[vox-tech] postgrey is dangerous?

Tony Cratz cratz at hematite.com
Sun Jun 29 16:17:38 PDT 2008


Larry Ozeran wrote:
> Hi,
> 
> I have used a web host based in North Carolina for many years. I recently upgraded from a shared server to a dedicated server and I was hoping to be able to install some SPAM fighting tools. The SPAM software they provide is limited to white listing and black listing and I am now receiving huge volumes of it. I am a part time programmer, not familiar with networks or email servers, but I am tired of huge volumes of SPAM. I reviewed various sites and felt that installing postgrey might give me substantial SPAM reduction with minimal challenges. When I asked my host about installing it, I was told:
> "After further investigation I was able to verify that the request was denied.
> It was specified that this software would be unsafe to run on the server environments run within our network.
> This is per our Systems Administrators."
> 
> After going around with them twice, I don't have what I feel is an adequate answer. Any thoughts on why someone might think that postgrey is "unsafe"? Better yet, any strategies for countering this thinking?
> 
>  = = system info - yes the versions are old, but that's not my host's excuse for the denial and they can be updated now that I am on a dedicated server
> Operating System: Redhat Linux
> Kernel Version: 2.4.26
> Apache/PHP Version: Apache/1.3.34 (Unix) filter/1.0 PHP/4.4.4
> Perl Version: v5.6.0
> MySQL Version: 3.23.33
> Sendmail Version: 8.12.10
> 
> Thanks for any suggestions or clarifications.


	I did a couple of quick searches and found a couple of things.
	There was a security DoS (Denial of Service) issue in the 2006
	time frame with Postgrey 1.21. On Debian systems there was a
	patch which fixed the problem (I did not see any patch for
	Red Hat).

	The current version of Postgrey is 1.31 with a timestamp of
	9/2007.

	With the above there is a good chance the DoS issue has
	been solved.

	Now let's quickly take a look at how Postgrey works. If the
	message the SMTP server receives is the first connection of
	a message, it is TEMPFAIL rejected (meaning it must be attempted
	again before the message is accepted).

	Now one might ask, why do this? At one time some of the spammers
	would only attempt to send a message once, and if they received
	a TEMPFAIL they would drop the message, thus reducing the
	amount of SPAM a site might receive from a spammer.

	PLEASE NOTE: This was before the use of zombie networks. Now
	they have the zombies send the message, and they don't care if
	the zombies get a TEMPFAIL, as the message is not sitting on
	the spammer's machine but maybe on the zombie system, or more
	likely it is sitting on the ISP of the witless user of the
	zombie system.

	So the bottom line is, using Postgrey now is just a waste of
	computer resources and time. As for it currently being a
	security issue, I can't find anything to suggest this is
	still true. But your ISP may be using it as an excuse to
	not waste their time setting it up, or they may not be using
	Postfix (which is required for Postgrey). They could be using
	Sendmail, Qmail or Exim.

	Are there better solutions? I know a lot of people are using
	mimedefang + SpamAssassin + ClamAV to reduce the amount of
	SPAM and viruses. Can you stop all SPAM using these methods?
	NO. Can you reduce the SPAM? Yes. Are there other things which
	can be done also? Yes, you can use DNS blacklists such as
	Spamhaus and SpamCop. Again, these only help to reduce the
	SPAM.


	The only way to possibly stop SPAM is to rewrite all of the
	RFCs dealing with mail and require each client to certify who
	they are so the true path cannot be hidden and the spammers
	could be traced. Note: This really would not fully solve the
	problem but would allow the message to be traced back to the
	zombie system a lot faster. But zombie networks could still be
	used. It would just require a new one to be set up, which would
	take time. I also make note of a news article from last year
	(sorry I don't have the link any more) about a system installer
	who worked out of the US setting up systems for the customers
	of the company he worked for (kind of like the Geek Squad of
	Best Buy), who installed the software to turn the systems
	into zombie servers.

	I hope this gives you some more info.


							Tony
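The greylisting behaviour Tony describes above (first delivery attempt gets a temporary failure, a retry after the delay is let through, a sender that never retries is never accepted), as an added example that is not part of the original post and not Postgrey's own code. It speaks the Postfix policy-delegation request format (name=value lines ended by a blank line) and answers with DEFER_IF_PERMIT or DUNNO the way a policy server would. The 300-second delay, the /24 keying of IPv4 clients and the sample requests are assumptions made here for illustration, not values taken from the post or from Postgrey's documentation:

```python
"""Minimal greylisting policy in the style of a Postfix policy server.

Assumptions (not from the original post or from Postgrey): GREYLIST_DELAY,
the /24 (IPv4) and /64 (IPv6) keying, and the sample requests below are
chosen here for illustration.
"""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

GREYLIST_DELAY = 300  # seconds a sender must wait before a retry is accepted (assumed)


def parse_policy_request(blob: str) -> Dict[str, str]:
    """Parse one Postfix policy request: 'name=value' lines ended by a blank line."""
    attrs: Dict[str, str] = {}
    for line in blob.splitlines():
        if not line.strip():
            break  # blank line terminates the request
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def greylist_key(attrs: Dict[str, str]) -> Tuple[str, str, str]:
    """Triplet (client network, sender, recipient).

    IPv4 clients are keyed by /24 so a retry from a neighbouring host in the
    same sending farm still matches the first attempt (assumed policy).
    """
    ip = ipaddress.ip_address(attrs["client_address"])
    prefix = 24 if ip.version == 4 else 64
    net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return (net, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


@dataclass
class Greylist:
    delay: int = GREYLIST_DELAY
    clock: Callable[[], float] = time.time          # injectable for testing
    first_seen: Dict[Tuple[str, str, str], float] = field(default_factory=dict)

    def check(self, blob: str) -> str:
        """Return the policy action line for one request."""
        attrs = parse_policy_request(blob)
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO"  # not an SMTP access query; let other rules decide
        key = greylist_key(attrs)
        now = self.clock()
        seen = self.first_seen.get(key)
        if seen is None:
            # First contact: remember the triplet and ask the sender to retry.
            self.first_seen[key] = now
            return "action=DEFER_IF_PERMIT Greylisted, try again later"
        if now - seen < self.delay:
            # Retried too soon: still a temporary failure.
            return "action=DEFER_IF_PERMIT Greylisted, try again later"
        # Retried after the delay: a real MTA queues and retries, so let it in.
        return "action=DUNNO"


def _request(client: str, sender: str, recipient: str) -> str:
    # Constructed sample request, not captured traffic.
    return (
        "request=smtpd_access_policy\n"
        "protocol_state=RCPT\n"
        f"client_address={client}\n"
        f"sender={sender}\n"
        f"recipient={recipient}\n"
        "\n"
    )


LEGIT = _request("192.0.2.10", "alice@example.org", "bob@example.net")
LEGIT_RETRY = _request("192.0.2.11", "alice@example.org", "bob@example.net")  # same /24
SPAM = _request("203.0.113.77", "promo@example.com", "bob@example.net")


def simulate() -> Dict[str, str]:
    """Walk a legitimate MTA and a fire-and-forget spammer through the greylist."""
    now = [1_000_000.0]
    g = Greylist(clock=lambda: now[0])
    results = {}
    results["legit_first"] = g.check(LEGIT)        # deferred
    results["spam_first"] = g.check(SPAM)          # deferred; this sender never retries
    now[0] += 60
    results["legit_early_retry"] = g.check(LEGIT_RETRY)  # too soon, still deferred
    now[0] += 600
    results["legit_late_retry"] = g.check(LEGIT_RETRY)   # accepted
    results["spam_accepted"] = str(any(k[0] == "203.0.113.0/24" and False for k in g.first_seen))
    return results


if __name__ == "__main__":
    for name, action in simulate().items():
        print(f"{name}: {action}")
```

The "zombie" case Tony raises is visible in the simulation: a bot that delivers once and moves on is never accepted, but a bot (or its ISP's relay) that queues and retries after the delay is treated exactly like a legitimate MTA, which is why greylisting only defers that mail rather than blocking it.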

