[vox-tech] The Great Spam Investigation
Ryan
vox-tech@lists.lugod.org
Sun, 25 Apr 2004 17:02:23 -0700
On Sunday 25 April 2004 09:24 am, p-at-dirac.org (Peter Jay Salzman) |lugod| wrote:
> Raw Data
> ========
>
> I) SMTP Conversation Dropped Before Spam Gets Delivered
>
> A) HELO rejected
>
> 1. Sender claimed he was "dirac.org" or "localhost": 51
> 2. RBL: bl.spamcop.net: 179
> 3. RBL: list.dsbl.org: 20
> 4. RBL: relays.ordb.org: 0
> 5. RBL: cbl.abuseat.org: 7
> 6. RBL: sbl.spamhaus.org: 0
> 7. RBL: opm.blitzed.org: 0
> 8. RBL: dul.dnsbl.sorbs.net: 3
Pete, I recommend you replace cbl.abuseat.org, opm.blitzed.org and
sbl.spamhaus.org with sbl-xbl.spamhaus.org.
sbl-xbl.spamhaus.org includes all hosts from those three RBLs.
See http://www.spamhaus.org/xbl/index.lasso
> Spams will include bounce messages due to viruses forging their headers to
> make it look like they're from dirac.org, as well as the uhhh.... "helpful"
> messages I get from hosts that tell me that "my" email was not delivered
> because it contained a virus. I consider the idiotic administrators of
> these systems to be another source of unwanted email, and therefore, not
> much different from UCE. Honestly, this is a DOS waiting to happen.
> Sheesh.
I feel your pain, these annoy me as well. The virus scanner (qmail-scanner +
clamav) we run on our mail gateway at work is configured (by default, even)
only to send a notification to the sender when the message is blocked because
of a policy signature (mostly checks for broken headers).
The dilemma here is that virus scanners _DO_ get false positives, and having
your mail fall into a black hole kinda sucks. The best way to solve this
problem is to have the virus scanner check the message before the destination
MTA tells the source MTA that the message was accepted. If it's a virus,
reject it during the SMTP conversation. Though I feel this is the best
solution, it does still have a problem. Some sites use MTAs that do relay the
destination MTA's reason for rejecting the message to the user, so you get
people wondering why mail bounced.
Any mail that an MTA isn't going to deliver should be bounced by rejecting it
during the SMTP conversation.
(now I have to set up the virus scanner at work to do this)
> Total emails sent to dirac.org: 386
>
> Total spams sent to dirac.org: 367
>
> Total spams caught 355
>
> Total spam caught by Postfix: 347
> Total spam caught by RBL: 209
> Total spam caught by Bogofilter: 7
> Total spam caught by procmail: 1
>
> Total spams uncaught 12
>
> Total "real" email delivered: 19
>
> Email that is spam: 95%
> Email that is not spam: 5%
>
> Spam caught before delivered to MTA: 95%
> Spam caught before delivered to inbox: 97%
> Spam delivered to my inbox: 3% <-- what I care about
>
> Spam caught by RBLs: 57% <-- nice!
> Spam claiming it came from "me": 15%
> Spam with improper SMTP envelope: 18%
> Spam giving non-existent domain in SMTP envelope: 2% <-- dumbest of the dumb
>
> Conclusions
> ===========
>
> First, I knew that I had a high spam to email ratio, but I was shocked
> to see that my spam to ham ratio was 20 to 1.
I see around 80% spam across the domains we filter mail for at work.
> Second, I'm quite pleased with the results. Postfix along with RBLs
> shot down most of the crud. Only a very small trickle passed through.
> I'm convinced more than ever that Postfix + RBL is the way to go for
> spam control. This is more preferable than relying on spam assassin,
> bogofilter and procmail as a first line of defense, since they sap up
> more system resources.
Yeah, RBLs smite a surprisingly large amount of spam.
> As a last note, I'm nearly certain that if I had spam assassin installed on
> dirac.org, my total spam delivered count would've been truly, truly zero.
SpamAssassin isn't perfect. It misses stuff once in a while, though custom
rules can help. I've seen some spam sneak past spamassassin with less than
one point (though bayesian filtering is turned off), though this is not
common...
--
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90 34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
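The SMTP-time policy the thread describes (drop the session on a forged HELO or a DNSBL hit, instead of accepting and bouncing later), written out as an added example that is not part of the original post. The zone list, the HELO names and the listing table are constructed from the figures quoted above; `resolve` is injected so the code runs offline, and the 127.0.0.x return-code convention is an assumption to be checked against each list's documentation.

```python
"""SMTP-time reject decision: HELO sanity check first, then DNSBL lookups."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Zones from the thread; sbl-xbl replaces cbl/opm/sbl as the reply suggests.
DNSBL_ZONES = ["sbl-xbl.spamhaus.org", "bl.spamcop.net", "list.dsbl.org"]
# HELO names that only this host may legitimately use (constructed from the post).
LOCAL_HELO_NAMES = {"dirac.org", "localhost"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects, e.g. 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_connection(client_ip: str, helo: str,
                     resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return a 5xx reject line, or None to let the SMTP session continue.
    `resolve(name)` returns the A record as a string, or None for NXDOMAIN."""
    if helo.lower() in LOCAL_HELO_NAMES:
        return f"554 5.7.1 HELO {helo} rejected: that name is mine"
    for zone in DNSBL_ZONES:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        # Assumption: listed hosts answer in 127.0.0.0/8 (Spamhaus-style codes).
        if answer is not None and answer.startswith("127.0.0."):
            return f"554 5.7.1 Client {client_ip} listed in {zone}"
    return None


# Constructed listing table standing in for real DNS (TEST-NET addresses).
_LISTED: Dict[str, str] = {
    "10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",  # constructed XBL hit
    "7.100.51.198.bl.spamcop.net": "127.0.0.2",      # constructed spamcop hit
}


def fake_resolve(name: str) -> Optional[str]:
    return _LISTED.get(name)


def triage(sessions: List[Tuple[str, str]],
           resolve: Callable[[str], Optional[str]] = fake_resolve) -> Dict[str, int]:
    """Tally (client_ip, helo) sessions the way the quoted raw data does."""
    tally = {"helo_rejected": 0, "rbl_rejected": 0, "accepted": 0}
    for ip, helo in sessions:
        verdict = check_connection(ip, helo, resolve)
        if verdict is None:
            tally["accepted"] += 1
        elif "HELO" in verdict:
            tally["helo_rejected"] += 1
        else:
            tally["rbl_rejected"] += 1
    return tally
```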