This is just a lightweight SMTP server which takes over anyone who is SPEWS listed and rejects them. A decent server like Postfix + amavisd & SpamAssassin will already do this with little overhead.
More reinvention of the wheel, I fear.
Platform [In]dependence (by GeckoFood, Score: 3, Interesting)
The author states that it's for OpenBSD. Any clue if he plans to port it to other flavors of Unix, such as Solaris, HP-UX, Linux, IRIX, etc? This sounds like a useful honeypot tool; I would be curious to see how well it works in actual production (translation -- I'd like some stats).
-- Be excellent to each other. And... PARTY ON, DUDES!
Re:Spews = /m\ (by General_Corto, Score: 2, Interesting)
Perhaps because SpamCop is overzealous to the point of stupidity?
Quite frankly, Julian Haight comports himself like a True Asshole. Admittedly, Theo can be rather terse himself, but he generally doesn't cause innocent third parties distress while attempting to achieve his goals.
Re:Spews is NOT the right way to filter e-mail. (by Anonymous Coward, Score: 1, Interesting)
I agree with you in principle. But in practice, this seems to be the ONLY way to get the attention of upstream IP providers. C&W seems to consistently ignore valid/documented spam complaints. Maybe when enough of their customers can't get email delivered they will take some notice?
Re:Good concept - quality of execution pending (by tmark, Score: 3, Interesting)
the only way we are going to convince them to clean up their act is to waste _their_ disk space, their time, and their network bandwidth more than they waste ours.
To me, this seems exactly the right strategy, although how well it works in practice will be interesting to watch.
To me, this is about as hypocritical a strategy I can imagine. If something is wrong, it's wrong.
Offending Mail servers? (by nurb432, Score: 0, Interesting)
What if the headers are totally faked? Does that mean you fill up innocent people's mail servers?
Wouldn't that constitute a DoS attack and be illegal (immoral at the least) in either case?
I hate spam as much (or more) than the other guy... but if you stoop to their level you are no better.
Can anyone explain why you wouldn't just use SpamAssassin?
Once the spam is in your system then your bandwidth, disk space and other resources have already been consumed by the spammer. This prevents the spam from ever coming into your network and puts the burden of the load back on the spammer's shoulders.
Damn fine work.
-- Trolling is a art,
Re:Spews is NOT the right way to filter e-mail. (by Tucan, Score: 2, Interesting)
The theory behind the SPEWS approach is at least interesting, but why don't the maintainers validate it? The SPEWS maintainers have the data available from their spam traps. If SPEWS is wonderful (with whatever number of asterisks) then the presence of a particular IP address in the database should have a high positive-predictive value. IOW, for any given IP in the database, what is the probability that it truly represents a source or supporter of spam over time? How about data instead of zeal?
Re:Spews is NOT the right way to filter e-mail. (by jamie, Score: 5, Interesting)
"Spews is EVIL... Please take a look at http://www.antispews.org"
Thanks for the link. I'll confirm that Spews is not the way to go. Well, it depends on whether your goal is to block spam for your users, or just to piss people off.
If you're a network admin and you want to block spam for your users, try something else.
If you just want to piss people off, Spews is great. My personal mail server (very kindly hosted for me for free on a friend's network) was put on Spews' blacklist. My server has never in its lifetime sent a single spam, of course. But Spews had found four (count 'em) examples of spammer websites (not spam-sending machines) on the IP blocks owned by the people who my friend bought access from, twice removed. Because of these four claimed spam websites, Spews put FOUR CLASS A's on their list.
That's right -- a quarter-million IP numbers were blocked because they didn't like the policies at four IP numbers.
Wait, did I say four? When I checked up on them, two had already moved to other providers, one I couldn't find, and only one was still there. So my server, and a quarter-million others, were being blocked because the Spews people disagreed with one solitary website. Hosted by a company that I have no relationship with.
It goes without saying that attempts to get my server whitelisted failed.
And I do question the value of their blocking my mail server. Like I said, I was being hosted for free just because I have helpful friends... my moving to another network actually saved them money!
Somehow, I think most net administrators, if they knew that Spews' purpose was political and not technological, would be less likely to use it. There are plenty of other blacklists out there. What are the good ones that don't hijack your networks to apply political pressure?
Re:Spews = /m\ (by PacketMaster, Score: 4, Interesting)
And spews doesn't? Spews randomly blocked a consulting company's netblock I worked for part-time simply because our block was next to a "known spammer's" block. When they politely asked to be removed and pointed out that according to their own evidence file their netblock had nothing to do with spam, they were met with very hostile responses and told to essentially ditch their telco provider because they'd never unlist anyone. They admitted that they simply block IPs in a form of "collateral damage" because they feel like it, to hurt legitimate businesses so they flee their network provider. Look at antispews.org for more info on their flagrant abuses and why you shouldn't use spews.
... generally doesn't cause innocent third parties distress while attempting to achieve his goals.
Using spews is going to cause third-party distress.
-- Some people take their .sig way too seriously
Re:big difference: not just rejecting mail (by dskoll, Score: 3, Interesting)
My product CanIt can tempfail mail also. However, it can be dangerous, because you tend to get a big increase in SMTP connection attempts. If you can tempfail early (as Theo's scheme does), it's not so bad.
Our stats, however, show that most spam does not come from open relays any more. With the advent of cheap broadband, I'd say a lot of spam comes directly from DSL or cable-modem machines. Some comes from Web servers with broken formail scripts, and some from legitimate non-open relays that are abused by subscribers. Only the minority comes from open relays nowadays.
Re:I'm Disappointed (by Diabolical, Score: 3, Interesting)
Also, this new spam program retaliates and the law is very nasty about vigilantism and retaliation,
The law has nothing to say over this. I'm at total liberty to block access to my site for whoever I want to block. If I block others in the process then that is their problem solely and not that of the lawmakers. Basically you're stating that just because I have an email address I am not allowed to decide who may and who may not send me email.
The retaliation you're mentioning is just a message that is being sent back to the spammer, who as a result has a lot of error messages in his mailbox, if they used a valid email address that is.
WHEN BAYESIAN TECHNIQUES ARE USED AT THE ISP END hint hint...
Now there's a statement i can live with..;-)
rblsmtpd + spamassassin (by Gothmolly, Score: 4, Interesting)
Works great for me, thank you DJB! Here's a summary of the spamhouses I've blocked (with a 553 error code) over the past few hours. These never even touch spamassassin.
formulatedmail.com
3.stanfordintl.com
mail.dmx4.com
mtsbp512.email-deliveries.net
200-206-207-206.terra.com.br
mail16.justforyou-mail.com
passionup.com
64.70.22.99-outbound1.lamailer.com
209.236.32.
216.19.164.127-127.opti9.com
65.126.119.178
64.201.128.3-netblock-64-201-
66.216.111.187-mail213.rm23.com
63.96.237.154
216.109.73.35-om40.yourmailsoure.com
211.90.19
204.73.107.103-
209.189.49.102-
209.123.1
216.19.163.204-204.sbase30.co
63.70.105.139-ntls1.digitalriver.com
66.197.16
209.47.251.15-smtp5.rapid-e.net
209.236.57
202.103.64.43-
66.216.116.78-mail153.myfunsleuth.com
65.107.19
209.213.210.18-mailer18.labeldaily.com
20
66.216
64.119.213.95-
66.216.107.233-mail233.dealdelivery
-- I want to delete my account but Slashdot doesn't allow it.
Re:Spews is NOT the right way to filter e-mail. (by MrDingusMcGee, Score: 3, Interesting)
They block IPs based solely on the fact that your upstream provider hosts, or has hosted in the past, someone the SPEWS "admins" (and I use that term loosely) believe to be spammers.
As a sysadmin for an ISP I can assure you that this is absolutely the case. There is no human contact at Spews, the entire system is automated. Which means that when their system is alerted to a "spammer" within a particular class C, that entire class C is quickly blocked by thousands of misinformed SAs who don't understand that they are in the process going to block legitimate emails that the people within their network have every right to receive.
Blocking large blocks of class Cs, just because someone happens to share IP space with an alleged spammer is the WRONG way to filter spam.
A hosting provider should be responsible for the domains they host. But there is rarely anything a provider can do to pre-emptively stop a spammer. Just recently, my company signed up a new company for Co-Location. Within a week, this company sent out a huge spam mailing. The moment we saw spam complaints come in we called the company and demanded proof that their mailing list consisted solely of opt-in addresses. They had no proof and their contract was immediately terminated for violating our Acceptable Use Policy. However, at this point our entire class C (housing our main mail server for hundreds of websites and ten times that many individual email clients) was listed in SPEWS database. Apparently this company had, in the past, under a different name, been blacklisted as a spammer. We were now added to the list of their hosting providers and could not, despite our best effort, contact a single human at SPEWS to explain our situation. As a result, for over 3 weeks, thousands of mail servers were rejecting our clients' mail as coming from a spam-server.
I ask you, how does that make the internet a better place?
Spam is a waste of bandwidth, of time, and it's insanely annoying, as a sysadmin I realize that as much as anybody (except maybe Alan Ralsky). But SPEWS is a horrible "solution" to the problem. Too many misinformed sysadmins use SPEWS at the expense of those who use their network.
-- My Sig is Sauer.
Interesting, but here's an extra twist (by wowbagger, Score: 5, Interesting)
I won't go into the validity of using SPEWS as a blocklist - there are good arguments pro and con there.
But here's a twist to the basic idea:
Given that the email sender is in $BLOCKLIST, have the filter daemon give the 450 response v... e... r... y... s... l... o... w... l... y...
Combine a teergrube with the 450 response to fill up both their mail spool AND their socket connection table.
(For those who don't know, a teergrube (tarbaby) is a mail server that responds slowly to a spammer, the better to tie up his connections).
Now, not only will the open relay's mail queue fill, but it will run out of (file descriptors|sockets) and choke on that too!
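The posts above argue about three mechanical choices without showing them: looking the connecting client up in a DNS-based blocklist (what rblsmtpd does with its 553), answering a listed client with 450 instead so the relay queues and retries, and avoiding the collateral damage of whole-netblock listings that several posters complain about. Here is that decision logic in Python as an added example; it is not code from the thread, from rblsmtpd or from Theo's daemon. The zone name bl.example.test, the allowlist networks, the listed addresses and the in-memory resolver are all constructed so the module runs offline; a real deployment would resolve the query name with DNS.

```python
"""DNSBL lookup with a local allowlist, choosing between a 450 tempfail and a
553 reject. Added example, not code from the thread or from any of the tools
it mentions. All names and addresses below are constructed."""
import ipaddress
from typing import Callable, Optional, Tuple

DNSBL_ZONE = "bl.example.test"  # hypothetical zone, not a real blocklist

# Constructed allowlist: networks whose mail is accepted even when a DNSBL
# lists them. This is the local defence against netblock-wide listings that
# take out legitimate neighbours of a spammer.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]

# Constructed DNSBL contents, keyed by the reversed-octet query name. Real
# lists answer a listed query with an A record inside 127.0.0.0/8.
FAKE_DNSBL = {
    "9.113.0.203.bl.example.test": "127.0.0.2",   # a listed "spam source"
    "7.100.51.198.bl.example.test": "127.0.0.2",  # listed, but allowlisted locally
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver: the A record for a listed name, None for NXDOMAIN."""
    return FAKE_DNSBL.get(name)


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the octets and append the zone: 203.0.113.9 -> 9.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, resolve: Callable[[str], Optional[str]], zone: str = DNSBL_ZONE) -> bool:
    """Listed if the query resolves to an address in 127.0.0.0/8 (the DNSBL convention)."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")


def is_allowlisted(ip: str) -> bool:
    """True if the client address falls inside any locally trusted network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in ALLOWLIST)


def smtp_verdict(ip: str, resolve: Callable[[str], Optional[str]],
                 tempfail: bool = False, zone: str = DNSBL_ZONE) -> Tuple[Optional[int], str]:
    """Decide what to tell a connecting client.

    Returns (None, reason) when the session proceeds normally, otherwise the
    reply code to send: 450 (temporary; the client queues the message and
    retries later) or 553 (permanent; the client bounces it to the sender).
    The allowlist is consulted first so a local decision beats a remote listing.
    """
    if is_allowlisted(ip):
        return None, "accept (local allowlist)"
    if not is_listed(ip, resolve, zone):
        return None, "accept (not listed)"
    if tempfail:
        return 450, f"4.7.1 {ip} is listed in {zone}; try again later"
    return 553, f"5.7.1 {ip} is listed in {zone}; message rejected"


if __name__ == "__main__":
    for client in ("203.0.113.9", "198.51.100.7", "203.0.113.10"):
        for policy in (False, True):
            print(client, "tempfail" if policy else "reject", smtp_verdict(client, fake_resolve, tempfail=policy))
```

The order of the checks is the point: the allowlist runs before the DNSBL query, so a listing that covers an entire /24 or larger does not silently drop mail from hosts you already know. The 450 path shifts queue cost onto the sending relay, which is what the thread wants, but as dskoll notes it also brings repeated connection attempts back to your own server; the 553 path ends the exchange and lets the relay bounce the message to its envelope sender.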
Re:SPEWS is necessary & effective at hurting s (by binner1, Score: 5, Interesting)
At my last job, that is exactly the conversation I had. My boss said: We get too much spam here, do whatever it takes to stop it. I said: Sure, I'll have qmail do some rbl polling before accepting mail. Worked great for about a month...cut roughly 50% of the spam that network received. Then, boss says: Why can't I get email from ebay seller X? I say: Oh he's rbl'd...we don't take mail from there. He says: Ok, turn off the rbl.
After that, I turned on my own bayesian filtering and said F the rest of the network/users.
I don't see how it's wrong to send it back to the open relay. They are saying, "Here, have this," and you are just replying, "Not right now, thanks." That's perfectly valid use of SMTP codes. It's not like you launch an attack every time you get email from these relays, you're just telling them you don't want it right now. The idea is just to take the pain of SPAM away from the user and give it to the ones responsible (to some extent) for it. The open relays caused it, they should deal with it.
SPEWS Is Not An Open Relays List (by Anonymous Coward, Score: 3, Interesting)
Between Theo's erroneous statements, implying that SPEWS is a list of open relays, and some of the whiners in here bitching about "don't use SPEWS because they're too aggressive," I thought it would be handy to note a couple of things.
SPEWS is not a list of open mail relays. SPEWS (Spam Prevention Early Warning System) is a list of "spam sources." Some of those spam sources may be open relays. Some of 'em may be open proxies. Some of 'em may be spammers themselves (e.g.: Topica).
Regarding those that have found yourselves SPEWSed, yet are not, themselves, spammers: I'm sorry you've found yourselves in that situation. But, you see, kinder, gentler methods have been tried for years and have not solved the problem. It only continued to grow worse. And whether you like it or not: SPEWS works. I've never, in all the years I've been battling spam, ever seen ISPs boot spammers off their networks like I have since their netblocks started getting SPEWSed. You blame SPEWS for your problems but the truth of the matter is this: you've chosen to use an irresponsible ISP for your connectivity. If your ISP had been responsive to spam complaints, their netspace wouldn't have gotten SPEWSed.
Note: my personal net space was SPEWSed once. For a short while. But my ISP is a good one. They addressed the problem promptly and got their space delisted.
No stooping involved (by LinuxGeek, Score: 3, Interesting)
This is mainly intended to prevent open (poorly configured) email servers from being used as relays by spammers. The open server's disk space being gobbled up by causing them to spool the relayed email will certainly get the admin's attention. This will shift the problem away from servers that receive the email and onto the open relay which lets the spammers spam us with no easy way to trace the mail. The problem with tracing the email is that the poorly configured relay server is maintained by someone that usually ignores the emails asking them to close their smtp setup or to please examine their logs and let us know who was using them as a relay.
I think your sympathy is misplaced due to a lack of understanding of what allows the spammers to keep sending us all of those wonderful offers. If they don't have access to open relays, then they either have to keep moving their spamming servers when accounts are terminated or buy bandwidth off the backbones directly from qwest, AT&T, worldcom, etc... Either way, the spammers' costs go up.
Do you feel bad for the people you hear about in the news that get charged with maintaining a dwelling for criminal purposes when they leave an empty house to be overrun with drug users? The same principle is involved here.
-- Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
it looks like nobody understands the concept here (by honold, Score: 3, Interesting)
the point is to punish open relays, not to block spam. the mail has to be retried for days, wasting network bandwidth and space.
if a significant number of people were to employ this, open relays would become crushed and filled with their own load.