Spammers hapless fate = ISP toil and sweat
Mario Valente mvalente at esoterica.pt
Wed Sep 17 18:16:12 CEST 1997
>>Spamming is a serious problem. [...]
>
>Thanks to Luis! I totally agree, we need to handle these
>assholes seriously.
>
>My personal filtering technique is to accept the email and never
>deliver it. Interestingly enough, some of the spammers have one

As postmaster for Esoterica together with Paulo Laureano (who's on holiday), Paulo and I have been responsible for dealing with the spammers.

There are two distinct problems: one is your local users being hit by spam. I don't mean one or two or ten. I mean when someone gets hold of your list of users (/etc/passwd or mailing lists or scanning Usenet) or (like we had in the past) has someone create a program to generate all the permutations of 8 letters and try to deliver mail to permutationN at esoterica.pt.

The other problem is your email server being used as a relay for spamming. Someone delivers mail on your server saying it is destined for somewhere else. Not only do you spend computation and bandwidth resources, but you also appear to be the origin of the spam, and thus get bothered a lot by other sysadms.

This last problem was quite simple to solve, since there are patches and configurations for sendmail to do relay for only a list of machines.

The second problem we dealt with by detecting which spams were being sent and blocking email coming from such domains or addresses. The problem with this approach is that there's still a connection being made; there's still a process launched on your machine.

The next solution was to block packets coming from those addresses to port 25 of any machine on our network. This, together with the no-relay change, worked wonders. Our spammer friends didn't like this at all. They started sending out spam through other mail servers with fake From addresses ending in @esoterica.pt; we've had no end of complaints from people thinking we were the origin of spam and had to do no end of explaining.
Our current solution is quite devious :-) We receive mail from anywhere!... Yes... But we have a daemon running that checks the incoming mail queue for certain patterns of use, domains, volume of messages, etc. If a spam is detected, the daemon at once, using Linux's ipfwadm (firewall/packet blocking tools), blocks reception of packets from the address/domain originating the spam for about 15 minutes. After that the reception is restored.

This means that normal mail comes in; even very frequented mailing lists are no problem; but a repeated message, from the same address with the same size, puts up a red sign; some of the messages are received; but then reception is blocked and for 15 minutes no more messages can be delivered; for the spammers it looks like a network congestion or lack of connectivity, so they give us no problems; 15 minutes later, reception is reestablished, for normal reception of email (even from the previous offending domain) or for another 15 minutes of blocking.

This has worked wonders. We still receive unsolicited email, but no more heavy duty spams.

C U!

-- Mario Valente
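The queue-watching throttle Mario describes (same sender, same size, repeated, then a 15-minute packet block on port 25 that is lifted automatically) is easy to get wrong at the edges: a busy but legitimate list server must not trip it, and a host that comes back after the block must start again from zero rather than stay blocked forever. The following is an added example written for this archive page, not Esoterica's daemon; it assumes a queue entry reduces to (connecting host, envelope sender, message size, timestamp), uses a constructed burst threshold of 5 identical messages inside 60 seconds, and only builds the ipfwadm input-chain commands as strings instead of executing them (the ipfwadm 2.x option syntax is an assumption, not taken from the post).

```python
"""Queue-watching spam throttle in the spirit of the post above.

Added example, not the original daemon. Assumptions, all constructed:
a queue entry is (src_ip, sender, size, ts); a "burst" is THRESHOLD
messages with identical sender and size from one host inside WINDOW
seconds; a block is an ipfwadm deny rule on TCP/25 that is removed again
after BLOCK_SECONDS. Commands are returned, never executed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

BLOCK_SECONDS = 15 * 60   # the 15-minute block from the post
WINDOW_SECONDS = 60       # assumption: window in which repeats are counted
THRESHOLD = 5             # assumption: identical messages before blocking


@dataclass(frozen=True)
class QueueEntry:
    src_ip: str    # assumption: connecting host, as a sendmail queue file records it
    sender: str    # envelope sender
    size: int      # message size in bytes
    ts: float      # seconds since epoch


def ipfwadm_rule(src_ip: str, action: str) -> str:
    """ipfwadm(8) input rule denying TCP/25 from src_ip.
    action 'a' appends the rule, 'd' deletes it. Syntax assumed, not run."""
    return f"ipfwadm -I -{action} deny -P tcp -S {src_ip}/32 -D 0.0.0.0/0 25"


class SpamThrottle:
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS,
                 block_seconds=BLOCK_SECONDS):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.seen = defaultdict(deque)   # (src_ip, sender, size) -> timestamps
        self.blocked = {}                # src_ip -> expiry timestamp

    def observe(self, entry: QueueEntry):
        """Feed one queue entry; return the block command if one is triggered."""
        if entry.src_ip in self.blocked:
            return None                  # stragglers from an already blocked host
        key = (entry.src_ip, entry.sender, entry.size)
        q = self.seen[key]
        q.append(entry.ts)
        while q and entry.ts - q[0] > self.window:
            q.popleft()                  # forget repeats older than the window
        if len(q) >= self.threshold:
            self.blocked[entry.src_ip] = entry.ts + self.block_seconds
            q.clear()                    # counters restart when the block lifts
            return ipfwadm_rule(entry.src_ip, "a")
        return None

    def expire(self, now: float):
        """Lift blocks whose 15 minutes are up; return the delete commands."""
        cmds = []
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                cmds.append(ipfwadm_rule(ip, "d"))
        return cmds

    def is_blocked(self, src_ip: str) -> bool:
        return src_ip in self.blocked


def replay(entries, throttle=None):
    """Run queue entries through the throttle in time order; return the
    firewall commands that would have been issued, in order."""
    throttle = throttle or SpamThrottle()
    cmds = []
    for e in sorted(entries, key=lambda e: e.ts):
        cmds.extend(throttle.expire(e.ts))
        c = throttle.observe(e)
        if c:
            cmds.append(c)
    return cmds


# Constructed sample queue: a list server delivers six mails of differing
# sizes (never identical, so never counted as repeats); a bulk mailer sends
# seven identical 2048-byte messages in under half a minute, then one more
# after the 15-minute block has expired.
SPAMMER = "203.0.113.7"
SAMPLE = (
    [QueueEntry("192.0.2.10", "list@example.org", 900 + 50 * i, 1000.0 + 5 * i)
     for i in range(6)]
    + [QueueEntry(SPAMMER, "bulk@example.net", 2048, 1010.0 + 4 * i)
       for i in range(7)]
    + [QueueEntry(SPAMMER, "bulk@example.net", 2048, 1010.0 + 4 * 6 + 901)]
)

if __name__ == "__main__":
    for cmd in replay(SAMPLE):
        print(cmd)
```

Replaying the sample yields exactly two commands: the deny rule after the fifth identical message (the sixth and seventh never reach the queue in practice and are ignored here) and the matching delete once 900 seconds have passed, after which the late message is counted afresh rather than blocked. A real daemon would run the commands through `subprocess` with a fixed argument list and would want a whitelist for hosts such as your own MX secondaries.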
[ lir-wg Archives ]