CBP: Spam and Virus Handling (was Re: [clug] [AUSCERT ALERT - Email worm W32.Beagle.A/Win32.Bagle.A])

Martin Schwenke martin at meltin.net
Mon Jan 19 23:25:01 GMT 2004


>>>>> "Alex" == Alex Satrapa <grail at goldweb.com.au> writes:

    Alex> One great technique I read about was only accepting email
    Alex> from addresses on your whitelist - a variant of the "block
    Alex> everything except the stuff you want or need" rule. People
    Alex> can add themselves to the whitelist by subscribing to it
    Alex> through a web page [...]

I do the following:

1. Whitelist.

   I whitelist not only the individual addresses of people I expect to
   receive email from, but also certain domains that I don't receive
   any SPAM (or viruses) from.  I also whitelist various mailing lists
   - they should be doing their own SPAM filtering (and I tend to get
   digests, so the SPAM doesn't clutter up my INBOX).

   For the whitelisting, and as a harness from everything else, I use
   TMDA <http://tmda.net/>.  I have it set up so that any addresses I
   send email to are added to an automatic whitelist.

2. SpamAssassin.

   Anything not whitelisted (and smaller than a particular size) is
   run through SpamAssassin (via spamc/spamd, which is much more
   efficient than running spamassassin each time).  I use the package
   from Debian unstable, with this configuration:

     required_hits 3
     skip_rbl_checks 1

   Therefore, anything with a score > 3 gets saved to a folder for
   later analysis.  I also get an overnight summary (From:, To:,
   Subject:) of new SPAM, but I don't check this anymore and should
   turn it off.

   On "my" mail server, I block various IP ranges (via my own RBL) and
   certain sender addresses (via a Postfix map).  I update this every
   couple of weeks by running some summary scripts over the SPAM I've
   caught.  I believe this has caused a drop in SPAM - I'll have a
   better idea after a few months.

3. Hold.

   I've configured TMDA to hold all other messages.  I'm sent a
   summary of held messages overnight.  If I see a message I want to
   release, I click on a mailto: link, send a message, the held
   message is delivered and the sender is automatically whitelisted.
   All other held mail expires after a while.

   The amount of held mail has been growing along with the amount of
   SPAM.  It used to be 3-5 messages per day, but has been up around
   15-20.  However, the nice thing is that I only see it, in the
   summary, once a day.

   Even so, I'm interested in ways of reducing the amount of held
   mail, which is almost always SPAM.  Options include:

   - Analysing held messages to see if I can lower the SpamAssassin
     threshold.  Currently I don't ask SpamAssassin to log anything or
     insert extra headers - I just ask spamc if the score is higher
     than the threshold.

     It looks like I might be able to "safely" use a threshold of 2.

   - Use other SPAM filtering techniques.  I tried DCC
     <http://www.rhyolite.com/anti-spam/dcc/>, but it only identified
     25% of my held messages as SPAM (and about 65% of my SPAM as
     SPAM).

One of the features of TMDA is that it can be configured to ask
non-whitelisted senders to confirm (by replying to a generated
message), causing their held message to be delivered.  Personally I
consider this a little too intrusive, and the possibility of
"spamming" innocent people whose address has been used by spammers is
a little too real...

Either way, apart from SPAM in mailing list digests, I only see a
summary of SPAM once a day.  My INBOX sees no SPAM sent directly to
any of my addresses...

... and certain (new) senders may experience up to a 24 hour delay in
getting a reply to their message, since I might not receive it
straight away...  but email isn't that reliable anyway...  :-)

peace & happiness,
martin
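
The three tiers described above (whitelist, score against a threshold,
hold everything else with a once-a-day summary and release-on-request)
can be sketched as a small mail triage routine.  This is an example added
to this page, not Martin's TMDA or SpamAssassin configuration: the keyword
scorer is a stand-in for asking spamc for a score, and every address,
domain, List-Id, size limit, expiry period and sample message below is
constructed for the demonstration.  The only values taken from the post
are required_hits 3 and the summary fields (From, To, Subject).  The
caught_at() helper is the "lower the threshold" analysis from item 3:
given the scores of what is currently held, how many messages a threshold
of 2 would have filed as SPAM instead.

```python
"""Whitelist -> score -> hold triage, modelled on the three tiers in the post
above.  Added example, not the author's TMDA/SpamAssassin setup: the keyword
scorer stands in for spamc, and all addresses, limits and messages are made up."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed policy; the post names no addresses, size limit or expiry period.
WHITELIST_ADDRESSES = {"alex@example.org"}
WHITELIST_DOMAINS = {"example.net"}
WHITELIST_LISTS = {"clug.example.com"}       # List-Id values, hypothetical
MAX_SCAN_BYTES = 250_000                     # "smaller than a particular size"
REQUIRED_HITS = 3.0                          # required_hits 3, as in the post
HOLD_TTL = 14 * 86400                        # "expires after a while": 14 days assumed

# Stand-in for spamc/spamd.  SpamAssassin sums per-rule points and treats
# required_hits as inclusive: a score >= required_hits is spam.
KEYWORD_HITS = {"viagra": 2.5, "click here": 1.5, "unsubscribe": 0.8, "free": 0.7}


def score(msg: Message) -> float:
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    return round(sum(pts for kw, pts in KEYWORD_HITS.items() if kw in text), 1)


def sender_of(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].lower()


def whitelisted(msg: Message, auto_whitelist: set) -> bool:
    """Tier 1: known addresses, trusted domains, whitelisted lists, auto-whitelist."""
    sender = sender_of(msg)
    list_id = msg.get("List-Id", "").strip().strip("<>").lower()
    return (sender in WHITELIST_ADDRESSES or sender in auto_whitelist
            or sender.rpartition("@")[2] in WHITELIST_DOMAINS
            or list_id in WHITELIST_LISTS)


def record_outgoing(raw: str, auto_whitelist: set) -> None:
    """Every address I send to is added to the automatic whitelist."""
    msg = message_from_string(raw)
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        if addr:
            auto_whitelist.add(addr.lower())


class HoldQueue:
    """Tier 3: held mail with a summary, release-and-whitelist, and expiry."""

    def __init__(self):
        self.items = {}                      # key -> (received_at, raw, score)
        self.seq = 0

    def hold(self, raw: str, s, now: float) -> str:
        self.seq += 1
        key = "h%d" % self.seq
        self.items[key] = (now, raw, s)
        return key

    def summary(self) -> list:
        """One (key, From, To, Subject, score) row per held message."""
        rows = []
        for key, (_, raw, s) in self.items.items():
            m = message_from_string(raw)
            rows.append((key, sender_of(m), m.get("To", ""), m.get("Subject", ""), s))
        return rows

    def release(self, key: str, auto_whitelist: set) -> str:
        """Deliver a held message and whitelist its sender for next time."""
        _, raw, _ = self.items.pop(key)
        auto_whitelist.add(sender_of(message_from_string(raw)))
        return raw

    def expire(self, now: float) -> int:
        stale = [k for k, (t, _, _) in self.items.items() if now - t > HOLD_TTL]
        for k in stale:
            del self.items[k]
        return len(stale)

    def caught_at(self, threshold: float) -> int:
        """How many currently held messages a lower required_hits would flag."""
        return sum(1 for _, _, s in self.items.values() if s is not None and s >= threshold)


def triage(raw: str, auto_whitelist: set, queue: HoldQueue, now: float = 0.0) -> tuple:
    """Run one inbound message through the three tiers; returns (verdict, score)."""
    msg = message_from_string(raw)
    if whitelisted(msg, auto_whitelist):
        return "inbox", None
    if len(raw.encode()) > MAX_SCAN_BYTES:   # too big to scan; assumed to be held unscored
        queue.hold(raw, None, now)
        return "held", None
    s = score(msg)
    if s >= REQUIRED_HITS:
        return "spam", s                     # filed to the SPAM folder, never the INBOX
    queue.hold(raw, s, now)
    return "held", s


SAMPLES = {                                  # constructed test messages
    "friend": "From: Alex <alex@example.org>\nTo: martin@example.com\nSubject: lunch?\n\nFriday?\n",
    "list": "From: anyone@elsewhere.test\nTo: clug@example.com\nList-Id: <clug.example.com>\n"
            "Subject: [clug] digest\n\nFREE viagra click here\n",
    "spam": "From: promo@spam.test\nTo: martin@example.com\nSubject: FREE viagra, click here\n\nunsubscribe\n",
    "grey": "From: news@shop.test\nTo: martin@example.com\nSubject: Free shipping this week\n\nclick here\n",
    "stranger": "From: new.person@unknown.test\nTo: martin@example.com\nSubject: TMDA question\n\nHi Martin\n",
}

if __name__ == "__main__":
    aw, q = set(), HoldQueue()
    for name, raw in SAMPLES.items():
        print(name, triage(raw, aw, q))
    for row in q.summary():
        print("held:", row)
    print("a threshold of 2 would have caught", q.caught_at(2.0), "of the held messages")
```

The whitelisted list digest skips the scorer entirely, which is the
trade-off the post accepts (the list does its own filtering); the
"grey" newsletter scores 2.2, so it is held under required_hits 3 but
would be filed as SPAM at 2, which is exactly what the held-mail
analysis is meant to reveal before the threshold is lowered.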
