CBP: Spam and Virus Handling (was Re: [clug] [AUSCERT ALERT - Email worm W32.Beagle.A/Win32.Bagle.A])
Martin Schwenke
martin at meltin.net
Mon Jan 19 23:25:01 GMT 2004
>>>>> "Alex" == Alex Satrapa <grail at goldweb.com.au> writes:
Alex> One great technique I read about was only accepting email
Alex> from addresses on your whitelist - a variant of the "block
Alex> everything except the stuff you want or need" rule. People
Alex> can add themselves to the whitelist by subscribing to it
Alex> through a web page [...]
I do the following:
1. Whitelist.
I whitelist not only the individual addresses of people I expect to
receive email from, but also certain domains that I don't receive
any SPAM (or viruses) from. I also whitelist various mailing lists
- they should be doing their own SPAM filtering (and I tend to get
digests, so the SPAM doesn't clutter up my INBOX).
For the whitelisting, and as a harness from everything else, I use
TMDA <http://tmda.net/>. I have it set up so that any addresses I
send email to are added to an automatic whitelist.
2. SpamAssassin.
Anything not whitelisted (and smaller than a particular size) is
run through SpamAssassin (via spamc/spamd, which is much more
efficient than running spamassassin each time). I use the package
from Debian unstable, with this configuration:
required_hits 3
skip_rbl_checks 1
Therefore, anything with a score > 3 gets saved to a folder for
later analysis. I also get an overnight summary (From:, To:,
Subject:) of new SPAM, but I don't check this anymore and should
turn it off.
On "my" mail server, I block various IP ranges (via my own RBL) and
certain sender addresses (via a Postfix map). I update this every
couple of weeks by running some summary scripts over the SPAM I've
caught. I believe this has caused a drop in SPAM - I'll have a
better idea after a few months.
3. Hold.
I've configured TMDA to hold all other messages. I'm sent a
summary of held messages overnight. If I see a message I want to
release, I click on a mailto: link, send a message, the held
message is delivered and the sender is automatically whitelisted.
All other held mail expires after a while.
The amount of held mail has been growing along with the amount of
SPAM. It used to be 3-5 messages per day, but has been up around
15-20. However, the nice thing is that I only see it, in the
summary, once a day.
Even so, I'm interested in ways of reducing the amount of held
mail, which is almost always SPAM. Options include:
- Analysing held messages to see if I can lower the SpamAssassin
threshold. Currently I don't ask SpamAssassin to log anything or
insert extra headers - I just ask spamc if the score is higher
than the threshold.
It looks like I might be able to "safely" use a threshold of 2.
- Use other SPAM filtering techniques. I tried DCC
<http://www.rhyolite.com/anti-spam/dcc/>, but it only identified
25% of my held messages as SPAM (and about 65% of my SPAM as
SPAM).
One of the features of TMDA is that it can be configured to ask
non-whitelisted senders to confirm (by replying to a generated
message), causing their held message to be delivered. Personally I
consider this a little too intrusive, and the possibility of
"spamming" innocent people whose address has been used by spammers is
a little too real...
Either way, apart from SPAM in mailing list digests, I only see a
summary of SPAM once a day. My INBOX sees no SPAM sent directly to
any of my addresses...
... and certain (new) senders may experience up to a 24 hour delay in
getting a reply to their message, since I might not receive it
straight away... but email isn't that reliable anyway... :-)
peace & happiness,
martin
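The three-stage policy Martin describes (whitelist, then SpamAssassin for anything under a size limit, then hold with a nightly summary and mailto: release that auto-whitelists the sender) can be modelled in a few dozen lines. The following is an added example, not Martin's TMDA or Postfix configuration and not TMDA code: the spam score is a constructed number standing in for what `spamc -c` would report, the 256 KiB scan cut-off and all addresses are assumptions, and the sample messages are constructed. It also includes the "would a lower threshold have caught this held mail?" check the post proposes doing on the held queue.

```python
# Toy model of the whitelist -> SpamAssassin -> hold policy described above.
# Added example; not TMDA, not Martin's config. Scores are constructed stand-ins
# for spamc output, so nothing here scans real mail.
from __future__ import annotations
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class Message:
    sender: str        # raw From: / envelope sender, e.g. 'Bob <bob@example.org>'
    size: int          # bytes
    spam_score: float  # constructed stand-in for the score spamc would report


def normalise(sender: str) -> tuple[str, str]:
    """Return (address, domain), lower-cased, from a raw sender string."""
    addr = parseaddr(sender)[1].lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return addr, domain


@dataclass
class Policy:
    # Stage 1: individual addresses plus whole domains (covers the
    # "domains I never get spam from" and mailing-list cases).
    whitelist_addrs: set[str] = field(default_factory=set)
    whitelist_domains: set[str] = field(default_factory=set)
    # Stage 2: SpamAssassin settings. Real SpamAssassin flags a message as
    # spam when score >= required_hits (later renamed required_score).
    required_hits: float = 3.0
    max_scan_size: int = 256 * 1024  # assumed cut-off; the post names none

    def record_outgoing(self, recipient: str) -> None:
        """Auto-whitelist: anyone the owner writes to is trusted afterwards."""
        self.whitelist_addrs.add(normalise(recipient)[0])

    def classify(self, msg: Message) -> str:
        """Return 'deliver', 'spam' (folder for later analysis) or 'hold'."""
        addr, domain = normalise(msg.sender)
        if addr in self.whitelist_addrs or domain in self.whitelist_domains:
            return "deliver"
        if msg.size <= self.max_scan_size and msg.spam_score >= self.required_hits:
            return "spam"
        return "hold"  # not whitelisted, not scored as spam, or too big to scan

    def release(self, msg: Message) -> str:
        """Owner clicked the mailto: link in the nightly summary: deliver the
        held message and whitelist its sender for the future."""
        self.whitelist_addrs.add(normalise(msg.sender)[0])
        return "deliver"

    def spam_at_threshold(self, held: list[Message], threshold: float) -> int:
        """How many currently held messages a lower required_hits would have
        sent to the spam folder instead (the analysis the post proposes).
        Oversized messages are never scanned, so they can never be caught."""
        return sum(1 for m in held
                   if m.size <= self.max_scan_size and m.spam_score >= threshold)


# Constructed sample traffic for one day.
POLICY = Policy(whitelist_addrs={"alice@example.com"},
                whitelist_domains={"lists.example.net"})
SAMPLE = [
    Message("Alice <alice@example.com>", 1800, 0.2),          # whitelisted address
    Message("Bob <bob@lists.example.net>", 2100, 7.5),        # whitelisted domain
    Message("win@junk.example", 1500, 8.0),                   # scores as spam
    Message("New Contact <new@other.example>", 1200, 1.5),    # low score: held
    Message("bulk@huge.example", 3_000_000, 9.0),             # too big to scan
    Message("stranger@foo.example", 1000, 2.4),               # low score: held
]


def run_day(policy: Policy, messages: list[Message]) -> dict[str, list[Message]]:
    """Sort a batch of messages into the three buckets."""
    buckets: dict[str, list[Message]] = {"deliver": [], "spam": [], "hold": []}
    for m in messages:
        buckets[policy.classify(m)].append(m)
    return buckets


if __name__ == "__main__":
    day = run_day(POLICY, SAMPLE)
    for bucket, msgs in day.items():
        print(bucket, [m.sender for m in msgs])
    for t in (3.0, 2.0, 1.0):
        print(f"required_hits {t}: {POLICY.spam_at_threshold(day['hold'], t)} "
              f"of {len(day['hold'])} held messages would be spam")
```

Lowering the threshold only helps for mail that was actually scanned: the oversized message stays in the hold queue whatever `required_hits` is set to, which is worth remembering when reading the nightly summary.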