linux-kernel.vger.kernel.org archive mirror
* Postgrey experiment at VGER
@ 2006-12-12 23:50 Matti Aarnio
  2006-12-13  9:25 ` Dumitru Ciobarcianu
  2006-12-14  5:21 ` Rick
  0 siblings, 2 replies; 11+ messages in thread
From: Matti Aarnio @ 2006-12-12 23:50 UTC (permalink / raw)
  To: linux-kernel

Hello,

  I am running an experiment with Postgrey to delay (for 300 seconds
minimum) incoming emails.   If the clients don't retry after this
delay, then the messages don't usually get in.

The "postgrey" in question is the very same thing that exists for
the Postfix MTA with various automatic whitelistings of repeatedly
successful senders, etc.

I do already see spammers smart enough to retry addresses from
the zombie machine, but that share is now below 10% of all emails.
My prediction for next 200 days is that most spammers get the clue,
but it gives us perhaps 3 months of less leaked junk.

  /Matti Aarnio -- one of  <postmaster at vger.kernel.org>


* Re: Postgrey experiment at VGER
  2006-12-12 23:50 Postgrey experiment at VGER Matti Aarnio
@ 2006-12-13  9:25 ` Dumitru Ciobarcianu
  2006-12-13 12:52   ` Trond Myklebust
  2006-12-14  1:25   ` Thomas Davis
  2006-12-14  5:21 ` Rick
  1 sibling, 2 replies; 11+ messages in thread
From: Dumitru Ciobarcianu @ 2006-12-13  9:25 UTC (permalink / raw)
  To: Matti Aarnio; +Cc: linux-kernel

On Wed, 2006-12-13 at 01:50 +0200, Matti Aarnio wrote:
> I do already see spammers smart enough to retry addresses from
> the zombie machine, but that share is now below 10% of all emails.
> My prediction for next 200 days is that most spammers get the clue,
> but it gives us perhaps 3 months of less leaked junk.

IMHO this is only a step in an "arms race".
What will you do in three months, remove this check because it will
prove useless since the spammers will also retry? If yes, why install
it in the first place?


-- 
Cioby

Opinions expressed do not belong to any company.
I'm not sure they belong to me either.




* Re: Postgrey experiment at VGER
  2006-12-13  9:25 ` Dumitru Ciobarcianu
@ 2006-12-13 12:52   ` Trond Myklebust
  2006-12-14  1:25   ` Thomas Davis
  1 sibling, 0 replies; 11+ messages in thread
From: Trond Myklebust @ 2006-12-13 12:52 UTC (permalink / raw)
  To: Dumitru Ciobarcianu; +Cc: Matti Aarnio, linux-kernel

On Wed, 2006-12-13 at 11:25 +0200, Dumitru Ciobarcianu wrote:
> On Wed, 2006-12-13 at 01:50 +0200, Matti Aarnio wrote:
> > I do already see spammers smart enough to retry addresses from
> > the zombie machine, but that share is now below 10% of all emails.
> > My prediction for next 200 days is that most spammers get the clue,
> > but it gives us perhaps 3 months of less leaked junk.
> 
> IMHO this is only an step in an "arms race".
> What you will do in three months, remove this check because it will
> prove useless since the spammers will also retry ? If yes, why install
> it in the first place ? 

Why ever do anything? You're going to die eventually anyway...

Trond



* Re: Postgrey experiment at VGER
@ 2006-12-13 14:11 Al Boldi
  2006-12-13 15:37 ` Gene Heskett
  2006-12-13 16:09 ` Giacomo A. Catenazzi
  0 siblings, 2 replies; 11+ messages in thread
From: Al Boldi @ 2006-12-13 14:11 UTC (permalink / raw)
  To: linux-kernel

Trond Myklebust wrote:
> On Wed, 2006-12-13 at 11:25 +0200, Dumitru Ciobarcianu wrote:
> > On Wed, 2006-12-13 at 01:50 +0200, Matti Aarnio wrote:
> > > I do already see spammers smart enough to retry addresses from
> > > the zombie machine, but that share is now below 10% of all emails.
> > > My prediction for next 200 days is that most spammers get the clue,
> > > but it gives us perhaps 3 months of less leaked junk.

Great!

> > IMHO this is only an step in an "arms race".
> > What you will do in three months, remove this check because it will
> > prove useless since the spammers will also retry ? If yes, why install
> > it in the first place ?
>
> Why ever do anything? You're going to die eventually anyway...

Right!  The problem here is that it may do more harm than good.

May I suggest a smarter way to filter these spammers, by just whitelisting 
email addresses of valid posters, after sending a confirmation for the first 
post.  Now if these spammers get smart, and start using personal email 
addresses, I would certainly expect some real action by abused email address 
owners.


Thanks!

--
Al



* Re: Postgrey experiment at VGER
  2006-12-13 14:11 Al Boldi
@ 2006-12-13 15:37 ` Gene Heskett
  2006-12-13 16:09 ` Giacomo A. Catenazzi
  1 sibling, 0 replies; 11+ messages in thread
From: Gene Heskett @ 2006-12-13 15:37 UTC (permalink / raw)
  To: linux-kernel; +Cc: Al Boldi

On Wednesday 13 December 2006 09:11, Al Boldi wrote:
>Trond Myklebust wrote:
>> On Wed, 2006-12-13 at 11:25 +0200, Dumitru Ciobarcianu wrote:
>> > On Wed, 2006-12-13 at 01:50 +0200, Matti Aarnio wrote:
>> > > I do already see spammers smart enough to retry addresses from
>> > > the zombie machine, but that share is now below 10% of all emails.
>> > > My prediction for next 200 days is that most spammers get the
>> > > clue, but it gives us perhaps 3 months of less leaked junk.
>
>Great!
>
>> > IMHO this is only an step in an "arms race".
>> > What you will do in three months, remove this check because it will
>> > prove useless since the spammers will also retry ? If yes, why
>> > install it in the first place ?
>>
>> Why ever do anything? You're going to die eventually anyway...
>
Some of us sooner than others, since we're well on the way anyway. :)

>Right!  The problem here is that it may do more harm than good.
>
>May I suggest a smarter way to filter these spammers, by just
> whitelisting email addresses of valid posters, after sending a
> confirmation for the first post.  Now if these spammers get smart, and
> start using personal email addresses, I would certainly expect some
> real action by abused email address owners.

This one I second wholeheartedly.  Because it's entirely possible that my 
isp's server will not retry, but will probably spend the next 3 days 
emailing me failure notices every 3 hours or so.  They also have their 
own blacklist for incoming that I've had to bitch about, at length, 
because the only way to get around it is to change my email address to a 
special one they maintain.   There's only one fly in that solution that 
makes the soup unpalatable: I can't send using that address in my headers 
as it's an unknown user error to their outgoing.verizon.net servers.  I'm 
on vz, go figure.

My first reply since, so this is a test of sorts.

>
>Thanks!
>
>--
>Al
>

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.


* Re: Postgrey experiment at VGER
  2006-12-13 14:11 Al Boldi
  2006-12-13 15:37 ` Gene Heskett
@ 2006-12-13 16:09 ` Giacomo A. Catenazzi
  2006-12-13 17:16   ` Horst H. von Brand
                     ` (2 more replies)
  1 sibling, 3 replies; 11+ messages in thread
From: Giacomo A. Catenazzi @ 2006-12-13 16:09 UTC (permalink / raw)
  To: linux-kernel

Al Boldi wrote:
> Trond Myklebust wrote:
>> On Wed, 2006-12-13 at 11:25 +0200, Dumitru Ciobarcianu wrote:
>>> On Wed, 2006-12-13 at 01:50 +0200, Matti Aarnio wrote:
>>>> I do already see spammers smart enough to retry addresses from
>>>> the zombie machine, but that share is now below 10% of all emails.
>>>> My prediction for next 200 days is that most spammers get the clue,
>>>> but it gives us perhaps 3 months of less leaked junk.
> 
> Great!
> 
>>> IMHO this is only an step in an "arms race".
>>> What you will do in three months, remove this check because it will
>>> prove useless since the spammers will also retry ? If yes, why install
>>> it in the first place ?
>> Why ever do anything? You're going to die eventually anyway...
> 
> Right!  The problem here is that it may do more harm than good.
> 
> May I suggest a smarter way to filter these spammers, by just whitelisting 
> email addresses of valid posters, after sending a confirmation for the first 
> post.  Now if these spammers get smart, and start using personal email 
> addresses, I would certainly expect some real action by abused email address 
> owners.

So a challenge to the kernel hackers: build a mail filtering/proxy 
system, à la BSD.
I don't remember the specification and features, but IIRC the
netfilter is not enough to do the graylisting (but pf was).
Does anyone have hints on what the kernel can do in the fight against
spam?

ciao
	cate


* Re: Postgrey experiment at VGER
  2006-12-13 16:09 ` Giacomo A. Catenazzi
@ 2006-12-13 17:16   ` Horst H. von Brand
  2006-12-14  4:41   ` David Rees
  2006-12-15 10:56   ` Folkert van Heusden
  2 siblings, 0 replies; 11+ messages in thread
From: Horst H. von Brand @ 2006-12-13 17:16 UTC (permalink / raw)
  To: Giacomo A. Catenazzi; +Cc: linux-kernel

Giacomo A. Catenazzi <cate@cateee.net> wrote:

[...]

> So a challange to the kernel hackers: build a mail filtering/proxy
> system, a' la BSD.

Has no reason to be in-kernel. Email is a complex subject in and by itself,
don't mix it in here.

> I don't remember the specification and features, but IIRC the
> netfilter is not enough to do the graylisting

Nodz.

>                                               (but pf was).

Mind boggles... 
[Hint: Think a bit what greylisting involves!]

> Someone has some hints what kernel can do in the fight against
> spam?

Nothing whatsoever, directly?
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                    Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria             +56 32 2654239
Casilla 110-V, Valparaiso, Chile               Fax:  +56 32 2797513



* Re: Postgrey experiment at VGER
  2006-12-13  9:25 ` Dumitru Ciobarcianu
  2006-12-13 12:52   ` Trond Myklebust
@ 2006-12-14  1:25   ` Thomas Davis
  1 sibling, 0 replies; 11+ messages in thread
From: Thomas Davis @ 2006-12-14  1:25 UTC (permalink / raw)
  To: Dumitru Ciobarcianu; +Cc: Matti Aarnio, linux-kernel

Dumitru Ciobarcianu wrote:
> On Wed, 2006-12-13 at 01:50 +0200, Matti Aarnio wrote:
>> I do already see spammers smart enough to retry addresses from
>> the zombie machine, but that share is now below 10% of all emails.
>> My prediction for next 200 days is that most spammers get the clue,
>> but it gives us perhaps 3 months of less leaked junk.
> 
> IMHO this is only an step in an "arms race".
> What you will do in three months, remove this check because it will
> prove useless since the spammers will also retry ? If yes, why install
> it in the first place ? 
> 
> 

Spammers are already re-trying; but they give up after 10 minutes. 
As the delay time increases, the chances of getting on a blacklist 
increase, which makes it easier to identify a machine as a spamming bot.

I normally let my greyfilters run at 30 minutes deny, and 72hrs of 
lease time on an IP/To/From tuple.  This setting seems to be pretty 
effective in dropping spam; at one point, up to 10k spam vs. a couple 
hundred ham messages.

thomsa

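Added example, not part of any message in this thread and not Postgrey's own code: a minimal in-memory sketch of the greylisting decision the posts above describe, keyed on the IP/From/To triplet, with the 30-minute deny and 72-hour lease from the preceding message as defaults. The class and function names, the `retry_window` expiry for unconfirmed entries, the lease renewal on each delivery, and the sample traces are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFER, ACCEPT = "450 try again later", "250 OK"

@dataclass
class Entry:
    first_seen: float        # time of the first attempt for this triplet
    last_pass: float = -1.0  # time of the last accepted delivery, -1 = none yet

class Greylist:
    """Triplet greylisting decision (hypothetical sketch, no persistence)."""
    def __init__(self, delay=1800, lease=72 * 3600, retry_window=24 * 3600):
        self.delay = delay                # minimum wait before a retry passes
        self.lease = lease                # how long a passed triplet stays trusted
        self.retry_window = retry_window  # assumption: unconfirmed entries expire
        self.db = {}

    def check(self, client_ip, sender, recipient, now):
        key = (client_ip, sender.lower(), recipient.lower())
        e = self.db.get(key)
        if e and e.last_pass >= 0:
            if now - e.last_pass <= self.lease:
                e.last_pass = now         # assumption: each delivery renews the lease
                return ACCEPT
            e = None                      # lease ran out: treat as a new triplet
        if e and now - e.first_seen > self.retry_window:
            e = None                      # stale entry that never completed a retry
        if e is None:
            self.db[key] = Entry(now)
            return DEFER                  # first contact gets a temporary failure
        if now - e.first_seen < self.delay:
            return DEFER                  # retried too early; the clock keeps running
        e.last_pass = now
        return ACCEPT

def replay(gl, attempts):
    """Feed (time, ip, sender, rcpt) attempts; return one 'D' or 'A' per attempt."""
    return "".join("A" if gl.check(ip, s, r, t) == ACCEPT else "D"
                   for t, ip, s, r in attempts)

# Constructed traces (documentation addresses, times in seconds from first attempt).
RCPT = "linux-kernel@vger.kernel.org"
MTA = [(t, "192.0.2.10", "dev@example.org", RCPT) for t in (0, 900, 2100, 90000)]
BOT = [(t, "198.51.100.7", "x@example.net", RCPT) for t in (0, 120, 600)]

if __name__ == "__main__":
    print(replay(Greylist(), MTA), replay(Greylist(), BOT))  # 30-minute deny
    print(replay(Greylist(delay=300), BOT))                  # 300-second delay
```

With the 30-minute deny, the sender that stops retrying after 10 minutes never gets through, while the same trace passes a 300-second delay on its third attempt; a legitimate server that never retries is rejected in exactly the same way.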

* Re: Postgrey experiment at VGER
  2006-12-13 16:09 ` Giacomo A. Catenazzi
  2006-12-13 17:16   ` Horst H. von Brand
@ 2006-12-14  4:41   ` David Rees
  2006-12-15 10:56   ` Folkert van Heusden
  2 siblings, 0 replies; 11+ messages in thread
From: David Rees @ 2006-12-14  4:41 UTC (permalink / raw)
  To: Giacomo A. Catenazzi; +Cc: linux-kernel

On 12/13/06, Giacomo A. Catenazzi <cate@cateee.net> wrote:
> So a challange to the kernel hackers: build a mail filtering/proxy
> system, a' la BSD.
> I don't remember the specification and features, but IIRC the
> netfilter is not enough to do the graylisting (but pf was).
> Someone has some hints what kernel can do in the fight against
> spam?

I've gone through a number of anti-spam measures over the years. I
started with SpamAssassin, then bogofilter, greylisting, various RBLs
and most recently DSPAM.

SpamAssassin and bogofilter used to work pretty well, but over time
they let more and more spam through so I stopped using them.

Greylisting used to work very well, but recently more and more
spammers are retrying, not to mention I kept on running across broken
mail servers that either wouldn't retry or would take forever to
retry. My users would also complain that email was broken when a
message would take hours to deliver instead of being delivered almost
immediately. They found it better to get spam than to occasionally
miss email or have to wait for email.

RBLs work pretty well as long as you choose the right ones that aren't
too aggressive with their lists. sbl-xbl.spamhaus.org is pretty
reliable and I have found it good at not blocking legitimate sources
of email.

DSPAM's learning ability seems to be very good (better than SA and
bogofilter) once trained and the web interface for training mail makes
it a snap to do (you can also do it via command line). It's also
flexible enough that it's easy to plug it into just about any mail
server configuration out there.

-Dave


* Re: Postgrey experiment at VGER
  2006-12-12 23:50 Postgrey experiment at VGER Matti Aarnio
  2006-12-13  9:25 ` Dumitru Ciobarcianu
@ 2006-12-14  5:21 ` Rick
  1 sibling, 0 replies; 11+ messages in thread
From: Rick @ 2006-12-14  5:21 UTC (permalink / raw)
  To: linux-kernel

In article <20061212235056.GP10054@mea-ext.zmailer.org>,
Matti Aarnio  <matti.aarnio@zmailer.org> wrote:

>  I am running an experiment with Postgrey to delay (for 300 seconds
>minimum) incoming emails.   If the clients don't retry after this
>delay, then the messages don't usually get in.

So far it is working very well.  Usually I have quite a few spams
to delete from my archives during the day. Today I've had zero.

--
http://www.spinics.net/lists/kernel/



* Re: Postgrey experiment at VGER
  2006-12-13 16:09 ` Giacomo A. Catenazzi
  2006-12-13 17:16   ` Horst H. von Brand
  2006-12-14  4:41   ` David Rees
@ 2006-12-15 10:56   ` Folkert van Heusden
  2 siblings, 0 replies; 11+ messages in thread
From: Folkert van Heusden @ 2006-12-15 10:56 UTC (permalink / raw)
  To: Giacomo A. Catenazzi; +Cc: linux-kernel

>May I suggest a smarter way to filter these spammers, by just whitelisting 
>email addresses of valid posters, after sending a confirmation for the 
>first post.  Now if these spammers get smart, and start using personal 
>email addresses, I would certainly expect some real action by abused email 
>address owners.

Spammers will fake the from-address, possibly using the address of a
spam-trap for the from-field. Your challenge will then be sent to the
spam-trap, causing vger to be blacklisted.


Folkert van Heusden

-- 
Temperature outside:    8.562500, temperature livingroom: 21.4
----------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com
