[vox-tech] spam current events

Peter Jay Salzman p at dirac.org
Thu Aug 31 16:32:50 PDT 2006


On Thu 31 Aug 06,  2:47 PM, Rod Roark <rod at sunsetsystems.com> said:
> On Thursday 31 August 2006 13:51, Peter Jay Salzman wrote:
> > I'm getting hammered with email containing text designed to trick bayesian
> > filters....
> 
> I think content filtering is almost a waste of time.  As you see, 
> spammers can always design content that gets past the filters.  What
> else are you doing to combat spam?
I'm using a multi-tiered approach.  You'd be surprised at the most effective
(for me) anti-spam measures.




   # By default, smtpd_client_restrictions is applied at the RCPT TO command.
   # To have the restriction take effect ASAP, do this (may cause unexpected
   # results with poorly implemented client software):
   #
   smtpd_delay_reject = yes

   # Require the HELO (or EHLO) command, and disable VRFY.
   #
   smtpd_helo_required = yes
   disable_vrfy_command = yes

   body_checks = pcre:/etc/postfix/checks_body

   # This restricts what clients this system accepts SMTP connections from.
   # ORDER IMPORTANT!!!
   #
   smtpd_client_restrictions =
      check_client_access hash:/etc/postfix/whitelist,
*     reject_invalid_hostname,
*     reject_non_fqdn_hostname,
*     reject_non_fqdn_sender,
*     reject_non_fqdn_recipient,
*     reject_unknown_sender_domain,
*     reject_unknown_recipient_domain,
      permit_mynetworks,
      reject_unauth_destination,
      check_helo_access hash:/etc/postfix/checks_helo,
      reject_rbl_client bl.spamcop.net,
      reject_rbl_client list.dsbl.org,
      reject_rbl_client relays.ordb.org,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client opm.blitzed.org,
      reject_rbl_client dul.dnsbl.sorbs.net,
      permit

   header_checks = regexp:/etc/postfix/checks_header

   smtpd_data_restrictions =
      reject_unauth_pipelining,
      permit



You'd be shocked at the effectiveness of rejecting email that says it comes
from "dirac.org" or email that doesn't have a valid fqdn sender.

The rules prefixed by '*' are _extremely_ effective.  Also, this catches
most viruses (you most likely use the same thing):


   /^TVqQAAMAAAAEAAAA\/\/8AALg/  REJECT
      win32 executable attachments are not accepted here.

   /^(Wk|TV)..............\/\//  REJECT
      DOS executable attachments are not accepted.

   /^UEsDBAoAA/                  REJECT
      Zip file attachments are not accepted; use bzip2 (.bz2) or gzip
      (.gz) instead.


and lastly, these are HIGHLY effective too:


   dirac.org      REJECT You are not in dirac.org (1).  Go away, spammer.
   www.dirac.org  REJECT You are not in dirac.org (2).  Go away, spammer.
   mail.dirac.org REJECT You are not in dirac.org (3).  Go away, spammer.
   localhost      REJECT You are not my localhost (4).  Go away, spammer.
   192.168.0.1    REJECT You are not in dirac.org (5).  Go away, spammer.


I also use this to filter out bogus virus messages.  This really saves me a
lot of stress when the new MS virus du jour comes out.  It goes into
"checks_header".

   http://www.t29.dk/header_check_notes.php

I also drop companies that I did business with and who *relentlessly*
spammed me afterwards after repeated pleas for them to stop.  Two companies
that come to mind are:

   vermontteddybear.com
   cdrom2go.com

They get REJECTed for persistently spamming me.

Then of course, I use a number of RBLs that you see above.

All this stuff is done at the MTA level, so no delivery is attempted.  If a
spam does get through, and this is *exceedingly* rare, it has to contend
with bogofilter, spamassassin, and procmail, in that order.

I can, literally, go months before spam reaches my inbox.  I've totally
forgotten what it was like to even get spam, which is why the "image001.gif"
thing was so distressing.  I forgot what spam was like.

If you're interested, I can compile a more comprehensive list including all
the nitty gritty details of my various Postfix files, procmail filters, etc.

Pete

ps- BTW, I confirmed that this is indeed some kind of MS virus, but there
doesn't seem to be a whole lot known about it currently.  At least, nothing
I read after a quick Googling.


-- 
The Buddha, the Godhead, resides quite as comfortably in the circuits of a
digital computer or the gears of a cycle transmission as he does at the
top of a mountain or in the petals of a flower.  To think otherwise is to
demean the Buddha, which is to demean oneself.   -- Robert M. Pirsig

Peter Jay Salzman, email: p at dirac.org web: http://www.dirac.org/p
PGP Fingerprint: B9F1 6CF3 47C4 7CD8 D33E  70A9 A3B9 1945 67EA 951D

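An added example, not part of Pete's post or of Postfix itself, showing what the three body_checks patterns in the post actually match: each literal is simply the base64 encoding of a file's leading bytes, so the rule fires on the first line of a base64-encoded MIME part. The sample headers below are constructed byte strings, not real attachments; the script also shows that a deflate-compressed ZIP (local header version 2.0, which encodes as UEsDBBQA) is not matched by the ^UEsDBAoAA rule, which only covers stored (version 1.0) archives.

```python
import base64
import re

# The three body_checks patterns from the post, translated to Python regexes.
# Postfix applies body_checks line by line, so ^ is the start of a base64 line,
# i.e. the start of a 3-byte group of the decoded attachment.
BODY_CHECKS = [
    (re.compile(r"^TVqQAAMAAAAEAAAA//8AALg"), "win32 executable"),
    (re.compile(r"^(Wk|TV)..............//"), "DOS executable"),  # ZM or MZ stub
    (re.compile(r"^UEsDBAoAA"), "zip file"),
]


def first_b64_line(payload: bytes, width: int = 76) -> str:
    """Encode like a MIME base64 encoder and return the first line (RFC 2045 wraps at 76)."""
    return base64.b64encode(payload).decode("ascii")[:width]


def classify(line: str):
    """Return the label of the first body_checks rule matching a base64 line, else None."""
    for pattern, label in BODY_CHECKS:
        if pattern.search(line):
            return label
    return None


def signature_bytes(b64_prefix: str) -> bytes:
    """Decode the literal prefix of a rule to the raw file bytes it stands for."""
    padded = b64_prefix + "A" * (-len(b64_prefix) % 4)  # pad to a whole 3-byte group
    return base64.b64decode(padded)


# Constructed sample attachments (leading bytes only, not real files).
# Standard MS-DOS stub header as written by Microsoft linkers (e_cblp=0x90,
# e_cp=3, e_cparhdr=4, e_maxalloc=0xFFFF, e_sp=0xB8, e_lfarlc=0x40):
PE_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000")
# ZIP local file header, version needed 1.0 (stored entry), flags 0:
ZIP_STORED = bytes.fromhex("504b03040a000000") + b"\x00" * 22
# ZIP local file header, version needed 2.0 (deflated entry), flags 0:
ZIP_DEFLATE = bytes.fromhex("504b030414000000") + b"\x00" * 22
# A harmless text attachment:
TEXT = b"Hello, this is a plain text attachment.\n"

if __name__ == "__main__":
    print("rule 1 literal decodes to:", signature_bytes("TVqQAAMAAAAEAAAA//8AALg"))
    for name, data in [("PE", PE_HEADER), ("zip/stored", ZIP_STORED),
                       ("zip/deflate", ZIP_DEFLATE), ("text", TEXT)]:
        print(f"{name:12s} {first_b64_line(data)[:24]:24s} -> {classify(first_b64_line(data))}")
```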
