[vox-tech] spam current events
Ryan
cjg5ehir02 at sneakemail.com
Sat Sep 2 10:31:21 PDT 2006
On Thursday 31 August 2006 04:32 pm, p-at-dirac.org (Peter Jay Salzman)
|lugod| wrote:
> On Thu 31 Aug 06, 2:47 PM, Rod Roark <rod at sunsetsystems.com> said:
> > On Thursday 31 August 2006 13:51, Peter Jay Salzman wrote:
> > > i'm getting hammered with email containing text designed to trick
> > > bayesian filters....
> >
> > I think content filtering is almost a waste of time. As you see,
> > spammers can always design content that gets past the filters. What
> > else are you doing to combat spam?
>
> I'm using a multi-tiered approach. You'd be surprised at the most
> effective (for me) anti-spam measures.
>
> # By default, smtpd_client_restrictions is applied at the RCPT TO
> # command. To have the restriction take effect ASAP, do this (may cause
> # unexpected results with poorly implemented client software):
> #
> smtpd_delay_reject = yes
I've seen people say that a multiline greet also confuses some spamware.
> reject_rbl_client cbl.abuseat.org
> reject_rbl_client sbl.spamhaus.org,
You ought to replace these two with sbl-xbl.spamhaus.org, which imports CBL.
> You'd be shocked at the effectiveness of rejecting email that says it comes
> from "dirac.org" or email that doesn't have a valid fqdn sender.
>
> The rules prefixed by '*' are _extremely_ effective. Also, this catches
> most viruses (you most likely use the same thing):
>
>
> /^TVqQAAMAAAAEAAAA\/\/8AALg/ REJECT win32 executable attachments are not accepted here.
>
> /^(Wk|TV)..............\/\// REJECT DOS executable attachments are not accepted.
>
> /^UEsDBAoAA/ REJECT Zip file attachments are not accepted; use bzip2 (.bz2) or gzip (.gz) instead.
>
>
> and lastly, these are HIGHLY effective too:
>
>
> dirac.org REJECT You are not in dirac.org (1). Go away, spammer.
> www.dirac.org REJECT You are not in dirac.org (2). Go away, spammer.
> mail.dirac.org REJECT You are not in dirac.org (3). Go away, spammer.
> localhost REJECT You are not my localhost (4). Go away, spammer.
> 192.168.0.1 REJECT You are not in dirac.org (5). Go away, spammer.
Yeah, I get boatloads of spammers claiming to be my servers in helo too.
> I also use this to filter out bogus virus messages. This really saves me a
> lot of stress when the new MS virus du jour comes out. It goes into
> "checks_header"
>
> http://www.t29.dk/header_check_notes.php
>
> I also drop companies that I did business with and who *relentlessly*
> spammed me afterwards after repeated pleas for them to stop. Two companies
> that come to mind are:
>
> vermontteddybear.com
> cdrom2go.com
>
> They get REJECTed for persistently spamming me.
I use sneakemail for dealing with companies on the internet. It has the nice
effect of allowing me to track who's whoring out my address. Setting up a
catch-all address scheme can similarly be used, but I'd rather just not have
to deal with the email after I decide to deactivate an address.
> All this stuff is done at the MTA level, so no delivery is attempted. If a
> spam does get through, and this is *exceedingly* rare, it has to contend
> with bogofilter, spamassassin, and procmail, in that order.
>
> I can, literally, go months before spam reaches my inbox. I've totally
> forgotten what it was like to even get spam, which is why the
> "image001.gif" thing was so distressing. I forgot what spam was like.
>
> If you're interested, I can compile a more comprehensive list including all
> the nitty gritty details of my various Postfix files, procmail filters,
Take a look at the imageinfo spamassassin plugin and the SARE rulesets.
People have reported good results with these.
--
Ryan Castellucci - http://ryanc.org/
GPG Key: http://ryanc.org/files/publickey.asc
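To show why the body_checks rules quoted above work, here is an added Python example (not from the thread and not Postfix's own code) that applies the same three patterns to constructed first lines of base64-encoded attachments; the sample byte sequences and the function names are my own.

```python
import base64
import re

# The three body_checks rules from the thread, translated from Postfix's
# slash-delimited pcre: syntax into Python regexes (so "\/" becomes "/").
BODY_CHECKS = [
    (re.compile(r"^TVqQAAMAAAAEAAAA//8AALg"),
     "win32 executable attachments are not accepted here."),
    (re.compile(r"^(Wk|TV)..............//"),
     "DOS executable attachments are not accepted."),
    (re.compile(r"^UEsDBAoAA"),
     "Zip file attachments are not accepted; use bzip2 (.bz2) or gzip (.gz) instead."),
]

def check_body_line(line):
    """Apply the rules to one body line as body_checks does: first match
    wins; returns its REJECT text, or None when the line is clean."""
    for pattern, reason in BODY_CHECKS:
        if pattern.search(line):
            return reason
    return None

def first_base64_line(data, width=76):
    """The first line a MIME encoder emits for a base64 attachment. This is
    the only line the rules can hit: they are anchored at line start and
    spell out the file's leading bytes ("TV" is base64 for "MZ")."""
    return base64.b64encode(data).decode("ascii")[:width]

# Constructed samples (no real malware): the standard DOS stub that opens a
# Win32 PE file, a DOS executable with the alternate "ZM" signature, and ZIP
# local headers for a stored entry (version needed 1.0 = 0x0a, method 0)
# and a deflated entry (2.0 = 0x14, method 8).
PE_DOS_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b8000000")
ZM_DOS_HEADER = b"ZM" + b"\x00" * 10 + b"\xff\xff" + b"\x00" * 6
ZIP_STORED = b"PK\x03\x04\x0a\x00\x00\x00\x00\x00" + b"\x00" * 20
ZIP_DEFLATED = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20

def verdicts():
    """Run each sample through the rules; maps sample name to REJECT text.
    Note the deflated zip ("UEsDBBQA...") is not caught by the thread's
    pattern, which only covers stored (uncompressed) first entries."""
    samples = {
        "pe": first_base64_line(PE_DOS_HEADER),
        "zm": first_base64_line(ZM_DOS_HEADER),
        "zip_stored": first_base64_line(ZIP_STORED),
        "zip_deflated": first_base64_line(ZIP_DEFLATED),
    }
    return {name: check_body_line(line) for name, line in samples.items()}
```

Running verdicts() shows the PE and ZM stubs and the stored zip rejected with the thread's messages, while the deflated zip passes, so the zip rule has less coverage than its wording suggests.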