Slashdot Mirror


Spam Blocking Engine for OpenBSD

mkeke writes "In a post over at OpenBSD Journal, Theo states that he has written a spam blocker that works with pf and Spews. It looks darn cool :)"

14 of 278 comments

  1. 550? 450? by Habbie · · Score: 5, Informative

    I assume he means a 450 reply, not a 550? 550 won't make the message stay in the queue, 450 will.

    1. Re:550? 450? by edgarde · · Score: 5, Informative
      450 says there's still a mailbox there. 550 says not found. Here's a list of SMTP codes.

      Incidentally, the code actually has a command line option to choose between 450 and 550.

  2. Spews = /m\ by joeszilagyi · · Score: 5, Insightful

    Why even bother with Spews? Why not Spamcop, who doesn't block half the planet?

    --
    Dude, where's my packet?
    1. Re:Spews = /m\ by Just+Some+Guy · · Score: 5, Insightful
      Your company was paying that ISP. Thus it was also supporting spam.

      I understand the principle involved, and admit a fair bit of sympathy for that point of view. However, for some of us, switching ISPs isn't a luxury we have. I live in a small Midwest town. My options are:

      • DSL/wireless via the local dominant ISP
      • DSL via MSN
      • Cable modem
      • Dialup via one of those "unlimited access for only $6.95!!!!" companies
      Out of that list, the first option is the only one viable for hosting servers, since the rest either block service ports, have onerous TOS contracts, or just aren't serious connections.

      Say that I discover that the local ISP (which has probably a 98% market share here) has some customers with open relays. What do I do? Buy a T1 and contract with Qwest, or get out of online business altogether?

      In practicality, I don't have the option to switch, regardless of my ISP's policies.

      Fortunately, the provider is run by a great set of people, and employs several real system administrators, so I don't really have to worry about this hypothetical problem. That's a Good Thing, because I'm pretty well stuck where I am.

      --
      Dewey, what part of this looks like authorities should be involved?
  3. Re:difference by bconway · · Score: 5, Informative

    SpamAssassin is nothing more than an advanced filter. This stops the spam before it gets to you and fills up the offending mail server's disk space with it.

    --
    Interested in open source engine management for your Subaru?
  4. Spews is NOT the right way to filter e-mail. by Sturm · · Score: 5, Informative

    Spews is EVIL. Plain and simple. They block IPs based solely on the fact your upstream provider hosts or has hosted in the past, someone the SPEWS "admins" (and I use that term loosely) believe to be spammers. It is impossible to get off their list and if you are a customer of C&W you probably have IP space being blacklisted by them. Blocking large blocks of class Cs, just because someone happens to share IP space with an alleged spammer is the WRONG way to filter spam.
    Please take a look at http://www.antispews.org for more information before using SPEWS.

    1. Re:Spews is NOT the right way to filter e-mail. by jamie · · Score: 5, Interesting
      "Spews is EVIL... Please take a look at http://www.antispews.org"

      Thanks for the link. I'll confirm that Spews is not the way to go. Well, it depends on whether your goal is to block spam for your users, or just to piss people off.

      If you're a network admin and you want to block spam for your users, try something else.

      If you just want to piss people off, Spews is great. My personal mail server (very kindly hosted for me for free on a friend's network) was put on Spews' blacklist. My server has never in its lifetime sent a single spam, of course. But Spews had found four (count 'em) examples of spammer websites (not spam-sending machines) on the IP blocks owned by the people who my friend bought access from, twice removed. Because of these four claimed spam websites, Spews put FOUR CLASS A's on their list.

      That's right -- a quarter-million IP numbers were blocked because they didn't like the policies at four IP numbers.

      Wait, did I say four? When I checked up on them, two had already moved to other providers, one I couldn't find, and only one was still there. So my server, and a quarter-million others, were being blocked because the Spews people disagreed with one solitary website. Hosted by a company that I have no relationship with.

      It goes without saying that attempts to get my server whitelisted failed.

      And I do question the value of their blocking my mail server. Like I said, I was being hosted for free just because I have helpful friends... my moving to another network actually saved them money!

      Somehow, I think most net administrators, if they knew that Spews' purpose was political and not technological, would be less likely to use it. There are plenty of other blacklists out there. What are the good ones that don't hijack your networks to apply political pressure?

  5. big difference: not just rejecting mail by agshekeloh · · Score: 5, Informative

    It doesn't reject messages. It defers them forever, telling the open relay to "try again later."

    This tool is a weapon against open relays. The goal is to fill up the open relay's hard drives by deferring the incoming mail, rather than just rejecting the messages.

    Yes, you can do this with other blacklists as well, but nobody seems to be actually doing that.
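
Added example (not part of the original thread, and not the code of the tool being discussed): a small simulation of the 450-versus-550 point made in comments 1 and 5, showing what each reply does to a sending MTA's queue. The function names are hypothetical and the blocklist uses constructed documentation ranges.

```python
import ipaddress

# Constructed blocklist: RFC 5737 documentation ranges, not real listings.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.64/26")]

def receiver_reply(client_ip, reject_code=450):
    """Reply code a blocklist-aware receiver gives to a connecting client."""
    if reject_code not in (450, 550):
        raise ValueError("reject_code must be 450 or 550")
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in net for net in BLOCKLIST)
    return reject_code if listed else 250

def sender_action(code):
    """What a standards-following sending MTA does with a reply (RFC 5321)."""
    if 200 <= code <= 299:
        return "delivered"
    if 400 <= code <= 499:
        return "deferred"   # transient failure: message stays queued for retry
    if 500 <= code <= 599:
        return "bounced"    # permanent failure: message leaves the queue
    raise ValueError(f"unexpected reply code {code}")

def simulate_sender(client_ip, messages, queue_runs, reject_code):
    """Return (messages still queued, delivery attempts made, bounces)."""
    queue, attempts, bounces = list(messages), 0, 0
    for _ in range(queue_runs):
        remaining = []
        for msg in queue:
            attempts += 1
            action = sender_action(receiver_reply(client_ip, reject_code))
            if action == "deferred":
                remaining.append(msg)
            elif action == "bounced":
                bounces += 1
        queue = remaining
    return len(queue), attempts, bounces

if __name__ == "__main__":
    msgs = ["m1", "m2", "m3"]
    for code in (450, 550):
        print(code, simulate_sender("192.0.2.25", msgs, 5, code))
```

A real MTA also expires deferred mail once its queue lifetime runs out, which this sketch leaves out.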

  6. It thought it was spam though by neurostar · · Score: 5, Funny

    ...doesn't block half the planet?

    I thought half the email on the planet was spam though!

    :)

  7. SPEWS is necessary & effective at hurting spam by Charles+Dodgeson · · Score: 5, Insightful
    Time and again we see case after case of some provider that
    1. Let some customers spam
    2. ignored abuse complaints
    3. did nothing while that particular spammer's IP was listed.
    4. Only took action against a spammer when the SPEWS listing expanded to include non-spamming customers
    5. Whinged that SPEWS was unfair and not the right way to do things
    Every day SPEWS proves itself necessary and effective at getting otherwise unwilling providers to remove their spammers. Note that SPEWS uses an escalation process. The provider has to ignore complaints for a while to have the IP range expanded to include non-spammers.

    If you can suggest something that is half as effective at raising the cost for spammers as SPEWS, please suggest it. SPEWS forces providers to decide whether they want to host exclusively spammers or host exclusively non-spammers.

    But if your goal is merely to filter spam (making life easier for the spammers) then you are right. SPEWS is not the way to do that.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  8. Re:difference by grub · · Score: 5, Interesting


    Can anyone explain why you wouldn't just use SpamAssassin?

    Once the spam is in your system then your bandwidth, disk space and other resources have already been consumed by the spammer. This prevents the spam from ever coming into your network and puts the burden of the load back on the spammer's shoulders.

    Damn fine work.

    --
    Trolling is a art,
  9. Re:SPEWS is necessary & effective at hurting s by jamie · · Score: 5, Insightful
    "If you can suggest something that is half as effective at raising the cost for spammers as SPEWS, please suggest it. SPEWS forces providers to decide whether they want to host exclusively spammers or host exclusively non-spammers."

    First of all, I don't think most network administrators -- or their bosses -- know what they're getting into when they use Spews to police their network. If you are an admin who signs your company up for it, be prepared to have this conversation:

    Boss: Hey, can you check to see if there's some kind of network trouble. I haven't gotten a reply email from a client in three days.

    You: (after checking) Ah, that mail server is spam-friendly, we reject their mail.

    Boss: (confused) They're not a spammer, they're our best client.

    You: No, but they buy bandwidth from someone who buys bandwidth from someone who...

    Boss: What?

    You: We're using SPEWS, which is the most effective tool at stopping spam around the world! It forces providers to decide whether...

    Boss: I don't give a damn, you work for me, not people around the world. Your job is to make the email work, not be a do-gooder. You may have cost this company a contract. Now get the damn mail working and tell me how many times you bounced my client's mail so I can decide whether you still have a job.

    And -- you think Spews is effective? After being put on their list I had a grand total of one person unable to receive my mail. I have a dozen other people using my server to send and receive mail to hundreds of people, and according to my logs, among all of us, the sum total of people who couldn't get our email was two. That's the most pitiful boycott I've ever seen.

  10. Interesting, but here's an extra twist by wowbagger · · Score: 5, Interesting

    I won't go into the validity of using SPEWS as a blocklist - there are good arguments pro and con there.

    But here's a twist to the basic idea:

    Given that the email sender is in $BLOCKLIST, have the filter daemon give the 450 response

    v... e... r... y... ... s... l... o... w... l... y...

    Combine a teergrube with the 450 response to fill up both their mail spool AND their socket connection table.

    (For those who don't know, a teergrube (tarbaby) is a mail server that responds slowly to a spammer, the better to tie up his connections).

    Now, not only will the open relay's mail queue fill, but it will run out of (file descriptors|sockets) and choke on that too!

  11. Re:SPEWS is necessary & effective at hurting s by binner1 · · Score: 5, Interesting

    At my last job, that is exactly the conversation I had. My boss said: We get too much spam here, do whatever it takes to stop it. I said: Sure, I'll have qmail do some rbl polling before accepting mail. Worked great for about a month...cut roughly 50% of the spam that network received. Then, boss says: Why can't I get email from ebay seller X? I say: Oh he's rbl'd...we don't take mail from there. He says: Ok, turn off the rbl.

    After that, I turned on my own bayesian filtering and said F the rest of the network/users.

    -Ben