l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
August 5: Social gathering
Next Installfest:
TBD
Latest News:
Jul. 4: July, August and September: Security, Photography and Programming for Kids
Page last updated:
2004 Jun 22 12:45

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Anyone running a mail server on a dynamic IP?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Anyone running a mail server on a dynamic IP?



On Tue, Jun 22, 2004 at 04:19:03AM -0700, Rod Roark wrote:
> On Tuesday 22 June 2004 12:06 am, Brian Lavender wrote:
> > On Wed, Jun 16, 2004 at 10:15:18PM -0700, Rod Roark wrote:
> > > Seems like most of the spam that I (and thus LUGOD) are not
> > > successfully filtering out these days is from dynamic IPs -
> > > dialup, cable modem, and dynamic DSL.
> > > 
> > > So I'm wondering if it's reasonable to refuse mail from
> > > servers that connect directly from a dynamic IP.  Is anyone
> > > here running such a server?  And if you are, are you finding
> > > that many sites are refusing your mail?
> > > 
> > > Please reply off-list unless you think that what you have to
> > > say is of general interest.  Also if you're not sure if your
> > > IP is considered dynamic, you can check it at
> > > "http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?IP=";.
> > 
> > Well, consider this. You have a valid send who is sending you email from
> > a dynamic IP. You would want to receive that email, right?!!
> > 
> > The answer lies in SpamAssassin. I believe it scores on this blacklist.
> > SpamAssassin has been 100% effective with over 300+ spams in the last
> > 24+ hours!
> 
> 100% is astounding.  My experience with SA was nothing like
> that.  But it has a huge number of options; how do you have
> it configured?  What about false positives?  Any idea how
> many unique spam sources are represented in those 300
> messages?

I pipe'ed my known good messages into a whitelist tool, plus the
Bayesian filtering is helping a lot. The RAZOR check and other
blacklist, RFC, open relays lists have helped as well. I know some of
this stuff requires that you have dependent PERL modules installed to
work. Admittingly, I just put this latest implementation into place this
last weekend. But, yes, no false positives thus far. 

Also, here's a script that will add whitelist entries for people you
send mail to. This is a great idea I want to implement, because as you 
say, false positives are a concern and this is a good way to
automatically get people on a whitelist.

http://www.estey.com/scripts/auto-whitelist.pl.txt

Here's a spam scoring from my current installation of SpamAssassin. You
can see it already has your dynamic IP listing. But I think the Bayes
scoring working really well at the moment. I think it has to do with the
fact that I am on a lot of mailing lists, so it has a lot of ham to
base its analysis.


Content analysis details:   (13.8 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 HTML_MESSAGE           BODY: HTML included in message
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.9 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.1 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
 0.5 FORGED_HOTMAIL_RCVD    Forged hotmail.com 'Received:' header found
 0.7 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?ip=218.135.214.75>]
 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
              [Blocked - see <http://www.spamcop.net/bl.shtml?218.135.214.75>]
 2.6 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [218.135.214.75 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [218.135.214.75 listed in dnsbl.sorbs.net]
 1.1 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
 0.7 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay


> 
> > The next question is, do you want to process this email? I 
> > don't. That's why I have been testing SA-Exim. If it gets flagrant
> > spam from an IP, it can put in a temporary reject. Or, it can put in a
> > permanent reject. Or....  if it's really bad spam, you can teergrub it.
> > Or, say I do have a sender who does use mail server on a dynamic IP. I
> > can whitelist him and get his email.
> > 
> > I am doing a talk on integrating SpamAssassin at the SMTP layer. The
> > implementation is SA-Exim. http://www.saclug.org/
> 
> Well I use Postfix.  I believe the rough equivalent with
> that would be something like amavisd-new which runs
> SpamAssassin "internally", using the "before queue content
> filter" which Postfix introduced with release 2.1.  I don't
> know anyone who has tried this combination yet.

Well, does Postfix do the following?!!! This mail was rejected at the
SMTP layer.  This way, the sender doesn't think he sent it. If the mail
had been accepted, it would have returned a code 500. If I had tried to
bounce this spam, it would have gone to some unknow domain "gandalf".

bash-2.05$ telnet pptp.brie.com 25
Trying 158.222.124.74...
Connected to pptp.brie.com.
Escape character is '^]'.
220 pptp ESMTP Exim 4.34 Tue, 22 Jun 2004 04:44:44 -0700
mail from: merlin@gandalf
250 OK
rcpt to: brian@pptp.brie.com
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: merlin@gandalf
To: merlin@gandalf
Subject: $$$ Make Money Fast $$$ !!!

viagra 100% GARANTEE AMAZING FULL REFUND
This is not spam
.
451 Please try again later




brian
-- 
Brian Lavender
http://www.brie.com/brian/
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.