[NCLUG] Re: Spam Help
Matt Rosing
rosing at peakfive.com
Thu Dec 4 11:26:34 MST 2008
Bob wrote:
> This is mostly from somewhat more knowledgeable users but not quite a
> skilled hacker yet, right? I never see this from the clueless newbie
> crowd. They all use a mailserver run by a larger organization such as
> Yahoo, Hotmail, Gmail, or corporate entity. So the truly clueless
> ones are okay.
Maybe it's something else. There were a dozen or so people and they
ranged from clueless to halfway between clueless and dangerous. (Of
course, I'm only a bit better than dangerous.) I looked at the mail
headers and they came directly from their homes. It could be they have
a friend that helped them out. A few work at small companies and I'm
guessing things weren't set up correctly.
> By the time that you have received the mail it is really too late and
> very problematic. If you can't reject at smtp time then it is just a
> bad situation.
Here's where I prove I'm dangerous: Does SpamAssassin sit too far down
the pipe to reject it at SMTP time? I use Postfix and I'm not sure how
SpamAssassin fits in. I assume the configurations you're talking about
should be in Postfix?
> I can't disagree there. But I don't think it does them favors to work
> around their problem. Instead it would be better for all involved if
> it just did not work for them at all until they had a hostile Internet
> compatible configuration.
I agree, but it became my problem because nobody else complained.
> For what it is worth I also use greylisting. But then there are a
> different set of misconfigured mail servers that 1) Drop mail upon a
> greylisting. Those would lose mail in normal operation anyway. And
> those that 2) produce DSNs which confuse the sending user and create
> backscatter spam. And that 3) retry at a very slow rate causing
> excessive mail delays. I still use it anyway. (shrug)
I see the delays but haven't seen the dropped mail. Well, I guess I
wouldn't know! But nobody complains like they used to :)
> Concerning blocking dynamic IP blocks: I have yet to run into anyone
> who didn't fall into the hacker wannabe category trying to send me
> email that couldn't. And that is only at the rate of once every few
> years. In fact it may have been five years or more since the last
> time I ran into this issue. My family and friends all use mail relays
> on static ip addresses. Most importantly I can't think of any
> business associations that would ever fall into trouble here.
I must be special.
> Many ISPs now block outgoing smtp port 25 from their internal networks
> as part of their virus spam control policy. The environment has
> changed in recent years. I think there are much less of these users
> on dynamic IP blocks being even partially successful sending mail
> these days. (I would enjoy reading counter examples.)
Could be. I pulled out SpamAssassin and put in greylisting a little
over a year ago.
> Try setting "warn_if_reject" for DUL clients and then taking a survey
> of the mail logs later to see if it would have rejected anything that
> you didn't want it to reject. That would be safe.
Thanks for the good idea.
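
The log survey suggested at the end of the thread, as an added example that is not part of the original messages: Postfix logs a restriction prefixed with `warn_if_reject` as `reject_warning` instead of `reject`, so the would-be rejections can be tallied and compared against the senders you want to keep. The log lines, addresses, the list name `dul.dnsbl.example` and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of Postfix smtpd log lines; every host,
# address and DNSBL name here is made up for illustration.
SAMPLE_LOG = """\
Dec  4 10:01:12 mx postfix/smtpd[2101]: connect from unknown[192.0.2.15]
Dec  4 10:01:13 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.15]: 554 5.7.1 Service unavailable; Client host [192.0.2.15] blocked using dul.dnsbl.example; from=<alice@smallco.example> to=<me@home.example> proto=ESMTP helo=<alice-pc>
Dec  4 11:40:02 mx postfix/smtpd[2188]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.15]: 554 5.7.1 Service unavailable; Client host [192.0.2.15] blocked using dul.dnsbl.example; from=<Alice@smallco.example> to=<me@home.example> proto=ESMTP helo=<alice-pc>
Dec  4 12:05:44 mx postfix/smtpd[2240]: NOQUEUE: reject_warning: RCPT from dyn77.isp.example[198.51.100.77]: 554 5.7.1 Service unavailable; Client host [198.51.100.77] blocked using dul.dnsbl.example; from=<> to=<me@home.example> proto=SMTP helo=<localhost>
Dec  4 12:30:09 mx postfix/smtpd[2251]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using other.dnsbl.example; from=<x@bulk.example> to=<me@home.example> proto=ESMTP helo=<x>
"""

# Only warn_if_reject hits: real rejections are logged as "reject:" and skipped.
WARN_RE = re.compile(
    r"reject_warning: \w+ from \S+?\[(?P<ip>[^\]]+)\]: \d{3} "
    r".*?blocked using (?P<list>[^;\s]+);"
    r".*?from=<(?P<sender>[^>]*)> to=<[^>]*>"
)

def survey(log_text):
    """Count would-be rejections per (sender, client IP, blocklist)."""
    tally = Counter()
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            sender = m["sender"].lower() or "<>"  # "<>" is the null sender
            tally[(sender, m["ip"], m["list"])] += 1
    return tally

def wanted_mail_at_risk(tally, wanted_senders):
    """Senders you want to hear from that the DUL check would have rejected."""
    at_risk = Counter()
    for (sender, _ip, _list), count in tally.items():
        if sender in wanted_senders:
            at_risk[sender] += count
    return dict(at_risk)

if __name__ == "__main__":
    hits = survey(SAMPLE_LOG)
    for (sender, ip, dnsbl), count in hits.most_common():
        print(f"{count:3d}  {sender:28s} {ip:16s} {dnsbl}")
    print("at risk:", wanted_mail_at_risk(hits, {"alice@smallco.example"}))
```

Against a real log, read the file's text into `survey()` and pass your own set of lower-cased correspondent addresses.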