[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A potential way to cut down on spam.

To: acli@ada.dhs.org, zmailer list <zmailer@nic.funet.fi>
Subject: Re: A potential way to cut down on spam.
From: Jeff Warnica <jeffw@chebucto.ns.ca>
Date: Wed, 04 Feb 2004 22:54:57 -0400
In-Reply-To: <HsL8r1.F29@ada.dhs.org>
Original-Recipient: rfc822;zmailer-log@nic.funet.fi
References: <4020F71F.5030606@iplink.net> <HsL8r1.F29@ada.dhs.org>
Sender: zmailer-owner@nic.funet.fi
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4

There was an article written on this subject, now relatively old in the 
fight (from Aug of last year). It suggests greylisting of new messages 
based on not just IP address of the sender, but the tuple {IP address, 
envelope sender, envelope recipient}

http://projects.puremagic.com/greylisting/

ZMailer has particularly good support for customizing its /routing/ 
abilities. (the somewhat vaguely documented ZMSH is infinitely easier 
then the line-noise of Sendmail, even with my 2" thick bat book). The 
question last week which the answer was DNSRBLs, and this one, has me 
wondering about its abilities to do custom processing at the SMTP server 
level.. I can parse virus checker logs and update DNS, but I want a 
temporary failure for my auto-generated list, permanent for another.

Are there generic hooks to implement custom logic like this, besides the 
content filter that is? Or is that the best spot to implement such 
logic, gathering data from a queue file rather then being parameters 
passed to a function? If we use the content filter then we've already 
wasted the bandwidth....

acli@ada.dhs.org wrote:
> In article <4020F71F.5030606@iplink.net>, alvin
> <alvin@iplink.net> wrote:
> 
> 
>>His idea is to report a temproary failure on the first time
>>a new server connects to send mail to a given user. The idea
>>being that a spammer will drop the message and just go on to
>>the next victim but a real mailer will try again in a couple
>>of minutes. Then once this connection:user pair is blessed the
>>rest of the messages can be taken without any further waiting.
> 
> 
> This might work to some extent, but likely not as well as
> expected because the assumption is not on solid ground.
> 
> Some spammers use a strange tactic that if they encounter a
> failure (even 5xx ones), they will change the HELO name and hope
> that we simply blocked one HELO name. They even do this quickly
> in succession for a large number of times. Fortunately this
> seems rare.
> 
> The other is that if the spam do not come directly from the
> spammer (e.g., if the mail went through a .forward or similar,
> or sent through an insecure real mailer, etc.), the other side
> (likely a real mailer) will continue retrying anyway. (For me,
> most of the spams blocked at home with a 4xx fall into this
> category.)
> 
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi

References:
- A potential way to cut down on spam.
  - From: alvin <alvin@iplink.net>
- Re: A potential way to cut down on spam.
  - From: acli@ada.dhs.org

Prev by Date: Re: A potential way to cut down on spam.
Next by Date: Slowing down smtpserver (was: Re: A potential way to cut down on spam.)
Prev by thread: Re: A potential way to cut down on spam.
Next by thread: Re: A potential way to cut down on spam.
Index(es):
- Date
- Thread