Mailing List SIMS@mail.stalker.com Message #14259
From: Global Homes Webmaster <webmaster@globalhomes.com>
Subject: Re: Spam and account problems
Date: Tue, 10 Feb 2004 14:36:46 -0800
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Mailsmith 2.1.1 (Blindsider)
On 2/10/04 at 11:20, Clement Ross wrote:

> On Tue, 2004-02-10 at 12:18, Alex Wellerstein wrote:
> > So, in my Router I have the entry kx100.NET = error, however
> > messages from them are STILL being added to my queue (and
> > overloading it to the point of crashing -- I had 15,000 spam
> > messages sitting in my queue, despite telling SIMS to delete all
> > bad messages IMMEDIATELY). Arrggg. What's up with that? What's up
> > with my queue overflowing?

In addition to 'kx100.NET = error' router entry, you also need to enable
'Verify Return-paths' in the SMTP service settings.

> I think (somebody pls correct me if I'm wrong) that your router entry
> will only stop the spam that has that kind of From address:
> somebody@kx100.net.

Close, but not quite. SIMS only looks at a message's Return-path address
(i.e. the envelope sender) for the 'Verify Return-paths' feature. The
envelope sender is not necessarily the same as the 'From' header address.
In fact, it is very often not the same in spam messages. Note that routing
an address or domain to 'error' will also prevent you from sending messages
to that address or domain.

> That used to be somewhat effective to counter spam but is now pretty
> useless as spammers use a random array of valid domains in the From
> field.

It's not entirely useless quite yet, but you need to make sure that what
you're routing to error is what's in the Return-path addresses of the spam
you're trying to block and that it looks like something that is likely to
be repeated by the spammer. IOW, if it looks like it was selected randomly
or it's a domain from which you might receive legitimate mail (yahoo.com,
msn.com, hotmail.com, etc.), then it's probably better to not route it to
error. On the other hand, if the domain of the Return-path also shows up in
a URL in the message body, it's a good candidate for routing to error.
Also, I've got a section in my router that routes to error tld's of
countries from which I don't expect my users to be getting legit mail. They
look like:

*.cn = error ; Nobody here gets mail from China
*.kr = error ; Nobody here gets mail from Korea

My logs show a non-trivial number of rejections from routing country tld's
to error.

> The only way you will slow down the spam is by religiously updating your
> local blacklist and by using well known DNSRBLs. I would strongly
> suggest dul.dnsbl.sorbs.net that blocks dialup/cable/adsl IPs and as
> many countries from blackholes.us as you think you and your clients can
> tolerate.

The amount of spam getting through my defenses decreased dramatically when
I added dul.dnsbl.sorbs.net to my RBL server list. Unfortunately, I started
to get some reports of false positives from my users so I removed it and
the false positives seem to have gone away (at least I haven't gotten any
reports since removing dul.dnsbl.sorbs.net). I couldn't get anyone to send
me any relevant bounce messages or even enough information to find rejected
messages in my logs, though, so I'm still a little skeptical that SORBS was
really to blame.

When it comes to adding 'as many' country lists as you can, remember that
each RBL server in your list adds a possible DNS look-up to every SMTP
connection that your SIMS server sees. At one point I went a little nuts
with country blacklists. SIMS started filling its available SMTP channels
with connections that were waiting for RBL look-ups to complete, resulting
in a noticeable performance hit. I ended up looking over my logs and
removing a few country blacklists that were responsible for only a handful
of rejections and server performance went back to a more acceptable level.
--
                   Christopher Bort | cbort@globalhomes.com
            Webmaster, Global Homes | webmaster@globalhomes.com
                      <http://www.globalhomes.com/>
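Two points in the message above lend themselves to a small worked example: the router matching 'kx100.NET = error' and the '*.cn = error' style entries against the envelope sender (Return-path) rather than the From header, and the later advice to read the logs and drop RBL zones that produce only a handful of rejections. The script below is an added illustration, not SIMS code and not the poster's own; the router-file parsing, the log line format and the zone names other than dul.dnsbl.sorbs.net are constructed for the example and do not reflect SIMS's real syntax.

```python
"""Added example: router-style Return-path checks and RBL log triage.

Not SIMS code. The router syntax, log format and "*.rbl.example" zone
names are assumptions made for this illustration.
"""
import re
from collections import Counter

# Constructed router table in the style of the entries quoted in the post.
ROUTER_TEXT = """\
kx100.NET = error ; spam source named in the thread
*.cn = error ; Nobody here gets mail from China
*.kr = error ; Nobody here gets mail from Korea
"""


def parse_router(text):
    """Parse 'pattern = target ; comment' lines into (pattern, target) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        pattern, target = (part.strip() for part in line.split("=", 1))
        rules.append((pattern.lower(), target.lower()))
    return rules


def domain_of(address):
    """Extract the domain from '<user@host>' or 'user@host' (lower-cased)."""
    addr = address.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def pattern_matches(pattern, domain):
    """'*.cn' matches any domain ending in '.cn'; otherwise require equality."""
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])
    return domain == pattern


def route_decision(address, rules):
    """First matching rule wins, as in a router table; default is 'accept'.

    The same decision applies to recipients, which is why routing a domain to
    error also blocks outbound mail to it.
    """
    domain = domain_of(address)
    for pattern, target in rules:
        if pattern_matches(pattern, domain):
            return target
    return "accept"


def should_reject(envelope_sender, from_header, rules, verify_return_paths=True):
    """Model of 'Verify Return-paths': only the envelope sender is consulted.

    from_header is deliberately ignored; it is passed in to make the point
    that a spoofed From: line never triggers the rule.
    """
    if not verify_return_paths:
        return False
    return route_decision(envelope_sender, rules) == "error"


# Constructed log lines in a hypothetical format (not SIMS's real log syntax).
SAMPLE_LOG = """\
12:00:01 SMTP-01 rejected 198.51.100.7: listed in dul.dnsbl.sorbs.net
12:00:04 SMTP-02 rejected 198.51.100.8: listed in dul.dnsbl.sorbs.net
12:00:09 SMTP-03 rejected 203.0.113.5: listed in country-cn.rbl.example
12:00:15 SMTP-01 rejected 192.0.2.44: listed in dul.dnsbl.sorbs.net
12:00:20 SMTP-04 rejected 203.0.113.6: listed in country-cn.rbl.example
12:00:31 SMTP-02 rejected 192.0.2.45: listed in country-kr.rbl.example
12:00:40 SMTP-03 rejected 198.51.100.9: listed in dul.dnsbl.sorbs.net
12:00:45 SMTP-04 accepted 192.0.2.50 from <alice@example.com>
"""

LISTED_RE = re.compile(r"rejected \S+: listed in (\S+)")


def rbl_rejection_counts(log_text):
    """Count rejections per RBL zone so each zone's DNS cost can be weighed."""
    return Counter(m.group(1) for m in LISTED_RE.finditer(log_text))


def low_yield_rbls(counts, minimum):
    """Zones with fewer than `minimum` rejections: candidates for removal."""
    return sorted(zone for zone, n in counts.items() if n < minimum)


if __name__ == "__main__":
    rules = parse_router(ROUTER_TEXT)
    print(route_decision("<bulk@kx100.NET>", rules))
    print(should_reject("<bounce@example.com>", "From: bulk@kx100.net", rules))
    counts = rbl_rejection_counts(SAMPLE_LOG)
    print(counts, low_yield_rbls(counts, 2))
```

Running it shows the rule firing on the envelope sender regardless of case, a message whose From: header names kx100.net but whose Return-path is elsewhere passing untouched, and the single-hit country zone surfacing as the one to consider dropping first.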