Michael;

I can't wait to test it! :-)

Doug
======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message -----
From: "Michael Dinowitz" <[EMAIL PROTECTED]>
To: "CF-Community" <[EMAIL PROTECTED]>
Sent: Thursday, June 12, 2003 6:57 PM
Subject: Re: iMS CFUG Edition

| I feel that banning an IP or domain is a last resort type thing. It is a total failure in communications and should only be done as a last resort. This is why I don't use outside RBLs or the like. If someone is going to be banned, I have to be sure the reason is good. The process I take may be a long one, but it results in a sure ban.
| Every spam message I get results in a message to the TRUE domain the spam came from. In many cases I have to hunt down the true domain and in some I can't find them. In a few cases I've got personal messages telling me that the account has been closed or the relay fixed. In most I get an automatic response which I ignore. In a few I get error messages telling me that one or the other account is not in existence and I basically take it on trust that it'll be looked at. When I get a message of both accounts being non-existent, that's when I start doing more investigations. In a very few cases this results in a banning. In most it does not. It takes more time, but it's better to be sure.
| Anyway, I rely on the pattern machine a lot more than any banned list. :)
| As for links within a spam message, I ignore them. I've been sent spamcop messages because a site I was working with was in a message wrongly flagged as spam. I'm against draconian rules like they have.
|
| The point of all this is to be very light on the admin side, totally self contained and very processor light. The rules I have now are ONLY for the headers of the message.
| If you put in body scan rules as well, then you'll get almost 100%. All that's needed is 1 person generating proper rules for all and then an admin just to look over the spam subjects/results. I've got an admin for myself that allows me to look at 20 spam messages at a time, show why it's spam, what the subject/to/from was and allows me to do something with it. One step operation to process the spam and email the spamming domains. Not perfect yet, but....
| Ah, if only I trusted the other spam fighting tools to do the job I wanted. :)
|
| > If I understand that correctly, that is pretty arcane, especially if the domain is either spoofed or "joe-jobbed" which would put them in an innocent bystander category. Operating against the IP number, while not always perfect, is more perfect than using a domain name.
| >
| > However, there is something else to consider too, and that is reporting the spamvertised web sites, which requires deobfuscating the URL encoding that some of the more clueless spammers do.
| >
| > I also have found that most of the open relay/open proxy block lists only actually offer a partial listing of actual relays. This is the reason that for a blocker to be effective, one must choose several from a long list of databases in order to do the job you want to do. Most of them allow access at no charge. Some are self-updating, and others never update and consequently get stricter and stricter, which is not a good thing.
| >
| > Now, filtering rules, are something else again, and that is a good thing to spend effort on, to score the subject and content, and when a threshold is reached the mail is isolated. The open relay stuff is checked first, and if an IP appears on one of them then that mail is not even allowed a connection.
| > For rules to apply, the email must be downloaded to apply the rules, and once downloaded, either dumped into dev/null (deleted) or routed to a spam folder for periodic review to guard against false positives.
| >
| > I have been involved in anti-spamming for several years, and I recognize the yeoman's job you are doing to create a workable application, and hopefully will not require a heavy administrative burden for the user.
| >
| > The one good thing that can come from the occasional good email that has been blocked is the pressure the ISP's customer can directly apply to them to rigidly enforce their Terms of Service. The most effective tool for reducing the endless spew of spam will be when the ISP can no longer make a profit by either hosting it or allowing it to pass through their systems at the expense of losing their regular customers.
| >
| > My experience is that the smaller, regional service providers are the most responsive to spam complaints and are pretty quick about terminating accounts, whereas the larger providers are so swamped with complaints, they are, for the most part, unresponsive. Another problem is misconfigured mail servers that are operating as open relays, mostly off shore, that do not follow the RFC's which require them to report accurately the origin of email transiting their servers. The cause may be that so much software overseas is pirated, it is not kept up to date, but I am only guessing here. The result in those cases is that one can never trace all the way back to the origin the source of the spam.
| >
| > ----- Original Message -----
| > From: "Michael Dinowitz" <[EMAIL PROTECTED]>
| > To: "CF-Community" <[EMAIL PROTECTED]>
| > Sent: Thursday, June 12, 2003 5:41 PM
| > Subject: Re: iMS CFUG Edition
| >
| > | As a side note, this is one of the reasons for banning a domain. When I get spam from a domain I email both their postmaster and abuse accounts. When I get an email like this, the domain gets flagged as needing a once over. If, after a once over, I can't get any response from them (even a recorded message), then it's banned.
| > | This place happens to be a substance abuse center. I'll then go into the spam message to see if they were sending it or if they have an open relay. If they sent it, then they're spammers and are blocked. If it's a relay, I'll try to hunt down their admin to report it.
| > |
| > | <[EMAIL PROTECTED]>: host posti.a-klinikka.fi[193.64.139.107] said: 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
| > |
| > | <[EMAIL PROTECTED]>: host posti.a-klinikka.fi[193.64.139.107] said: 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
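
The triage described in the quoted messages above (report to both the postmaster and abuse accounts, then flag the domain for a manual once-over only when both reports bounce), sketched as an added example that is not part of the original thread or of Michael's tool. The bounce-line layout follows the two notices quoted above; the sample addresses, hosts and status labels are constructed.

```python
import re
from collections import defaultdict

# Bounce notice in the shape quoted in the thread:
#   <rcpt>: host mx.name[ip] said: 550 5.7.1 Unable to relay for rcpt
BOUNCE_RE = re.compile(
    r"<(?P<rcpt>[^<>@\s]+@[^<>\s]+)>:\s+host\s+(?P<host>[\w.-]+)"
    r"\[(?P<ip>[0-9.]+)\]\s+said:\s+(?P<code>[245]\d\d)"
    r"(?:\s+(?P<enh>\d\.\d+\.\d+))?\s+(?P<text>.*)"
)
ROLE_ACCOUNTS = {"postmaster", "abuse"}

# Constructed sample: documentation domains and IP ranges only.
SAMPLE = """\
<postmaster@mail.example.org>: host mx.example.org[192.0.2.10] said: 550
    5.7.1 Unable to relay for postmaster@mail.example.org
<abuse@mail.example.org>: host mx.example.org[192.0.2.10] said: 550 5.7.1
    Unable to relay for abuse@mail.example.org
<abuse@example.net>: host mx.example.net[198.51.100.7] said: 550 5.1.1
    User unknown
<postmaster@example.com>: host mx.example.com[203.0.113.5] said: 450 4.2.0 Try later
"""

def parse_bounces(report):
    """Yield one dict per bounce record, tolerating wrapped lines."""
    # A new record starts at a line beginning with '<'; anything else
    # is a continuation of the previous record.
    for record in re.split(r"\n(?=<)", report.strip()):
        match = BOUNCE_RE.search(" ".join(record.split()))
        if match:
            yield match.groupdict()

def triage(report):
    """Map each reported domain to a status label.

    Only permanent (5xx) failures count. A domain is marked
    'needs-review' when BOTH role accounts bounced; that queues a
    human check and is not a ban by itself.
    """
    failed = defaultdict(set)
    for bounce in parse_bounces(report):
        local, _, domain = bounce["rcpt"].rpartition("@")
        if local.lower() in ROLE_ACCOUNTS and bounce["code"].startswith("5"):
            failed[domain.lower()].add(local.lower())
    return {
        domain: "needs-review" if roles == ROLE_ACCOUNTS else "one-role-bounced"
        for domain, roles in failed.items()
    }

if __name__ == "__main__":
    for domain, status in triage(SAMPLE).items():
        print(domain, status)
```

Temporary (4xx) replies are ignored on purpose, since a deferred report may still be delivered on retry.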
