Topic: Spam filtering

[MSmith]

Seems like the boards are kind of quiet on this subject ... anything new and exciting in this area?  Has anyone succeeded in getting TMDA or another challenge/response system implemented in SME 7 or 8?

[cactus]

Seems like the boards are kind of quiet on this subject ... anything new and exciting in this area?  Has anyone succeeded in getting TMDA or another challenge/response system implemented in SME 7 or 8?

IMHO a challenge response system is a bad thing, I prefer a little SPAM over having people having to send a second mail to get their mail delivered.
In my situation DNSBL and Bayes filtering works very good, I receive very little unsolicited or SPAM mail.
DNSBL seems to block the most SPAM in my case as around 50% of mail delivered to my server is prevented by that, compared to other plugins like clamav, spamassassin, check_earlytalker and the like preventing about 15% of SPAM in my e-mail.

You can also implement RHSBL, but I do not use that anymore.

[MSmith]

Your opinion on challenge/response is noted, Cactus, but I didn't ask if it was a bad thing, I asked if anyone had done it.  My SME machine is rejecting 95% or better of spam emails, with DNSBL stopping the bulk of them.

So, anybody have any new techniques or variations on old techniques to add?

[CharlieBrady]

Your opinion on challenge/response is noted, Cactus, but I didn't ask if it was a bad thing, I asked if anyone had done it.

Gordon Rowell once had an e-smith-qconfirm contrib. However the backscatter generated was so bad that we unpublished the contrib as best he could.

Challenge/response systems are irresponsible. They transfer the burden of your spam onto the innocent forged "senders" of your spam. I agree with Cactus - don't go there.

[MSmith]

So it would seem that the actual *answers* to the questions I actually *asked* are "No" and "No."  Spam volumes overall may be down, but I'm getting hammered by hundreds per day that *are* getting through, despite DNSBL and RHSBL blocking and SpamAssassin filtering cranked down so it tags at 8 and rejects at 5.  (Yes, thousands more are blocked before my Inbox sees them.)

I haven't implemented Bayesian filtering with LearnAsHam and LearnAsSpam yet but that will probably be next. 

[piran]

...I'm getting hammered by hundreds per day that *are* getting through,
despite DNSBL and RHSBL blocking and SpamAssassin filtering cranked
down so it tags at 8 and rejects at 5.

WAS: "implement earlytalker filtering"
NOW: "adjust existing earlytalker filtering timeout"

[set up the template if not done already]
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0

[edit template]
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
nano -w 10check_earlytalker
edit contents to show "check_earlytalker wait 50"
Ctrl-X exit/save etc

[restart template]
signal-event email-update

Probably get most if not all of them... job done.

PostEdit: as requested

[CharlieBrady]

implement earlytalker filtering

I believe that earlytalker filtering is enabled by default. If it is not working correctly (or as well as you expect), you should open a bug report.

[piran]

I believe that earlytalker filtering is enabled by default.

I didn't say enable it. I said implement it and followed that
advice by the change I recommended. How does your
input above help the OP?

If it is not working correctly (or as well as you expect), you should open a bug report.

I didn't say it was working incorrectly or in any way
not to expectation or actually needed adjusting in
normal circumstances. If I ever did find anything
otherwise I would open a bug report without any
hesitation. I haven't so I won't file a bug report
as it would be a waste of time for you and I.
How does your input above help the OP?

[Stefano]

I didn't say enable it. I said implement it and followed that
advice by the change I recommended.

I think your suggestion is wrong.. earlytalker is enabled and implemented by default AFAIK, so there's no need to implement it again

How does your input above help the OP?

sincerely I don't understand this attitude, but maybe it's a problem of mine..

[piran]

...moment I was typing it up.

[piran]

...before my Inbox sees them

The criminals who seem to have taken over Rustock's mantle
appear to be using MTAs under their Command & Control
configured for a 40sec (roughly) timeout on the SMTP
greetings banner. Rustock in its time seemed to favour
20sec MTAs. I don't know why or how it's just what I
observed from the myriad of rubbish they sent my way.
The current lot seem prepared to accept up to 40sec of
delay (before timing out and attempting to blurt their
spam load). Setting the earlytalker timer, by the
template above, to a setting of 50sec would be quite
sufficient to address the matter. Some assumptions
made of course. If it does not help then simply delete
the template, restart email and try another way.

