Stupid anti-spam testings...

Stupid anti-spam testings...

[Matti Aarnio]

Quite a many of vger's recipients are doing return-path verification
testing for SMTP's MAIL FROM address.

I would not mind that, EXCEPT that those bloody stupid things don't
have any sane caches at all!    VGER is sending 300+ messages per
day to 3500+ recipients of linux-kernel list EVERY DAY, and every
outgoing message is now getting oodles of those probes!

Folks,  when you deploy that kind of testers, DO VERIFY THAT THEY
HAVE SANE CACHES!  A positive result shall be cached for at least
two hours, a negative result shall be cached for at least 30 minutes.

That would send a dozen back-probes towards vger from recipient
system, instead of present 300+ !


/Matti Aarnio -- who considers some cures worse than the original problem...

Re: Stupid anti-spam testings...

[Andreas Dilger]

On Sep 03, 2002  00:50 +0300, Matti Aarnio wrote:
> Quite a many of vger's recipients are doing return-path verification
> testing for SMTP's MAIL FROM address.
> 
> I would not mind that, EXCEPT that those bloody stupid things don't
> have any sane caches at all!    VGER is sending 300+ messages per
> day to 3500+ recipients of linux-kernel list EVERY DAY, and every
> outgoing message is now getting oodles of those probes!
> 
> Folks,  when you deploy that kind of testers, DO VERIFY THAT THEY
> HAVE SANE CACHES!  A positive result shall be cached for at least
> two hours, a negative result shall be cached for at least 30 minutes.

Do you know if this is one of the default checks from spamassassin?
I would imagine that a lot of people (including myself) have it
installed, so it is possible that it (or some other widely-used tool)
now does this sort of check out-of-the-box, and the people who are
installing them have no idea about the kind of load it generates on vger.
I doubt that there are a large number of people who are independently
misconfiguring their mail setup this way

If it is possible to track what tool is causing the problem and fixing
the default setup of that tool at the source, it will probably solve
99% of the problems in one go (after the list knows to which version
they should upgrade).

Cheers, Andreas
--
Andreas Dilger
http://www-mddsp.enel.ucalgary.ca/People/adilger/
http://sourceforge.net/projects/ext2resize/

Re: Stupid anti-spam testings...

[Matti Aarnio]

On Mon, Sep 02, 2002 at 04:28:37PM -0600, Andreas Dilger wrote:
...
> > Folks,  when you deploy that kind of testers, DO VERIFY THAT THEY
> > HAVE SANE CACHES!  A positive result shall be cached for at least
> > two hours, a negative result shall be cached for at least 30 minutes.
> 
> Do you know if this is one of the default checks from spamassassin?

  No idea.  I have seen these coming from Exim 4.10, Exim-something,
  some sendmail milter (whatever that is), etc..

  Apparently the idea (which I have thought of long ago, and rejected
  as incomplete) has caught, and has multiple implementations...

> I would imagine that a lot of people (including myself) have it
> installed, so it is possible that it (or some other widely-used tool)
> now does this sort of check out-of-the-box, and the people who are
> installing them have no idea about the kind of load it generates on vger.
> I doubt that there are a large number of people who are independently
> misconfiguring their mail setup this way

  I can easily reduce the load impact it causes to vger by
  running the smtp server in "accept everything" mode without
  analyzing local addresses for existence.  With a bit more
  work I can throw in local cache..  (which I probably have to do..)

> If it is possible to track what tool is causing the problem and fixing
> the default setup of that tool at the source, it will probably solve
> 99% of the problems in one go (after the list knows to which version
> they should upgrade).

  Raise some noise all around, there are multiple implementations
  of the idea.  Some even with syntactically invalid tester codes
  (spaces put in place where they don't belong in RFC 821/2821);
  "works with sendmail" is NOT synonymous to "is syntactically 
  correct."

  - a mister at blue-labs.org  runs some sendmail-milter which
    does testing with invalid protocol syntax
  - usw-sf-list1.sourceforge.net  use probably their own code
    usw-sf-fw2.sourceforge.net too...  possibly more systems there..
  - quetz.demon.co.uk tests from  Exim 4.10
  - somebody.symons.net tests from Exim 3.35

  Right now something like 5-7 different systems are doing it.
  Try to imagine when all 3500 targets do it...  BRRRRR...
  (Sure, VGER can handle it, no problem, but it is that much
   wasted cycles, and network traffic...)

