Hi,
I have MDaemon installed and lately it has been working wonders to reject spam. However I've noticed that all it does is bounce the mail back to the person who supposedly sent it. Now we all know that it is almost always some innocent address or a fake address and so best case the bounce is pointless and worst case some innocent person is being bombarded with mails.
I'm relatively new to all this so please forgive me if this has been suggested before or indeed if it is simply possible with other mail servers. It occurs to me that we could list the various abuse addresses of the ISP hosting the black listed site and this could be returned when a match is found. If the server software then bounced the mail not to the sender but to the abuse address we would seriously start to affect these ISPs.
It seems to me this is not like the Lycos solution because we are only sending a mail when we receive a mail that mentions a spam url. The result is that the more spam they send the more mails they receive from us, the less spam they send the less mail they will receive and no innocent addresses are affected.
There is a drawback to SURBL and that is that someone could end up black listed wrongly. This mechanism would add insult to injury but let's face it if I wanted to get at xyz.com I'd send out a bunch of spam as if it came from jdoe@xyz.com advertising xyz.com and wait for them to appear on the black list and then send out more spam and now watch their ISP get really upset with them as the bounced messages end up with them.
Nick
On Mon, Dec 20, 2004 at 08:45:48PM +0100, Nick Askew wrote:
Hi,
I have MDaemon installed and lately it has been working wonders to reject spam. However I've noticed that all it does is bounce the mail back to the person who supposedly sent it. Now we all know that it is almost always some innocent address or a fake address and so best case the bounce is pointless and worst case some innocent person is being bombarded with mails.
AFAIK most daemons respond with a 5xx error when they get a successful SURBL result. I don't see this as being any different than normal RBLs which give an error on connection.
I'm relatively new to all this so please forgive me if this has been suggested before or indeed if it is simply possible with other mail servers. It occurs to me that we could list the various abuse addresses of the ISP hosting the black listed site and this could be returned when a match is found. If the server software then bounced the mail not to the sender but to the abuse address we would seriously start to affect these ISPs.
Most of these domains either don't have abuse addresses, nor care about any abuse email that rolls their way (they're just dummy domains who only exist for a month to spam, then die).. What you are suggesting is going to result in my server queueing the message (rather than just returning a 5xx halfway through the SMTP conversation) and sending it to a (probably bogus) abuse address, which will bounce..
It seems to me this is not like the Lycos solution because we are only sending a mail when we receive a mail that mentions a spam url. The result is that the more spam they send the more mails they receive from us, the less spam they send the less mail they will receive and no innocent addresses are affected.
The 5xx response goes back to the sender's SMTP server; it's up to that server what it wants to do with it. It can silently drop it, or bounce it to the sender.
A better solution would be to have the mailer daemon do a wget on the URL in question once it gets a SURBL hit.. That's more of the Lycos solution.. heh
There is a drawback to SURBL and that is that someone could end up black listed wrongly. This mechanism would add insult to injury but let's face it if I wanted to get at xyz.com I'd send out a bunch of spam as if it came from jdoe@xyz.com advertising xyz.com and wait for them to appear on the black list and then send out more spam and now watch their ISP get really upset with them as the bounced messages end up with them.
That's true, but all blacklists AFAIK have to be manually added... That's (I think) how things like this are dealt with.
Frank
I'm relatively new to all this so please forgive me if this has been suggested before or indeed if it is simply possible with other mail servers. It occurs to me that we could list the various abuse addresses of the ISP hosting the black listed site and this could be returned when a match is found. If the server software then bounced the mail not to the sender but to the abuse address we would seriously start to affect these ISPs.
Most of these domains either don't have abuse addresses, nor care about any abuse email that rolls their way (they're just dummy domains who only exist for a month to spam, then die).. What you are suggesting is going to result in my server queueing the message (rather than just returning a 5xx halfway through the SMTP conversation) and sending it to a (probably bogus) abuse address, which will bounce..
Yes I suppose if you simply perform a whois on the IP address of the site you will end up with some spammer that does not care if you post to abuse or postmaster. However I would think that most spam domains are purchased off other ISPs so after a while perhaps it would be possible to change the listed address to that of the ISP's ISP and so on until someone takes notice.
I'm sure that actually fetching the content of the site would work to deter people from sending out their URL as spam but it would lead to a new problem. Every machine in the world using SURBL (and let's face it that should be everyone, it works so well) could be used for a DoS attack just by sending an email (OK the domain would need to be in SURBL).
On Mon, Dec 20, 2004 at 09:42:26PM +0100, Nick Askew wrote:
[snip]
I'm sure that actually fetching the content of the site would work to deter people from sending out their URL as spam but it would lead to a new problem. Every machine in the world using SURBL (and let's face it that should be everyone, it works so well) could be used for a DoS attack just by sending an email (OK the domain would need to be in SURBL).
Gee, I guess that would be a /very/ unfortunate side effect of this.. :-) Why are you all looking at me like that? <G>
Frank
On Monday, December 20, 2004, 12:42:26 PM, Nick Askew wrote:
Yes I suppose if you simply perform a whois on the IP address of the site you will end up with some spammer that does not care if you post to abuse or postmaster. However I would think that most spam domains are purchased off other ISPs so after a while perhaps it would be possible to change the listed address to that of the ISP's ISP and so on until someone takes notice.
Which is almost exactly what SpamCop does. (SpamCop tracks and reports both sender IPs and the Spamvertised web sites.) I recommend that everyone reports to SpamCop the spam that gets through their filters. Those reports are used to create RBLs and SURBLs like sc.surbl.org and ab.surbl.org.
I'm sure that actually fetching the content of the site would work to deter people from sending out their URL as spam but it would lead to a new problem. Every machine in the world using SURBL (and let's face it that should be everyone, it works so well) could be used for a DoS attack just by sending an email (OK the domain would need to be in SURBL).
Yes, and the same applies to sending outbound mail (such as to an abuse address) in response to a spam. Any outbound network traffic responding to spam is potentially dangerous to your network and those of innocent bystanders. It's not a good idea.
Jeff C. -- "If it appears in hams, then don't list it."
On Monday, December 20, 2004, 12:08:16 PM, Frank Precissi wrote:
On Mon, Dec 20, 2004 at 08:45:48PM +0100, Nick Askew wrote:
Hi,
I have MDaemon installed and lately it has been working wonders to reject spam. However I've noticed that all it does is bounce the mail back to the person who supposedly sent it. Now we all know that it is almost always some innocent address or a fake address and so best case the bounce is pointless and worst case some innocent person is being bombarded with mails.
AFAIK most daemons respond with a 5xx error when they get a successful SURBL result. I don't see this as being any different than normal RBLs which give an error on connection.
Keep in mind that some folks use SURBLs at the MTA level and others use it after the MTA has already accepted the mail, such as with SpamAssassin. (It is possible to call SpamAssassin from the MTA so that its results can be used to cause the MTA to reject mail, but that's a somewhat uncommon configuration.)
I'm relatively new to all this so please forgive me if this has been suggested before or indeed if it is simply possible with other mail servers. It occurs to me that we could list the various abuse addresses of the ISP hosting the black listed site and this could be returned when a match is found. If the server software then bounced the mail not to the sender but to the abuse address we would seriously start to affect these ISPs.
Most of these domains either don't have abuse addresses, nor care about any abuse email that rolls their way (they're just dummy domains who only exist for a month to spam, then die).. What you are suggesting is going to result in my server queueing the message (rather than just returning a 5xx halfway through the SMTP conversation) and sending it to a (probably bogus) abuse address, which will bounce..
Probably that's the most likely result. As I mentioned in the other reply, generally speaking it's not a good practice to send any outbound network traffic in response to a spam. As Nick and others note, that can result in a DOS of both the sending and receiving servers.
It's probably better to remember or use information about spams received to block or delete future similar spams.
Jeff C. -- "If it appears in hams, then don't list it."
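
The in-session rejection discussed in this thread, as an added example that is not part of the original messages and is not MDaemon or SpamAssassin code: a SURBL hit is answered with a 5xx at the end of DATA, so nothing is queued and no bounce, abuse report or URL fetch is ever sent. The function names, the sample messages and the naive "last two labels" domain extraction are assumptions; the query form (domain prepended to the list zone, listed if the answer is a 127.0.0.x address) is the usual SURBL lookup.

```python
import re
import socket

SURBL_ZONE = "multi.surbl.org"  # combined SURBL zone (assumed default for this sketch)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def candidate_domains(body):
    """Base domains of URLs in the body (naive: last two labels, no public-suffix data)."""
    found = []
    for host in URL_HOST.findall(body):
        labels = host.lower().strip(".").split(".")
        if len(labels) >= 2:
            base = ".".join(labels[-2:])
            if base not in found:
                found.append(base)
    return found

def surbl_query_name(domain, zone=SURBL_ZONE):
    """DNS name to look up: the URL's domain prepended to the list zone."""
    return f"{domain}.{zone}"

def dns_listed(domain, zone=SURBL_ZONE):
    """Live lookup: listed if the query name resolves to a 127.x answer."""
    try:
        return socket.gethostbyname(surbl_query_name(domain, zone)).startswith("127.")
    except OSError:
        return False  # NXDOMAIN or resolver failure: treat as not listed

def smtp_data_verdict(body, is_listed=dns_listed):
    """Reply to give at end-of-DATA while the sending server is still connected."""
    for domain in candidate_domains(body):
        if is_listed(domain):
            # Reject in-session: the message is never queued, so this host
            # generates no bounce and no other outbound traffic.
            return (550, f"5.7.1 Message rejected: URL domain {domain} is listed")
    return (250, "2.0.0 Message accepted")

# Constructed sample data for an offline run, not real listings.
CONSTRUCTED_LISTED = {"spamvertised.example"}
SPAM_BODY = "Cheap pills at http://www.spamvertised.example/buy now!"
HAM_BODY = "Minutes are at https://wiki.intranet.example/minutes"

def offline_lookup(domain):
    """Stand-in for dns_listed that consults the constructed set."""
    return domain in CONSTRUCTED_LISTED

if __name__ == "__main__":
    print(smtp_data_verdict(SPAM_BODY, offline_lookup))
    print(smtp_data_verdict(HAM_BODY, offline_lookup))
```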