[BALUG-Admin] spam/UCE

Michael Paoli Michael.Paoli@cal.berkeley.edu
Thu Sep 21 04:19:22 PDT 2017


The exim4 + eximconfig configuration is pretty darn good about
blocking spam ... but it's not quite 100%.

And ... bad bots, etc., have already started to pick up the
@temp.balug.org list posting addresses - no surprise there,
and I'm sure they'll likewise also pick up @lists.balug.org -
and/or already have those addresses from earlier.

So ... fortunately has been quite low volume :-) ... but there has
been some spam/UCE making it through exim4 + eximconfig to the
list posting addresses (and then held for moderation as "post" from
non-member).  Have reviewed those, and ... heck no, haven't added 'em
to Mailman's automatic rejection (that would be relatively uselessly
"too late" (post-SMTP)) ... but did make some selective additions
in the exim4 + eximconfig configuration.

Most notably, the wee bit 'o spam/UCE that had made it through to list
posting addresses, seemed to fit roughly in 2 general categories (at
least from that seen thus far):

Unsolicited Commercial Email (UCE) spam - from senders/businesses that
might otherwise be/seem quite legitimate, but are sending email that's
very much unsolicited, not confirmed opt-in, typically in violation of
relevant regulations, etc. regarding anti-spam ... but they're sending
anyway (they ought be hit by a clue-by-four).  And also not a
"Joe job" - someone/something impersonating an otherwise legitimate
sender (spoofed).  So ... for the few of those (I think about two thus
far), I added their domains to be blocked by exim4 + eximconfig as spam.

And the others ... sufficiently well constructed to make it past the
spam filters, but most likely fly-by-night spam operations - e.g. buy
up some cheap or ultra-cheap domain, set up some DNS/email infrastructure,
and ... start spamming.  Not much to be done about those ... except,
where they're yet another crud TLD I'd not already so added, added the
TLD for explicit greylisting (e.g. TLD bid).  That doesn't necessarily stop
spam from those, but ends up thwarting a quite large percentage of them -
while also letting through any (theoretical) legitimate email - without
too much additional burden/delay on sender (e.g. one would think .xzy is
utter cr*p, ... but I know of one person that legitimately has and
uses such a domain ... perhaps not at all for email, but ... at least
hypothetically).  So ... all those "crud" domains ... (and spammy
country code TLDs, etc.), generally inclined to treat 'em with additional
scrutiny (notably also adding greylisting), but not absolutely outright
block/reject 'em.  Also, might not / probably wouldn't be a good idea,
but could also add additional layer of requiring callouts on those too ...
but that could be a bad thing - even for such highly suspect domains -
so not even seriously considering it at this time.

I might also do some blanket adding of "crud" TLDs for additional
checks (notably greylisting).  So far I've based it upon what
eximconfig gave as default starting point, plus some adjustments
notably for those I've never seen send a legitimate email but I see
(notably elsewhere) sending plenty of spam (enough for me to recall
and groan about thinking of the TLD, without even looking over
spam collection details/stats).

Oh, random bit - I did see a very small percentage of list subscriber
addresses that do callouts (as evidenced in the logs).

And also, mailman has pretty good logs ... I don't have to worry too
much about "oh, I just deleted all those spam emails ... what if I wanted
to add some more anti-spam measure at SMTP time for them?" ... not an
issue - can find most relevant bits about those held for moderation
of post attempt from non-member in the mailman logs - at least for some
reasonable period.
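The following is an added illustration, not code from the post, from exim4 or from eximconfig: a small Python model of the SMTP-time policy described above (reject a short list of persistent UCE sender domains, greylist rather than block senders from "crud" TLDs, accept everything else), followed by a pass over held-post log lines of the kind the post says Mailman keeps. The domain and TLD lists, the timing constants, and the log lines are constructed placeholders; the Mailman 2 "vette" log shape is approximated and may differ on a real system.

```python
"""Added example: SMTP-time sender policy with per-TLD greylisting, plus a
review of held non-member posts to spot TLDs worth adding to the greylist.
Not the BALUG configuration; all lists and samples below are constructed."""
import re
from collections import Counter

# Constructed placeholder lists (assumptions, not the real eximconfig data).
BLOCKED_DOMAINS = {"uce-sender.example"}   # legitimate-looking but persistent UCE senders
GREYLIST_TLDS = {"bid", "xyz"}             # "crud" TLDs: extra scrutiny, not outright rejection
GREYLIST_MIN_RETRY = 300                   # seconds before a retried delivery is accepted
GREYLIST_RECORD_TTL = 4 * 3600             # seconds a (client_ip, sender, recipient) record lives


def sender_domain(address):
    """Domain part of an envelope sender address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def tld_of(domain):
    """Last label of a domain name, e.g. 'bid' for 'cheap-offer.bid'."""
    return domain.rsplit(".", 1)[-1]


class Greylist:
    """Classic triplet greylisting: the first contact from a given
    (client_ip, sender, recipient) is deferred with a temporary failure;
    a retry after the minimum delay, before the record expires, is accepted.
    Real mail servers retry; most fly-by-night spam infrastructure does not."""

    def __init__(self):
        self.first_seen = {}   # triplet -> timestamp of first contact

    def check(self, triplet, now):
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > GREYLIST_RECORD_TTL:
            self.first_seen[triplet] = now   # new or stale record: start the clock
            return "defer"
        if now - seen < GREYLIST_MIN_RETRY:
            return "defer"                   # retried too quickly, keep deferring
        return "accept"


def smtp_policy(sender, recipient, client_ip, now, greylist):
    """Return 'reject', 'defer' or 'accept' for one delivery attempt at SMTP time."""
    domain = sender_domain(sender)
    if domain in BLOCKED_DOMAINS:
        return "reject"                      # permanent refusal for known UCE domains
    if tld_of(domain) in GREYLIST_TLDS:
        return greylist.check((client_ip, sender.lower(), recipient.lower()), now)
    return "accept"


# Constructed lines in the general shape of Mailman 2 "vette" log entries for
# posts held because the sender is not a member; exact real-world format may differ.
SAMPLE_VETTE_LOG = """\
Sep 20 10:01:02 2017 (3141) balug-test post from promo@uce-sender.example held, message-id=<a1@uce-sender.example>: Post by non-member to a members-only list
Sep 20 11:15:40 2017 (3142) balug-test post from deals@cheap-offer.bid held, message-id=<b2@cheap-offer.bid>: Post by non-member to a members-only list
Sep 21 02:07:19 2017 (3150) balug-test post from win@lucky-draw.top held, message-id=<c3@lucky-draw.top>: Post by non-member to a members-only list
Sep 21 03:30:00 2017 (3151) balug-test post from alice@example.org held, message-id=<d4@example.org>: Post by non-member to a members-only list
"""

HELD_RE = re.compile(r" post from (\S+@\S+) held,")


def held_senders_by_tld(log_text):
    """Count held non-member posts per sender TLD, so TLDs that slipped past the
    SMTP-time checks can be reviewed for greylisting without the rejected mail itself."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HELD_RE.search(line)
        if m:
            counts[tld_of(sender_domain(m.group(1)))] += 1
    return counts


def tlds_not_yet_greylisted(log_text):
    """TLDs seen among held posts that are not already on the greylist list."""
    return sorted(t for t in held_senders_by_tld(log_text) if t not in GREYLIST_TLDS)


if __name__ == "__main__":
    g = Greylist()
    rcpt, ip = "balug-test@lists.balug.org", "192.0.2.10"
    for t in (0, 120, 400):
        print(t, smtp_policy("deals@cheap-offer.bid", rcpt, ip, t, g))
    print(held_senders_by_tld(SAMPLE_VETTE_LOG))
    print("candidates for greylisting:", tlds_not_yet_greylisted(SAMPLE_VETTE_LOG))
```

The greylist keeps accepting a triplet until its record expires, so a legitimate sender pays the retry delay once, not on every message; the log review deliberately reports counts per TLD rather than individual addresses, since the post's point is that decisions are made at TLD or domain granularity before SMTP completes, not per message after the fact.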
