[CLUE-Tech] Stopping freakin' spam on the mailman lists

charlie oriez coriez at oriez.org
Tue Jul 23 20:41:42 MDT 2002


On Sunday 23 June 2002 17:36, Jeffery C. Cann wrote:
> Arrgh.
>
> For some reason, pipermail (the program that archives our mailman lists)
> does not hide poster's email addresses.
>
> Given the sheer number of clue-tech email messages now on google, I have
> noticed an increase in the number of attempted postings to the list.  None
> reach the list because the bots haven't figured out how to subscribe and
> then spam automatically.  However, as one of the list administrators, I am
> annoyed because each attempt by a spam bot to post to the list results in a
> message for me to authorize the non-subscriber's post.
>
> So, I am crying 'uncle' and asking for some advice on what software we need
> to set up to reduce the amount of spam that is pushed to our email lists. 
> We are running sendmail, btw.
>

Jeff -

I'm part of the team that runs sendmail on a linux system for the Rocky 
Mountain Chapter of the Sierra Club.  We run about 60 or 70 lists plus 
forward mail for our activists using our alias file.  

We've configured sendmail v8.9.3 to query the osirusoft suite of blacklists.  
As a result, our lists get virtually no spam attempts of this nature that 
come to human attention (other than my weekly look at the reject logs).  
We've also gotten a very low amount of false positives on our rejected mail.  
We implemented osirusoft using the FEATURES capability of the sendmail config 
file.

Osirusoft queries spamcop, spews, and about a dozen other common blacklists 
and returns a code which sendmail uses to either set a warning header or 
bounce the mail.  We bounce.  I should note that most of the origination 
points of spam rejected by our server are listed on an average of 13-14 of 
these dnsbls.

One downside - anyone on Verio runs the risk of being unable to post to the 
list.  This is because Verio has a track record of refusing to cancel 
spammers in a timely fashion (eg - postmastergeneral, itbuyers.net, etc), and 
large areas of their net space have been declared persona non grata by SPEWS.  
Personally, I don't have a problem with that - anyone choosing to do business 
with verio is choosing sides, and choosing the wrong side, in the spam wars.  
You need to be aware of that though.  

I don't believe the exposure to be great - I monitor my own reject logs for 
anything that might be called a false positive.   I have not bounced any CLUE 
list traffic in a long time, and the one time I did it proved to be a coding 
error on my part in a procmail filter (I was blocking a /16 when I intended 
to block a /24) rather than SPEWS being overly aggressive.

http://relays.osirusoft.com

Another option you have is to refuse mail from any site where rdns is not 
properly configured.  Most spam these days comes through open relays or open 
proxies.  Once the spam hits and gets reported, the open relay or open proxy 
gets onto the appropriate dnsbl in the osirusoft suite and gets blocked by 
users.  The interesting thing is that most administrators who leave security 
holes open on their system also can't figure out how to get rdns configured 
correctly, so refusing traffic from systems without rdns configured seems to 
stop additional spam from new sources even before it gets reported to the 
blacklist maintainers.  You can probably get implementation directions from 
the anti-spam fanatics :-) on news.admin.net-abuse.email

Third option - there are challenge/response systems out there.  somedec.com 
over in Aurora is using one, though I don't remember the name.  Most spam 
arrives with forged from/reply-to headers (big surprise, right?).  When you 
get mail from an unknown source, your system autoreplies asking for a live 
person to respond.  Once they respond, they're whitelisted in your db unless 
you say otherwise.   This challenge mail sent to a forged address will bounce 
so you'll never see the original spam.

These different methods can be used together without problems.


-- 
Charles Oriez     coriez at oriez.org
39° 34' 34.4"N / 105° 00' 06.3"W
**
Si Hoc Legere Scis Nimium Eruditionis Habes
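The two MTA-side checks described in this post, a DNSBL lookup and a refusal of senders without properly configured reverse DNS, as an added illustration that is not part of the original message or of any sendmail configuration. The resolver functions are injected so the script runs offline against a constructed stub DNS table; the second DNSBL zone and all host names and addresses are made up, and osirusoft is used only as the query-name example (its return codes are not modelled).

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

ResolveA = Callable[[str], List[str]]     # name -> A records ([] if none)
ResolvePTR = Callable[[str], List[str]]   # ip   -> PTR names ([] if none)

# Zones to consult: the one named in the post plus a constructed placeholder
DNSBL_ZONES = ["relays.osirusoft.com", "dnsbl.example.net"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query: octets of the IPv4 address reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_hits(ip: str, zones: List[str], resolve_a: ResolveA) -> List[str]:
    """Zones on which the address is listed (any A answer means 'listed')."""
    return [z for z in zones if resolve_a(dnsbl_query_name(ip, z))]


def has_fcrdns(ip: str, resolve_ptr: ResolvePTR, resolve_a: ResolveA) -> bool:
    """Forward-confirmed rDNS: a PTR exists and at least one PTR name resolves back."""
    return any(ip in resolve_a(name) for name in resolve_ptr(ip))


def smtp_verdict(ip: str, zones: List[str], resolve_a: ResolveA,
                 resolve_ptr: ResolvePTR, reject_at: int = 1) -> Tuple[str, str]:
    """Decide accept/reject for a connecting client, the way the post's MTA does."""
    hits = dnsbl_hits(ip, zones, resolve_a)
    if len(hits) >= reject_at:
        return "reject", "listed on %d DNSBL(s): %s" % (len(hits), ", ".join(hits))
    if not has_fcrdns(ip, resolve_ptr, resolve_a):
        return "reject", "no forward-confirmed reverse DNS"
    return "accept", ""


# Constructed stub DNS data (RFC 5737 test addresses); stands in for real lookups
_A: Dict[str, List[str]] = {
    "10.2.0.192.relays.osirusoft.com": ["127.0.0.2"],   # 192.0.2.10 listed
    "10.2.0.192.dnsbl.example.net": ["127.0.0.2"],      # ... on both zones
    "mail.example.org": ["198.51.100.7"],                # PTR confirms forward
    "host.example.com": ["203.0.113.99"],                # PTR does NOT confirm
}
_PTR: Dict[str, List[str]] = {
    "198.51.100.7": ["mail.example.org"],
    "203.0.113.5": ["host.example.com"],
    # 203.0.113.9 deliberately has no PTR at all
}
stub_resolve_a: ResolveA = lambda name: _A.get(name, [])
stub_resolve_ptr: ResolvePTR = lambda ip: _PTR.get(ip, [])
```

With the stub table, 192.0.2.10 is rejected as listed, 198.51.100.7 is accepted, and both 203.0.113.5 (PTR points elsewhere) and 203.0.113.9 (no PTR) are rejected for lacking confirmed rDNS.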