PostEdit: typos

[piran]

I think your suggestion is wrong.. earlytalker is enabled and implemented by default AFAIK, so there's no need to implement it again

I don't understand you, please explain your assertion.
The technique works. Have you tried it? The OP was
asking for technique suggestions new or amended old.

sincerely I don't understand this attitude, but maybe it's a problem of mine..

I agree, occasionally I don't understand this attitude,
maybe we all have a problem of our own.

[Stefano]

I don't understand you, please explain your assertion.
The technique works. Have you tried it? The OP was
asking for technique suggestions new or amended old.

I meant: earlytalker plugin is already installed, configured and enabled by default on each SME installation.. I have it working on each server and I'm sure that I haven't enabled/configured/implemented it..
I suggest OP to modify his DNSBL and RHSBL setup.. mine is working fine with

Code: [Select]

    RBLList=bl.spamcop.net:combined.njabl.org:dnsbl.ahbl.org:list.dsbl.org:multihop.dsbl.org:zen.spamhaus.org
    RHSBL=enabled
    RequireResolvableFromHost=yes
    SBLList=bogusmx.rfc-ignorant.org:multi.surbl.org:black.uribl.com:rhsbl.sorbs.net:bulk.rhs.mailpolice.com:fraud.rhs.mailpolice.com:porn.rhs.mailpolice.com:adult.rhs.mailpolice.com:ex.dnsbl.org


[piran]

I meant: earlytalker plugin is already installed, configured and enabled by default on each SME installation.

Understood. Would you and Charlie prefer that I...
PostEdit "implement earlytalker filtering" to
PostEdit "adjust existing earlytalker filtering timeout"?

The OP was enquiring about new (I read alternative)
techniques to address his incoming spam load.

Your RBL and SBL Lists are interesting. It's been a
very long time since I needed to edit mine and you
use some of which I have no knowledge at all.

[Stefano]

Understood. Would you and Charlie prefer that I...
PostEdit "implement earlytalker filtering" to
PostEdit "adjust existing earlytalker filtering timeout"?

yes, IMHO it would be better..

[piran]

yes, IMHO it would be better..

Now done.

[CharlieBrady]

Understood. Would you and Charlie prefer that I...
PostEdit "implement earlytalker filtering" to
PostEdit "adjust existing earlytalker filtering timeout"?

Yes. And if you think that the earlytalker filter timeout needs to be adjusted to be effective, you should post that in the bug tracker - rather than suggest that one user make a custom change to implement that difference. If you post it in the bug tracker, then perhaps the change can be made so that it will help not one user, but tens of thousands of users.

[CharlieBrady]

I didn't say it was working incorrectly or in any way
not to expectation or actually needed adjusting in
normal circumstances.

Don't you directly contradict these statements in your Comment #10 (where you mention "the criminals who seem to have taken over Rustock's mantle")?

[piran]

Yes.

This has already been done.

[piran]

And if you think that the earlytalker filter timeout needs to be adjusted to be effective, you should post that in the bug tracker...

No, it is not what I think. Please stop articulating what
you feel I think. The increased timeout setting is for
the singular use by the OP to try to address the
problem articulated in his thread. It is not suitable
for everyone or tens of thousands or for inclusion
in the standard product, that would be inappropriate.

[piran]

Don't you directly contradict these statements in your Comment #10 (where you mention "the criminals who seem to have taken over Rustock's mantle")?

I'm sorry Charlie but I don't understand.

[CharlieBrady]

No, it is not what I think. Please stop articulating what you feel I think.

I made no assertion of what you think. Please drop your attitude. And please stop being disingenuous.

The increased timeout setting is for
the singular use by the OP to try to address the
problem articulated in his thread.

What is your evidence that the OP has a problem with inadequate earlytalker timeout setting, and that the same issue does not affect every SME server user?

[piran]

I'm not quoting any more. Read back. You keep saying
what (you feel) I'm thinking. Please stop doing that. I
am entirely sincere and I would reciprocate your request
and ask you to stop being disingenuous. I am attempting
to help the OP.

There is NO 'evidence', please stop this attitude.
I have suggested a course of action for the OP.
I am trying to be helpful to the OP. Please get
off my back unless you can be constructive.
Only you are suggesting that this might be
something affecting everybody else. I'm not.