Linux Users' Group of Davis
Page last updated: 2004 Apr 27 17:47

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] The Great Spam Investigation

On Sunday 25 April 2004 09:24 am, p-at-dirac.org (Peter Jay Salzman) |lugod| 
> Raw Data
> ========
> I) SMTP Conversation Dropped Before Spam Gets Delivered
> 	A) HELO rejected
> 		1. Sender claimed he was "dirac.org" or "localhost":        51
> 		2. RBL: bl.spamcop.net:                                    179
> 		3. RBL: list.dsbl.org:                                      20
> 		4. RBL: relays.ordb.org:                                     0
> 		5. RBL: cbl.abuseat.org:                                     7
> 		6. RBL: sbl.spamhaus.org:                                    0
> 		7. RBL: opm.blitzed.org:                                     0
> 		8. RBL: dul.dnsbl.sorbs.net:                                 3

Pete, I recommend you replace cbl.abuseat.org, opm.blitzed.org and 
sbl.spamhaus.org with sbl-xbl.spamhaus.org.

sbl-xbl.spamhaus.org includes all hosts from those three RBLs.

See http://www.spamhaus.org/xbl/index.lasso

> Spams will include bounce messages due to viruses forging their headers to
> make it look like their from dirac.org, as well as the uhhh.... "helpful"
> messages I get from hosts that tell me that "my" email was not delivered
> because it contained a virus.  I consider the idiotic administrators of
> these systems to be another source of unwanted email, and therefore, not
> much different from UCE.  Honestly, this is a DOS waiting to happen. 
> Sheesh.

I feel your pain, these annoy me as well. The virus scanner (qmail-scanner + 
clamav) we run on our mail gateway at work is configured (by default, even) 
only to send a notification to the sender when the message is blocked because 
of a policy signature (mostly checks for broken headers).

The dilemma here is that virus scanners _DO_ get false positives, and having 
your mail fall into a black hole kinda sucks. The best way to solve this 
problem is to have the virus scanner check the message before the destination 
MTA tells the source MTA that the message was accepted. If it's a virus, 
reject it during the SMTP conversation. Though I feel this is the best 
solution, it does still have a problem. Some sites use MTAs that do relay the 
destination MTA's reason for rejecting the message to the user, so you get 
people wondering why mail bounced.

Any mail that an MTA isn't going to deliver should be bounced by rejecting it 
during the SMTP conversation.

(now i have to set up the virus scanner at work to do this)

> Total emails sent to dirac.org:               386
> 	Total spams sent to dirac.org:             367
> 		Total spams caught                      355
> 			Total spam caught by Postfix:        347
> 				Total spam caught by RBL:         209
> 			Total spam caught by Bogofilter:       7
> 			Total spam caught by procmail:         1
> 		Total spams uncaught                     12
> 	Total "real" email delivered:               19
> Email that is spam:                     95%
> Email that is not spam:                  5%
> Spam caught before delivered to MTA:    95%
> Spam caught before delivered to inbox:  97%
> Spam delivered to my inbox:              3%    <-- what I care about
> Spam caught by RBLs:                    57%    <-- nice!
> Spam claiming it came from "me":        15%
> Spam with improper SMTP envelope:       18%
> Spam giving non-existant domain
> 	in SMTP envelope:                     2%    <-- dumbest of the dumb
> Conclusions
> ===========
> First, I knew that I had a high spam to email ratio, but I was shocked
> to see that my spam to ham ratio was 20 to 1.

I see around 80% spam across the domains we filter mail for at work.

> Second, I'm quite pleased with the results.  Postfix along with RBLs
> shot down most of the crud.  Only a very small trickle passed through.
> I'm convinced more than ever that Postfix + RBL is the way to go for
> spam control.  This is more preferable than relying on spam assassin,
> bogofilter and procmail as a first line of defense, since they sap up
> more system resources.

Yeah, RBLs smite a surprisingly large amount of spam.

> As a last note, I'm nearly certain that if I had spam assassin installed on
> dirac.org, my total spam delivered count would've been truly, truly zero.

SpamAssassin isn't perfect. It misses stuff once in a while, though custom 
rules can help. I've seen some spam sneak past SpamAssassin with less than 
one point (though Bayesian filtering is turned off), though this not 

-- 
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90  34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
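To make the two recommendations in the reply above concrete (one consolidated Spamhaus zone instead of three separate RBLs, and rejecting unwanted mail during the SMTP conversation rather than accepting it and then bouncing or black-holing it), here is an added Postfix main.cf fragment. It is example configuration written for this archive page, not dirac.org's real configuration and not anything posted to the list; the helo_access file path and the before-queue filter address are assumptions. Note that sbl-xbl.spamhaus.org has since been retired in favour of the combined zen.spamhaus.org zone, and several other zones named in the thread no longer exist, so check that each DNSBL is still operated before copying the list: a retired zone can fail open, or, as relays.ordb.org did after it shut down, answer positively for every query and reject all mail.

```ini
# Added example (not the list poster's configuration): Postfix main.cf
# fragment illustrating the advice in the reply above. Paths and the
# content-filter port are assumed values.

# Require HELO/EHLO and reject hosts that claim to be us or "localhost"
# (the "HELO rejected" bucket in the raw data). /etc/postfix/helo_access is
# an assumed file with lines such as "dirac.org REJECT" and
# "localhost REJECT"; build the map with: postmap /etc/postfix/helo_access
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_hostname

# Envelope-sender checks. This catches the "non-existent domain in SMTP
# envelope" case during the conversation, before the message is queued.
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# BEFORE: three separate zones, one DNS lookup each per connection:
#   reject_rbl_client cbl.abuseat.org,
#   reject_rbl_client opm.blitzed.org,
#   reject_rbl_client sbl.spamhaus.org,
#
# AFTER: the single combined zone the reply recommends. reject_unauth_destination
# must stay in this list (before the RBL lookups) or the host becomes an open
# relay; RBL rejections also happen here, while the client is still connected.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit

# Reject viruses during the SMTP conversation instead of accepting the
# message and bouncing or dropping it afterwards. Postfix 2.1 and later can
# hand each message to a before-queue content filter that speaks SMTP; if
# the filter answers with a 5xx code, Postfix relays that rejection to the
# sending MTA, which then owns the problem of telling its user. The listener
# address is an assumption; point it at whatever scanner you run.
smtpd_proxy_filter = 127.0.0.1:10025
smtpd_proxy_timeout = 100s
```

Test the restriction lists on a scratch host before deploying: with `smtpd_recipient_restrictions` it is easy to lock out legitimate senders if a DNSBL zone is stale, and `reject_unknown_sender_domain` will defer (not reject) mail when your own resolver is unreachable, which is the safe failure mode but still worth knowing about.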
