The Current Spam (Cop?) thread

Dustin Decker dustind at moon-lite.com
Thu Feb 13 18:41:31 CST 2003


Hey all,

[Shameless plug up ahead - sort of long rant too.]

I was just pondering the merits of this most recent thread.  Spoofed or
not, it would appear that if there is any validity to what we're seeing
here vis-a-vis SpamCop (or was it Spam Arrest?) there is obviously a flaw
in the methodology behind the technology.  Forgive me, there is another
spam blocker group doing something similar now and I've been following
that thread on the Politecbot list too so I may have two different groups
confused to some degree.

At any rate - I think using relay databases _may_ have merit.  God knows 
I've used ordb and spamhaus with some success in the past.  Ultimately 
though, there are denial of service issues inherent in db driven scenarios 
- it's just too easy to fool them into erroneously adding an address to 
the db.  Even if the folks running the shop _do_ rectify the situation, 
the morning eggs are already on their faces.

What I have found to be the most effective anti-spam measure so far has 
been SpamAssassin.  I'll not digress into setup issues or the like - 
although not extremely difficult, the documentation was a bit quirky for 
me.  What I do want to express though is how tremendously effective it has 
been for me.

I have several different addresses I use for various things - some are 
genuine while others are just an alias to my main account.  Over the past 
18-24 months I've seen my spam queue expand from approx. 10 per day to 
perhaps 200.  I'm not doing any serious acrobatics with Spam Assassin such 
as running it in daemon mode or the like, and I haven't even tweaked the 
default ruleset since I installed it about 4 months ago.  Since January 
20th, I've caught 1058 spam messages.  (There were a couple thousand more, 
and I deleted them a while back... silly really, I should have held onto 
them for analysis when I have time.)

Spam Assassin makes it pretty easy to split things based on score.  I've 
created two folders - "INBOX.ProbablySPAM" and "INBOX.DefinatelySPAM" into 
which things get filtered by procmail.  I review them once in a while to 
make sure I've not had a false positive, and can honestly say I've only 
had TWO out of the 1058 since January 20th!  I'm quite anxious to use this 
on an entire domain and see how it behaves in daemon mode and will happily 
report on the results once I've done that.

Anyway, to get back to my point: Centralized controls are always at risk 
of either becoming draconian (in the case of a supposed anti-spam group 
currently spamming folks about their services, or other forms of abuse) or 
vulnerable to attack as a result of having so many eggs in one basket so 
to speak.  While it's not particularly important for everyone to have their 
own anti-spam software running locally, it would probably be more 
_effective_ (although in terms of bandwidth not as effective perhaps) to 
have multiple measures much closer to the destination delivery points.  

The best thing, IMHO, is some heuristics at _ALL_ SMTP servers that 
analyze headers, and kick out stuff that is blatantly or obviously forged 
or tampered with.  Then do the word based and other forms of anti-spam 
measures further from the border.

What does everyone else think?  I get the impression if the national 
no-call list legislation that's been in the news lately actually does 
pass, spam at that level will be addressed soon enough.  But I digress - 
that's a whole different thread.  <grin>
Dustin

-- 
/---------------------------------------------------------------------------------------\
| Dustin Decker - CNA, MCP.             |       http://www.dustindecker.com             |
| Network Administrator/Engineer        |       Mobile: 913.579.7117                    |
| Preferred Physicians Group            |       Office: 913.262.2585                    |
| http://www.ppminfo.com                |                                               |
|---------------------------------------------------------------------------------------|
|                                                                                       |
|  "The essence of being human is that one does not seek perfection, that one is        |
|  sometimes willing to commit sins for the sake of loyalty, that one does not          |
|  push asceticism to the point where it makes friendly intercourse impossible,         |
|  and that one is prepared in the end to be defeated and broken up by life, which      |
|  is the inevitable price of fastening one’s love upon other human individuals."       |
|                                         --George Orwell (1903–50), British author.    |
\---------------------------------------------------------------------------------------/
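One way to set up the score-based split the post describes, added here as an example and not taken from the original message: a .procmailrc that runs each message through the SpamAssassin command-line filter and files it into the two folders by score. It assumes the `spamassassin` script is on PATH, that mail is stored as a Courier-style Maildir++ under $MAILDIR (so the IMAP folder INBOX.ProbablySPAM is the directory .ProbablySPAM, with the trailing slash telling procmail to deliver in Maildir format), and that a score of 10 or more is the cutoff for "definitely" spam. The header names are SpamAssassin's own: it adds "X-Spam-Status: Yes" at or above its threshold (5.0 by default) and one asterisk per point of score in "X-Spam-Level"; the paths and the 10-point cutoff are assumptions.

```procmail
# Added example (not from the original post): split mail by SpamAssassin
# score into the two folders named in the post.
# Assumptions: "spamassassin" is on PATH, Maildir++ layout under $MAILDIR
# (IMAP folder INBOX.Foo == directory $MAILDIR/.Foo/), 10+ points is
# "definitely" spam.  SpamAssassin's own default threshold is 5.0.

PATH=/usr/local/bin:/usr/bin:/bin
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
LOGFILE=$HOME/.procmail.log

# Tag every message.  "f" filters the message through the command, "w"
# waits for its exit status (and keeps the original if the filter fails),
# and the named lockfile stops concurrent deliveries from running
# several SpamAssassin processes at once on a small box.
:0fw: spamassassin.lock
| spamassassin

# Ten or more asterisks in X-Spam-Level means a score of 10 or more.
# No lockfile suffix on ":0" here: Maildir delivery needs no locking.
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
$MAILDIR/.INBOX.DefinatelySPAM/

# Anything else SpamAssassin flagged (score at or above its threshold).
:0
* ^X-Spam-Status: Yes
$MAILDIR/.INBOX.ProbablySPAM/

# Everything unflagged falls through to DEFAULT, the normal inbox.
```

If SpamAssassin is later run in daemon mode as the post contemplates, the only change is the filter line: pipe through `spamc` instead of `spamassassin`, the rest of the recipes stay as they are. Reviewing the two folders for false positives, as the post does, stays necessary because the X-Spam-Level rule is only as good as the ruleset's scoring.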

More information about the Kclug mailing list