[NCLUG] Re: Spam Help

Bob Proulx bob at proulx.com
Wed Dec 3 12:11:26 MST 2008


Matt Rosing wrote:
> >That address is in a dynamic address block.  It is listed in SORBS in
> >the dul.dnsbl.sorbs.net list.  I might as well start the zillion long
> >post discussion by saying that there is no reason to accept anonymous
> >mail from hosts on dynamic addresses.  
> 
> Here, let me help you out ;)

:-)

> I used to use spam assassin and there was always a tradeoff between
> getting rid of enough spam and losing important email.

It is important to reject mail at smtp time if at all possible.  Then
the sender will get the delivery failure notification (without
creating backscatter spam yourself with a bounce message to a received
forged spam).  Then you shouldn't "lose" mail.  The sender will know
it was not delivered.  It is the same as if they mailed to a
non-existent email address.

> I have no idea why but there are people, typically at home, that
> send email directly from their machine and not through an

This is mostly from somewhat more knowledgeable users but not quite a
skilled hacker yet, right?  I never see this from the clueless newbie
crowd.  They all use a mailserver run by a larger organization such as
Yahoo, Hotmail, Gmail, or corporate entity.  So the truly clueless
ones are okay.

Instead it is the hacker that sets up their mail server on a cable
modem connected host and tries to send mail.  This falls into the
category of knows enough to be dangerous.  They shouldn't be doing
this on a dynamic IP but do anyway ignoring the problems.

> authenticated server (I assume this is what you call anonymous) and

Yes.  Mail not from your own network and not authenticated
(e.g. through SASL) could be coming from anyone.  (Of course this is
the same as the postal service physical mail too.)

> my spam filter would drop their email.

By the time that you have received the mail it is really too late and
very problematic.  If you can't reject at smtp time then it is just a
bad situation.

> I would tell these people how to fix their setup and they'd look at
> me funny because they had no idea what I was talking about.

I can't disagree there.  But I don't think it does them favors to work
around their problem.  Instead it would be better for all involved if
it just did not work for them at all until they had a hostile Internet
compatible configuration.

> What I've finally settled on is just grey listing. I get a dozen
> spam messages a day, which is tolerable, and I don't lose anybody's
> email.

For what it is worth I also use greylisting.  But then there is a
different set of misconfigured mail servers that 1) drop mail upon a
greylisting.  Those would lose mail in normal operation anyway.  And
those that 2) produce DSNs which confuse the sending user and create
backscatter spam.  And that 3) retry at a very slow rate causing
excessive mail delays.  I still use it anyway.  (shrug)

> If you have a setup where you get less spam and don't drop real email
> then I'm jealous. I suspect it requires training the senders to
> configure their machines correctly. If not, I'm open to suggestions.

Concerning blocking dynamic IP blocks: I have yet to run into anyone
who didn't fall into the hacker wannabe category trying to send me
email that couldn't.  And that is only at the rate of once every few
years.  In fact it may have been five years or more since the last
time I ran into this issue.  My family and friends all use mail relays
on static IP addresses.  Most importantly I can't think of any
business associations that would ever fall into trouble here.

Many ISPs now block outgoing smtp port 25 from their internal networks
as part of their virus spam control policy.  The environment has
changed in recent years.  I think there are many fewer of these users
on dynamic IP blocks being even partially successful sending mail
these days.  (I would enjoy reading counter examples.)

Try setting "warn_if_reject" for DUL clients and then taking a survey
of the mail logs later to see if it would have rejected anything that
you didn't want it to reject.  That would be safe.

Bob
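The survey step Bob suggests, as an added example that is not part of the original thread: a Python script that parses the Postfix "reject_warning" log lines produced by an assumed `warn_if_reject reject_rbl_client dul.dnsbl.sorbs.net` entry in smtpd_client_restrictions and summarizes, per sender domain and client IP, what a hard reject would have bounced; the log lines below are constructed, not from a real server.

```python
import re
from collections import Counter

# Assumed Postfix main.cf fragment that yields the lines parsed below
# (dry run: Postfix logs the verdict but still accepts the client):
#   smtpd_client_restrictions =
#       permit_mynetworks
#       permit_sasl_authenticated
#       warn_if_reject reject_rbl_client dul.dnsbl.sorbs.net
# Postfix logs such a would-be rejection as "reject_warning:" instead of "reject:".
WARN_RE = re.compile(
    r"NOQUEUE: reject_warning: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ (?P<reason>[^;]*; [^;]*); from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)>"
)

def parse_reject_warnings(lines):
    """Return one dict per reject_warning line; all other log lines are ignored."""
    hits = []
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits

def survey(lines, dnsbl="dul.dnsbl.sorbs.net"):
    """Return (total, Counter by sender domain, sorted client IPs) for the given DNSBL,
    so legitimate correspondents show up before warn_if_reject is removed."""
    hits = [h for h in parse_reject_warnings(lines) if dnsbl in h["reason"]]
    by_domain = Counter(h["sender"].rpartition("@")[2] or "<>" for h in hits)
    return len(hits), by_domain, sorted({h["ip"] for h in hits})

# Constructed sample log in Postfix's syslog format (not a real log).
SAMPLE_LOG = """\
Dec  3 12:11:26 mx postfix/smtpd[4242]: connect from c-192-0-2-10.example.net[192.0.2.10]
Dec  3 12:11:27 mx postfix/smtpd[4242]: NOQUEUE: reject_warning: RCPT from c-192-0-2-10.example.net[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dul.dnsbl.sorbs.net; from=<joe@example.com> to=<bob@example.org> proto=ESMTP helo=<joebox>
Dec  3 12:15:01 mx postfix/smtpd[4243]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dul.dnsbl.sorbs.net; from=<sales@example.net> to=<bob@example.org> proto=SMTP helo=<localhost>
Dec  3 12:20:44 mx postfix/smtpd[4244]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.5]: 450 4.2.0 <bob@example.org>: Recipient address rejected: Greylisted; from=<ann@example.com> to=<bob@example.org> proto=ESMTP helo=<mail.example.com>
Dec  3 12:31:09 mx postfix/smtpd[4245]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dul.dnsbl.sorbs.net; from=<sales@example.net> to=<alice@example.org> proto=SMTP helo=<localhost>
"""

if __name__ == "__main__":
    total, by_domain, ips = survey(SAMPLE_LOG.splitlines())
    print(f"{total} delivery attempts would have been rejected from {len(ips)} client(s)")
    for domain, n in by_domain.most_common():
        print(f"  {n:3d}  {domain}")
```

Run it against the real log with `survey(open("/var/log/mail.log").read().splitlines())`; the greylist "reject:" line is deliberately excluded to show that only warn_if_reject verdicts are counted.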