spamd: feature request - BSD



Thread: spamd: feature request

  1. spamd: feature request

    Would it be possible to add a feature to spamd that would allow it
    to perform filtering based on the "From" address? I'm thinking we
    could call this "brownlisting". The way I imagine it working is
    that you could brownlist an IP address (or range).

    Then, for each such brownlisted address or range, you could instruct
    spamd to "pass through" anything "From:" a certain regexp pattern,
    and to tarpit anything else.

    Where I see this being useful is for ISPs like hotmail.com -- I
    don't necessarily want to receive email from just "anyone" at
    hotmail.com, because it's probably spam, but I do want to receive
    email from a select few individuals.

    spamd doesn't need to get emotionally involved with the transport of
    normal mail, it could transparently pipe the regular mail to the MTA,
    which should be a low overhead operation.

    This could be extended to "To" addresses as well -- I have a number
    of "well known" (to me, anyway) spamtrap addresses to which I know
    that there is no legitimate mail.

    Or, if anyone can suggest a better way of accomplishing a similar
    filtering system, please do so.

    (Yes, this is for a "small" system -- I don't know how well this
    would scale to a campus-wide or corporate-wide system).

    Cheers,
    -RK

    --
    Robert Krten, Antique computer collector looking for PDP-8 and PDP-8/S
    minicomputers; check out their "good home" at www.parse.com/~museum

  2. Re: spamd: feature request

    On Wed, 06 Jun 2007 14:51:29 +0000, Robert Krten wrote:

    > Would it be possible to add a feature to spamd...

    Maybe, but this is the wrong place, and the wrong way to ask.

    Place:

    To reach developers, you are better off using the misc@ mailing
    list.

    Way:

    The project's culture usually rejects "development requests" out-of-hand,
    unless money or equipment (or both) are offered. Better acceptance is
    likely if you first submit a patch with your attempted changes, and then
    ask for help getting it working. Once it is tested and working, submit
    the completed patch for review. Yes, this is more difficult than
    just asking for something and hoping, but it should be more successful.

    > ...it could transparently pipe the regular mail to the MTA...

    That is not how spamd works. It is integrated into the network via
    PF table manipulation. All spamd could do is whitelist, which would
    allow the sending MTA to succeed on its *next* attempt, never the current
    one.

    > Or, if anyone can suggest a better way of accomplishing a similar
    > filtering system, please do so.

    SpamAssassin?

    --
    Replying directly will get you locally blacklisted.
    Change the address; use my first name in front of the @ if you want to
    communicate privately.


  3. Re: spamd: feature request

    On 2007-06-06, Robert Krten wrote:

    > This could be extended to "To" addresses as well -- I have a number
    > of "well known" (to me, anyway) spamtrap addresses to which I know
    > that there is no legitimate mail.

    man 8 spamdb

    It seems like you're looking for something like this:

    sudo spamdb -T -a ''

    (Any spam zombies trawling this NG for addresses are of course
    welcome to try that one.)

    EAa
    --
    One day they'll build phasers and there'll be demand for that good old
    solid mechanical "click" of a hammer locking back. -- AdB

  4. Re: spamd: feature request

    Eystein Roll Aarseth wrote:
    > On 2007-06-06, Robert Krten wrote:
    >
    >> This could be extended to "To" addresses as well -- I have a number
    >> of "well known" (to me, anyway) spamtrap addresses to which I know
    >> that there is no legitimate mail.

    >
    > man 8 spamdb
    >
    > It seems like you're looking for something like this:
    >
    > sudo spamdb -T -a ''
    >
    > (Any spam zombies trawling this NG for addresses are of course
    > welcome to try that one.)
    >

    I note that lately I've been getting email sent to
    trap@clevermonkey.org, which I've never used anywhere. It appears that
    a spider (or a human) deduced that email addresses in the form of
    "spam[mumble]@foo.com" might be valid if you just remove the "spam" part.

    This implies that "spam[mumble]@foo.com" may no longer be a Good Enough
    obfuscation technique (was it ever?)

    Anyway, I gladly added to my spamtrap list. I
    like this system, where spammers tell me what address they are going to use.

    --
    clvrmnky

    Direct replies will be blacklisted. Replace "spamtrap" with my name to
    contact me directly.

  5. Re: spamd: feature request

    Robert Krten wrote:
    > Would it be possible to add a feature to spamd that would allow it
    > to perform filtering based on the "From" address? I'm thinking we
    > could call this "brownlisting". The way I imagine it working is
    > that you could brownlist an IP address (or range).
    >
    > Then, for each such brownlisted address or range, you could instruct
    > spamd to "pass through" anything "From:" a certain regexp pattern,
    > and to tarpit anything else.
    >
    > Where I see this being useful is for ISPs like hotmail.com -- I
    > don't necessarily want to receive email from just "anyone" at
    > hotmail.com, because it's probably spam, but I do want to receive
    > email from a select few individuals.
    >
    > spamd doesn't need to get emotionally involved with the transport of
    > normal mail, it could transparently pipe the regular mail to the MTA,
    > which should be a low overhead operation.
    >
    > This could be extended to "To" addresses as well -- I have a number
    > of "well known" (to me, anyway) spamtrap addresses to which I know
    > that there is no legitimate mail.
    >
    > Or, if anyone can suggest a better way of accomplishing a similar
    > filtering system, please do so.


    I use Postfix+Postgrey as a spamd replacement. Postfix has quite a few
    anti-spam measures (I suppose all decent MTAs have), and is very
    flexible; in the worst case, you can always write a custom policy
    server. Although such a setup wouldn't tarpit anything.

    If you're interested, I could delve a little deeper into this, but my
    time is rather limited right now.

    Blocking all of hotmail.com most likely isn't a very good idea, though.
    There is no real reason, either: whatever you may think of Hotmail, I
    don't receive that much spam from their servers (certainly, I do receive
    a lot from ...@hotmail.com; but spamd works based on IP address, and
    greylists those just fine).

    Joachim

  6. Re: spamd: feature request

    On 2007-06-06, Clever Monkey wrote:
    >
    > I note that lately I've been getting email sent to
    > trap@clevermonkey.org, which I've never used anywhere. It appears that
    > a spider (or a human) deduced that email addresses in the form of
    > "spam[mumble]@foo.com" might be valid if you just remove the "spam" part.


    Well, it seems like _some_ spammers try to clean their lists of
    obviously bad addresses. And fail. My spamd had several lengthy
    conversations with some boxes in Canada a while ago that insisted that
    there *had* to be a user with the mail address
    <.eystaar@all-evil.homeunix.org> on this box. There isn't. The only
    way the spammer could have got that address is that he'd stripped most
    of the part before the @ in one of my Usenet Message-ID's. (No, there
    isn't an eystaar@ either - I use a different login name locally.)

    > This implies that "spam[mumble]@foo.com" may no longer be a Good Enough
    > obfuscation technique (was it ever?)


    It'll still take care of those spammers that _don't_ filter their
    lists. I've seen a few spammer's lists during discussion in
    news.admin.net-abuse.email - some of them had lots of *spam*@, noc@,
    security@ and abuse@ addresses, and of course the same stuff after the
    @ (@example.com, @nospamplease.xxx, etc), others had none of that
    sort. Most spammers are lazy and don't care about undeliverable
    addresses - why should they when they usually use zombified Windows
    boxes anyway?

    > Anyway, I gladly added to my spamtrap list. I
    > like this system, where spammers tell me what address they are going to use.


    Yeah, awfully nice of them, eh? :-)

    EAa
    --
    Note to spammers: Don't spam your registrar's abuse guy.
    -- Malcolm Staudinger in NANAE, Message-ID:
    <1163990166.133900.205220@f16g2000cwb.googlegroups.com>

  7. Re: spamd: feature request

    Eystein Roll Aarseth wrote:
    > On 2007-06-06, Clever Monkey wrote:
    >> I note that lately I've been getting email sent to
    >> trap@clevermonkey.org, which I've never used anywhere. It appears that
    >> a spider (or a human) deduced that email addresses in the form of
    >> "spam[mumble]@foo.com" might be valid if you just remove the "spam" part.

    >
    > Well, it seems like _some_ spammers try to clean their lists of
    > obviously bad addresses. And fail. My spamd had several lengthy
    > conversations with some boxes in Canada a while ago that insisted that
    > there *had* to be a user with the mail address
    > <.eystaar@all-evil.homeunix.org> on this box. There isn't. The only
    > way the spammer could have got that address is that he'd stripped most
    > of the part before the @ in one of my Usenet Message-ID's. (No, there
    > isn't an eystaar@ either - I use a different login name locally.)
    >

    Oh man. That's rich, and obviously not done by a human. That leading
    dot screams address massaging via a script.

    >> This implies that "spam[mumble]@foo.com" may no longer be a Good Enough
    >> obfuscation technique (was it ever?)

    >
    > It'll still take care of those spammers that _don't_ filter their
    > lists. I've seen a few spammer's lists during discussion in
    > news.admin.net-abuse.email - some of them had lots of *spam*@, noc@,
    > security@ and abuse@ addresses, and of course the same stuff after the
    > @ (@example.com, @nospamplease.xxx, etc), others had none of that
    > sort. Most spammers are lazy and don't care about undeliverable
    > addresses - why should they when they usually use zombified Windows
    > boxes anyway?
    >

    I figured this was the case.
    --
    clvrmnky

    Direct replies will be blacklisted. Replace "spamtrap" with my name to
    contact me directly.

  8. Re: spamd: feature request

    According to Eystein Roll Aarseth:
    > On 2007-06-06, Clever Monkey wrote:

    [ ... ]

    > Well, it seems like _some_ spammers try to clean their lists of
    > obviously bad addresses. And fail. My spamd had several lengthy
    > conversations with some boxes in Canada a while ago that insisted that
    > there *had* to be a user with the mail address
    > <.eystaar@all-evil.homeunix.org> on this box. There isn't. The only
    > way the spammer could have got that address is that he'd stripped most
    > of the part before the @ in one of my Usenet Message-ID's. (No, there
    > isn't an eystaar@ either - I use a different login name locally.)


    This has been done for *years*. I used to get spam addressed to
    such "usernames" which included a system name that had been retired
    several years before, until I started blocking anything to the retired
    systems.

    A *real* e-mail from my systems would not have the machine name
    in it -- just the domain name, which has MX records pointing to the mail
    servers, so I would not lose any valid e-mail by doing such blocking in
    the "badmailto" file (qmail as the MTA, with a patch to allow
    wildcarding in the badmailto and badmailfrom files.)

    Enjoy,
    DoN.



    --
    Email: | Voice (all times): (703) 938-4564
    (too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
    --- Black Holes are where God is dividing by zero ---
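
Joachim's post above mentions that with Postfix you can always write a custom policy server, and DoN.'s post describes rejecting mail addressed to retired machine names. The block below is an added example (not code from any of the posters, nor from the Postfix, qmail or spamd projects) of a small Postfix policy server that does both: for a "brownlisted" network it lets through only envelope senders matching a regexp, and it rejects recipients that are spamtrap addresses or live at retired host names. It assumes Postfix's policy delegation protocol (name=value attribute lines terminated by an empty line, answered with an `action=` line and an empty line, as used by `check_policy_service`); the network 192.0.2.0/24, the addresses, the host name and the regexp are constructed placeholders. As Joachim notes, Postfix does not tarpit; the example defers the unwanted sender instead, so a real MTA retries the way it would under greylisting.

```python
import ipaddress
import re
import socketserver

# Constructed policy (hypothetical, not anyone's real configuration).
# "Brownlist": networks from which mail is accepted only when the envelope
# sender matches the pattern; anything else from that network is deferred.
# 192.0.2.0/24 is a documentation range standing in for a webmail provider.
BROWNLIST = [
    (ipaddress.ip_network("192.0.2.0/24"),
     re.compile(r"^(alice|bob)@hotmail\.com$", re.IGNORECASE)),
]

# Recipients that never carry legitimate mail: spamtrap addresses, and
# retired host names that only a harvested or munged list would still use.
SPAMTRAPS = {"spamtrap@example.com", "trap@example.com"}
RETIRED_HOSTS = {"oldbox.example.com"}


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy-delegation request: name=value lines,
    terminated by an empty line. Unknown attributes are kept as-is."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break                      # the empty line ends the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def decide(attrs: dict) -> str:
    """Return a Postfix policy action for one RCPT-stage request."""
    client = attrs.get("client_address", "")
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()

    # Recipient checks first: these addresses are never valid, whoever sends.
    if recipient in SPAMTRAPS:
        return "REJECT no such user"
    if recipient.rpartition("@")[2] in RETIRED_HOSTS:
        return "REJECT host no longer accepts mail"

    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "DUNNO"                 # no usable client address: let later checks decide

    for network, allowed_sender in BROWNLIST:
        if addr in network:
            if allowed_sender.match(sender):
                return "DUNNO"         # wanted correspondent: continue with later restrictions
            # Temporary failure, as greylisting does; a real MTA retries, most spamware does not.
            return "DEFER_IF_PERMIT sender not allowed from this network"
    return "DUNNO"


def policy_response(raw: str) -> str:
    """Full wire response for one request: 'action=...' plus the terminating empty line."""
    return "action=%s\n\n" % decide(parse_policy_request(raw))


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve check_policy_service requests: one empty-line-terminated block per request."""
    def handle(self):
        block = []
        while True:
            line = self.rfile.readline()
            if not line:
                return                 # Postfix closed the connection
            line = line.decode("utf-8", "replace").rstrip("\r\n")
            if line == "":
                self.wfile.write(policy_response("\n".join(block) + "\n\n").encode())
                self.wfile.flush()
                block = []
            else:
                block.append(line)


# Constructed sample requests in the shape Postfix sends.
SAMPLE_ALLOWED = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nsender=Alice@hotmail.com\n"
                  "recipient=me@example.com\n\n")
SAMPLE_STRANGER = SAMPLE_ALLOWED.replace("Alice@hotmail.com", "promo@hotmail.com")
SAMPLE_TRAP = SAMPLE_ALLOWED.replace("me@example.com", "trap@example.com")
SAMPLE_RETIRED = SAMPLE_ALLOWED.replace("me@example.com", "root@oldbox.example.com")
SAMPLE_OTHER_NET = SAMPLE_STRANGER.replace("192.0.2.10", "198.51.100.7")

if __name__ == "__main__":
    for name, req in [("allowed", SAMPLE_ALLOWED), ("stranger", SAMPLE_STRANGER),
                      ("trap", SAMPLE_TRAP), ("retired", SAMPLE_RETIRED),
                      ("other net", SAMPLE_OTHER_NET)]:
        print(name, "->", decide(parse_policy_request(req)))
    # As a service: socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Wired into Postfix as `check_policy_service inet:127.0.0.1:10040` under `smtpd_recipient_restrictions`, the recipient checks fire for any client, while the brownlist only affects the listed network; everything else gets `DUNNO` so the rest of the restriction list still applies. Matching on the envelope sender rather than the `From:` header is deliberate: the policy server runs at RCPT time, before any header has been received, and the envelope sender is what a mail server is actually vouching for.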

  9. Re: spamd: feature request

    DoN. Nichols wrote:
    > According to Eystein Roll Aarseth:
    >> On 2007-06-06, Clever Monkey wrote:
    >
    > [ ... ]
    >
    >> Well, it seems like _some_ spammers try to clean their lists of
    >> obviously bad addresses. And fail. My spamd had several lengthy
    >> conversations with some boxes in Canada a while ago that insisted that
    >> there *had* to be a user with the mail address
    >> <.eystaar@all-evil.homeunix.org> on this box. There isn't. The only
    >> way the spammer could have got that address is that he'd stripped most
    >> of the part before the @ in one of my Usenet Message-ID's. (No, there
    >> isn't an eystaar@ either - I use a different login name locally.)

    >
    > This has been done for *years*. I used to get spam addressed to
    > such "usernames" which included a system name that had been retired
    > several years before, until I started blocking anything to the retired
    > systems.
    >
    > A *real* e-mail from my systems would not have the machine name
    > in it -- just the domain name, which has MX records pointing to the mail
    > servers, so I would not lose any valid e-mail by doing such blocking in
    > the "badmailto" file (qmail as the MTA, with a patch to allow
    > wildcarding in the badmailto and badmailfrom files.)
    >

    Typically, addresses with machine names escaping into the wild should
    be rare nowadays. We were discussing harvesters munging emails to
    remove identifiers to derive "correct" emails, not necessarily about
    emails with machine names in them.

    --
    clvrmnky

    Direct replies will be blacklisted. Replace "spamtrap" with my name to
    contact me directly.
