You don't even need additional 2nd-level domains to do this, just add a 3rd-level domain for this purpose.
For instance, suppose my normal address is me@mydomain.com, but when I give out my address on websites, I use something like amazon@replies.mydomain.com. In your DNS, just set up an MX record for the subdomain. If you use sendmail, it's easy to add a mailertable entry on the final delivery server like this:
replies.mydomain.com local:myreplymailbox
Make sure replies.mydomain.com also appears in /etc/sendmail.cw, or whatever you call your file of local host names.
As a Linux consultant who works largely with mostly-Windows organizations, I find it especially difficult to find good discussions of cross-platform issues.
For instance, I'd like to get the copy of SquirrelMail I'm running on a Linux server to use the LDAP functionality of my client's MS Active Directory server. Unfortunately, as in all LDAP-related things I've tried, it's definitely not just a matter of pointing the client at the server. And, even though I can find stuff at Microsoft on things like their AD LDAP schemas, it would take me hours to learn enough about all of this to even begin trying to get it to work. All this just so we can have the directory of email addresses in AD available in SquirrelMail!
Any suggestions for good places to look on *nix+Windows cross-platform issues?
I thought SPF looked at the envelope From (i.e., the address in the Return-Path header), not the From: header in the message text. In your example the forwarded message would be coming From alumni.your.edu and would presumably be sent from one of your.edu's SPF-registered servers. Having SPF rely on the easily-forgeable From: header wouldn't make much sense.
Don't read this as an endorsement of SPF. I'm still trying to think through all the implications of such a system. But I don't think this line of criticism applies.
Many of the spams I see these days use throwaway domains or IP addresses in their URLs, so blocking by domain name seems pretty ineffective. Moreover many of the "websites" to which these spams point are actually compromised machines with proxies that refer traffic to the real site. Given that such compromised machines now surely number in the tens or hundreds of thousands, it wouldn't take much effort to construct messages that use the IP address of a randomly selected proxy in each message's embedded URLs.
Another good point. Perhaps in the future, if SPF on IP isn't enough, we could move to have mail servers automatically sign all mail that comes out of them. Check the signature with the ISP. It would be resource intensive. But if SPF doesn't do what we hope based on IP we might need to do that.
Why aren't we moving in this direction now? Why not put a public key in the TXT record for each server rather than the SPF entry? Then have servers encrypt and sign every outbound message.
Regardless of any of these technical solutions, I believe the only long-term solution is to use the "Deep Throat" approach -- Follow the Money! Prosecute the people handling the transactions end of spam. For example, one instance of a common spam I receive for (presumably) pirated software originated somewhere in Eastern Europe, was pushed through a DSL subscriber in the Netherlands, and pointed me to a web server in Brazil. However the SSL server handling transactions was in Washington, DC. Going after them makes more sense to me than trying to track down where the spam originates.
Re:You know... things just don't amaze me. on Message in a Battle · Score: 1
I believe they also used motion capture to animate the characters in the PS2 games. In FFX-2, for instance, Yuna's and Rikku's dancing seems much more naturalistic than the characters' usual body motions. Rikku even keeps time with the background music when the heroines are trying to calibrate the towers in the Thunder Plains.
When I watched FF:TSW I wondered whether human actors felt threatened. With CGI technology in its relative infancy, I can easily imagine a future where most "movies" (whatever that will come to mean) dispense with some, or even all, human actors to reduce costs.
It *was* claimed that it offers me the ability to copy the software from disk media into memory, but that was explicitly ruled not copyright infringement. Therefore, the 'contract' offers me nothing I don't already possess under copyright law.
Correct me if I'm wrong, but aren't you copying from the installation media onto the hard disk drive? Under almost any interpretation of copyright, that's making a "fixed [copy] in [a] tangible medium of expression." (17 USC 102).
Random-access memory doesn't qualify because the copy is not fixed.
If you have closed-subscription lists, why bother scanning their traffic with SpamAssassin? I do scan inbound listserver postings for viruses with MailScanner (which happens to include an SA scan in my implementation), but scanning the outbound redistributed messages seems inefficient and redundant.
I've found the best approach is to split off the scanning to a separate server. That way, I can use a highly-secure proxy server for inbound traffic on the public mail server. Inbound messages are routed to the scanning server which is also where the listserver software resides. The inbound postings are scanned and passed to majordomo, which ships the remailings back to the public server for delivery. This way I only scan each posting once when it arrives.
I've found the easiest way to implement SpamAssassin is to invoke it through MailScanner. MailScanner uses third-party virus scanners and can optionally invoke SpamAssassin as well. With the free ClamAV antivirus product, you can build a powerful open source mail scanner. Even without a virus scanner, MailScanner detects and quarantines executable attachments and other dangerous content which represent the most common types of mail-borne viruses and worms.
RedHat installs the daemonized version of SA as well as the SA Perl scripts. Using the daemon, the easiest implementation is to invoke SA in /etc/procmailrc on the mail delivery host; for mail gateways running sendmail, you need to use the milter interface. I've found the MailScanner+SpamAssassin approach much easier to configure than either of these methods, and you get virus scanning to boot!
I suspect if the reviewer had compared SA 2.60+ to the commercial products, rather than the older 2.44 version used in the review, SA would have shown better results.
I'd agree with the reviewer that one of the things SA lacks is an easy method for users to interact directly with the program. (Part of the issue has to do with security; SA runs as root. As I read the review, I wondered how the other products allow users to interact directly with the scanners without sacrificing security.)
It's not easy to maintain per-user Bayesian filtering, for instance, but I generally recommend having the mail client, e.g., Mozilla, handle these tasks.
I noticed that there is no mention in this Q&A either of other browser technologies or of Berkeley's various contributions to open source. Why isn't at least one of these questions, why did the UofC decide to patent this technology rather than donating it to the public domain? Let me see if I can guess the answer...
Am I the only one who noted that not once in this interview is the name Microsoft spoken? This despite a long discussion of Slammer and its effects. Evidently either the interviewer was given some ground rules about what kinds of topics were off-limits (e.g., "what types of operating systems are most vulnerable") or lacked the smarts to ask some pertinent questions. Given his position at Symantec, I'd guess there were some content restrictions in place.
While I'm not surprised to see no reviews of filters for OS's other than Windows and MacOS, I am a bit surprised that there was only one free filter reviewed. Is it really the case that none of the dozens of open source filters has been ported to Windows?
And why not Mozilla? Outlook Express and Apple Mail are included.
Isn't part of consumer "protection" protecting consumers from having to spend money when they don't need to?
Forty years from now, rumors will be going around... about how Bill Gates's brain has been preserved and there's a $4 billion cash account willed to the team that can successfully transplant his brain into a genetically cloned and grown body.
I understand Ted Williams's head and body have recently been separated as the initial step in the process. Samples of his DNA have also been taken just in case the frozen parts don't last until Bill needs them.
The Direct Broadcast Satellite Service, despite its name, is not regulated as a "broadcaster" but as a private, fixed service. DBS is considered a direct, point-to-point connection between the satellite and each end user, not a free-for-all broadcast service like regular VHF/UHF television or AM/FM radio. (Indeed I believe it's regulated not by the FCC's media branch which governs broadcasting, but by its wireless branch which covers all sorts of things like fixed microwave, etc.)
In the early days of satellite-delivered cable TV, many people bought backyard satellite dishes (those 5-20m diameter ones) and intercepted the transmissions of programming to cable operators. My understanding is that this remains legal today, but only if the signal is not encrypted. The same holds true for DBS signals; you can intercept the encrypted signal, but decrypting it without the authority of the sender is illegal.
Any system that enables you to produce an officially-certified receipt indicating for whom you've voted opens up the system to fraud. Vote buyers, for instance, would be able to confirm that the votes they purchased had indeed been cast for the correct candidate. Receipts that display actual voting preferences undermine the concept of a secret ballot; we might as well all just raise our hands.
As a result we can only provide paper receipts that indicate whether you voted. I don't know how well these receipts would answer people's desire for a parallel paper trail that could be audited.
What's to stop Google from putting a bunch of computers in an office somewhere in China and having them traverse the network? It's not like they have to have their IPs reverse resolve to some googlebot domain name.
I realize that the Chinese government has a lot of control over foreigners' activities, but this just doesn't seem that hard a problem. You could put them all behind somebody's firewall, or put them in a bunch of different locations.
Does anyone know about connectivity between Hong Kong and the mainland? Can mainland Chinese surf sites in Hong Kong?
I can't speak to the storage tanks issue, but as to child support, the state^H^H^H^H^HCommonwealth has become fairly aggressive in enforcing support payments from delinquent parents. See this page for more details.
I use a similar strategy to filter out spam, though I don't require all sending servers to match the SMTP MAIL FROM: header. Instead I apply these rules to a limited number of domains which are commonly forged by spammers like aol.com, msn.com, excite.com, yahoo.com, etc. In cases where the MAIL FROM claims the message is sent from joe323529@msn.com, but it doesn't come from an MX host in the msn.com domain, I reject it. This avoids the problem described by some other posters who forge their From headers for a good reason.
By the way, I use the old, but reliable, secure smtpd daemon from Obtuse. Among other security features, it has an excellent rule-based language to filter messages during the SMTP exchange.
Most of the (smaller) health care providers I've spoken with on this issue are more concerned about communications between providers and patients. Do you expect every possible e-mail service provider to adopt this system? Perhaps you can convince some of the big players like Hotmail or AOL, but I can't see this being adopted by ISPs everywhere.
While I'd agree that a large chunk of health communications are between providers (e.g., a general practitioner and a medical specialist), in the future more and more patients are going to want to communicate with their doctors via e-mail. Any solution that requires either the patients or their ISPs to install a new messaging protocol won't go far, IMHO.
I'm surprised that no one appears to have commented on what is perhaps the most remarkable item in the NYT piece:
Last week, AT&T Comcast, which is to receive about $38 a month from America Online for every high-speed AOL customer served by its cable lines, seemed to have gotten the better part of the deal.
I guess!
Where is this money to come from? Is the cable operator supposed to charge, say, $49/month for AOL Broadband, keep $38, and pass through $11? Since ATT Broadband already pockets some $39-49 per month (depending on how it's packaged with cable TV and digital telephony) for my cable internet service, where is the incentive for the cable operator? And, what happens when competition from other providers (DSL, MSN BB, 802.11ab, etc.) drives down the price of broadband? Will AOL's margins be squeezed? The cable operators will be loath to give back any of that $38. So where will all that money come from to finance these new, exclusive high-quality content services that AOL/TW will supposedly be supplying?
Remember, too, that current cable television services are based on precisely the reverse business model -- cable operators pay the programming services, not the other way around. The article itself points out that ESPN collects about $2 per subscriber per month. Fees collected for premium services like HBO are typically split 50-50 between the local operator and the service provider. So the article's claim that this is just AOL/TW playing the traditional cable game isn't true to the facts, either.
So where does AOL think all this money is coming from? Advertising revenues? E-commerce transactions? Not bloody likely!
My mail server, supporting a small number of domains, uses a variety of tools to block spams including querying the various online databases like relays.osirusoft.com and friends. However I also wrote a simple set of rules that, for a selected list of widely exploited domains, requires that the sending server be in the domain from which the mail is allegedly sent. So, for instance, a message claiming to be from "joe921852@hotmail.com" is only allowed if it originated on a server in the hotmail.com domain.
Remarkably this simple solution has cut our inbound spam enormously. Last week we blocked about 4,000 messages and allowed 10,000. Probably another good chunk of the remaining messages are spams, too.
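The rule described in the comment above, sketched as an added example that is not part of the original comment and not the commenter's own rule set. The function names and the contents of the protected list are assumptions, and the caller is assumed to pass in a forward-confirmed reverse DNS name for the connecting client (or None when there is none).

```python
# Added example: the "sending server must be in the claimed domain" rule,
# applied only to a short list of commonly forged domains.

# Assumption: illustrative list; the names are taken from the comments on this page.
PROTECTED_DOMAINS = {"aol.com", "msn.com", "excite.com", "yahoo.com", "hotmail.com"}


def normalize_host(name):
    """Lower-case a DNS name and drop surrounding space and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def host_in_domain(host, domain):
    """True if host is the domain itself or a name underneath it.

    The leading dot matters: "mail.evilhotmail.com" must not match "hotmail.com".
    """
    return host == domain or host.endswith("." + domain)


def envelope_domain(mail_from):
    """Return the domain of an SMTP MAIL FROM argument.

    Returns None for the null sender "<>" (used by bounces) and "" when the
    address has no usable domain part.
    """
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1].strip()
    if not addr:
        return None
    _local, at, domain = addr.rpartition("@")
    return normalize_host(domain) if at else ""


def check_sender(mail_from, client_host):
    """Decide whether to accept a MAIL FROM, returning (action, reason).

    client_host must be a name the receiving server has verified itself
    (reverse lookup of the client IP, then a forward lookup that returns the
    same IP). A bare PTR record is controlled by whoever owns the IP block.
    """
    domain = envelope_domain(mail_from)
    if domain is None:
        return ("accept", "null sender")
    if not domain:
        return ("reject", "malformed sender address")

    # Only senders inside a protected domain are held to the rule.
    protected = next((d for d in PROTECTED_DOMAINS if host_in_domain(domain, d)), None)
    if protected is None:
        return ("accept", "domain not on the protected list")

    if not client_host:
        return ("reject", "no verified host name for a %s sender" % protected)
    host = normalize_host(client_host)
    if host_in_domain(host, protected):
        return ("accept", "client is inside %s" % protected)
    return ("reject", "client %s is outside %s" % (host, protected))


if __name__ == "__main__":
    # Constructed SMTP sessions: (MAIL FROM argument, verified client name).
    sessions = [
        ("<joe921852@hotmail.com>", "mx1.hotmail.com"),
        ("<joe921852@hotmail.com>", "dsl-42.example.net"),
        ("<joe323529@msn.com>", "mail.evilmsn.com"),
        ("<joe323529@msn.com>", None),
        ("<me@mydomain.com>", "dsl-42.example.net"),
        ("<>", "mx.example.org"),
    ]
    for mail_from, client in sessions:
        print(mail_from, client, "->", check_sender(mail_from, client))
```

Senders outside the protected list pass untouched, which is what lets people who legitimately send with a different From address keep working.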
I was curious to see whether there was any discernible hiccup in Internet service as a result of the feared revival of Code Red. A quick trip to Matrix.net's average performance page suggests not. A quick glance at the graph for the past twenty-four hours shows a dip early this morning, but once you look further down at the weekly or monthly graphs, you see that today's blip is not much larger than ones seen at the end of July when the worm was supposedly sleeping.
What I find more remarkable is the poor performance of the root name servers. They drop something like 20% of all the packets they receive from the testing servers!
Server-based solutions to content filtering on Clever Girl Bess · Score: 1
Some years back a few people kicked around the idea of establishing an Internet standard for content monitoring that relied on filtering servers around the Net. Conforming Web browsers would include the ability to subscribe to one or more of these servers to determine which URLs to block. People could then choose servers from organizations whose filtering policies mirrored their belief systems. So if I'd like to block my child's access to sites that depict naked women in bondage, I might subscribe to a server hosted by something like Planned Parenthood, knowing that they wouldn't block access to information on breast cancer research just because it includes the word "breast".
There are some obvious problems with this approach, of course. How would people find out which servers are available? Would browser makers be pressured into making certain, presumably stringent, servers the default? How could parents keep their kids from overriding the browser's defaults? Etc. Yet, given how well this approach fits with the fundamentally decentralized structure of the Internet, I'm surprised the idea didn't go further. Perhaps those of you suggesting an open-source filter might think about developing for this alternative instead.
All my mail servers use the Obtuse smtpd proxy to listen on port 25. The proxy runs as an unprivileged user (usually uucp) in a secure chroot jail. A daemon process collects mail from the secure directory and hands it to sendmail for delivery. The Obtuse proxy has a number of other nice features like rules to prohibit relaying, block spammers, etc. It can also use the RBL and ORBS for more robust spam blocking if you like.
Paul Vixie stated on bind9-workers that the ISC coding staff is working on changes to bind to fix this as we speak. See his comment here.