Thread: Re: [OT] Tom's/Marc's spam filters?
"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> Doesn't that just force the delivering system to send the spam through your
> secondary server?

A 500-series error isn't supposed to be retried, is it?

But in any case, I run the same filters on my secondary server. Both the IP and the HELO checks would be quite useless if I used an MX that wouldn't support 'em.

regards, tom lane
Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> "Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
> > Doesn't that just force the delivering system to send the spam through your
> > secondary server?
>
> A 500-series error isn't supposed to be retried, is it?

Nope. But we're talking about spammers, so all bets are off. In fact: Spammers will frequently try the secondary (or beyond) MX in favour of the primary, as they know that frequently secondary MX' aren't under the target domain's control and likely will have lowered shields.

> But in any case,
> I run the same filters on my secondary server. Both the IP and the HELO
> checks would be quite useless if I used an MX that wouldn't support 'em.

Yup. If you can't employ the same anti-UCE checks on a secondary as you can on a primary, dump the secondary. Secondary MX' are of no value if they just queue things up for the primary, anyway.

--
Jim Seymour | Spammers sue anti-spammers:
jseymour@LinxNet.com | http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com | Please donate to the SpamCon Legal Fund:
| http://www.spamcon.org/legalfund/
jseymour@LinxNet.com (Jim Seymour) writes:
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> But in any case,
>> I run the same filters on my secondary server. Both the IP and the HELO
>> checks would be quite useless if I used an MX that wouldn't support 'em.

> Yup. If you can't employ the same anti-UCE checks on a secondary as
> you can on a primary, dump the secondary. Secondary MX' are of no
> value if they just queue things up for the primary, anyway.

Nowadays, yeah :-(. Still another part of the internet that spammers have managed to render nonfunctional --- backup MX service used to be essential, but now it's better to risk losing incoming mail than to accept a ton of spam that didn't get filtered properly. Just a couple weeks ago I was complaining to my new ISP because he'd set up a backup MX for sss.pgh.pa.us without asking me whether I wanted it.

It's *way* past time to declare open season...

regards, tom lane
Tom Lane wrote:
> jseymour@LinxNet.com (Jim Seymour) writes:
> > Tom Lane <tgl@sss.pgh.pa.us> wrote:
> >> But in any case,
> >> I run the same filters on my secondary server. Both the IP and the HELO
> >> checks would be quite useless if I used an MX that wouldn't support 'em.
>
> > Yup. If you can't employ the same anti-UCE checks on a secondary as
> > you can on a primary, dump the secondary. Secondary MX' are of no
> > value if they just queue things up for the primary, anyway.
>
> Nowadays, yeah :-(. Still another part of the internet that spammers
> have managed to render nonfunctional --- backup MX service used to be
> essential, but now it's better to risk losing incoming mail than to
> accept a ton of spam that didn't get filtered properly. Just a couple
> weeks ago I was complaining to my new ISP because he'd set up a backup
> MX for sss.pgh.pa.us without asking me whether I wanted it.

I don't have any problem using a backup MX. My sendmail rules skip over the received line from my MX and check the host that sent to my MX.

http://candle.pha.pa.us/main/writings/spam/

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> jseymour@LinxNet.com (Jim Seymour) writes:
[snip]
> > Secondary MX' are of no
> > value if they just queue things up for the primary, anyway.
>
> Nowadays, yeah :-(. Still another part of the internet that spammers
> have managed to render nonfunctional ---

You'll probably appreciate this:
http://linxnet.com/misc/spam/thank_spammers.html

> backup MX service used to be
> essential, but now it's better to risk losing incoming mail than to
> accept a ton of spam that didn't get filtered properly.

The truth is that most modern MTAs have a reasonable default timeout on email queued due to failed delivery attempts, anyway. That's why I specifically mentioned that last bit. For a more extensive discussion of secondary MX issues see:

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

and look for the section entitled "When There's No Point To A Secondary MX," near the bottom. (No sense in repeating it here.)

> Just a couple
> weeks ago I was complaining to my new ISP because he'd set up a backup
> MX for sss.pgh.pa.us without asking me whether I wanted it.

My ISP for my home 'net connection did that for me right off. And it was all right--for a while. Then the spammers started exploiting secondary MX' on a large scale and I asked my ISP to remove that secondary MX.

>
> It's *way* past time to declare open season...

Yeah...

-- Jim Seymour
Bruce Momjian <pgman@candle.pha.pa.us> wrote:
>
[snip]
>
> I don't have any problem using a backup MX. My sendmail rules skip over
> the received line from my MX and check the host that sent to my MX.

What do you do if you don't like the client that delivered it to your backup MX? You can't just throw it away. Well, you *can*, but doing so breaks the email delivery system. If you reject it, your backup MX will then bounce it to the ostensible sender, which is very likely forged.

-- Jim Seymour
Jim Seymour wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> wrote:
> >
> [snip]
> >
> > I don't have any problem using a backup MX. My sendmail rules skip over
> > the received line from my MX and check the host that sent to my MX.
>
> What do you do if you don't like the client that delivered it to your
> backup MX? You can't just throw it away. Well, you *can*, but doing
> so breaks the email delivery system. If you reject it, your backup MX will
> then bounce it to the ostensible sender, which is very likely forged.

For stuff I block via sendmail, I 550 it, even from my MX. I am not sure what my MX does with it, but no one has complained.

For email that hits procmail, I ignore viruses and report spam to the domain administrator of the mail sender host.

-- Bruce Momjian
Bruce Momjian <pgman@candle.pha.pa.us> wrote:
>
> Jim Seymour wrote:
> > Bruce Momjian <pgman@candle.pha.pa.us> wrote:
> > >
> > [snip]
> > >
> > > I don't have any problem using a backup MX. My sendmail rules skip over
> > > the received line from my MX and check the host that sent to my MX.
> >
> > What do you do if you don't like the client that delivered it to your
> > backup MX? You can't just throw it away. Well, you *can*, but doing
> > so breaks the email delivery system. If you reject it, your backup MX will
> > then bounce it to the ostensible sender, which is very likely forged.
>
> For stuff I block via sendmail, I 550 it, even from my MX. I am not
> sure what my MX does with it, but no one has complained.
[snip]

What it should do, and probably does do, with it is bounce it to what it believes the sender to be. Problem with that, as I noted earlier, is that the sender address in spam is frequently forged. Sometimes forged to be a valid, tho innocent, person. Trust me: You really shouldn't do that as standard policy. See the URL I mentioned earlier, in reply to Tom (IIRC), pointing to a bit I wrote on backup MX servers.

Mail admins are beginning to find such mis-bounces nearly as objectionable as the direct spam. There's been some discussion that spammers may even be using known "mis-bouncing" servers as "reflectors," to propagate spam.

-- Jim Seymour
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Jim Seymour wrote:
>> What do you do if you don't like the client that delivered it to your
>> backup MX? You can't just throw it away. Well, you *can*, but doing
>> so breaks the email delivery system. If you reject it, your backup MX will
>> then bounce it to the ostensible sender, which is very likely forged.

> For stuff I block via sendmail, I 550 it, even from my MX. I am not
> sure what my MX does with it, but no one has complained.

You're contributing to the problem then. Your MX will bounce the message back to the (likely forged) envelope sender.

These days I actually have a worse problem with bogus bounce reports than I do with spam. It's very difficult to filter mail bounce messages without risking losing real bounces --- over the past month or two I'd say that only one or two spams have made it into my inbox, but hundreds of bounces of spam and viruses with my name forged to them have made it.

regards, tom lane
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Jim Seymour wrote:
> >> What do you do if you don't like the client that delivered it to your
> >> backup MX? You can't just throw it away. Well, you *can*, but doing
> >> so breaks the email delivery system. If you reject it, your backup MX will
> >> then bounce it to the ostensible sender, which is very likely forged.
>
> > For stuff I block via sendmail, I 550 it, even from my MX. I am not
> > sure what my MX does with it, but no one has complained.
>
> You're contributing to the problem then. Your MX will bounce the
> message back to the (likely forged) envelope sender.

I think I looked into this a while ago and couldn't figure out a way to discard a message from my MX without downloading it. Any ideas out there?

The sendmail code looks like:

    R$* from $+ ($-@[$+]) by west.navpoint.com $*    $: $>Basic_check_relay [$4] $| $4

Maybe I have to make a custom version of Basic_check_relay that does a download/discard?

> These days I actually have a worse problem with bogus bounce reports
> than I do with spam. It's very difficult to filter mail bounce messages
> without risking losing real bounces --- over the past month or two I'd
> say that only one or two spams have made it into my inbox, but hundreds
> of bounces of spam and viruses with my name forged to them have made it.

I actually ignore bounces from my PostgreSQL account. I gave up.

-- Bruce Momjian
> [snip]
>
> I think I looked into this a while ago and couldn't figure out a way to
> discard a message from my MX without downloading it. Any ideas out
> there?

The problem is, again, as I noted earlier, this also breaks the mail system. Would you really trust blind blocking by IP address not to suffer the occasional false positive? It's bad enough when a FP causes a reject but, at least then, the legitimate sender gets the bounce and *knows* their email wasn't delivered. If you throw email that some rule says you don't want into the bit-bucket, that feedback goes away. IOW: It breaks the mail system.

>
> The sendmail code looks like:
[snip]
>

/me doesn't do sendmail. (One of the first things I replace on every install I do, as a matter-of-fact.) The MTA I use (Postfix) would allow me to specify DISCARD, after a rule, to accomplish this.

But, again, your backup MX is probably doing no more for you than causing you to agonize over which different way to break the mail system or irritate unwitting, innocent 3rd parties ;). Better to just rid yourself of the backup MX, IMO.

-- Jim Seymour
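An added example, mine rather than code posted by anyone in this thread, of the Received-header walk Bruce describes (skip the hop from your own backup MX, check the host that handed the mail to it) combined with the point Tom and Jim make about 550-ing such mail at the primary. The MX addresses, the blocklist entry and the sample headers are constructed, and the "quarantine" outcome is a placeholder for whatever local policy replaces a reject once the backup MX has already accepted the message.

```python
import re

# Added example, not code from the thread. Walk the Received: trail the way
# Bruce's sendmail rules do: skip the hop from our own backup MX and check the
# client that actually handed the message to that MX. Assumed/constructed:
BACKUP_MX_IPS = {"192.0.2.20"}        # addresses of our own secondary MX hosts
BLOCKED_IPS = {"198.51.100.7"}        # a sample IP blocklist entry

HOP_RE = re.compile(r"from\s+\S+\s+\(([^)]*)\)\s+by\s+\S+", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def peer_ip(received):
    """Return the TCP peer address recorded in one Received: header, or None."""
    m = HOP_RE.search(received)
    if not m:
        return None
    ip = IP_RE.search(m.group(1))
    return ip.group(1) if ip else None

def originating_client(received_headers):
    """Headers are newest-first. Every header this loop inspects was written by
    one of our own MTAs (the primary, then the backup we skipped to), so the
    peer address in it is the real TCP client and not something the sender
    wrote; we never descend into headers below our own edge.
    Returns (client_ip, via_backup_mx)."""
    via_backup = False
    for hdr in received_headers:
        ip = peer_ip(hdr)
        if ip is None:
            continue
        if ip in BACKUP_MX_IPS:
            via_backup = True        # relayed by our backup: look one hop further
            continue
        return ip, via_backup
    return None, via_backup

def decide(received_headers):
    """A 550 only informs the real sender while that client is on the wire.
    Once our backup MX has accepted the message, a 550 from the primary makes
    the backup bounce it to the (likely forged) envelope sender instead."""
    ip, via_backup = originating_client(received_headers)
    if ip not in BLOCKED_IPS:
        return "accept"
    return "quarantine" if via_backup else "reject-550"

# Constructed sample Received: trails, newest first.
VIA_BACKUP = [
    "from mx2.example.net (mx2.example.net [192.0.2.20]) by mx1.example.net with ESMTP",
    "from bulk (unknown [198.51.100.7]) by mx2.example.net with SMTP",
]
DIRECT = ["from bulk (unknown [198.51.100.7]) by mx1.example.net with SMTP"]
```

Matching on the peer address our own MTA recorded, rather than on the HELO name, is what keeps a sender from forging its way past the skip.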
On Thu, Apr 22, 2004 at 12:44:05AM -0400, Tom Lane wrote:
>
> These days I actually have a worse problem with bogus bounce reports
> than I do with spam.

Especially the bounces that contain oh-so-helpful warnings that one's email contained a virus. I wouldn't grouse about that, except that my account at work recently got such a message from, of all places, Berkeley. It contained the helpful note that, since this is one of those email virus thingies, it may be that I didn't send the mail, because a lot of them forge the From: header. It's bad enough that the incredibly stupid, lazy, evil antivirus programs "helpfully" send mail about this. It's just mind-boggling that someone would on purpose enable this brain-dead "feature" and take the time to point out how totally worthless it is.

</rant>

-- Andrew Sullivan | ajs@crankycanuck.ca