@debian.org and Spam (#3) — alioth

Par MadCoder, Monday 3 April 2006 à 13:05 :: Debian

Following my recent posts about SPAM in our wonderful project, Raphaël Hertzog asked me to improve alioth mail configuration to use my suggestions. Thanks to him, the improvements I've suggested are now all in place, since roughly 12 hours.

Alioth Exim's configuration had a couple of problems, and was in a not very satisfying shape. Here is the list of the improvements I've suggested, and that now are in place (hopefuly for our best comfort) :

no check was done on the HELO/EHLO, we now at least verify one was given^[1];
greylisting has now been made conditionnal: on bad HELO, or blacklisted hosts, we apply greylisting (the method I was talking about previously) ;
greylisting was applied after the mail was sent (in reply of the DATA command) which is a pure nonsense, because it loads us for nothing. We now check it at RCPT TO time, sparing time, bandwidth and load.

Moreover greylisting has been made more efficient: before, we only greylisted on the pair (sender_ip, sender_domain) which is suboptimal: spammers always forge sender addresses from the same domains (aol, hotmail, …). So in half an hour, aol.com, hotmail.com, … were whitelisted, and spammers could just get through, unannoyed. Whereas occasionnal senders on not very widespread domains were always caught. Now, greylisting uses the full sender_address, which is the mildest way to do greylisting. The hard way would be to use the usual triplet (sender-ip, sender-address, recipient-address), but given the fact that alioth does not delivers to that many recipients, not taking it into consideration is a good compromise to avoid a too huge database, with almost the same results.

I hope to be able to deliver some nice curves based on alioth's traffic in about 10 days, to see if that worked as expected.

Thanks again to Raphaël that made it possible.

for those who are interested, the exim4.conf snipplet to do conditionnal greylisting is :

create a new ACL, defining what you do want to greylist:

    # acl that tell if we will greylist or not
    acl_greylist:
        # Check if EHLO greeting is resolvable
        deny
            !verify = helo

        # Deny if the host is blacklisted
        deny
            log_message = match $dnslist_domain
            dnslists = cbl.abuseat.org : dul.dnsbl.sorbs.net : dynablock.njabl.org

        # Deny if the sender address can't be verified
        deny
            !verify = sender/callout=30s,connect=5s,defer_ok

        accept

just add that snipplet just before your greylisting rule:

        accept
            acl = acl_greylist

Notes

[1] I really think we sould also check that the helo line is either an IP or a FQDN, but that can come later

Commentaires

1. Le Monday 3 April 2006 à 22:02, par Steinar H. Gunderson :: site

Greylisting on DATA is not "pure nonsense", and it does not really induce more load unless you are very bandwidth-constrained. The problem with greylisting on RCPT is that unless you are very careful with whitelisting, you'll end up blocking other people's callouts to you, making for circular dependencies and your own outgoing e-mail being delayed.

2. Le Monday 3 April 2006 à 22:19, par MadCoder :: site

I'm not sure I follow your point. outgoing mail is not subject to greylisting, so I fail to see what you are trying to say.

3. Le Tuesday 4 April 2006 à 00:41, par Falco :: site

Hi,

I think i understand what Steinar means.
Well, i observe circular dependencies, sometimes, with incoming mail (i use reject_unverified_recipient on my personal domain) (and, on the senders domain, assume there's a greylist). It only causes a delay due to the greylisting of the sender, but that's all, no need to worry, no blocking. Even if you have two sites using address verification, there will be no blocking case, since the second level of verification will be always accepted (To: postmaster@domain).

Now, think what about outgoing mail. If our recipient uses address verification, he will probe our site (until the RCPT TO phase only) and we will answer with a 4xx temp error, always. I don't know what the behaviour of, let's say, Postfix address verification scheme, in the case of a 4xx, is. But this may lead to a blocking case!

With a site which rejects mails only after DATA, Postfix address verification will be useless. (always "deliverable")

What i was thinking a couple of days ago is about temporary errors 4xx at the differents stages of the SMTP transaction :
- EHLO, MAIL FROM : not allowed because you have to accept every mail sent to postmaster or abuse (see www.rfc-ignorant.org/poli... ).
- RCPT TO, it's the "classic" greylisting, used by postfix/postgrey or by sendmail/milter-greylist, AFAIK.
- reply a temporary error at the end of the DATA command may be *very* efficient if you can scan the body of the mail (thought an smtp proxy for example) without having accepted it firstly. (250 OK)
Think about what we could be able to do with our bayesian filter (bogofilter) which could reply a temporary error to a probably-spam mail.
E.g., AOL (and maybe yahoo, and maybe other ones) replies a perm error (5xx) at the end of the DATA command due to URL filter : try sending a mail containing http(://)jyhi9.nevairposs.com to AOL, you'll get
"554-: (RLY:BD) postmaster.info.aol.com/e... just as the end of the DATA command.
If we could use our bayesian filter through our different sessions of Postfix (and the other filters like clamav) which could behave like an efficient SMTP proxy, then we would reply just at the end of DATA command, regarding the bogosity of the mail.... imagine :D

4. Le Tuesday 4 April 2006 à 08:13, par MadCoder :: site

Are you speaking of people that checks back to you if some address that sends them mail is real one ?

well, if yes, then, too bad for em'.

As of content filtering answer before the end of DATA, it's doable, I'm just not sure it's a good idea, since it adds a big load on the server: it *has* to do the check immediately, keeping him from accepting new mails.

Whereas delayed antispam let him accept mails at a big rate, and then deal with content filtering when he has the sufficient time and ressources to do so.

What would be neat would be an adaptative scheme, that do AV-AS checks before DATA when the machine is not loaded. but I'm not sure on how to achieve that.

Mon	Tue	Wed	Thu	Fri	Sat	Sun
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30

@debian.org and Spam (#3) — alioth

Notes

Trackbacks

Commentaires

Ajouter un commentaire

Catégories

Langues

Rechercher

Calendrier

Archives

Lectures et Textes

Blogs [fr]

Blogs [en]

Syndication

Post