

Now the essential question for an individual considering such a
system is to what extent one wants to make previously unknown
contacts via email. For some it is crucial, for others not so. If
the situation between the parties is roughly balanced, then yes.
Likewise if one oneself asks for services. But if the normal
situation is that most of the incoming email is from users who
one-sidedly just want something, requiring a non-whitelisted
newcomer to jump through the prove-you-love-me hoops is more
warranted.

Apropos Collin (Park) provided the interesting reference
http://www.google.com/search?q=prove+you+love+me+spam
As you see from the above, I do not quite share the strong views
expressed there by David W. Tamkin, especially in a typically
one-sided relation. In a balanced relation, whitelisting (asap) is
the best option, anyway. Yes, I know. This still leaves the problem
of an auspicious first contact.

> - If lots of people use TMDA, spammers *will* figure out a way around it.

In a more involved TMDA, maybe. But with a simple password
requirement for the subject line, sent back by an autoresponder
within the body of the message, I do not see how that would be
possible? Most spam come from forged addresses anyway, so the
autoresponse will never be seen. And even when it is seen, from the
spammer's point of view, the userid/password combination is in
practice an insurmountable database problem. Contrary to the
user-id, the public email password can be altered anytime in a
second. I have used my email password-requirement (for
non-whitelisted users) system for six years now, and I still have
exactly the same public email password as I had six years ago. It is
that effective.

But, indeed, no system is without considerable drawbacks. One just
have to weigh them. In my own case, I have chosen to keep spam
strictly off my main mailbox despite the undeniable disadvantages,
and the complexity that would be prohibitive for a considerable number
of email users.

Nancy McGough
Jan 16, 2003, 7:27:18 AM

On 15 Jan 2003 Dave Sill (MaxFr...@sws5.ctd.ornl.gov) wrote:
>
> > I find the TMDA mechanism irritating and intrusive. If a large percentage
> > of people I try to correspond with use TMDA, I find I stop bothering
> > to even talk to them.
>
> > The poster at
> > http://www.rosat.mpe-garching.mpg.de/mailing-lists/procmail/2002-09/msg00099.html
> > appears to agree. :-)
>
> That poster is highly opinionated and frequently wrong, not that that
> detracts from a good rant. :-)


David W. Tamkin might be highly opinionated, but he is definitely
not frequently wrong.

-Nancy
Procmail mailing list participant since 1994

--
PROCMAIL <http://www.ii.com/internet/robots/procmail/qs/>
IMAP <http://www.ii.com/internet/messaging/imap/isps/>
PINE <http://www.ii.com/internet/messaging/pine/>

-- I N F I N I T E I N K www.ii.com N A N C Y M c G O U G H --

Dave Sill
Jan 16, 2003, 10:32:17 AM

Alan Clifford <sard...@purse-seine.net> writes:

> I have a whitelist and an autoresponder. The password is a "do it once"
> and you are in the list. When I send email, I have a filter in Pine to add
> the outgoing address to the whitelist.
>
> There are a couple of areas that I am not happy with. I recently bought
> something on a website and had to give my email address. As I did not
> know the address that the company would use to email me, I knew it would
> hit the autoresponder. In fact, they sent from several addresses for the
> invoice, order tracking etc. This doesn't worry me too much as the
> addresses really were not known to my computer but it is a tad impolite.
>
> My current thought is to use an address such as me+company.date@... such
> as alan+dabs.25jan2003@... that would automatically bypass the
> autoresponder up until the date and maybe add the sender automatically to
> the whitelist. This would protect me if the address were sold on. How do
> other people overcome this sort of problem.

TMDA automatically sends outgoing mail with a dated return address.



> The second area is mail lists. As I get spam to my address that I use in
> maillists, I can't just allow mail through to that address.

I use qmail (of course), which allows me to subscribe to each list
with a unique address (e.g., dave-list-whatever@). I don't use TMDA on
mail to these addresses. Another alternative with TMDA is to subscribe
using a "sender" address that only accepts mail from the list.
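Alan's dated "me+company.date@" addresses and the TMDA dated return addresses Dave mentions are the same idea: a tag that is only honoured until a stated date, and that can auto-whitelist whoever replies to it. The following is an added example, not code from TMDA, Pine or any poster here; it also goes one step beyond the posts by attaching a keyed MAC to each tag so that a third party who learns the format cannot mint a still-valid one. The user, domain, key and sample addresses are all constructed.

```python
"""Expiring tagged return addresses with a whitelist front-end.

Added example; not code from TMDA, Pine or any poster in this thread.
Outgoing mail carries a return address that is only accepted until a
stated date, and a message arriving at a valid tag auto-whitelists its
sender.  As an added hardening beyond the posts, each tag carries a keyed
MAC, so a third party who learns the format cannot mint a valid tag.
The user, domain, key and sample addresses are all constructed.
"""
import hashlib
import hmac
from datetime import date, timedelta

SECRET = b"constructed-site-secret-rotate-me"   # per-site key (constructed)
LOCAL_USER = "alan"                              # constructed
DOMAIN = "example.org"                           # constructed
HEX = set("0123456789abcdef")


def _mac(tag_body: str) -> str:
    """Short keyed MAC over 'label.expiry'; 8 hex chars is ample here."""
    return hmac.new(SECRET, tag_body.encode(), hashlib.sha256).hexdigest()[:8]


def dated_address(label: str, today: date, days: int = 7) -> str:
    """Build e.g. alan+dabs.20030125.<mac>@example.org, valid for `days` days."""
    expiry = (today + timedelta(days=days)).strftime("%Y%m%d")
    body = f"{label}.{expiry}"
    return f"{LOCAL_USER}+{body}.{_mac(body)}@{DOMAIN}"


def tag_is_valid(recipient: str, today: date) -> bool:
    """True only for one of our own tags whose MAC checks and whose date has not passed."""
    local, _, domain = recipient.partition("@")
    if domain.lower() != DOMAIN or not local.startswith(LOCAL_USER + "+"):
        return False
    parts = local[len(LOCAL_USER) + 1:].split(".")
    if len(parts) != 3:
        return False
    label, expiry, mac = parts
    if len(mac) != 8 or not set(mac) <= HEX:
        return False                       # malformed tag
    if not hmac.compare_digest(mac, _mac(f"{label}.{expiry}")):
        return False                       # forged or mangled tag
    try:
        expires = date(int(expiry[:4]), int(expiry[4:6]), int(expiry[6:]))
    except ValueError:
        return False
    return today <= expires


def classify(sender: str, recipient: str, whitelist: set, today: date) -> str:
    """Decide what the front-end does with one incoming message.

    'accept'            sender already whitelisted: deliver.
    'accept+whitelist'  arrived at a valid dated tag: deliver and remember
                        the sender, as Alan proposes.
    'challenge'         neither: hold the mail and send the confirmation
                        (or password) autoresponse instead of delivering.
    """
    key = sender.lower()
    if key in whitelist:
        return "accept"
    if tag_is_valid(recipient, today):
        whitelist.add(key)
        return "accept+whitelist"
    return "challenge"
```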

Dave Sill
Jan 16, 2003, 10:58:04 AM

Nancy McGough <nm-this-addr...@no.sp.am> writes:

> On 15 Jan 2003 Dave Sill (MaxFr...@sws5.ctd.ornl.gov) wrote:
> >
> > > I find the TMDA mechanism irritating and intrusive. If a large percentage
> > > of people I try to correspond with use TMDA, I find I stop bothering
> > > to even talk to them.
> >
> > > The poster at
> > > http://www.rosat.mpe-garching.mpg.de/mailing-lists/procmail/2002-09/msg00099.html
> > > appears to agree. :-)
> >
> > That poster is highly opinionated and frequently wrong, not that that
> > detracts from a good rant. :-)
>
> David W. Tamkin might be highly opinionated, but he is definitely
> not frequently wrong.

He is in this message. For example:

    The rationales [for not auto-whitelisting correspondents] are
    laziness, self-centered inability to consider the issue from the
    other person's position, self-importance, a smug rapture with any of
    one's own ideas that precludes analysis before implementing them,
    and a basic failure to understand that choices and actions have
    consequences.

That's wrong. The reason *I* don't auto-whitelist correspondents is
that I use TMDA, which automatically uses a dated return
address. Rather than permanently whitelisting my correspondents I
give them an address that's good for a week.

    Prove-you-love-me texts invariably take the tone that the
    implementer's time and attention are far too important for email
    from mere mortal specks like you, that you're a worthless piece of
    crap spammer, and how dare you consider yourself worthy of a Greater
    Creature's notice, but just in case you might repent for the sin of
    sending email, the implementer will be a gracious and forgiving
    Superior Being and deign to read your undeserving prose for laughs
    if you'll perform the assigned penance.

My confirmation request takes no such tone. See for yourself:

    From: "Dave Sill's Helper"
    Subject: Re: subject

    Hi. This is Dave Sill's e-mail assistant. He gets so much junk mail
    these days that he's asked me not to forward messages to him from
    people he doesn't recognize. Unfortunately, he doesn't have your
    address on file.

    If you want me to forward your message to him, just reply to this
    message. By replying to this message, you're affirming that your
    original message was NOT an unsolicited commercial offer. I've used
    a special return address so the reply can be empty--I won't even
    read it.

    I'm sorry for the inconvenience and I hope you understand why it's
    necessary.

Tamkin writes:

    None of them think it through to grasp that the only people who see
    the autoresponse are those whose mail should have been accepted.

That's not true. People not on my whitelist are supposed to get this
message, and that's exactly who sees it. The only people who don't see
it are those on my whitelist, spammers, and people whose return
address is invalid.

    None of them realize that the autoresponse should be phrased to fit
    the people who read it, not those who don't.

My message is tailored exactly to those who should see it.

    None of them realize that the mistake is theirs for rejecting
    legitimate personal email as spam, not the sender's for daring to
    write in the first place.

I don't reject legitimate mail as spam. That's the whole point.

    Consider what happens when one of them writes to another, (even if
    the second one whitelists his/her own addressees). The
    autoresponses bounce back and forth between the two, growing ever
    longer as each one includes the previous one's text with all of its
    inclusions, and neither ever gets delivered.

Not true. If I send a message to another user who requires
confirmation, I see the confirmation (because the confirmation request
goes to a dated address) and reply to it.

I could go on, but I'll stop here. I think I've made my point.

Dave Sill
Jan 16, 2003, 11:11:53 AM

"David F. Skoll" <d...@roaringpenguin.com> writes:

> Imagine if everybody started using TMDA. It would be a royal pain to
> communicate with anyone.

I disagree. Many of the people I correspond with use TMDA or similar
systems. A one-time-per-correspondent confirmation is not a heavy
burden in exchange for highly effective spam blocking.

> - If lots of people use TMDA, spammers *will* figure out a way
> around it.

Perhaps, but that will cost them, and raising the cost of spam will
reduce the amount of it.

> They will use real (but disposable) e-mail addresses and have software
> that can answer the N most common TMDA agents.

The servers that host these autoresponders will be blocked and
blacklisted immediately. Legal action (where possible) will be taken
against the spammers, who are now traceable through their
autoresponders.

> Alternatively, they'll fake the sender address to be the same as the
> target address.

That won't help. I blacklist my own address--I don't send myself
mail.

> Or more likely, they'll use fake-but-valid e-mail addresses so some
> poor third-party sucker gets annoyed by TMDA requests and treats
> *them* as spam.

It sucks to be a poor third-party sucker. But that still won't get
the spam delivered.

> - Real senders may not always get their messages through, because (for
> example) they may not understand what they need to do (don't laugh
> -- you'd be amazed at the green-ness of some newbie e-mail users) or
> they might not understand English well enough.

I keep unconfirmed messages in a separate folder that I periodically
scan (after running them through spamassassin). Whether they realize
it or not, their message--if it's not spam--does get through.

> In my opinion, the only way to effectively fight spam is with human
> knowledge, coupled with computer assistance. In other words, you
> want the computer help to make the human sorter as efficient as
> possible, so one person can clear the spam for hundreds of mailboxes
> in a few minutes.

That's what qmail+TMDA+qmail-scanner+clamscan+spamassassin do for me.
Very effectively, too.

David F. Skoll
Jan 16, 2003, 2:44:15 PM

Dave Sill wrote:

>> - If lots of people use TMDA, spammers *will* figure out a way
>> around it.

> Perhaps, but that will cost them, and raising the cost of spam will
> reduce the amount of it.

That's true.

>> They will use real (but disposable) e-mail addresses and have software
>> that can answer the N most common TMDA agents.

> The servers that host these autoresponders will be blocked and
> blacklisted immediately. Legal action (where possible) will be taken
> against the spammers, who are now traceable through their
> autoresponders.

Not really. They'll use a Hotmail address and use software to pull the
mail off of Hotmail's web pages and do the autoresponding. It's not
trivial, but the problem is similar to script kiddies. It takes one
dedicated spamware vendor to do it, and then he can sell his software
to the spammers for $49.95.

>> Alternatively, they'll fake the sender address to be the same as the
>> target address.

> That won't help. I blacklist my own address--I don't send myself
> mail.

That breaks certain mailing lists (Bugtraq, for one.) But you can
work around it.

>> Or more likely, they'll use fake-but-valid e-mail addresses so some
>> poor third-party sucker gets annoyed by TMDA requests and treats
>> *them* as spam.

> It sucks to be a poor third-party sucker. But that still won't get
> the spam delivered.

Indeed. It may also get a lot of complaints headed your way, and you
might find yourself blacklisted.

> I keep unconfirmed messages in a separate folder that I periodically
> scan (after running them through spamassassin). Whether they realize
> it or not, their message--if it's not spam--does get through.

But then how does TMDA save you time? :-) You might as well take TMDA
out of the picture and just use qmail+spamassassin.

--
David.

Dave Sill
Jan 16, 2003, 3:05:03 PM

"David F. Skoll" <d...@roaringpenguin.com> writes:

> But then how does TMDA save you time? :-) You might as well take TMDA
> out of the picture and just use qmail+spamassassin.

When I get new mail, I *know* it's not junk, and I read it
immediately. High s/n ratio in my main mailbox is very important to
me.

I don't get interrupted throughout the day for spam or
viruses. At my convenience, I check my unconfirmed-probably-not-spam
mailbox for messages from people who can't be bothered with (or can't
understand) the confirmation process--I get a couple of these per
week, but it's mostly spamassassin false negatives--and my
probably-spam mailbox, to catch the occasional spamassassin
false-positive.

Alan Clifford
Jan 16, 2003, 3:41:14 PM

On Wed, 15 Jan 2003, Steve L wrote:

SL> > Don't filter out spam. Filter in non-spam. Only people in a list
SL> > of "good" people are allowed to email your users. Obviously, you should
SL> > offer this as an option to the users of the system rather than naively
SL> > implementing it yourself.
SL> >
SL> Rather difficult to implement - and rather depends on the co-operation of
SL> the users, who in the main don't see themselves as part of the solution.
SL>

Ah I see, a no-win situation. As someone who strongly objects to my email
providers implementing unsolicited and dodgy filtering of MY email, I
didn't understand.

Seth
Jan 17, 2003, 1:59:17 AM

Forget all the professional required complicated crap and pay
services, if your users never want to be bothered by spam again put a
link to ComThing up for them and they can download it and use it for
ever for free without any timing out. If they know how to double
click on the installation file, and they use pop mail, they're done.
http://www.comthing.com

Stephen M. Dunn
Jan 16, 2003, 9:35:28 PM

In article <b022oh$lb$1$8300...@news.demon.co.uk> "Steve L" <n...@the.moment.ta> writes:
$ We'll look at better
$filtering of the content, but also start to look at things like refusing
$mail from hosts on IPs that are within modem pools of ISPs and other
$measures we can incrementally apply to limit the misfiring of mail dropping.

There is a DNS blacklist of modem/dialup/broadband IP addresses
available from the folks at dnsrbl.net. It's not complete, but
it may help.

Here's one other thing you might try. A couple of years ago,
I noticed that a significant portion of the spam that made it
through my filters was mail claiming to be from a major ISP or
free email site which has its servers hosted in the U.S. (hotmail.com,
yahoo.com, etc.) but the IP address was in a block allocated to
a regional registry outside the U.S. - see www.iana.org for the
list of CIDR allocations to apnic, ripe, et al. There are tons
of open relays in those areas, and spammers seem particularly
fond of using them, so by blocking any mail claiming to be from
the U.S. but coming from another continent, I managed to cut down
on the spam a fair bit. I only know of one legitimate email
that was blocked in almost two years by this - someone who was
travelling and used an Internet cafe in Europe to send mail
claiming to be from her hotmail.com account. Had she simply
signed into Hotmail from the cafe, instead of configuring a local
mail client to pretend to be part of Hotmail, she'd have been
able to send the mail to its intended recipient.
--
Stephen M. Dunn <ste...@stevedunn.ca>
>>>----------------> http://www.stevedunn.ca/ <----------------<<<
------------------------------------------------------------------
Say hi to my cat -- http://www.stevedunn.ca/photos/toby/
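The "claims hotmail.com but connects from a non-U.S. registry block" rule above, as an added example that is not Stephen's code. The registry table is a tiny constructed stand-in built from RFC 5737 documentation ranges rather than the real IANA allocation list, and the log lines are constructed in an approximate sendmail "from=" style; the single false positive Stephen reports is the reason the result is returned as a hit to score rather than used as a hard reject.

```python
"""Flag mail whose sender claims a U.S.-hosted webmail domain but whose
connecting IP sits in a block allocated to a non-U.S. regional registry.

Added example illustrating the check Stephen describes; not his code.
RIR_BLOCKS is a constructed stand-in built from RFC 5737 documentation
ranges, not the real IANA allocation table (www.iana.org); the log lines
are constructed in an approximate sendmail 'from=' style.
"""
import ipaddress
import re

# Constructed stand-ins: real allocations come from the IANA list.
RIR_BLOCKS = {
    ipaddress.ip_network("192.0.2.0/24"): "arin",
    ipaddress.ip_network("198.51.100.0/24"): "ripe",
    ipaddress.ip_network("203.0.113.0/24"): "apnic",
}
US_HOSTED_DOMAINS = {"hotmail.com", "yahoo.com"}   # the domains named in the post
US_REGISTRIES = {"arin"}

# Constructed sample log, sendmail-style: queue id, envelope from, ..., relay [ip]
SAMPLE_LOG = [
    "h0G1a2b3c001: from=<alice@hotmail.com>, size=812, relay=mail.example [192.0.2.7]",
    "h0G1a2b3c002: from=<bob@hotmail.com>, size=9311, relay=[203.0.113.9]",
    "h0G1a2b3c003: from=<carol@example.co.uk>, size=400, relay=mx.example.co.uk [198.51.100.5]",
]

LOG_RE = re.compile(r"from=<[^@>]+@([^>]+)>.*relay=[^\[]*\[([0-9.]+)\]")


def registry_for(ip: str) -> str:
    """Registry label for an IP under the (constructed) block table."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    for net, rir in RIR_BLOCKS.items():
        if addr in net:
            return rir
    return "unknown"


def check(log_line: str):
    """Return (ip, claimed_domain, registry) when the line trips the rule, else None.

    Unknown blocks are not flagged: the rule only fires on a positive
    mismatch, which keeps it usable as one scoring input rather than a
    hard reject (the travelling Hotmail user is the false positive to
    keep in mind).
    """
    m = LOG_RE.search(log_line)
    if not m:
        return None
    domain, ip = m.group(1).lower(), m.group(2)
    if domain not in US_HOSTED_DOMAINS:
        return None
    rir = registry_for(ip)
    if rir == "unknown" or rir in US_REGISTRIES:
        return None
    return (ip, domain, rir)


def scan(lines):
    """Apply check() to every line and keep the hits."""
    return [hit for hit in map(check, lines) if hit is not None]
```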
