[vox-tech] postgrey is dangerous?
Brian Lavender
brian at brie.com
Mon Jun 30 12:44:45 PDT 2008
On Sun, Jun 29, 2008 at 04:17:38PM -0700, Tony Cratz wrote:
> Larry Ozeran wrote:
> > Hi,
> >
> > I have used a web host based in North Carolina for many years. I recently upgraded from a shared server to a dedicated server and I was hoping to be able to install some SPAM fighting tools. The SPAM software they provide is limited to white listing and black listing and I am now receiving huge volumes of it. I am a part time programmer, not familiar with networks or email servers, but I am tired of huge volumes of SPAM. I reviewed various sites and felt that installing postgrey might give me substantial SPAM reduction with minimal challenges. When I asked my host about installing it, I was told:
> > "After further investigation I was able to verify that the request was denied.
> > It was specified that this software would be unsafe to run on the server environments run within our network.
> > This is per our Systems Administrators."
> >
> > After going around with them twice, I don't have what I feel is an adequate answer. Any thoughts on why someone might think that postgrey is "unsafe"? Better yet, any strategies for countering this thinking?
> >
> > = = system info - yes the versions are old, but that's not my host's excuse for the denial and they can be updated now that I am on a dedicated server
> > Operating System: Redhat Linux Kernel Version: 2.4.26
> > Apache/PHP Version: Apache/1.3.34 (Unix) filter/1.0 PHP/4.4.4
> > Perl Version: v5.6.0
> > MySQL Version: 3.23.33
> > Send Mail Version: 8.12.10
> >
> > Thanks for any suggestions or clarifications.
>
>
> I did a couple of quick searches and found a couple of things.
> There was a security DoS (Denial of Service) issue in the 2006
> time frame using Postgrey 1.21. On Debian systems there was a
> patch which fixed the problem (I did not see any patch for
> Red Hat).
>
> The current version of Postgrey is 1.31 with a timestamp of
> 9/2007.
>
> With the above it would be a good chance the DoS issue has
> been solved.
>
> Now let's quickly take a look at how Postgrey works. If the
> message the SMTP server receives is the first connection of
> a message it is TEMPFAIL rejected (meaning it must be attempted
> to send again before the message is accepted).
>
> Now one might ask why do this? At one time some of the spammers
> would only attempt to send a message once and if they received
> a TEMPFAIL they would drop the message, thus reducing the
> amount of SPAM a site might receive from a spammer.
>
> PLEASE NOTE: This was before the use of zombie networks. Now
> they have the zombies send the message and they don't care if
> the zombies get a TEMPFAIL, as the message is not sitting on
> the spammer's machine but maybe on the zombie system, but more
> likely it is sitting on the ISP of the witless user of the
> zombie system.
>
> So the bottom line is, using Postgrey now is just a waste of
> computer resources and time. As for it currently being a
> security issue, I can't find anything to suggest this is
> still true. But your ISP may be using it as an excuse to
> not waste their time setting it up, or they may not be using
> Postfix (which is required for Postgrey). They could be using
> Sendmail, Qmail or Exim.
>
> Are there better solutions? I know a lot of people are using
> mimedefang + SpamAssassin + ClamAV to reduce the amount of
> SPAM and viruses. Can you stop all SPAM using these methods?
> NO. Can you reduce the SPAM? Yes. Are there other things which
> can be done also? Yes, you can use DNS blacklists such as
> Spamhaus and SpamCop. Again these only help to reduce the
> SPAM.
>
>
> The only way to possibly stop SPAM is to rewrite all of the
> RFCs dealing with mail and require each client to certify who
> they are so the true path cannot be hidden and the spammers
> could be traced. Note: This really would not fully solve the
> problem but would allow the message to be traced back to the
> zombie system a lot faster. But zombie networks could still be
> used. It would just require a new one to be set up, which would
> take time. I also make note of a news article from last year
> (sorry I don't have the link any more) about a system installer
> in the US who, while setting up systems for the customers
> of the company he worked for (kind of like the Geek Squad of
> Best Buy), installed the software to turn the systems
> into zombie servers.
I am using sa-exim which supports greylisting. I also received about 500
spams where the spammer used guestbooks and e-card sites, feedback
forms, and whatever they could post to, to send me the spam. I am willing
to bet they used Google to harvest the sites with these services, put
together some bots to activate the guestbooks, e-cards, and feedback form
sites that send replies to the client using the page, and then activated
them all at once. I still have the spams, so I can harvest the IPs of
the relaying servers and perhaps just block their servers.
One way to completely block SPAM is to use TLS / SSL and allow only
authenticated mail servers to relay into your mail server.
brian
--
Brian Lavender
http://www.brie.com/brian/
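The greylisting behaviour Tony describes above (first sighting of a triplet gets a TEMPFAIL, a retry after the delay is accepted), as an added illustration that is not Postgrey's own code. The 300-second delay and 35-day expiry are assumed values for the model; the IPs and addresses are constructed.

```python
"""Simplified greylisting policy model (illustration, not Postgrey's code).
Decisions are keyed on the (client IP, sender, recipient) triplet."""
from dataclasses import dataclass, field

TEMPFAIL = "450 4.2.0 Greylisted, please try again later"
ACCEPT = "DUNNO"  # Postfix policy reply: no objection, let other checks run


@dataclass
class Greylist:
    delay: int = 300            # seconds a new triplet must wait (assumed default)
    max_age: int = 35 * 86400   # forget triplets not seen for this long (assumed)
    seen: dict = field(default_factory=dict)  # triplet -> first-seen timestamp

    def check(self, client_ip: str, sender: str, rcpt: str, now: int) -> str:
        key = (client_ip, sender.lower(), rcpt.lower())
        # Drop stale entries so the table does not grow without bound.
        for k in [k for k, t in self.seen.items() if now - t > self.max_age]:
            del self.seen[k]
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now        # first sighting: defer and remember
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL             # retried too soon: still deferred
        return ACCEPT                   # retried after the delay: let it in


def simulate() -> list:
    """Constructed scenario: a fire-and-forget sender versus a retrying MTA."""
    gl = Greylist()
    log = []
    # Sender that never retries: one attempt, never delivered.
    log.append(gl.check("203.0.113.9", "bulk@example.net", "me@example.org", now=0))
    # Conforming MTA: deferred, retries too early once, then accepted at 15 min.
    mta = ("198.51.100.5", "friend@example.com", "me@example.org")
    log.append(gl.check(*mta, now=0))
    log.append(gl.check(*mta, now=60))
    log.append(gl.check(*mta, now=900))
    return log


if __name__ == "__main__":
    for decision in simulate():
        print(decision)
```

As Tony notes, a botnet that simply retries passes this check, which is why greylisting only filters senders that do not behave like real MTAs.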