On Tue, 9 Jul 2002, Theo Van Dinter wrote:

> 
> Basically, I use a bunch of open-relay RBLs and a few custom sendmail

You probably don't realize that blocking open-relays means that you have
misconfigured your spam filters to allow _more_ spam, rather than less.  
It's more because by doing so you can't block spam sent through closed
relays, even though the source IP address of the abuser has been reported
to RBL. 

Also, ISPs cannot block open relays since this violates 18 USC
2701(A)(2), which prohibits ISPs from blocking authorized email. Some
have, but stopped after receiving letters from our attorney reminding them
of the statute, and the $1000 per affected user that they owe us if the
blocking is intentional.  Very little of our email has ever been blocked
by an open relay list. And what is blocked is often spam bounces--the
bounces going back from spam to a non-existent user. Very, very few people
use these services. 

Evidence of the lack of use is obvious: The MAPS RBL consumes more than 1
T3 of bandwidth, according to Vix, and the Open Relay black lists are
frequently found operating off of T1's or less. There can't be many
"customers."

Many of the Open relay black lists have been shut down by courts or by
their upstreams.  Their scanning has caused computers to crash, which
violates criminal statutes in the US.  In short, they are widely
recognized as abusive, and possibly criminal organizations.

Also, many of the open relays are operated by ISPs, such as us.  I won't
explain the many situations where Open Relay is necessary, and why SMTP
AUTH is dead, and such. That much is either obvious by now, or you don't
need to know it, since you might not ever need open relay yourself.

Rather, most (perhaps all) of the open relay Black Lists are actually
spammers themselves. This needs explanation.

For many years, we have used Cisco logging of all inbound SYN packets to
TCP port 25 on all of our address space (even unallocated space). This
reveals who is scanning for relays.  Actually, it just reveals the IP
address of the scanner. When they find a relay, and then relay test it, we
can see who the recipient email was, and that identifies the scanner. In
the past, I have also set up unused relays, and submitted these to an OR
black list, in our own "tests". Within days (sometimes hours) of
submission, this unused relay will start getting abuse.  Sometimes the /24
of the relay is also scanned, sometimes not. However, it is never scanned
prior to submission.

Only relays listed in the O.R. black lists are ever abused.  The Open
Relay Black Lists are the spammers sending abuse through open relays.

Also, once you subscribe to an OR black list, your domain will start
getting abuse email, which your BL then blocks. This serves to keep you
addicted, and to show the "effectiveness" of the BL.  You've been scammed.

There are a number of things that we do to protect our relays and identify
abusers, and I do a lot of analysis on the spam sent.  Most of the spam is
not commercial.  Marketers want to sell products. Antispammers want to
annoy people into banning spam/closing relay service/etc.  So the
non-commercial spam is sent by antispammers. Since nearly all of the spam
is non-commercial, it follows that nearly all spam is sent by
antispammers.

So, use content based spam filtering, and avoid the open relay black
lists.

                --Dean

> rules to block obvious spam at the SMTP level.  Then during delivery,
> users can run SpamAssassin (http://www.spamassassin.org -- an absolutely
> terrific open source spam scanner) to determine if a message is spam or
> not.  Procmail then handles what they want to do with the spam from there.
> 
> Another good tool (works with SpamAssassin too) is Razor
> (http://razor.sf.net/).  It works by checking incoming messages against
> a centralized database of reported spams.
> 
> There's also DCC (Distributed Checksum Clearinghouse, also works with
> SpamAssassin, http://www.rhyolite.com/anti-spam/dcc/).  I haven't tried
> it, but it's similar to Razor but checks for "bulkiness" of a message, as
> opposed to determining if a specific message was reported as spam or not.
> 
> 

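The SYN-logging approach Dean describes, as an added illustration that is not part of this thread: a Python script that parses constructed Cisco-style ACL log lines (the exact syslog format, the addresses and the "unallocated" range are all assumptions) and flags sources that probe many hosts on tcp/25, or any host in address space where no mail server exists.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape of Cisco IOS ACL log messages.
# 203.0.113.9 sweeps several hosts (one in unused space), 192.0.2.50 is a
# normal sender, 203.0.113.77 touches only an unused address.
SAMPLE_LOG = """\
Jul  9 10:01:02 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(4021) -> 198.51.100.2(25), 1 packet
Jul  9 10:01:02 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(4022) -> 198.51.100.3(25), 1 packet
Jul  9 10:01:03 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(4023) -> 198.51.100.4(25), 1 packet
Jul  9 10:01:03 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(4024) -> 198.51.100.130(25), 1 packet
Jul  9 10:02:15 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.50(51022) -> 198.51.100.2(25), 1 packet
Jul  9 10:02:40 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.50(51023) -> 198.51.100.2(587), 1 packet
Jul  9 10:05:09 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.77(3344) -> 198.51.100.140(25), 1 packet
"""

# src(sport) -> dst(dport); only the four captured fields are used.
LINE_RE = re.compile(r"permitted tcp ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)")

# Assumed: the upper half of this /24 is announced but has no hosts, so
# any SYN to it is a probe, never legitimate mail delivery.
UNALLOCATED = [ip_network("198.51.100.128/25")]


def parse_syn_log(text):
    """Map each source address to the set of hosts it contacted on tcp/25."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport = m.groups()
        if dport != "25":  # ignore submission (587) and other ports
            continue
        hits[src].add(dst)
    return hits


def find_relay_scanners(hits, min_targets=3):
    """Flag a source if it touched >= min_targets hosts, or any unused address."""
    findings = []
    for src, dsts in hits.items():
        dark = [d for d in dsts if any(ip_address(d) in n for n in UNALLOCATED)]
        if len(dsts) >= min_targets or dark:
            findings.append({"src": src, "targets": len(dsts),
                             "darknet_hits": len(dark)})
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in find_relay_scanners(parse_syn_log(SAMPLE_LOG)):
        print(f)
```

In practice the darknet test is the stronger signal: a legitimate MTA has no reason to open a connection to an address that has never hosted anything.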

---
Send mail for the `bblisa' mailing list to `[EMAIL PROTECTED]'.
Mail administrative requests to `[EMAIL PROTECTED]'.