Date: Sat, 20 Aug 2011 21:55:08 +0200
From: Patrick Ben Koetter
To: users@spamassassin.apache.org
Subject: Re: Theories on blocking OUTGOING spam
Message-ID: <20110820195508.GB2211@state-of-mind.de>
References: <4E4AE8F8.4060500@junkemailfilter.com>
In-Reply-To: <4E4AE8F8.4060500@junkemailfilter.com>

* Marc Perkel :
> Just sharing some ideas on blocking outbound spam. Maybe these ideas
> will make it to the big freemail companies because most of the spam
> that manages to get through my filters comes from AOL, Gmail, Yahoo,
> and Hotmail.
>
> I've found outbound spam filtering to be very different than inbound
> filtering. And I've been reasonably successful in stopping spam that

ACK

# Throwing in an advocatus diaboli in the next lines. Basically I do agree
# with most of what you say

> I'm filtering for other people's outgoing servers. Here's the core
> of how I do it.
>
> First - spammers never send spam slowly. So if the account is
> sending email slowly then I don't have to look at it. So it just
> passes.

Spammers will adapt to that. Imagine they infect the complete network and
all infected machines do a distributed spam attack, each sending only a few
to keep beneath the threshold but over all sending a lot. I wouldn't rely on
that - at least in the long run.
> When email is coming fast from an account I start tracking the
> number of bad recipients and if the number of bad recipients is high
> it's probably spam.

Or it's bulk mail with bad addresses ...

> I also have restrictions on valid domains the from has to match, I
> look for URIBLs, high SA scores, etc.
>
> Just curious what others do to detect outgoing spam.

- We keep lists of valid senders. Others are not allowed to send unless we
  can verify (sender verification) them immediately.
- We require humans to use submission instead of smtp
- We run pretty tight policies on web hosting machines and standalone (null
  mailer) servers

Generally we look at the SMTP session only and avoid inspecting anything at
content level for several reasons:

- German laws forbid looking at content without the local sender's consent.
  That holds true even (!) if the mail system is at risk because the spam
  load gets close to DOSing the machine or if your machines start to get
  blacklisted. I am not sure if judges will actually sentence someone if
  they claimed system risk as the reason why they inspected the content, but
  there is no precedent yet and I'd rather not spend my money finding out ...
- Looking at content is computationally expensive

When we look at the SMTP session we MUST NOT log anything that leads back to
the real person or lets us track the person down. If we log we use hashes to
destroy a trackable connection.

We tend to think the client sends spam if

- the client sends an abnormal number of messages within a timeframe
- the client sends to a wide variety of recipients

We put messages in quarantine and notify the sender. The sender may release
the messages - a self-service a spambot can't do itself.

> I use Exim for the MTA because it has the power to do the tricks I
> need done.

We use Postfix. It gets the job done too.
p@rick

--
state of mind ()
http://www.state-of-mind.de

Franziskanerstraße 15      Telefon +49 89 3090 4664
81669 München              Telefax +49 89 3090 4666

Amtsgericht München
Partnerschaftsregister PR 563
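As an added illustration (not code from the thread or from either poster), the session-level heuristics Patrick describes: a keyed hash so counters and logs never name the real sender, and quarantine once a client exceeds a per-window message count or distinct-recipient count. The secret, window length and thresholds are assumed values, and the submission records are constructed.

```python
# Added example, not from the thread. Per-client outbound heuristics keyed by
# an HMAC pseudonym instead of the sender address, with a "quarantine" verdict
# (not reject) so the human can release legitimate bulk mail themselves.
import hashlib
import hmac
from collections import defaultdict, deque

LOG_KEY = b"assumed-per-site-secret"  # assumption: rotate it, never log it
WINDOW = 60      # seconds of history per client (assumed)
MAX_MSGS = 20    # "abnormal number of messages within a timeframe" (assumed)
MAX_RCPTS = 15   # "wide variety of recipients" (assumed)


def pseudonym(sender: str) -> str:
    """Keyed hash of the address: logs and counters refer to this only."""
    digest = hmac.new(LOG_KEY, sender.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


class OutboundMonitor:
    def __init__(self):
        self.events = defaultdict(deque)  # pseudonym -> deque of (ts, rcpt)

    def observe(self, ts: int, sender: str, rcpt: str) -> str:
        """Record one submission and return 'accept' or 'quarantine'."""
        q = self.events[pseudonym(sender)]
        q.append((ts, rcpt))
        while q and q[0][0] < ts - WINDOW:  # forget events outside the window
            q.popleft()
        n_msgs = len(q)
        n_rcpts = len({r for _, r in q})
        # Caveat Patrick raises: a botnet where each client stays under these
        # per-client limits needs an aggregate (per-domain/per-network) view too.
        if n_msgs > MAX_MSGS or n_rcpts > MAX_RCPTS:
            return "quarantine"
        return "accept"


# Constructed sample: a human mailing one peer every minute, and an infected
# host blasting thirty distinct recipients within thirty seconds.
SAMPLE = [(t, "alice@example.net", "bob@example.org") for t in range(0, 300, 60)]
SAMPLE += [(t, "infected@example.net", f"victim{t}@example.com")
           for t in range(100, 130)]


def run(sample):
    """Replay records in time order; map pseudonym -> list of verdicts."""
    mon = OutboundMonitor()
    verdicts = defaultdict(list)
    for ts, sender, rcpt in sorted(sample):
        verdicts[pseudonym(sender)].append(mon.observe(ts, sender, rcpt))
    return dict(verdicts)
```

Only the pseudonym reaches the verdict table, so a retained log cannot be walked back to the person unless the key is also kept.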