Date: Fri, 5 Apr 2002 01:33:25 -0800
From: "Philip J. Koenig" <pjklist@ekahuna.com>
To: Questions@FreeBSD.ORG
Cc: Greg 'groggy' Lehey <grog@FreeBSD.org>
Subject: Re: hub.freebsd.org spam policy
Message-ID: <20020405093325048.AAA364@empty1.ekahuna.com@pc02.ekahuna.com>
In-Reply-To: <20020405180530.S68310@wantadilla.lemis.com>
References: <20020405061920611.AAA347@empty1.ekahuna.com@pc02.ekahuna.com>
On 5 Apr 2002, at 18:05, Greg 'groggy' Lehey boldly uttered:

> On Thursday, 4 April 2002 at 22:19:20 -0800, Philip J. Koenig wrote:
> > On 5 Apr 2002, at 15:17, Greg 'groggy' Lehey boldly uttered:
> >
> > I gave you examples, I provided the reasons, showed you the RFCs,
> > talked about specific alternatives - you snipped *everything* that
> > supported my position. Sounds to me like your mind was made up
> > before you wrote the first word.
>
> No, it looks like you don't understand the issues.

Easy for you to say. So let's hear you define what "the issues" are then.

> I saw no convincing (even well-put) arguments, no specific alternatives. Come
> up with a plan of how to solve the problem and we'll listen to you.

Allow me to refresh your memory. Perhaps it is the lack of attributions which is complicating matters. :-)

Phil wrote:

> I'm sure you are aware of DNS email blacklists. The problem with many
> of these is that their only criterion is whether a host is an "open
> relay" or not. The problem is that a host could sit there as an open
> relay for 5 years and never send a single spam message. So the
> likelihood of "collateral damage" is high. Likewise site-wide filters
> that match on things like "make money fast" strings. While you might
> get a low percentage of false positives, you will undoubtedly
> eventually block legitimate traffic.

OK - I am providing some information here on a different methodology (DNS-based blacklists) and why some of these, and certain static filters, are problematic.

> So for example there are DNS blacklists which only put a host in their
> block list when they have received a copy of spam which has in fact
> been relayed through it. This is better.

Now I am saying that there are DNS-based blacklists which use stricter criteria which are more desirable (i.e. possibly a better alternative to what freebsd.org is using). One example of a DNS blacklist that only lists hosts which have verifiably relayed spam is relays.visi.com.
Probably one of the most useful is spamcop, who actually apply intelligent criteria to hosts, i.e. weighting depending on the amount of traffic they carry. (One of my eternal frustrations about typical "anti-spam zealots" is their absolutist view of the world: they don't care if a single spam traversed Dick & Harry's ISP or a massive AOL server. I say that as long as you don't have evidence the latter is just giving an open door to spammers, cut them a little slack because they do 100,000 times the traffic that Dick & Harry's ISP does.)

http://spamcop.net/bl.shtml

> Better yet are systems like
> Brightmail which have probes feeding spam to a bunch of human beings
> that make the decision that it's spam, and then send back rules to the
> participating sites to block it while it's being sent out. The
> problem with Brightmail is that it is commercial and it costs money.
> However there is a public-domain variant that has been put together, I
> can get details on this if anyone is interested.

Once again, you apparently didn't read my writing. Or you decided you weren't interested in the information I said I was willing to get details on.

> Even filters can be used if they are used conservatively -- but
> needless to say I don't consider the one that bit me to be
> conservative enough.

Obviously you feel that there is absolutely nothing that can be improved with the current filtering scheme, or else you might have been at least a tiny bit *curious* about what my thoughts were about what filters I consider OK and which I don't. All ears?

So the questions are:

A) does freebsd.org use DNS blacklists or not
B) if yes to the above, which ones
C) does freebsd.org use any measures other than static filtering
D) does freebsd.org keep statistics on how often a filter triggers

I'm not going to spend hours making suggestions just so someone can sit back and say "oh, we tried that", or "oh, we're already using that".
I don't feel like playing that game; please inform us what you're doing now so as not to waste everyone's time.

Obviously if a particular filter is not triggering much, and if it's catching a lot of non-spam messages, that filter should be on the top of the list to dump. Therefore obviously I'm interested in the statistics of the one that bit me - i.e. the @localhost one. Then logically you'd want to do an analysis to ascertain what percentage of the spam messages blocked by that filter would be caught by another filter.

As a contrast, I'll tell you a filter I use here that I see virtually no false positives on: if a message subject header has more than 10-20 consecutive spaces prior to the end of the line, I consider it spam. (There is virtually no legitimate reason to construct a subject header that way on purpose, but spammers frequently do this so they can hide strings at the end to make the header unique, in an attempt to bypass message-specific filters.)

From your other message:

> :0
> * ^Received: .*hotmail.com \[
> /var/mail/grog
>
> :0
> * ^From: .*@hotmail.com
> /home/grog/Mail/caughtspam

Alright, I'm not a procmail expert, but I'm guessing that the order of the rules above matters, and that you are just siphoning off stuff that says the From: address is @hotmail.com but never actually traverses the hotmail.com network, correct? (I sure hope you're not just blocking all of hotmail, that would be crazy.)

One other thing bears mention here: rather than bouncing everything that matches the recipe, you are shoving it into a junk folder. This is a good policy for end-users, because inevitably some good messages will get mistakenly filtered by the recipe. But in the case of the filtering done at hub.freebsd.org, THERE IS NO such fallback, because it is bouncing matching messages back to the sender. This makes it even *more* important that these filters don't block legitimate email, because there is no "alternate path".
(particularly since the filters are applied to the postmaster@freebsd.org address, which I think is a bad idea and counter to longstanding practice, and even to recommendations in RFC-2821, as I pointed out earlier)

-- 
Philip J. Koenig
pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millennium
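The two heuristics discussed in this message (the padded-Subject check, and the "From: claims hotmail.com but no Received: line shows it passed through hotmail.com" reading of Greg's procmail recipes), written as an added example that is not part of the thread and not anyone's actual mail setup. It files matches into a junk folder instead of bouncing, and tallies how often each filter fires, which is the statistic the message asks for; the sample messages are constructed, and the 10-space threshold is an assumption taken from the lower end of the range given.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "legit_hotmail": (
        "Received: from hotmail.com [10.0.0.5] by mx.example.test\n"
        "From: alice@hotmail.com\n"
        "Subject: Re: hub.freebsd.org spam policy\n\nbody\n"
    ),
    "forged_hotmail": (
        "Received: from relay.example.test [192.0.2.7] by mx.example.test\n"
        "From: bob@hotmail.com\n"
        "Subject: hello\n\nbody\n"
    ),
    "padded_subject": (
        "Received: from relay.example.test [192.0.2.9] by mx.example.test\n"
        "From: carol@example.net\n"
        "Subject: MAKE MONEY" + " " * 25 + "zq81\n\nbody\n"
    ),
}

PADDED_SUBJECT = re.compile(r" {10,}")          # assumed threshold: 10 spaces
HOTMAIL_FROM = re.compile(r"@hotmail\.com", re.IGNORECASE)
HOTMAIL_RECEIVED = re.compile(r"hotmail\.com \[", re.IGNORECASE)  # Greg's pattern

def padded_subject(msg: Message) -> bool:
    """Subject carries a long run of spaces used to hide junk after it."""
    return bool(PADDED_SUBJECT.search(msg.get("Subject", "")))

def forged_hotmail(msg: Message) -> bool:
    """From: says hotmail.com, yet no Received: line shows a hotmail.com hop."""
    if not HOTMAIL_FROM.search(msg.get("From", "")):
        return False
    return not any(HOTMAIL_RECEIVED.search(r) for r in msg.get_all("Received", []))

FILTERS = [("padded_subject", padded_subject), ("forged_hotmail", forged_hotmail)]

def classify(raw: str, stats: dict) -> str:
    """Return the delivery folder and count each filter that triggered."""
    msg = message_from_string(raw)
    folder = "inbox"
    for name, check in FILTERS:
        if check(msg):
            stats[name] = stats.get(name, 0) + 1
            folder = "caughtspam"   # file it for review; never bounce it
    return folder

def run(samples=SAMPLES):
    """Classify every sample; return (verdict per sample, hits per filter)."""
    stats = {}
    verdicts = {name: classify(raw, stats) for name, raw in samples.items()}
    return verdicts, stats
```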