[vox-tech] Anyone running a mail server on a dynamic IP?
Brian Lavender
brian at brie.com
Tue Jun 22 12:09:15 PDT 2004
On Tue, Jun 22, 2004 at 04:19:03AM -0700, Rod Roark wrote:
> On Tuesday 22 June 2004 12:06 am, Brian Lavender wrote:
> > On Wed, Jun 16, 2004 at 10:15:18PM -0700, Rod Roark wrote:
> > > Seems like most of the spam that I (and thus LUGOD) are not
> > > successfully filtering out these days is from dynamic IPs -
> > > dialup, cable modem, and dynamic DSL.
> > >
> > > So I'm wondering if it's reasonable to refuse mail from
> > > servers that connect directly from a dynamic IP. Is anyone
> > > here running such a server? And if you are, are you finding
> > > that many sites are refusing your mail?
> > >
> > > Please reply off-list unless you think that what you have to
> > > say is of general interest. Also if you're not sure if your
> > > IP is considered dynamic, you can check it at
> > > "http://www.dnsbl.us.sorbs.net/cgi-bin/lookup?IP=".
> >
> > Well, consider this. You have a valid sender who is sending you email from
> > a dynamic IP. You would want to receive that email, right?!!
> >
> > The answer lies in SpamAssassin. I believe it scores on this blacklist.
> > SpamAssassin has been 100% effective with over 300+ spams in the last
> > 24+ hours!
>
> 100% is astounding. My experience with SA was nothing like
> that. But it has a huge number of options; how do you have
> it configured? What about false positives? Any idea how
> many unique spam sources are represented in those 300
> messages?
I piped my known good messages into a whitelist tool, plus the
Bayesian filtering is helping a lot. The RAZOR check and other
blacklist, RFC, open relays lists have helped as well. I know some of
this stuff requires that you have dependent PERL modules installed to
work. Admittedly, I just put this latest implementation into place this
last weekend. But, yes, no false positives thus far.

Also, here's a script that will add whitelist entries for people you
send mail to. This is a great idea I want to implement, because as you
say, false positives are a concern and this is a good way to
automatically get people on a whitelist.

http://www.estey.com/scripts/auto-whitelist.pl.txt

Here's a spam scoring from my current installation of SpamAssassin. You
can see it already has your dynamic IP listing. But I think the Bayes
scoring is working really well at the moment. I think it has to do with the
fact that I am on a lot of mailing lists, so it has a lot of ham to
base its analysis on.

Content analysis details:   (13.8 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 HTML_MESSAGE           BODY: HTML included in message
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.9 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.1 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
 0.5 FORGED_HOTMAIL_RCVD    Forged hotmail.com 'Received:' header found
 0.7 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?ip=218.135.214.75>]
 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?218.135.214.75>]
 2.6 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [218.135.214.75 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [218.135.214.75 listed in dnsbl.sorbs.net]
 1.1 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts
 0.7 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

>
> > The next question is, do you want to process this email? I
> > don't. That's why I have been testing SA-Exim. If it gets flagrant
> > spam from an IP, it can put in a temporary reject. Or, it can put in a
> > permanent reject. Or.... if it's really bad spam, you can teergrube it.
> > Or, say I do have a sender who does use mail server on a dynamic IP. I
> > can whitelist him and get his email.
> >
> > I am doing a talk on integrating SpamAssassin at the SMTP layer. The
> > implementation is SA-Exim. http://www.saclug.org/
>
> Well I use Postfix. I believe the rough equivalent with
> that would be something like amavisd-new which runs
> SpamAssassin "internally", using the "before queue content
> filter" which Postfix introduced with release 2.1. I don't
> know anyone who has tried this combination yet.
Well, does Postfix do the following?!!! This mail was rejected at the
SMTP layer. This way, the sender doesn't think he sent it. If the mail
had been accepted, it would have returned a code 500. If I had tried to
bounce this spam, it would have gone to some unknown domain "gandalf".

bash-2.05$ telnet pptp.brie.com 25
Trying 158.222.124.74...
Connected to pptp.brie.com.
Escape character is '^]'.
220 pptp ESMTP Exim 4.34 Tue, 22 Jun 2004 04:44:44 -0700
mail from: merlin at gandalf
250 OK
rcpt to: brian at pptp.brie.com
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: merlin at gandalf
To: merlin at gandalf
Subject: $$$ Make Money Fast $$$ !!!
viagra 100% GARANTEE AMAZING FULL REFUND
This is not spam
.
451 Please try again later
brian
--
Brian Lavender
http://www.brie.com/brian/
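
Added example, not part of the original message and not SA-Exim or SpamAssassin code: it re-adds the rule scores from the report above, shows how much the dynamic-IP listing contributes compared with the other rules, builds the DNSBL query name for the listed address, and maps a score to an SMTP-time reply. The function names, the thresholds in smtp_reply() and the 550 reply text are assumptions made for illustration.

```python
import re

# Rule lines copied from the SpamAssassin report in the message above.
REPORT = """\
0.1 HTML_MESSAGE BODY: HTML included in message
5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
0.9 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
0.1 BIZ_TLD URI: Contains a URL in the BIZ top-level domain
0.5 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found
0.7 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
2.6 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address
0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
0.7 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
"""

RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")


def parse_report(text):
    """Return [(tenths_of_a_point, rule, description)]; integers avoid float drift."""
    rows = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rows.append((round(float(m.group(1)) * 10), m.group(2), m.group(3)))
    return rows


def total(rows, skip=()):
    """Sum the score in points, leaving out any rule names listed in skip."""
    return sum(pts for pts, rule, _ in rows if rule not in skip) / 10


def dnsbl_query_name(ipv4, zone):
    """DNSBL lookups reverse the octets; an A record at this name means 'listed'."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone


def smtp_reply(score, whitelisted, temp_at=4.0, perm_at=10.0):
    """Pick the reply while the SMTP session is still open (hypothetical thresholds)."""
    if whitelisted or score < temp_at:
        return "250 OK"
    if score < perm_at:
        return "451 Please try again later"
    return "550 Rejected as spam"  # constructed reply text
```

With the dynamic-IP rule left out the message still scores 11.2 against a 4.0 threshold, and a whitelisted sender on a dynamic IP gets a 250 regardless of score, which is the case for scoring the listing instead of refusing on it outright.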