[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: .49, spam

To: agulbra@troll.no (Arnt Gulbrandsen)
Subject: Re: .49, spam
From: Matti Aarnio <mea@nic.funet.fi>
Date: Sun, 29 Jun 1997 04:50:56 +0300 (EET DST)
Cc: zmailer@nic.funet.fi
In-Reply-To: <m3oh8qk3jm.fsf@lupinella.troll.no> from "Arnt Gulbrandsen" at Jun 28, 97 08:03:57 pm

> ZMailer 2.99.49 looks very good (thanks, Matti), but I'm feeling a
> little down at the moment.
> 
> The fourth message coming in after I upgraded my real mail server to
> 2.99.49p2 was spam.  1, 2, 3, spam.  Didn't even take a minute.

	I didn't feel very good either when at last weekend somebody
	at Santa Ana, California dialed in and did relay-hijack spam
	of marketing stuff all around with claiming source addresses
	of:   asdfg@utu.fi,  536533@utu.fi,  and some such bogus ones.
	Of course <abuse@utu.fi> and <postmaster@utu.fi> got hate-mail..

	The mechanisms we have are able to limit/block relay mailer
	hijack, but now that SPAMmers appear to have started individual
	message delivery straight off their machines to the destination
	addresses as per MX/A resolving, much isn't doable.

	One needs near instantaneous knowledge of spam sources, or a real
	AI system for message content analysis/spam filtering, but ...
	(if you can find this latter, I would adapt it into an auto-secretary
	 for me ;-)   I have been dreaming of it since 1986 when I go to
	 EARN/BITNET, and had 'mail flood' of 20 messages per day... )

	Of course we could consider similar approaces to the problem
	as virus scanner makers are using.  Just scan the message body
	for magic identification factors, and bingo...  but what will
	happen, if somebody forwards a message with matching string,
	but with legitimate content ?  Like when sending such a mail to
	postmaster, or abuse, or ...

> The message came from something like <1fvdf@ejfvsd.afhdjalf3.vmx>, and
> I don't see any way to reject things like that.  Could smtpserver do
> an MX/A lookup of the envelope sender domain?  Would that be a bad
> idea?

	Some sites already do, AOL.COM, for example.
	They seem to run massive amounts (10-20) parallel input
	systems all running sendmails to verify incoming MAIL FROM:<...>
	addresses per MX/A data, however ...

	... I have spent a day at fighting incoming FLOOD of error
	messages from some SMAP/sendmail pair sending same messages
	over and over again.  So far vger.rutgers.edu has received
	some 26 000 of those messages, several per second.

	The Vger did have several very high load bursts -- up to 170!
	with these incoming messages, until I realized that doing
	ident lookup (the '-a' option at the smtpserver) delays the
	server too much!   Also apparently the feeding system is a lot
	bigger one, than Vger.   Vger is a sparc-classic w/ 32 MB RAM!

	That has teached to me that MX/A resolving - while nice idea - is
	not necessarily something you can do without multiple external input
	front-end machines, or you soon run out of resources.


	By the way, we solved the problem to a large extent by defining
	the error receiving address ( owner-some-list@ver.rurgers.edu )
	to have policy attribute:  'freeze +'
	(and $POSTOFFICE/freezer/ directory had to be created there too)
	The smtpserver shunts all the most volumous errors into a freezer
	box, and leaves the system to process far fewer legitimate msgs.
	I had to patch the  smtpserver/policytest.c  to also test the
	full target address, and not just the target host.

	Noticing at Vger often even as much as 20 incoming smtpserver
	sessions from the SAME source IP address gets me wondering, if
	there would be sense to have a feature at the smtpserver, that
	it could refuse to server the client when there are already
	more than some [smtpserver.conf configurable] number of
	clients from the same IP address.

	... and it is clear that Gabor Kissigs original plan of running
	smtpserver, and router in tandem would have been terrible disaster
	at these loads...

> I know about -sf, but that seems like policy ("we ignore mail from
> such and such domain"), not a DNS query.
> 
> Btw, this patch ought to make policy-builder.sh a little better.
...
> The tr handles things like cyber-s-i-q.com vs. cyber-S-I-Q.com, the
> grep (untested, I did that by hand) should grep away stuff zmailer
> won't digest, "bhaffle,wuyffle.com" for example (note comma).

	Yeah, qmail allows any junk, while ZMailer preselects :-)
	Anyway, the  "makendbm -p ..." does translate all of the
	key strings into lowercase, and then complain duplicates,
	like in your  cyber-s-i-q.com  case above.  Also, the db
	gets visited at places of interest only, in which case a
	moderate amount of junk around the corners should not matter.

> --Arnt

Follow-Ups:
- Re: .49, spam
  - From: Arnt Gulbrandsen <agulbra@troll.no> (Wed, 2 Jul 1997 00:17:50 +0300)

References:
- .49, spam
  - From: Arnt Gulbrandsen <agulbra@troll.no>

Prev by Date: .49, spam
Next by Date: Re: .49, spam
Prev by thread: .49, spam
Next by thread: Re: .49, spam
Index(es):
- Date
- Thread