Spam detection & rejection
- From: John Summerfied <debian herakles homelinux org>
- To: "Red Hat Enterprise Linux 4 (Nahant) Discussion List" <nahant-list redhat com>
- Subject: Spam detection & rejection
- Date: Wed, 13 Jul 2005 11:02:08 +0800
This Q isn't specific to Nahant, but otoh there are probably a few
thoughtful souls here with useful thoughts and opinions on the topic,
and the volume of email isn't so great as to cause those thoughtful ones
to skip over lots of stuff.
I see two main ways "chicken bone" spammers garner email addresses:
1. Scan usenet, web sites and email lists (how many are subscribed here
to harvest email addresses?) and collect addresses that way.
2. Enumerate likely addresses such as
{bob,paul,john,susan,suzanne} example com
The first is susceptible to harvesting some spambait addresses such as
those in my sig.
The second one I can spot by manually perusing logs (or better, logwatch
summaries) for bounces.
So far, most attention I've seen for blocking spam has centred on black
lists, some free some not. Maintaining these lists necessarily involves
some delay while reports are evaluated and updates created. Then there
are ideas such as grey-listing, teergrubbing (spelling?), sender-id and
such.
I have a new idea I'd like to bounce off the aforementioned Thoughtful Ones.
On a Debian box or two that I maintain I use a package called
pop-before-smtp which is basically a configurable Piece o Perl that
peruses mail logs looking for POP and IMAP logins. When it finds one it
adds an entry to a hash (which it expires half an hour or so later).
I have configured postfix to use this hash to help decide whether sites
external to ours (eg staff at home or roaming the world) can send mail
through our servers.
It seems to me that this same technique can be used to detect attempts
to send email to non-existent accounts (we don't have susan or suzanne)
or which fail spamassassin tests and block the source for a day or so.
I particularly do not want to hear from anyone who emails
1aaaaaaa computerdatasafe com au - one try and two days in the sin bin
seems fine to me, and I don't see a good reason to treat anyone who
emails john example com any better; I have several email addresses at
various domains and none of them is john so anyone trying that's clearly
fishing.
Thoughts anyone? In particular, is this a Bad Idea? Can the idea be
improved?
--
Cheers
John
-- spambait
1aaaaaaa computerdatasafe com au Z1aaaaaaa computerdatasafe com au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
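
The log-watching idea described in the message above, as an added example that is not part of the original post: it scans Postfix smtpd log lines for unknown-recipient rejections and keeps each client IP in a table for two days. The sample log lines, the function names and the `allow` parameter are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

BAN = timedelta(days=2)   # "two days in the sin bin", as the post proposes
YEAR = 2005               # assumption: classic syslog timestamps carry no year

# Postfix smtpd rejection of an unknown local recipient; captures time and client IP.
REJECT = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S*\[([0-9a-fA-F.:]+)\]: 550 (?:\d\.\d\.\d )?<[^>]*>: "
    r"Recipient address rejected: User unknown")

# Constructed sample log lines (documentation addresses only).
SAMPLE = [
    "Jul 13 11:02:08 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 550 <susan@example.com>: Recipient address rejected: "
    "User unknown in local recipient table; from=<a@example.net> "
    "to=<susan@example.com> proto=SMTP helo=<x>",
    "Jul 13 11:05:40 mail postfix/smtpd[4125]: connect from "
    "relay.example.org[198.51.100.7]",
    "Jul 14 09:00:00 mail postfix/smtpd[4200]: NOQUEUE: reject: RCPT from "
    "relay.example.org[198.51.100.7]: 550 5.1.1 <suzanne@example.com>: Recipient "
    "address rejected: User unknown in local recipient table; "
    "from=<b@example.org> to=<suzanne@example.com> proto=ESMTP helo=<relay>",
]

def scan(lines, bans=None, allow=frozenset()):
    """Return {client_ip: ban_expiry}; IPs in `allow` (hypothetical allowlist
    for shared relays whose users may simply mistype) are never banned."""
    bans = {} if bans is None else bans
    for line in lines:
        m = REJECT.match(line)
        if not m or m.group(2) in allow:
            continue
        seen = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        # A repeat offence extends the ban; it never shortens it.
        bans[m.group(2)] = max(bans.get(m.group(2), seen), seen + BAN)
    return bans

def access_map(bans, now):
    """Render unexpired bans as Postfix access(5) lines ("<ip> REJECT")."""
    return [f"{ip} REJECT" for ip, exp in sorted(bans.items()) if exp > now]

if __name__ == "__main__":
    table = scan(SAMPLE, allow={"198.51.100.7"})
    print("\n".join(access_map(table, datetime(2005, 7, 14, 12, 0))))
```

How the resulting table is loaded into Postfix is not shown; without the allowlist, one mistyped address from a shared relay would block every sender behind it for the full ban period.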