Re: [exim] Use spamGuard with Exim

On Wed, 11 May 2005 torsten@??? wrote:

> - we also provide e-mail services to 3rd parties whos networks we don't
> control.

An MTA service or an MSA service?

> Of course we give all that recommendations you mentioned (not saving
> passwords, keeping anti-virus software up-to-date, you name it) but we can
> do hardly anything more than recomment this. We cannot enforce this.
> That's the problem.

You can build it into the contracts/terms of service of your arrangement
with these entities. Violation may lead to termination of service.

> You're right. But here I am concerned mostly with the amount of spam that
> gets send over accounts that I am responsible for. If a worm infects
> 100.000 PCs, two dozends of them being logged into our system, if we limit
> the amount of emails that can be sent our share of the problem is very
> limited.

It might already be limited - by the spammer only sending one or two an
hour per (compromised?) machine. Would spamguard detect that?

If spamguard is doing its check according to sending email address only,
then what is to stop the spammer using different addresses for each mail
sent (as commonly happens anyway)? Won't these get through? (I only have
your word for what spamguard does). Surely IP address would be a
significant factor in this case (which is why I mentioned it originally)?
Or does your authenticated service ensure that the email as sent always
appears to come from the address associated with the authenticated entity?

If it really is "spam" you are trying to detect, why are you against the
use of tools like SpamAssassin that detect spam? (For some definition of
"spam" anyway; conTent not conSent and all that). You do then have the
problem of what to do about it when you have detected that it is, or may
be, spam.

Maybe a tool that is more flexible than (apparently) spamguard is needed,
that allows the administrator to set thresholds according to different
criteria rather than just sender addresses; e.g, rate per sending IP; spam
rating (according to SA); perhaps adjustable on a per-user or per-IP basis.

> > The slower they do it, and to fewer recipients,
> > for each machine, the less likely it is you'll spot them. Meanwhile,
> adjusting thresholds to try to catch them means inconveniencing more
> people as you approach the sorts of numbers and frequencies that typical
> email users use.
>
> I'd love to save people the burden to lock their doors when they leave
> because it brings all that hassle with looking keys, etc. Unforunately we
> haven't managed to create a world where this is possible.

Sorry, I don't see the relevance of that analogy.

> The issue ist just that today it's too easy. You create an account which
> takes 2-3 minutes and you have a free ride on our server. This is what we
> need to at least significantly limit.

Perhaps you should re-consider your business model then, if it is this
easy for your service to be abused! Maybe there should be some cursory
checks on who is using your service, and more contractual strictness about
the expectations you have of your users.

> On the other hand if we allow them some dozends of emails before their
> account gets closed this will be a bad effort / spam ratio for them. Those
> people think along the lines of 100.000 emails in a single campaign.

But not necessarily all from one machine.

Anyway, this is getting off-topic for exim-users now.

I'm not really convinced that you're trying to solve the correct problem
here, but without more detail about your service (which may necessarily be
sensitive), there's not much more I can say about it. I hope you find
something useful in the archives in the meantime (oh, I see you didn't.
Ho hum).

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK