
Re: are two 'firewalls' better than one ..

On Sun, 26 Nov 2006 16:09:57 +0000
Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:

> You seem to be like an anti-SPAM expert, so I have a little
> question/problem that maybe you can help me with. I put a BoxTrapper
> on one of my boxes, where SpamAssassin managed to keep the
> BoxTrapper's activity very low. Recently, however, many messages have
> been getting through. At first I thought it was because the "from"
> field contained my domain (deliberately so). I looked at a small
> sample to reinforce this assumption. I then created some filters, but
> it turns out that only about 20% of the messages can penetrate owing
> to this particular trick. This means that the remainder have got some
> automated mechanism that verifies the identity of the sender with
> BoxTrapper... or perhaps it fools Apache's BoxTrapper somehow. What
> can I do to handle this?

boxtrapper (although i've never used it) looks like a typical challenge
response system to ask the user to verify their email address before
permitting mail through. i think i got one of these the first time i
mailed you way back..

so i have to assume that your whole domain is on the white list. that's
all that can be said about it. the boxtrapper is looking at the mail
from: envelope header, if it matches the list then it's passed.

you might want to configure another process that blocks some ip's from
using your domain? i don't know how far the configuration of boxtrapper
can go.

spammers do make a lot of attempts to circumvent filters, or even bounce
mail to one. in some cases the rcpt to could be "root@xxxxxxxxxxx" and
the mail from as "roy@xxxxxxxxxxx" in the hope that the mail bounces to
you. there is very little to do in this case, other than to setup a
special rule that mail to your domain has to originate outside one's /24.
of course this is very limited and useful for just instances where one
has no users other than themselves.

> Last week I received an E-mail from a stranger who said that the ISP
> can prevent (forged headers-saturated) messages from being sent with
> my domain inserted. I'm not sure it can help in this circumstance.
> Have the spammers just cracked SpamAssassin with their GIF's and beat
> BoxTrapper with some new trick that they increasingly get up and out
> of their sleeves? The volume is increasing all the time and I'm
> getting worried...
> 
> Thanks for listening...

there are things that look into the .gif file image, it's awfully
complex and adds a huge CPU hit to the mail delivery process. if one has
a few thousand domains to look after then it's quite a burden, so i
steer myself clear of this.

http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

personally... all methods of spam prevention hurt the receiver apart
from tmda and *some* grey listing.

* greylisting
hurts the receiver because the process that's receiving the mail
consumes memory for a longer duration than just accepting the mail and
dropping. i used to implement a perl based greylist, until i saw it
occupied a huge amount of system ram when there were 50-ish processes
running.

* challenge response
how many legitimate people respond to the challenge? how many responses
go to the wrong people?

* rbl
large isps get listed now and then, that's a problem for me when my
friend's isp gets listed

* bayes
requires some cpu/disk and training

* ocr
requires a lot of cpu, and in fuzzy's case, it's perl based, which
itself requires a 5meg footprint.

if you are interested in configuring bogofilter i have a page at
www.s5h.net/qmail/bogofilter.html one of the great things about it is the
.qmail (dot-qmail) file where commands can run during the local delivery
process, allowing one to perform their own specific checks on headers.

spam is very very painful for the recipient. sometimes i think it might
be worth employing one of those nigerians who send 419 spam to check my
mailbox for me and remove my spam.

-- 
Regards, Ed                      :: http://s5h.net/qf
just another python person
Mr. T bling is actually chocolate wrapped in gold and silver tin. 
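The weakness Ed describes above (a whole-domain whitelist that only inspects the envelope MAIL FROM, so spam forging the recipient's own domain sails past the challenge) and his proposed fix (mail claiming your domain must come from your own network) are easy to see side by side in a few lines. The following is an added example, not code from the thread, from BoxTrapper or from Ed's site; the domain, the /24 and the three envelopes are constructed sample values, and `classify` is a hypothetical policy hook rather than any real BoxTrapper or qmail interface.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration (hypothetical values): the domain whose senders are
# whitelisted, and the /24 its own mail servers really deliver from.
OUR_DOMAIN = "example.org"
OUR_NETWORK = ipaddress.ip_network("203.0.113.0/24")


@dataclass
class Envelope:
    client_ip: str   # address of the connecting SMTP client
    mail_from: str   # envelope sender (SMTP MAIL FROM)
    rcpt_to: str     # envelope recipient (SMTP RCPT TO)


def sender_domain(addr):
    """Domain part of an address, lower-cased; empty for the null sender '<>'."""
    addr = addr.strip("<>")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def naive_whitelist(env):
    """Whole-domain whitelist as described in the thread: any MAIL FROM in our
    domain is passed without a challenge, wherever it came from."""
    return sender_domain(env.mail_from) == OUR_DOMAIN


def network_aware_whitelist(env):
    """Same whitelist, but a sender claiming our domain must also connect from
    our own network; otherwise the envelope sender is treated as forged."""
    if sender_domain(env.mail_from) != OUR_DOMAIN:
        return False
    return ipaddress.ip_address(env.client_ip) in OUR_NETWORK


def classify(env):
    """Hypothetical policy hook: what each rule would do with one envelope."""
    if network_aware_whitelist(env):
        return "whitelisted"
    if naive_whitelist(env):
        # Passed by the naive rule, rejected by the network check: this is the
        # forged-own-domain spam the original question is about.
        return "forged-own-domain"
    return "challenge"


# Constructed sample envelopes: our own relay, a forged sender from an outside
# network (the bounce trick from the thread: RCPT root@, MAIL FROM roy@), and
# an ordinary stranger who should simply get the challenge.
SAMPLE = [
    Envelope("203.0.113.25", "roy@example.org", "roy@example.org"),
    Envelope("198.51.100.7", "roy@example.org", "root@example.org"),
    Envelope("198.51.100.7", "friend@example.net", "roy@example.org"),
]


def run(envelopes=SAMPLE):
    return [classify(e) for e in envelopes]


if __name__ == "__main__":
    for env, verdict in zip(SAMPLE, run()):
        print(f"{env.client_ip:15} {env.mail_from:22} -> {verdict}")
```

Under the naive rule the second envelope would be delivered; the network-aware rule sends it back to the normal challenge or filter path. The cost is the one Ed points out: a legitimate user of the domain who sends through some other provider's relay also lands in "challenge", so the rule is only comfortable where nobody but the owner sends mail as that domain.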