> Cheers, Andreas
> Andreas Dilger

/Matti Aarnio

Re: Stupid anti-spam testings...

[Davide Libenzi]

On Tue, 3 Sep 2002, Matti Aarnio wrote:

> On Mon, Sep 02, 2002 at 04:28:37PM -0600, Andreas Dilger wrote:
> ...
> > > Folks,  when you deploy that kind of testers, DO VERIFY THAT THEY
> > > HAVE SANE CACHES!  A positive result shall be cached for at least
> > > two hours, a negative result shall be cached for at least 30 minutes.
> >
> > Do you know if this is one of the default checks from spamassassin?
>
>   No idea.  I have seen these coming from Exim 4.10, Exim-something,
>   some sendmail milter (whatever that is), etc..
>
>   Apparently the idea (which I have thought of long ago, and rejected
>   as incomplete) has caught, and has multiple implementations...

Personally i don't think this kind of tests are going to reduce the spam
that much but a simple lookup in the subscribers database might help
reducing the smtp-test traffic only for non-subscriber addresses.



- Davide

[ot] Re: Stupid anti-spam testings...

[Matt Bernstein]

At 02:32 +0300 Matti Aarnio wrote:

>On Mon, Sep 02, 2002 at 04:28:37PM -0600, Andreas Dilger wrote:
>...
>> Do you know if this is one of the default checks from spamassassin?
>
>  No idea.  I have seen these coming from Exim 4.10, Exim-something,
>  some sendmail milter (whatever that is), etc..
>
>  Apparently the idea (which I have thought of long ago, and rejected
>  as incomplete) has caught, and has multiple implementations...

I only speak (and even then not officially) for Exim's implementation,
which is "verify = sender/callout" in Exim 4. I will check to see what
caches may or may not apply. (I think Exim might not cache this, in which
case I'll try to get this caching onto the wish list.)

Anyway I think this kind of paranoia is just silly. It's trivial to forge 
a valid sender address, so why bother checking anything other than a 
syntactically valid domain name?

>  - usw-sf-list1.sourceforge.net  use probably their own code
>    usw-sf-fw2.sourceforge.net too...  possibly more systems there..

These may well be Exim.

>  - quetz.demon.co.uk tests from  Exim 4.10
>  - somebody.symons.net tests from Exim 3.35
>
>  Right now something like 5-7 different systems are doing it.
>  Try to imagine when all 3500 targets do it...  BRRRRR...
>  (Sure, VGER can handle it, no problem, but it is that much
>   wasted cycles, and network traffic...)

In Exim's case the network traffic will be minimal:

EHLO host.name
MAIL FROM:<>
RCPT TO:<sender@for.verify>
RSET

..is about as much as you'll get. The wasted cycles will be more 
important.

Sorry for the noise on the list..

Re: Stupid anti-spam testings...

[Barry K. Nathan]

On Tue, Sep 03, 2002 at 02:32:30AM +0300, Matti Aarnio wrote:
>   some sendmail milter (whatever that is), etc..

I don't know if this helps, but it might:
http://www.milter.org/about.shtml

-Barry K. Nathan <barryn@pobox.com>

Re: [ot] Re: Stupid anti-spam testings...

[Kevin P. Fleming]

Matt Bernstein wrote:
> 
> Anyway I think this kind of paranoia is just silly. It's trivial to forge 
> a valid sender address, so why bother checking anything other than a 
> syntactically valid domain name?
> 

Because, believe it or not, most spammers don't bother. The main server 
that I maintain (_NOT_ where I receive L-K) drops at least 20 messages a 
day at RCPT TO: time using this very check. Considering that's 50% of 
the spam we drop at RCPT TO: time, I'd say it's worth it.

But I do agree, the systems doing the callouts should cache the results 
(I'm an Exim 4.10 user as well).

Re: Stupid anti-spam testings...

[Henning P. Schmiedehausen]

Matti Aarnio <matti.aarnio@zmailer.org> writes:

>  some sendmail milter (whatever that is), etc..

mail filter. The filtering API of sendmail 8.12+. You can e.g. attach
SpamAssassin here...

	Regards
		Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20