[KLUG Members] How I Defeated SPAM

Adam Tauno Williams awilliam at whitemice.org
Wed Nov 10 19:41:57 EST 2004


Yep, I've done it, at least for now.  Via an apparently little known
trick I picked up at an Anti-SPAM presentation: Greylisting.  This
defeats bulk SPAM without user intervention, great gooey gobs of Perl, or
statistical analysis bordering on numerology.

http://hcpnet.free.fr/milter-greylist/

{unpack}
./configure
make
make install
/usr/local/bin/milter-greylist -f /etc/mail/greylist.conf -u mail -p /var/milter-greylist/milter-greylist.sock

And add 

INPUT_MAIL_FILTER(`filter2', `S=local:/var/milter-greylist/milter-greylist.sock')
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')

to /etc/mail/linux.mc

then

m4 /etc/mail/linux.mc > /etc/sendmail.cf
/etc/rc.d/sendmail restart

BINGO!  Go from a constant stream of SPAM down to 2 to 3 messages A
DAY!  Sweet, and all utilizing standard SMTP features.

The trick is that bulk spammers don't retry failed deliveries; why would
they?  They must have millions of them.  What a grey list does is
maintain a database of message tuples (from address, from IP, to
address).  Every time a message arrives the grey list milter checks the
tuple against its database; if the tuple exists the message enters
further MTA processing without incident.  If the tuple does not exist
the milter does two things: (1) rejects the message with a 451 error and
(2) adds the tuple to its database.  The magic part is that a 451 is a
temporary delivery error (server too busy, etc...), so a *REAL* MTA on
the sending end queues the message and simply comes back within ~15
minutes.  But the spam bot just bails and jumps to the next address to
blast.  When the *REAL* MTA tries to resend the message it is accepted,
since the tuple now exists in the grey list milter's database.  The user
never knows anything happened, except that perhaps the first message
from a new correspondent took a bit longer to deliver.  And since the
milter keeps tuples in its database for a period of time (configurable),
once a tuple is added further traffic between the two correspondents is
not delayed.

Sitting and watching the presentation was like getting hit with a 2x4;
once you see it, it is just so obvious.  We've been running this for a
couple of weeks and it is PHENOMENALLY successful.  Getting SPAM, bulk
SPAM at least, is now pretty rare, maybe a couple messages a day.  And
almost all the really obnoxious stuff (Viagra, etc..) is bulk SPAM.

Thought someone else might be interested in this.
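
The tuple logic described in the post, written out as an added example in Python.  This is not milter-greylist's code and is not from the original message; it is a model of the decision the milter makes.  It assumes three timing parameters that the post does not give numbers for: a minimum retry delay before a seen tuple is accepted, a time-to-live for tuples that are never retried (so the database does not grow without bound), and an auto-whitelist lifetime that is renewed every time an accepted tuple is used.  The addresses, IPs and timestamps in the simulation are constructed for the example.

```python
"""Greylisting decision logic modelled on the (from, ip, to) tuple database
the post describes.  Added example, not milter-greylist's own code."""
from dataclasses import dataclass

# SMTP replies the milter hands back to sendmail.
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "accept"

# Assumed timing values (not from the post, not milter-greylist defaults).
GREYLIST_DELAY = 5 * 60        # a retry sooner than this is still refused
PENDING_TTL = 4 * 3600         # forget tuples that are never retried
AUTOWHITE_TTL = 24 * 3600      # accepted tuples stay whitelisted this long


@dataclass
class Entry:
    first_seen: float          # when the tuple was first refused
    expires: float             # when the entry is dropped from the database
    accepted: bool = False     # True once a retry has been let through


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, pending_ttl=PENDING_TTL,
                 autowhite_ttl=AUTOWHITE_TTL):
        self.delay = delay
        self.pending_ttl = pending_ttl
        self.autowhite_ttl = autowhite_ttl
        self.db = {}           # (sender, client_ip, recipient) -> Entry

    def decide(self, sender, client_ip, recipient, now):
        """Return TEMPFAIL or ACCEPT for one envelope at time `now` (seconds)."""
        # Case-folding whole addresses is a simplification; local parts are
        # case-sensitive by RFC but almost never in practice.
        key = (sender.lower(), client_ip, recipient.lower())
        entry = self.db.get(key)

        # Expired entries (never retried, or whitelist lapsed) start over.
        if entry is not None and now >= entry.expires:
            del self.db[key]
            entry = None

        if entry is None:
            # Step (1) and (2) from the post: 451, and record the tuple.
            self.db[key] = Entry(first_seen=now, expires=now + self.pending_ttl)
            return TEMPFAIL

        # A bot that retries immediately must not slip through: insist on
        # the minimum delay a real queueing MTA would naturally observe.
        if not entry.accepted and now - entry.first_seen < self.delay:
            return TEMPFAIL

        # Genuine retry (or already-whitelisted pair): accept and renew.
        entry.accepted = True
        entry.expires = now + self.autowhite_ttl
        return ACCEPT


def simulate():
    """Constructed scenarios: a fire-and-forget bot, a real MTA, a fast-retry bot."""
    gl = Greylist()
    rcpt = "user@example.org"
    t0 = 0.0
    results = {}

    # Bulk sender tries once and moves on: the message is never delivered.
    results["bot"] = [gl.decide("bulk@example.net", "203.0.113.9", rcpt, t0)]

    # Real MTA: refused, retries after ~15 minutes, later mail is not delayed.
    results["mta"] = [
        gl.decide("friend@example.com", "198.51.100.25", rcpt, t0),
        gl.decide("friend@example.com", "198.51.100.25", rcpt, t0 + 15 * 60),
        gl.decide("friend@example.com", "198.51.100.25", rcpt, t0 + 15 * 60 + 3600),
    ]

    # Bot that retries after a few seconds is still refused by the delay.
    results["fast_retry"] = [
        gl.decide("bulk2@example.net", "203.0.113.10", rcpt, t0),
        gl.decide("bulk2@example.net", "203.0.113.10", rcpt, t0 + 5),
    ]
    return results


if __name__ == "__main__":
    for name, decisions in simulate().items():
        print(name, decisions)
```

The minimum delay is the one piece the post's description leaves implicit: without it, any sender that retries right away gets in, so the protection would rest entirely on bots never retrying.  With it, a retry inside the window gets another 451, which a legitimate MTA treats exactly like the first one.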
