spam filtering/false positives


Subject: spam filtering/false positives
From: Rob Cermak (cermak@sfos.uaf.edu)
Date: Fri May 09 2003 - 15:55:10 AKDT


I'm not sure anything can be done for spam or false positives unless some
stricter standards are put in place for email. Spam just follows the
policy of tax evasion loopholes. Find loophole, abuse it.

For spam filtering here, we are just using the brute force access lists in
sendmail. I've not found a program that is able to take an access list
that does some meaningful comparison between the From: and the relay
machine.

This is our spammers access list at present, it currently blocks 5 to 10%
of mail from known advertisers as well as IPs that are flagrant relays:
http://www.sfos.uaf.edu/tech/spammers.php

Most of the spam we get now is heavily forged mail that is not sent from
a proper computer.

Note the Return-Path and From address are different; spam for sure.
Unfortunately, this went to an aurora account first and was forwarded to
a valid ims account and we have to accept mail from aurora. Even though
the mail is from yahoo.com, again a DSL or modem address is being used
for the mail agent: pD9E1EE47.dip.t-dialin.net.

Return-Path: <rachel19720@yahoo.com>
Received: from topcat.ims.uaf.edu (topcat.ims.uaf.edu [137.229.40.240])
        by aurora.uaf.edu (8.11.6p2/8.11.6) with ESMTP id h335qKJ26245
        for <xxxxxxxxxxx@uaf.edu>; Wed, 2 Apr 2003 20:52:20 -0900 (AKST)
Received: from yahoo.com (pD9E1EE47.dip.t-dialin.net [217.225.238.71])
        by topcat.ims.uaf.edu (8.11.6/8.11.6) with SMTP id h335oob06596
        for <xxxxxxxxxxxxxxx@ims.uaf.edu>; Wed, 2 Apr 2003 20:50:52 -0900
Message-Id: <200304030550.h335oob06596@topcat.ims.uaf.edu>
From: Laura <laurasin@yahoo.com>
To: <xxxxxxxxxxxxxxxx@ims.uaf.edu>
Subject: 75% Discount On Viagra Today!
Date: Wed, 2 Apr 2003 22:54:39 2003 22:54:39 +0000 EST
Mime-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mozilla-Status2: 00000000

So, what I'm looking for is a way to check the From: domain and make
sure it only comes from like domains or others that I allow; i.e., take
care of ISPs that get bought out by bigger fish.

i.e., allow mosquitonet mail from mosquitonet.com and acsalaska.net

mosquitonet.com:mosquitonet.com OK
mosquitonet.com:acsalaska.net OK

...otherwise reject.

This would take care of all the random and bogus yahoo, msn
and hotmail mail floating around (even though there might be
someone out there willing to route/MX yahoo mail...); there is
no rule saying that we can't refuse it unless it comes straight
from the source!

Apr 29 10:15:42 <hjsy8sb681@yahoo.com> CacheFlowServer@[218.246.127.132]
Apr 29 12:23:54 <xx71bl668@yahoo.ca> CacheFlowServer@[218.246.127.132]
Apr 29 14:21:49 <Feelhi@lycos.com> CacheFlowServer@[210.22.108.5]
Apr 29 15:25:38 <c1hunxlem7@earthlink.net> CacheFlowServer@[218.246.127.132]
Apr 29 20:31:02 <ehaazfzolmm@earthlink.net> CacheFlowServer@[202.109.97.239]
Apr 29 23:48:39 <09wh5k4m6@yahoo.com.hk> CacheFlowServer@[218.246.127.132]
Apr 30 01:24:29 <84296umb9@yahoo.com> CacheFlowServer@[203.177.36.203]
Apr 30 02:03:23 <n65lycz0a9mt@loyus.com> CacheFlowServer@[218.246.127.132]
Apr 30 02:37:44 <bfccefk8b@earthlink.net> CacheFlowServer@[202.109.97.239]
Apr 30 16:32:27 <mpxsai9t03@yahoo.com> CacheFlowServer@[218.246.127.132]
May 1 01:58:27 <ydmi497i@yahoo.ca> CacheFlowServer@[218.246.127.132]
May 1 02:09:08 <4a6h718t@yahoo.com> CacheFlowServer@[218.246.127.132]

In this case, we've blocked IP = 218.246.127.132, repeat offender...

I've looked at a few Milters for sendmail. So far, they don't do
anything special. SpamAssassin is again just a pattern matcher. What do
we want to spend CPU time on:

Pattern matching or DNS lookups and verification? DNS is getting pretty
bad too. I won't get started on that topic.




This archive was generated by hypermail 2a23 : Fri May 09 2003 - 15:55:13 AKDT