The Spam Thread

The_Unbeliever

All spam-related topics, issues and discussions here will be welcome.

Thanks.


--------------------------

I'm using the dspam spam filtering modified for Smoothwall. Basically, my Smoothwall now acts as a proxy mail server, scanning incoming mails for spam and viruses before forwarding these to the Exchange server.

Things which I've noticed so far:

The spammers keep on changing the headers, the "from" email addresses, and some even go further to re-arrange the contents.

Most of these, the dspam filter picks up, but there is a percentage (18%) which manages to slip through.

At this stage I'm considering the use of RBL, and have already added two such services to my Exchange server, but there is no visible improvement.

Let's hear it from you guys...

Regards

TU
 
SPAMMERS die!

Now that that is off my chest....

I set up a mail server yesterday, and already it is receiving spam. Assume the domain is IHateSpammers.co.za, I am getting spoofed mail from
[email protected] - some spambot has already identified the server as having mail software and is spoofing addresses - within 12 hours of the server being up?

bloody spammers.

We currently use IS Hosted Exchange - and that thing is p1ssing me off.
90% of all night-time mails are SPAM, but the IS spam filter marks legitimate mails as SPAM and leaves SPAM mails unmarked - what's up with that?
 
Moederloos - I'm also having the same issue here... blerrie spammers... :mad:

Glad to hear that I'm not the only one having that issue with spoofed domain names... :mad:

Also, most of the mails that come in at night are spam. I dunno why IS would mark legit mail as spam and pass spam through unmolested... must be their filter that's not set up correctly.

Which raises another point: under South African law, should an insurance company send you a revised schedule and such by email, then it is also legal and binding upon you... but what happens should you never receive said email because some misconfigured spam filter marked it as spam and chucked it away? :confused:

Gah...
 
Oh yes, before I forget : here is a link to get you started on harassing spambots... :D

I'm working on adding this functionality to our web pages... :D
 
There is a trend here - everyone seems to be complaining of spoofed and forged from addresses...
Yet no one seems to mention the new internet standard for verifying from addresses: SPF is an extension of SMTP and DNS that allows the verification of from addresses within email and can be a very effective defence against this sort of spam (as well as phishing, virus infections, etc.)
 
Do yourself a favour and implement greylisting and RBL blacklists. Spam used to be a constant pain; I tried Bayesian nets, rule based filters and Cloudmark hashing, none were really effective. Of the 1900 or so spams each day about 30 would usually get through; with greylisting that number dropped to about 2 spams sneaking past every 2 weeks. 30 mins seems to be the magic delay for the blacklists to catch up with spamming hosts.

I built my own greylisting with Python into Exim, but I am sure any of the freely available implementations would work just as well. The only reason I built my own was because I thought it would be fun to see where all the spams are coming from via GeoIP and a real-time colour coded SVG world map - USA, China, Korea, France, Peru are this week's winners.
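As an added example (not pookfuzz's Exim hook and not code from this thread), here is a minimal greylisting policy in Python that models what the post describes: an unknown (client, sender, recipient) triplet gets a 4xx temporary failure, and only a retry arriving after the delay is accepted. The 30-minute delay comes from the post; keying on the client's /24 (so a retry from a sibling host in the same mail farm still passes), the 4-hour retry window and the 35-day whitelist lifetime are assumptions typical of greylisters, not figures from the thread. The sample traffic at the bottom is constructed, and the clock is passed in explicitly so the run is deterministic.

```python
"""Greylisting policy for an SMTP front end (added example, not the thread's code)."""
import ipaddress
from dataclasses import dataclass

TEMPFAIL = "451 4.7.1 Greylisted, try again later"  # a real MTA queues and retries
ACCEPT = "250 OK"


@dataclass
class Triplet:
    first_seen: float
    last_seen: float
    passed: bool = False


class Greylist:
    def __init__(self, delay=30 * 60, retry_window=4 * 3600, pass_ttl=35 * 24 * 3600):
        self.delay = delay                # minimum age before a retry is accepted (30 min, per the post)
        self.retry_window = retry_window  # assumption: a retry later than this counts as a fresh attempt
        self.pass_ttl = pass_ttl          # assumption: how long a passed triplet stays whitelisted
        self.table = {}

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Assumption: group the client by /24 (IPv4) or /64 (IPv6) so outbound
        # mail farms that retry from a neighbouring host are not delayed forever.
        ip = ipaddress.ip_address(client_ip)
        plen = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        key = self._key(client_ip, sender, recipient)
        entry = self.table.get(key)
        if entry is None:                          # never seen: defer and remember
            self.table[key] = Triplet(first_seen=now, last_seen=now)
            return TEMPFAIL
        if entry.passed:                           # whitelisted triplet
            if now - entry.last_seen > self.pass_ttl:
                self.table[key] = Triplet(first_seen=now, last_seen=now)
                return TEMPFAIL
            entry.last_seen = now
            return ACCEPT
        age = now - entry.first_seen
        if age > self.retry_window:                # retry came far too late: start over
            self.table[key] = Triplet(first_seen=now, last_seen=now)
            return TEMPFAIL
        entry.last_seen = now
        if age < self.delay:                       # retried too early: keep deferring
            return TEMPFAIL
        entry.passed = True                        # retried after the delay: let it in
        return ACCEPT


# Constructed delivery attempts: (seconds, client IP, envelope sender, envelope recipient).
SAMPLE = [
    (0,    "203.0.113.10", "alice@example.org", "bob@example.com"),  # real MTA, first attempt
    (1,    "198.51.100.7", "x1@spam.example",   "bob@example.com"),  # spam engine, one shot
    (2,    "198.51.100.7", "x2@spam.example",   "bob@example.com"),  # rotated sender = new triplet
    (600,  "203.0.113.10", "alice@example.org", "bob@example.com"),  # retry after 10 min, too early
    (1900, "203.0.113.11", "alice@example.org", "bob@example.com"),  # retry from sibling host, ~32 min
    (5000, "203.0.113.10", "alice@example.org", "bob@example.com"),  # later mail, now whitelisted
]


def run_sample():
    """Decisions for SAMPLE in order; the spam engine never retries, so it never gets in."""
    gl = Greylist()
    return [gl.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in SAMPLE]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE, run_sample()):
        print(attempt, "->", decision)
```

The table here lives in memory; a production greylister persists it (and expires it) so a restart does not re-defer every correspondent at once.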
 
Hey Guys,

I have noted the same lately - my mailbox used to be sorted, now I have at least 20-30 messages a day that slip past the current anti-* filters. When looking at the source of messages, it would seem that they have changed some wicked things in there.

A while ago I (well, my mate found the website :) ) found a company in South Africa that does mail filtering. IIRC they would receive the mail on your behalf, scan, filter bla bla bla and then forward to you. Offending mail would be held in a queue and could be released or something like that via a web interface. It was a pretty web interface, that much I remember :)

The main point was that they would pay *you* for any spam that was let through - they had some wicked rules on that filter... just can't remember them now.

Anyways, if you guys would like I can try and contact him and see if the project is still alive etc.

Laterz !

I tried the website now and it seems to have gone. I still have the author's email address. If you guys like I could contact him

The_Unbeliever said:
All spam-related topics, issues and discussions here will be welcome.

Thanks.


--------------------------

I'm using the dspam spam filtering modified for Smoothwall. Basically, my Smoothwall now acts as a proxy mail server, scanning incoming mails for spam and viruses before forwarding these to the Exchange server.

Things which I've noticed so far :

The spammers keep on changing the headers, the "from" email addresses, and some even go further to re-arrange the contents.

Most of these, the dspam filter picks up, but there is a percentage (18%) which manages to slip through.

At this stage I'm considering the use of RBL, and have already added two such services to my Exchange server, but there is no visible improvement.

Let's hear it from you guys...

Regards

TU
 
pookfuzz said:
Do yourself a favour and implement greylisting and RBL blacklists. Spam used to be a constant pain; I tried Bayesian nets, rule based filters and Cloudmark hashing, none were really effective. Of the 1900 or so spams each day about 30 would usually get through; with greylisting that number dropped to about 2 spams sneaking past every 2 weeks. 30 mins seems to be the magic delay for the blacklists to catch up with spamming hosts.

I built my own greylisting with Python into Exim, but I am sure any of the freely available implementations would work just as well. The only reason I built my own was because I thought it would be fun to see where all the spams are coming from via GeoIP and a real-time colour coded SVG world map - USA, China, Korea, France, Peru are this week's winners.
Greylisting sounds good... will have a shufti to see whether smoothwall and mfilter will support this...

thanks for the feedback.
 
I'm currently testing a special beta implementation (non-official release) of greylisting for Smoothwall - this is incorporated into the dspam filter, and so far I've had only two spammy mails out of 200 mails, which is a huge improvement.

As soon as it is officially released, I will spread the word.

Greylisting seems to be working wonders - but only if the spammers do not use open relays to send spam.

Regards

Libs
 
pookfuzz said:
Do yourself a favour and implement greylisting and RBL blacklists. Spam used to be constant pain,

Beware of RBL on its own - it blocks too many valid mails.

On my mailserver I'm using the following checks:

Sender must accept mail (trashes about 20% of all incoming)
Greylisting (trashes another 60% of all incoming)
Spamassassin (trashes about another 10%)

Around 90% of all mail reporting to my server is spam...

Of the stuff remaining, more than 95% is valid mail.

Tightening things more is expensive (cost and time) and increases the risk of blocking legal mail (false positives).
 
um HELLO PEOPLE....

greylisting, RBL, etc all seem to work but why the hell is no one in SA bothering with SPF???
SPF is a whitelisting system that works to combat email address forgery and spoofing. It has already been successfully implemented on 20% of the world's mail systems including AOL, Hotmail and Gmail...

So what's your excuse??
 
And I don't want to implement it on my mail server... yet.

But times may change, and I'm evaluating it at present.

Graylisting works fine, tho... have to check out tomorrow morning what's happened or not...
 
ambo said:
um HELLO PEOPLE....

greylisting, RBL, etc all seem to work but why the hell is no one in SA bothering with SPF???
SPF is a whitelisting system that works to combat email address forgery and spoofing. It has already been successfully implemented on 20% of the world's mail systems including AOL, Hotmail and Gmail...

So what's your excuse??

Because SPF prevents forgery. It does not prevent SPAM.
Because it hijacks DNS record types.
Store and Forward nature of email is violated.
RFC1123 RFC974 RFC2821

My feeling is that SPF imposes rather severe limits on the way a mail system may or may not function; if you are going to do things so arse about face you may as well just do it properly and rewrite the SMTP standard.

Just because 20% of the people out there use it does not mean it is good, or even better than alternative approaches. More than 90% of desktop machines run Windows; do you suggest I also use it simply because everyone else is?
 
ambo said:
um HELLO PEOPLE....

greylisting, RBL, etc all seem to work but why the hell is no one in SA bothering with SPF???
SPF is a whitelisting system that works to combat email address forgery and spoofing. It has already been successfully implemented on 20% of the world's mail systems including AOL, Hotmail and Gmail...

So what's your excuse??

It does not seem very practical.

I'm dealing with a bunch of consultants hooking into the clients' networks wherever they go. They send mail under the envelope of [email protected] from wherever they are. It will be a nightmare to maintain such an SPF record.

SPF can only work where one can control exactly the SMTP servers users may use to send mail. But it will not work in most roving environments.

Most probably SMTP needs to be replaced - but who will dare do it? The amount of software available is tremendous, and many systems can't run without it.
 
@ kaspaas and pookfuzz

Thanks for clearing that up - it will also be impractical for us as well since most of our people frequently go overseas or work off-site.

Also, because it violates several RFCs (RFC1123, RFC974, RFC2821 according to Pookfuzz) I am now not willing to give it a go, but would rather implement a working solution which enhances the present system...

After all, if 100% of the world's email servers use the SMTP protocol, it'll be a nightmare (and also impractical) to try and enforce another standard, unless it can run in parallel with SMTP until such time that SMTP can be safely phased out.

I'm glad to report that, since implementing the greylisting feature on our firewall, my users are receiving 0% spam. There's about 1% that manages to slip through the greylisting, but the dspam filter catches these last few buggers and quarantines them. :D :D

So, at present, I'm a happy admin, my users are happy, and all seems well.

Though it's too early to say definitely about the effectiveness of the graylisting system, (it's been running for 2 days now) I will report back next week (after the weekend).

Regards

Unbeliever
 
Um, you guys have your heads up your asses you know that?

All SPF does is sit there on your DNS server; whenever a mail gets sent with [email protected], the mail server checks dumbasses.com to see if the mail is indeed from who it says it is, then attaches a header on the email telling whatever filter you use what it thinks you should do.

Then you're able to act accordingly. On a soft fail, you can still let the mail through; a hard fail means you can outright delete the mail because it definitely failed the check.

But yea, nobody is forcing you to use it. All I know is it works in cutting down on the assholes who send mail pretending to be from my own domains and spread viruses like that.
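The check AcidRaZor describes, as an added example (not his code, and not from any project in the thread): a small SPF evaluator in Python that walks a domain's v=spf1 record and returns pass, fail, softfail, neutral or none, followed by the receiving side's decision (hard fail rejected, soft fail let through but tagged for the filter). It covers the ip4, ip6, a, mx, include and all mechanisms with the four qualifiers; the redirect= and exp= modifiers and the ptr/exists mechanisms are left out. The zone below is constructed, in-memory stand-in data, not real DNS, and the `lookup` function stands in for a resolver.

```python
"""Minimal SPF (RFC 4408) evaluation over a constructed zone (added example)."""
import ipaddress

# Constructed records standing in for DNS answers; none of these are real zones.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailhost.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "v6.example": {"TXT": ["v=spf1 ip6:2001:db8::/32 -all"]},
    "nospf.example": {"TXT": ["just an ordinary TXT record"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 4408 caps DNS-querying mechanisms at 10 per check


def lookup(name, rtype):
    """Stand-in for a DNS query; answers only from the constructed ZONE."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None (SPF result 'none')."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def host_addresses(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def check_host(ip, domain, depth=0):
    """SPF result for connecting address `ip` using MAIL FROM domain `domain`.

    Terms are evaluated left to right; the first matching mechanism decides,
    and its qualifier (default '+') becomes the result.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:            # modifiers (redirect=, exp=) are not implemented here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # Network membership is False across address families, so an
            # ip4: mechanism can never match an IPv6 client and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in host_addresses(arg or domain)
        elif mech == "mx":
            matched = any(addr in host_addresses(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include: matches only when the referenced record yields 'pass';
            # its own softfail/fail/neutral simply falls through to the next term.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"     # ptr, exists and unknown mechanisms are out of scope
        if matched:
            return QUALIFIERS[qual]
    return "neutral"               # record exhausted with no match (no trailing 'all')


def action(result):
    """Receiving-side decision as described in the post: hard fail is rejected,
    soft fail is accepted but tagged for the spam filter, the rest is accepted."""
    if result == "fail":
        return "reject"
    if result in ("softfail", "permerror"):
        return "accept-and-tag"
    return "accept"


def received_spf_header(ip, domain):
    """Header line a filter such as dspam or SpamAssassin can score on."""
    result = check_host(ip, domain)
    return f"Received-SPF: {result} (client-ip={ip}; envelope-from={domain})"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.9", "example.com"), ("198.51.100.99", "example.com")]:
        print(received_spf_header(ip, dom), "->", action(check_host(ip, dom)))
```

Note the two evaluation details that trip people up in practice: an include: of a domain whose record ends in ~all contributes nothing to the parent (only a pass counts), and a record with no trailing all mechanism yields neutral rather than fail.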
 
AcidRaZor said:
Um, you guys have your heads up your asses you know that?
DITTO
kaspaas said:
I'm dealing with a bunch of consultants hooking into the client's networks wherever they go
Yes - it's called SMTP AUTH. Most local hosting companies have it available already on their systems, and there is only one very old version of Outlook Express that does not support it IIRC.
The_Unbeliever said:
Also because it violates several RFC's
That's funny, because SPF is RFC4408 - don't see how the IETF would approve a new RFC if they did not feel that it was completely valid and complied with any important RFCs that were still used...
 
Now how about a workstation (or workstations) which gets compromised and starts sending out spam on an SPF-enabled network?

Just asking... ;)
 