Re: [exim] Please help me get more spam!

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Please help me get more spam!
Dave Pooser wrote:

>>The world of mailadmins seems to be dividing on a sharp line:
>>
>>- Those who take a perverse delight in how much spam they can take on-board,
>>scrutinize, score, tag accurately, add headers to, divert to quarantine, bask in
>>the statistics of it all.
>>
>>IOW - "play with their food".
>
>
> What can I say? I learned from my cats. :^)
>
>
>>- Those who cannot be bothered to muck about with such garbage, and simply
>>block it with near-zero resource load on the grounds that an *extremely high*
>>percentage of it emanates from senders that *must* try to hide for as long as
>>possible, ergo do NOT comply with DNS or SMTP RFCs.
>
>
> The problem with a simplistic blocking scheme is always false positives.
> When you deal with large numbers of small-to-tiny businesses, you're going
> to have legitimate mail with bad rDNS; when you deal with large numbers of
> poorly-administered Exchange servers you're going to receive legitimate mail
> that's not RFC-compliant. That's why SpamAssassin has become such a success;
> it lets you make a decision based on more complete information. It gets
> "nuance."


When we fail to insist on the 'basics' - having at least an 'A' record - we are
guilty as-Hell of *helping* perpetuate zombies.

Ergo, those are not 'legitimate' messages at all. Just foolish, lazy, or
indifferent folks counting on us to be the same.

Picture this:

- The national snail-mail service that accepts for sorting and delivery, not
only the properly-documented container off the latest train, truck, or flight
from neighboring country "Z" national post office, but - with no further ado - a
truckload of recycled paper.

- The restaurant that takes into its kitchen, not only food from known and
trusted suppliers who have stood national health inspection - but a truckload of
*garbage*, then attempts to sort that so as not to "overly" risk poisoning its
diners. After all, there may still be a decent ham sandwich in there...

'nuance'?

>
> Sure, I could weed out a lot of bad email by more aggressive blacklisting,
> by rejecting based on RDNS and poorly formed HELOs and then manually
> whitelisting exceptions as they come up. But that's hassle for my customers
> and more work for me. I run a small corporate mail server; I have cycles to
> burn. I'll let the computer do more work. A SpamAssassin-based reject after
> DATA takes more processing power than a DNS-based reject after RCPT TO, but
> as long as the message gets rejected it isn't wasting my time or my users'
> time. (Unlike my previous MTA which had already accepted a message by the
> time SA saw it, which led to my earlier quarantine issues and the like.)
>
>
>>Lack of *any* DNS entry, or use of a known-dynamic IP *cannot* be a 'false'
>>positive - only a nuisance to the occasional user who feels they *must*
>>communicate with the fool - hopefully ignorant, not malicious - who is doing
>>that.
>
>
> The "occasional user" may be my boss; the "fool" may be a client who
> generates $500k/yr in business.


*easily* worth the whitelist entry. Which is a small fraction of the work of
sorting the *bad* stuff.

These days the '80/20 rule' here is more like '90/10' bad/good.

> I'm not out to punish incompetent mail
> admins, I'm out to receive ham and block spam.
>
>


I too, could give a Taxatwoshits about 'punishment'. I just want them 'not here'.

But apply the same liberalism/carelessness/ganymede complex to where you take
your meals - or the take-out lunch you might bring back for said boss from a
rolling food-cart that wasn't even on your street yesterday - and the problem
will solve itself.

Eventually, you will have to either take the chance, or spend so much time
trying to make sure the food is safe that you will starve before you can eat.

Simpler to eat at places with a good reputation. A 'fixed address' at least.

;-)

>>I am supremely disinterested in running SA any more than absolutely necessary,
>>i.e. - on the roughly 10-12% of offered traffic that has passed all simpler
>>tests and *seems to be* legitimate.
>
>
> Obviously, YMMV; if I were using Exim in an ISP environment or trying to run
> my mail server on a P3-800MHz with 256MB RAM I'd have a different take. But
> in my environment, a huge strength of Exim is the fact that I can make the
> accept/reject decision at any point in the process so I can block tons of
> spam without resorting to draconian measures up front.


You can even more easily pass all arrivals and leave the filtering to - for
example - an MUA's Bayesian + user-built filter rules.

We've all started there - WTH, I have "minority country" <tld> accounts for
corporate use that do not even *attract* spam. None. Zero. For years.

But the longer we all elect to take it on-board and play with it, the longer it
clogs the global bandwidth, and the honest folk among the lazy/ignorant will
have no incentive to *ever* clean up their act.

We, too, have CPU cycles to burn (redundant Core-Duo 3 GHz, 4 GB RAM) - and HDD
space as well. Terabytes of it.

Bandwidth to waste, and the time and patience to suffer the 'free range rude'
are in shorter supply.

Has no one noticed that the overall problem is worsening, not improving?

Techniques adequate when spam was 20%, 40%, 60% need a touch of 'basic
draconian' when it is 80% and more.

- one can ignore HELO lookup mismatch (abused prefixes)

- one can tolerate HELO that is not a hostname at all

- one can ignore lack of a PTR record

- but an arriving IP with *zero* DNS resolution is going to need an executive
override and whitelisting here.

- so, too, originating on a dynamic IP.

I'm no pioneer - several major ISP's are taking similar action.

Finally!

Bill
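As an added illustration (not Bill's configuration, and not code from the thread): an Exim 4 ACL fragment that implements the tiering argued for above - cheap DNS-based rejects at RCPT TO, a whitelist file as the "executive override", tolerated-but-logged weaknesses, and SpamAssassin run only on what survives. The whitelist path, the list name, the spamd address and the choice of DNSBL/return codes are assumptions; the hostname-resolution test uses `dnsdb` rather than `verify = helo`, because the post explicitly tolerates HELO forward/reverse mismatch.

```exim
# Added example, not from the original post. Main-section settings first.
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
spamd_address = 127.0.0.1 783                 # assumption: local spamd

# "Executive override": one host pattern per line (assumed path).
hostlist whitelist_hosts = /etc/exim/whitelist_hosts

begin acl

acl_check_rcpt:
  # Local submission, whitelisted hosts and authenticated users skip the tiers.
  accept  hosts = :
  accept  hosts = +whitelist_hosts
  accept  authenticated = *

  # Tier 1: *zero* DNS resolution - no PTR for the connecting IP AND the
  # HELO name has no A record. Rejected at RCPT, before any body is read.
  # The lookup returns "yes" when the A query finds nothing.
  deny    message   = $sender_host_address has no reverse DNS and \
                      HELO $sender_helo_name does not resolve
          !verify   = reverse_host_lookup
          condition = ${lookup dnsdb{a=$sender_helo_name}{no}{yes}}

  # Tier 2: dynamic/residential address space. Assumption: the Spamhaus
  # PBL return codes as served via zen; substitute a list you trust.
  deny    message  = $sender_host_address is listed as dynamic space \
                     in $dnslist_domain
          dnslists = zen.spamhaus.org=127.0.0.10,127.0.0.11

  # Deliberately tolerated, per the post: a missing PTR on its own,
  # a HELO that is not a hostname, a HELO forward/reverse mismatch.
  # Log them so the pattern is visible, but do not reject.
  warn    !verify     = reverse_host_lookup
          log_message = tolerated: no PTR for $sender_host_address
  warn    condition   = ${if match{$sender_helo_name}{\N^\[?[0-9.]+\]?$\N}}
          log_message = tolerated: non-hostname HELO $sender_helo_name

  accept  domains = +local_domains
          endpass
          verify  = recipient

  deny    message = relay not permitted

acl_check_data:
  # Tier 3: only the residue that passed RCPT is handed to SpamAssassin,
  # and the reject still happens inside the SMTP session (after DATA),
  # so nothing is accepted and then quarantined.
  warn    spam       = nobody:true
          add_header = X-Spam-Score: $spam_score ($spam_bar)
  deny    message    = rejected as spam (score $spam_score)
          condition  = ${if >{$spam_score_int}{50}}
  accept
```

The tier 1 `deny` fires only when both the reverse lookup and the HELO A lookup come up empty, which is the "no DNS at all" case the post distinguishes from a merely missing PTR; a DNS *defer* (as opposed to NXDOMAIN) will also fail `verify = reverse_host_lookup`, so add `/defer_ok` to that condition if temporary DNS trouble should not cost you mail. `$spam_score_int` is the score times ten, so `50` is a 5.0 threshold.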