[BALUG-Admin] spam/UCE

Rick Moen rick@linuxmafia.com
Thu Sep 21 11:29:15 PDT 2017


Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> The exim4 + eximconfig configuration is pretty darn good about
> blocking spam ... but it's not quite 100%.

You can't get very close to 100%.  Doing so would work you as the admin
ragged, probably increase server load a lot (depending on how you did
it), and risk creating a (greater) false positive problem.  One of my
rules for living is 'If you find yourself trying to outwork bots, you're
solving the wrong problem.'

The nice thing about attempting to block particular patterns via Exim4
rulesets in contrast to spamd (SpamAssassin) ones is that they don't
chew up machine resources (RAM, CPU) as much as does the big, slow Perl
daemon that is spamd.  OTOH, SpamAssassin regexes are awfully expressive
and convenient.  As a rough rule of thumb, I try to use Exim4 tricks to 
reject 90+% of the attempted spam/junkmail/malware deliveries, and spamd
to sort out the remainder.  Basically, Exim-level processing does the
heavy lifting.  spamd does cleanup.

> Unsolicited Commercial Email (UCE) spam - from senders/businesses that
> might otherwise be/seem quite legitimate, but are sending email that's
> very much unsolicited, not confirmed opt-in, typically in violation of
> relevant regulations, etc. regarding anti-spam ... but they're sending
> anyway (they ought be hit by a clue-by-four).  And also not a
> "Joe job" - someone/something impersonating an otherwise legitimate
> sender (spoofed).  So ... for the few of those (I think about two thus
> far), I added their domains to be blocked by exim4 + eximconfig as spam.

At some potential cost in false positives, as I'm sure you are aware.

Ideally, those domains' legitimate operators would signal their
legitimate mail sender IPs using SPF or (ugh!) DMARC.  But as we know,
adoption of antiforgery technology will never be 100%, nor 100% correct.

> And the others ... sufficiently well constructed to make it past the
> spam filters, but most likely fly-by-night spam operations - e.g. buy
> up some cheap or ultra-cheap domain, set up some DNS/email infrastructure,
> and ... start spamming.  Not much to be done about those ... except,
> where they're yet another crud TLD I'd not already so added, added the
> TLD for explicit greylisting (e.g. TLD bid).

Excellent idea.

Greylisting works wonders because the spammers' motto is 'We do it
stupidly, but we make it up in volume.'  So, e.g., typically their bots
never follow up on SMTP 45x tempfails.  Why bother?  There's a whole
Internet full of target IPs to move on to.

Most new ICANN-blessed TLDs seem to originate zero legitimate mail, and
are used only for spam.  Somewhere I read a study about that, probably
one I noticed cited on NANOG.  

There's this, for starters:  https://www.spamhaus.org/statistics/tlds/

Just the other day, I got legit mail from a .law domain, from my late
mother's estate and trusts law firm -- but that was a rare exception.
Most of the new ones seem to be so close to 100% junk for SMTP that you
could justifiably add an Exim4 rule hardfailing everything purporting to
come from them, and you could _definitely_ greylist those.

The gentler but higher-cost in RAM/CPU approach would be to create a
spamd rule adding (say) 2.0 to spamicity for all such highly suspect
TLDs.

About callouts:  A few years ago, I mentioned the excellence of the
EximConfig callouts (formerly named callbacks) on Linux Users of
Victoria (Australia) main mailing list, and immediately drew operatic
objection from one guy, who claimed that the existence of callout
sessions in his MTA logs from linuxmafia.com meant that I was 'DoSing'
him, and (IIRC) threatened to list linuxmafia.com on a DNSBL.  I vaguely
recall that one such DNSBL exists. 

I attempted to placate the gentleman by pointing out that Exim4 with the
EximConfig rules doesn't do a callout _every_ time a claimed sender
domain is in arriving mail's envelope headers.  It caches results from 
prior callouts and uses those.  As you can imagine, he did not regard
this as sufficiently pure in approximating his notion of Right and Just
Behaviour, and I was left with attempting to politely agree to disagree
(which of course doesn't always work well on the Internet, either).

Antispam is a difficult topic to discuss on LUG mailing lists, because
it tends to draw perspective-challenged cranks and monomaniacs.  Also,
famously, antispam drives many people deeply associated with it more
than a little cranky and perhaps drives them a little around the bend.
I know SMTP operators who've made what they allege to be a measured
decision to use (IIRC) BGP rules to null-route all traffic arriving from
ASNs corresponding to all of China, Korea, and Africa.  Which strikes me
as breathtakingly judgemental, but Views Differ.[tm]

> Oh, random bit - I did see a very small percentage of list subscriber
> addresses that do callouts (as evidenced in the logs).

Yep, it's quietly becoming more common -- quietly because, if you talk
about doing it, even if you mention very infrequent occurrence on
account of using caching, 1/3 of the time there'll be someone who claims
you're a Bad Person who's DoSing everyone.

> And also, mailman has pretty good logs ... I don't have to worry too
> much about "oh, I just deleted all those spam emails ... what if I wanted
> to add some more anti-spam measure at SMTP time for them?" ... not an
> issue - can find most relevant bits about those held for moderation
> of post attempt from non-member in the mailman logs - at least for some
> reasonable period.

Log analysis of the Exim4 and Mailman logfiles is definitely your
friend.
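Added example, not code from the original message or from the EximConfig project: a small Python model of the greylisting decision described above (SMTP 451 tempfail on first sight from a greylisted TLD such as .bid, acceptance of a retry that comes back after a minimum delay) plus a tally of rejections by sender TLD over constructed Exim-style log lines. The TLD set, the delay values and the log lines are assumptions.

```python
import re
import time

# TLDs chosen for explicit greylisting; 'bid' is from the thread, the
# other two are constructed entries for this example.
GREYLIST_TLDS = {"bid", "top", "work"}
MIN_DELAY = 300        # seconds a sender must wait before retrying
GREYLIST_TTL = 86400   # seconds a first-seen triplet is remembered


class Greylist:
    """Greylist keyed on the (client IP, envelope sender, recipient) triplet."""

    def __init__(self):
        self._seen = {}  # triplet -> timestamp of first attempt

    def decide(self, ip, sender, rcpt, now=None):
        """Return (smtp_code, reason). 451 asks a real MTA to retry later;
        spam bots typically never do, which is the whole point."""
        now = time.time() if now is None else now
        tld = sender.rpartition(".")[2].lower()
        if tld not in GREYLIST_TLDS:
            return 250, "TLD not greylisted"
        key = (ip, sender.lower(), rcpt.lower())
        first = self._seen.get(key)
        if first is None or now - first > GREYLIST_TTL:
            self._seen[key] = now          # record first sighting
            return 451, "greylisted, try again later"
        if now - first < MIN_DELAY:
            return 451, "retry too soon"
        return 250, "retry after delay, accepted"


# Constructed Exim-style main log lines (not real server logs).
SAMPLE_LOG = """\
2017-09-21 10:01:02 H=(mx.promo.example.bid) [192.0.2.10] F=<deal@promo.example.bid> temporarily rejected RCPT <user@example.org>: greylisted
2017-09-21 10:02:30 H=(mx.promo.example.bid) [192.0.2.10] F=<deal@promo.example.bid> temporarily rejected RCPT <user@example.org>: greylisted
2017-09-21 10:15:44 H=mail.example.law [198.51.100.7] F=<estate@example.law> rejected RCPT <user@example.org>: listed in dnsbl
"""

# Envelope sender domain followed by a rejection (temporary or hard).
LOG_RE = re.compile(r"F=<[^@>]*@([^>]+)> (?:temporarily )?rejected RCPT")


def tally_by_tld(log_text):
    """Count rejected RCPT attempts per envelope-sender TLD."""
    counts = {}
    for m in LOG_RE.finditer(log_text):
        tld = m.group(1).rpartition(".")[2].lower()
        counts[tld] = counts.get(tld, 0) + 1
    return counts
```

Running the tally over a real Exim main log is how you would spot a TLD that deserves to move from greylisting to a hard reject, as the thread suggests.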
