Spam
Thursday, September 23, 2004
  In the spirit of trying as many things as possible to defeat the spammers, I've added greylisting through postgrey to my mail server. So far it works very well, but with one notable exception:

I have one user who has another email account (on another domain/mailserver) which forwards to her. So the spammers send email to her forwarded account, it gets transmitted to her, with a 10 minute delay because of the greylisting. So I added her to the greylisting white list.

I'm concerned that some mailers (mostly list managers) won't like the greylisting service. I'm using the sender whitelist, but there's a possibility that there are other senders that I don't know about that won't show up. We'll see.
 
Wednesday, September 22, 2004
  I've been watching my mail logs fill up with dictionary attacks, and have been thinking about a way to teergrube (tarpit) them.

What I'd like to do is to add an entry to a database whenever there's a 450 (User unknown) error. I would track the IP address of the machine that connected, as well as the time of the error.

Then, when a new connection is made, I look up the connection in the database and if there's been another connection in the past 10 minutes or so, I pause for a few minutes before sending the 450.

If I wanted to be really nasty, once my software's decided that there's a dictionary attack going on, I could stop sending 450's back and start sending OK for all addresses (with a pause, of course) just to keep the TCP connection open.

I may be able to do this using Postfix 2.1's policy server, but I'm not yet sure.
 
  I've left the SPF PostFix plug-in installed for the time being, despite the fact that SpamAssassin can call it itself.

I haven't figured out how to enable the right Envelope-To: header in PostFix, which will let SpamAssassin call the Mail::SPF::Query module and adjust the score accordingly.
 
  At last! SpamAssassin 3.0.0 is out!

I just installed it on my Mac OS X Server box, and it went off almost without a hitch. I had to remove the hand-installed SURBL plug-in I had on the 2.64 installation, but that's it.

The new SA seems much more accurate; we'll see how well the new Bayes code works as my Bayes databases refill.
 
  I have been having problems with occasional spam making it past SpamAssassin without being marked up. The logs seem to indicate that the spamc client waited 600 seconds, and then went on ahead.

I'm hoping that installing a new Razor2 2.61 will fix the problem; the docs talk about it not handling malformed headers well.
 
  I just upgraded all my Perl CPAN modules on my OSX server that's running SpamAssassin, and lo and behold, none of my Bayes databases would tie!

It seems that when I re-compiled the DB CPAN module it finally picked up the newer DB libraries I'd installed, which are no longer compatible with the DB-1.85 libraries that shipped with OSX. Sadly, the new module would have loaded the DB-7 databases from my Red Hat install of SpamAssassin, even though they're little-endian.

Oh well. Rather than upgrade I just blew them all away and let SA rebuild.
 
Friday, September 17, 2004
  I've recently updated to Postfix 2.1.4 (from 2.0.16), and implemented the built-in SPF checking stuff (through the policy mechanism). I quickly found a bug in Meng Wong's code, where it checks mail that's being relayed (via SASL authentication). Nasty.

Since I didn't want my SPF record to include all of the places where my users might send from, I updated the code to add:

if (!$attr{sasl_method}) {

Before the call to Mail::SPF::Query. I ended the conditional after the line which returns "dunno". Now it bypasses the SPF check for authenticated users, so my users can use the system, and all incoming mail will get checked. Much better!
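Here is an added example (my own, not Meng Wong's policy code and not from the blog) of a small Postfix policy server in Python that does both things discussed on this page: it returns DUNNO for SASL-authenticated clients, the same bypass the `$attr{sasl_method}` fix above gives the SPF check, and it implements the teergrube idea from the September 22 entry by stalling clients that keep hitting unknown recipients within a ten-minute window. The recipient list, window and pause length are constructed for the demo.

```python
# Added example (not the blog's code): one Postfix policy server that
# (1) skips every check for SASL-authenticated clients, like the
# $attr{sasl_method} fix above, and (2) tarpits clients that keep probing
# for unknown recipients.  VALID_RECIPIENTS, the window and the pause
# length are constructed for the demo.  Postfix sends "name=value" lines
# ending in a blank line and reads back "action=...\n\n".
import time

VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed
WINDOW_SECONDS = 600    # "another connection in the past 10 minutes"
TARPIT_SECONDS = 60     # stays under Postfix's smtpd_policy_service_timeout

_last_unknown = {}      # client IP -> time of its last unknown-recipient hit

def parse_policy_request(raw):
    """Turn the name=value block into a dict (stops at the blank line)."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, now=None):
    """Return (delay_seconds, action) for one smtpd_access_policy request."""
    now = time.time() if now is None else now
    if attrs.get("request") != "smtpd_access_policy":
        return 0, "DUNNO"
    if attrs.get("sasl_method"):
        return 0, "DUNNO"       # our own users relaying: no SPF, no tarpit
    rcpt = attrs.get("recipient", "").lower()
    if rcpt in VALID_RECIPIENTS:
        return 0, "DUNNO"       # let Postfix's normal checks handle it
    ip = attrs.get("client_address", "")
    previous = _last_unknown.get(ip)
    _last_unknown[ip] = now
    delay = 0
    if previous is not None and now - previous < WINDOW_SECONDS:
        delay = TARPIT_SECONDS  # second miss inside the window: stall
    return delay, "450 4.1.1 Recipient address rejected: try again later"

def serve_request(raw, now=None, sleep=time.sleep):
    """Handle one request: sleep for the tarpit delay, then answer."""
    delay, action = decide(parse_policy_request(raw), now)
    if delay:
        sleep(delay)            # keeps the probing client's connection busy
    return "action=%s\n\n" % action
```

Wire it in with check_policy_service in smtpd_recipient_restrictions; each stalled request ties up one smtpd process, so the pause must stay below smtpd_policy_service_timeout, and Postfix's own smtpd_error_sleep_time and smtpd_soft_error_limit give a simpler built-in slowdown if you don't need per-IP memory.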
 
Tuesday, January 20, 2004
  Installed SA 2.6.3 today, and have been routinely reporting the spammers to SpamCop. We'll see if it makes any difference. There are a ton of custom rules going around, some of which are far better than Bayes, most of which are based off of it.

My latest idea is to write some code that will add tokens to the Bayes database based on the whois information derived from the hosts of the URLs in the messages. That should, by itself, eliminate roughly 90% of my messages, at the cost of hitting the whois databases fairly hard. Only trouble is that it's pretty easy for the bad guys to embed links that can spoof the system, but the more bogus links they present the less likely it is that they'll be clicked on. Plus, if the bad guys haven't figured out by now that SpamCop uses the URLs for pretty much the same purpose, well too bad. 
Wednesday, January 14, 2004
  I added a few custom rules to my SA install:

TripWire, BigEvil, et al. They seem to work okay.
  I wrote a small script to give me a count of users' spam and ham. It's terribly inefficient, but got the job done:

for name in `grep "identified spam" /var/log/maillog* | sed -e "s/.* identified spam .* for \(.*\):.*/\1/" | sort -u`; do
    # match "for name:" exactly, so that "ed" does not also count fred, ned, jed...
    nonspam=`grep "clean message" /var/log/maillog* | grep -c "for $name:"`
    spam=`grep "identified spam" /var/log/maillog* | grep -c "for $name:"`
    # avoid perl's "Illegal division by zero" for a user with no ham yet
    ratio=`perl -e "print $nonspam ? $spam/$nonspam : 'n/a'"`
    echo "$name: $spam spam, $nonspam non-spam, $ratio"
done

Produces output like this:

ed: 1341 spam, 144 non-spam, 9.3125
fred: 3276 spam, 948 non-spam, 3.45569620253165
ned: 797 spam, 32 non-spam, 24.90625
jed: 3411 spam, 2433 non-spam, 1.4019728729963
sed: 657 spam, 248 non-spam, 2.6491935483871
bed: 204 spam, 17 non-spam, 12
bled: 3701 spam, 233 non-spam, 15.8841201716738
med: 173 spam, 162 non-spam, 1.0679012345679
ved: 159 spam, 129 non-spam, 1.23255813953488
zed: 1785 spam, 328 non-spam, 5.44207317073171
 
Tuesday, January 13, 2004
  Is there an English dictionary for Perl that I could run messages through? Most email that comes to the server is in English, and an easy SA rule would be to check for a lot of non-English words in sequence. Of course, there are several cases where this won't work: URLs, source code, etc., but it would eliminate one more tool from the spammers' toolbox.
I run a small mail server, and get inundated with spam (2-3 times more than non-spam). This log keeps track of my spam notes.
