[H-GEN] Email filtering

David Duffy david at audiovisualdevices.com.au
Wed Sep 24 07:14:57 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On 2003-09-24, David Duffy wrote:

>>With the current wave of virus emails (Microsoft lookalikes),
>>what's the best way to automatically reject/clobber them?
>>I guess I could use a procmail rule (tried but failed!) but I'd
>>rather reject them in the first place instead of accepting them
>>only to drop them later on in the chain. That raises another
>>question; if I reject an email using the access file, how much
>>of that email makes it onto my system? Just the header?
>>

Greg Black wrote:

>The question is not clear, but I'm going to assume that you're
>talking about the SMTP server at mail.audiovisualdevices.com.au
>since that's a real SMTP server and it looks like it belongs to
>you.

My apologies. I sometimes forget that not everyone on this
list has their own domain. I take it for granted sometimes.

>If you reject the connections based on their IP address, then
>none of the mail gets through to you.  But, with these specific
>messages, that is not generally possible or desirable.

So the access file acts on the email's IP/domain before even
accepting the whole email? I currently use this to block the
known repeat spammers.

>If you want to reject the messages based on their content, you
>have to read at least enough content to determine that the
>message should be dropped.  As a human, having now seen several
>hundred of these, I feel confident that I can do it.  But I'd be
>reluctant to program such a thing because of the risk of false
>positives.  Since you're using Sendmail 8.11.6, you might like
>to try the sendmail lists to see if people have come up with
>techniques that they feel comfortable with.  I don't use
>sendmail (which has just had yet another security hole found),
>so I can't advise more than that.
>

OK, I see what you mean. To make an intelligent decision on whether
or not you want the email, you really have to accept it, see if it is crap
and then drop it into the bucket if it is. All in all, there's no real
way to refuse the mail unless you *know* the IP address is definitely a dud.

>In my case, I expect that this particular flood will die off in
>the next few days and so I don't plan to attack it in any more
>aggressive way than using SpamAssassin to reject anything with a
>Microsoft executable in its payload.  This does mean that I've
>received several tens of MB of unwanted email, but so far it's a
>cost I can bear.
>

I might add SpamAssassin to the other user accounts too so that all
really dodgy looking stuff () goes into my spam box.

>Whatever you do, don't bounce the messages -- that will only
>make things worse and won't help anybody.  If you identify them,
>just drop them on the floor.
>

Is dropping still better than rejecting even with known spammers?
I mean, if they get a reject, do they remove your address?
David...

-- 
___________________________________________
David Duffy        Audio Visual Devices P/L
U8, 9-11 Trade St, Cleveland 4163 Australia
Ph: +61 7 38210362   Fax: +61 7 38210281
New Web: www.audiovisualdevices.com.au
___________________________________________
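The two stages Greg describes above (refuse the connection by IP before any message data arrives, or accept the message and then decide from its content, dropping it without a bounce) can be modelled in a few lines. The following is an added illustration written for this archive page, not code from either poster nor a sendmail or SpamAssassin configuration; the blocked network, the list of Windows executable extensions and the sample messages are constructed for the example, and the check for an "MZ" header as a sign of a Windows executable is a general technique, not something the thread mentions.

```python
"""Model of the two places an MTA can refuse unwanted mail.

Stage 1 (connect time): a decision made on the peer IP alone, like the
sendmail access file. Nothing of the message has been read yet.
Stage 2 (after DATA): a decision made on content, like a SpamAssassin or
procmail rule. The whole message is already on the receiving system,
so the only remaining choice is deliver or silently drop (never bounce).
"""
import ipaddress
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed blocklist standing in for the access file (TEST-NET-1 range).
BLOCKED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed list of attachment extensions treated as Windows executables.
EXEC_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


def should_reject_at_connect(peer_ip):
    """Stage 1: refuse purely on the connecting IP; no message bytes read."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def has_windows_executable(raw):
    """Stage 2: parse the accepted message and look for an executable part.

    Matches either a suspicious attachment filename or a decoded payload
    that begins with the "MZ" signature used by Windows executables (an
    assumption of this example: the thread itself names no specific test).
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            return True
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            return True
    return False


def classify(peer_ip, raw):
    """Return (action, bytes_examined).

    bytes_examined makes the cost of each stage explicit: a connect-time
    reject reads nothing, while any content decision has already taken the
    full message. "drop" means discard silently; no bounce is generated,
    because bouncing forged-sender mail only creates more unwanted traffic.
    """
    if should_reject_at_connect(peer_ip):
        return ("reject-at-connect", 0)
    if has_windows_executable(raw):
        return ("drop", len(raw))
    return ("deliver", len(raw))


def build_sample(attachment_name=None, attachment_bytes=b""):
    """Build a constructed test message, optionally with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "postmaster@example.net"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Plain text body.")
    if attachment_name is not None:
        msg.add_attachment(attachment_bytes, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: a clean message, one flagged by filename, one flagged
# by payload signature despite a harmless-looking name.
CLEAN = build_sample()
EXE_BY_NAME = build_sample("update.exe", b"not really a PE file")
EXE_BY_MAGIC = build_sample("readme.txt", b"MZ\x90\x00" + bytes(60))

if __name__ == "__main__":
    for ip, raw, label in [("192.0.2.10", CLEAN, "blocked peer, clean mail"),
                           ("198.51.100.5", CLEAN, "clean mail"),
                           ("198.51.100.5", EXE_BY_NAME, "exe by name"),
                           ("198.51.100.5", EXE_BY_MAGIC, "exe by signature")]:
        print(label, "->", classify(ip, raw))
```

Running it shows the blocked peer rejected with zero bytes examined, while both executable samples are dropped only after the full message length has been accepted, which is the trade-off the thread is describing.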



--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
