[CentOS] spam control

Wed Oct 25 14:52:38 UTC 2006
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting James Fidell <james at cloud9.co.uk>:

> It's sorely tempting to set up a lowest-priority MX that either
> points to 127.0.0.1, or to a machine that has a daemon on port 25
> just returning 4xx SMTP errors in response to every connection.

While it might be tempting, you'll end up loosing some legitimate  
email.  You might also end up being automatically blacklisted by some  
sites.  Some sites block domains that have 127.0.0.1 in MX list.   
Sometimes, MX lookup on domain part of sender's address in viruses and  
spam returns a name that when resolved points to 127.0.0.1.  Intention  
is that if bounce is generated, it goes to the local account.  Mail  
servers are way too often configured to include copy of original email  
in the bounce.  Since bounce is generated locally it might bypass  
spam/virus checks.  Sneeky, eh.

I've also seen MTA implementations that don't really care about  
priorities, they simply connect to the first MX that DNS query  
returned.  It's broken all right, but that's how the things are.

Even with just the "standard" greylisting (no 127.0.0.1 or always  
return 4xx on lowest priority MX tricks), you'll get in trouble from  
time to time.  I'm not talking about delivery delays (that can be  
longer than one hour in worst case).

The Symantec Antivirus for Mail Gateways (at least some versions of  
it) generates warning email back to the sender when it gets 4xx.   
Rather annoying to the senders that happen to work at places that have  
it deployed on the border.

Some mail servers (not sure if it's MTA itself or misconfiguration on  
the admin part though) treat 4xx same as 5xx.  No retries, they bounce  
mail right away.

Some sites have server farms for outgoing mail.  If you greylist only  
on sender/recipient pair, no big deal.  If you greylist on  
sender/recipient/IP triplet, some emails will never pass greylisting  
since connection comes from different IP address every time.  Most  
greylisting implementations that check the triplet come with  
whitelisting support and predefined lists of some well known big sites  
that have farms for outgoing email.  But you can always hit some not  
on the list.  I've got bit by that some time ago when I was  
experimenting with greylisting on my personal domain.

In short, while greylisting reduces spam significantly, be prepared  
that it's not trouble-free solution.  Be prepared to implement  
workarounds for troublesome sites (boils down to some sort of  
whitelisting).  Your users don't care that MTA on the sender's side is  
broken.  They want to exchange emails, and the intial delay introduced  
by greylisting is already annoying enough for them (for some even more  
annoying than spam).

As more sites implement greylisting, spammers are more likely to start  
retrying addresses they got 4xx.  I already see more and more spammers  
doing this.  This makes gerylisting a "temporary solution" that works  
now.  In future it will be less and less effective.

It's the same thing as with SPF/CallerID/DomainKey.  Analysis shows  
that even today volume of spam that fails SPF/CallerID/DomainKey  
checks is about the same as volume of spam that pass those checks  
(actually, those checks are not designed to detect or block spam, they  
are designed to attempt to prevent others to use your domain name in  
faked email addresses).  With domains being sold for around $10/year,  
I don't see much use of forcing spammers to use their own domain  
though (so we can blacklist them).  The trouble with "allow unless  
explicitly denied" approach is that it doesn't really work.  It's the  
truth you'll find in chapter one of any book on security.  Spammers  
can easilly use fresh new domain for each single mass mailing.  It  
will only bring the increased revenue to domain registrars (and we'll  
see number of entries in com/net/org zones on top-level DNS servers  
exploding).

Want to start new domain registrar business?  Now might be a good  
time.  If this SPF/CallerID/DomainKey thing becomes widespread, you'll  
get your share from spammers profits (as they will be forced to buy  
new domains at least on monthly basis, if not more often).

Spam is a multi-billion dollar business.  Regardless of which side of  
the fence you sit.

-- 
NOTICE: If you are not intended recipient, you are hereby notified
that by reading this message you agreed not to disturb frogs during
mating season.  For more info, visit http://www.8-P.ca/