
Mailing List Archive
Re: [tlug] state of the art spam filtering
Moin,
On Wed, 17 Mar 2010 01:30:00 +0100
Francois Cartegnie <fcartegnie@example.com> wrote:
>
> > > * Reject senders with reverse subdomain containing blacklisted words (ex:
> > > *dyn*.foo.com, *dsl*.foo.com, *ppp*.foo.com, ...)
> >
> > No it doesn't. What about the genuine people sending from a subdomain
> > like that? They might be 99% spammers, 1% genuine, but this is still
> > throwing away real email.
>
> Who sends mail from a dynamic/dialup/customer IP today?
I do. And quite a few of my (nerdy) friends do.
> Every dyn IP can send
> mail through the ISP's servers. Customers' outgoing port 25 is even blocked by
> ISPs today.
Yes, that's why more and more worms/trojans use the setting of Outlook
to send mails, so they can go over the ISP's MTA, which makes it legitimate
for quite a lot of MXs.
> As you're mentioning, that's 99% chance of being crap. But I never saw the
> remaining 1%.
> If it's legitimate, they'll have to manage to get their server on a regular
> subdomain, with a regular reverse. (a dyn IP is not a stable MX for receiving
> replies !)
Judging from the logs of the MPlayer/FFmpeg mailing list server, that's about
30% of mail. Most of which are by the developers themselves. So if I'd block
dyn IP users, I'd block the people who are the most legitimate users of
the mailing list.
> Now, remembering that RBLs exist, you'll have the risk of receiving a
> blacklisted IP, and won't have any authority to request a delisting.
That's the reason why most people consider RBLs a broken-as-designed
solution. It breaks a previously working and legitimate use of the internet.
> > > * Mails to non-existing accounts go to blackhole. Never bounce anything.
> >
> > So, how do users discover they mis-typed an address? Won't they just
> > assume fcartenie@example.com is ignoring them deliberately?
>
> If you have a single MTA that can check for the account before accepting the
> mail, this is not a problem.
It is possible with multiple MXs too. At least Postfix can do that.
And it's highly recommended too.
> If you're a relay or your MTA can't check before accepting, you'll end up
> bouncing the message... Once a spammer notices this, he'll use it to spread his
> content using your own server.
> http://www.backscatterer.org/?target=backscatter
>
> As long as the sender can't be certified (DomainKeys, DKIM), there's no clean
> way to fight bounce spam today: Reject or Drop. Don't bounce.
I very much doubt this. Though sender authentication (something working,
not DomainKeys or DKIM or any other of these patchy solve-one-single-symptom
solutions) might be the best solution.
Attila Kinali
--
If you want to walk fast, walk alone.
If you want to walk far, walk together.
-- African proverb
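
The cost of the reverse-DNS rule debated in this thread can be measured from existing mail logs before anything is rejected. The following is an added example, not part of the original posts: it assumes Postfix smtpd `client=` log lines, substring matching on the dyn/dsl/ppp tokens, and constructed sample data.

```python
import re
from collections import Counter

# Tokens named in the thread; substring matching on host labels is an assumption.
DYN_TOKENS = ("dyn", "dsl", "ppp")

# Postfix smtpd logs one "QUEUEID: client=name[ip]" line per accepted message.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-Za-z]+: client=([^\[\s]+)\[([^\]]+)\]")

def classify(rdns_name):
    """Return 'no_rdns', 'dynamic' or 'other' for one reverse DNS name."""
    name = rdns_name.lower().rstrip(".")
    if name == "unknown":          # Postfix prints this when the PTR lookup fails
        return "no_rdns"
    labels = name.split(".")[:-2]  # naive: treat the last two labels as the domain
    if any(tok in label for label in labels for tok in DYN_TOKENS):
        return "dynamic"
    return "other"

def summarize(log_lines):
    """Count accepted messages per class and list the hosts the rule would reject."""
    counts, rejected = Counter(), []
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue               # connect/disconnect and other lines are ignored
        kind = classify(m.group(1))
        counts[kind] += 1
        if kind == "dynamic":
            rejected.append(m.group(1))
    return counts, rejected

# Constructed sample log lines (documentation addresses and domains).
SAMPLE_LOG = """\
Mar 17 01:02:03 mx postfix/smtpd[2101]: 3A1B2C4D5E: client=mail.example.org[192.0.2.10]
Mar 17 01:02:09 mx postfix/smtpd[2101]: 3A1B2C4D60: client=p5-dyn-17.pool.example.net[198.51.100.17]
Mar 17 01:03:11 mx postfix/smtpd[2104]: 3A1B2C4D71: client=unknown[203.0.113.5]
Mar 17 01:04:40 mx postfix/smtpd[2104]: 3A1B2C4D82: client=adsl-44.cust.example.com[198.51.100.44]
Mar 17 01:05:02 mx postfix/smtpd[2107]: connect from mail.example.org[192.0.2.10]
Mar 17 01:06:30 mx postfix/smtpd[2107]: 3A1B2C4D93: client=smtp.dynamics.example.org[192.0.2.77]
""".splitlines()

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_LOG)
    total = sum(counts.values())
    print(f"{counts['dynamic']}/{total} accepted messages match the dyn/dsl/ppp rule")
    for host in rejected:
        print("  would reject:", host)
```

The last sample host shows how substring matching also catches names that merely contain a token, which is why the list of matched hosts is worth reviewing alongside the count.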