[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Linux - viruses etc

To: list@xxxxxxxxxxxxx
Subject: Re: [LUG] Linux - viruses etc
From: Simon Avery <digdilem@xxxxxxxxx>
Date: Wed, 6 Feb 2013 22:23:22 +0000
Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type; bh=XbW33+N4SU2Mp8dziq7hiSKWdRSkoptq83kmA0rEVMw=; b=tRmVSToE0LhzolrdsdHTnG65raljG5gzqY3s5l3E2OB5oaSvXS2z36sYqr/VJ1HNHR TyeGBVHnLedr7eqyueuFJ2PxKPhITUwbko94/FkToivbEfppc6QhdkdACrRgJ+pDFWWK JsUdDpH88dzDqDidZ8OV0dc3q1mt+kgWLq+zdoVmN2kBnamwjs1BB6IO3+UQvtCFoOBw weTb2lBmu/xn+58Je9I6OM/MagYMnMFJem0aAaunTFe+k/xaPSYd0/NLbLKRTeVvNamN +UDJ7Lo9Rv4tHpDKjKxWbmQP2V+lIdd6oUyXpvGIj6dsY1HNJ5Vc0AKzyhfnk4XIXAvl AfqA==

> I used to do that - then gave up.

Tut, no staying power, you youngsters. :)

> Up-front is NoListing.

Do you find this useful? When I researched it, much ratware was only
sending to the secondary MX on the logic that it was likely to be less
well defended.

> Next is an RBL check. Sadly I feel that total blocking based on the various
> RBL lists out there is not a good thing to do these days, so if an incoming
> connection fails the RBLs I check against, then it's plan B.

I score based on RBLs as part of a fairly comprehensive set of rules.
I disagree on some RBL policies, but there are enough around to allow
me to avoid those.

> Plan B is Greylisting.

I've done that too, then discarded it. The delay it added was
frustrating and eventually unacceptable. Some wouldn't retry for 5-30
minutes, by which time you've forgotten why you asked for that
password reset was resent and moved onto something else. I like fast
email.

> Mimedefang just flags the message as 'spammy' at that point, then it's up to
> my MUA to filter the message into the spam folder. I don't use my MUA's own
> filters, but I use procmail. This also filters messages from mailing lists,
> etc. into their own folder rather than cluttering up my inbox.

Not used mimedefang. I found procmail too much effort to maintain over time.

I don't currently use bayesian or train ham/spam. I found it nearly
always ended up being overly paranoid and flagging everything as spam.

I toyed with tarpitting for over a year too, but eventually decided
that it made sod all difference in the grand scheme of things.

> I offer this to my customers but without the hard-coded filters. Incredibly,
> some of my customers actually want email from some of the people who break
> all my own rules of sense and sensibility. Their loss.

Heh. I had somebody last week tell me their contact (at a college) had
said their email to us was being bounced. I checked and I'd added them
several years ago because they were sending "Info newsletters" at too
high a frequency and ignored our request to stop. That request came
from the same person who was asking now why they weren't getting mail
from them. :)

> Spam is manageable, but it needn't be a chore.

Don't misunderstand me, I don't spend much time on it now. Perhaps
five minutes a month changing scores based on what slips through. At
some perverse level I have some strange enjoyment about tweaking,
nudging and gradually improving - then learning what the new angles of
attack are being used and why.

It's also interesting to hear how other people tackle it - and great
that there's diversity. If we all blocked in the same way it would
make it very easy.

Sometimes it's laughable how badly written some of these ratware tools
are, - for example, this little bit in exim rejects hundreds of spam
mails a day;

      deny
      message     = Serious MIME defect detected ($demime_reason)
      demime      = *
      condition   = ${if >{$demime_errorlevel}{1}{1}{0}}

So many ratware tools use broken mime encoders. The *only* time this
fails on genuine email is when Eset, the anti-virus people, send me
our keyfile when I renew our contract - because their mailer sucks
too!

Then, when I'm done laughing at how poor the tools are, and how poor
they've been for years and years, I get sad because they don't *need*
to be clever to make money or defraud people, or trick them into
running malicious software. They are getting better, slowly, as Rob
says - but most people are trusting and believe what they read if it's
not too blatant.

Email is very old technology  - it's the shining example of something
basic that has been poked and prodded and pushed into shapes it's
really not suited for. It's inefficient, hogs bandwidth and is misused
by almost everyone who uses it. But despite decades of bodges,
kludges, mistreatment and waste, it works and is so well supported
that it'll be around for years - and so will the problems that go with
it.  After all, what's the alternative?

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq

Follow-up: Re: [LUG] Linux - viruses etc
- From: Rob Beard
Follow-up: Re: [LUG] Linux - viruses etc
- From: Kelly Jones
Follow-up: Re: [LUG] Linux - viruses etc
- From: Gordon Henderson

References:
- [LUG] Linux - viruses etc
  - From: Neil Winchurst
- Re: [LUG] Linux - viruses etc
  - From: raymond.knowles@xxxxxxxxxxxxx
- Re: [LUG] Linux - viruses etc
  - From: Simon Avery
- Re: [LUG] Linux - viruses etc
  - From: Gordon Henderson

Prev by Date: Re: [LUG] Linux - viruses etc
Next by Date: [LUG] An observation on wordpress and scripted attacks
Previous by thread: Re: [LUG] Linux - viruses etc
Next by thread: Re: [LUG] Linux - viruses etc
Index(es):
- Date
- Thread