[volunteers] [PenLUG] Help / Ideas needed for next week's

Scott Boyd sboyd at astreet.com
Sat Jan 20 15:47:37 PST 2007


Oh we want to talk about email and spam. As an ISP owner I know the spam 
wars well.

BTW, Postini historically is not a Linux shop, but that may have changed.

Alvin Oga wrote:

>hi ya mark
>
>  
>
>>mark weisler wrote:
>>
>>Something on my mind is the future of SMTP (mail) given all the spam problems
>>    
>>
>
>fun issue .. 
>ask 10 (ten) people how they solve it and you'll get 50 ( 5-0 ) different and distinct answers
>
>  
>
Actually, there are lots of good answers. The problem is an installed 
base of mail systems that can't use any of the workable techniques. This 
is why outsourced spam filtering is popular. Just place the outsourced 
filter company server as your primary MX record and they do all the work 
passing you the clean stuff and giving you web based access to the 
rejected cruft.

>>I'm just about ready to ask Postini if they would speak to our LUG(s).
>>    
>>
>
>sounds like a good idea .. since they're down the street 
>
>barracuda claims to have lots o corp clients, and some of my customers
>use them to clean their emails
>
>ironport uses a modified spam-assassin and was just bought out for $800M by cisco
>who also claims to have more corp clients than barracuda
>
>  
>
Barracuda was also using a modified spam assassin.

Ironport is valuable primarily for their SMTP email cannons and other 
specialized hardware.

>"corp clients" does matter because:
>a) they have real $$ to spend
>b) they will change to another vendor if the current one does not solve
>   the spam problem
>c) the clients understand there are several problems with filtering spam
>d) there seems to be very very few spam that gets thru those outsourced filters
>
>- i wonder what people think about when they find out their corp email is
>  flagged to be read sometimes manually to filter out spam
>	- it's corp mail so "free speech" and privacy does not come into play
>
>	- i'm sure the ceo and cfo and coo have their own private mail address
>	with encryption turned on to "talk" to each other 
>
>  
>
They have out-of-band email accounts.

>>* Are we getting to the point where mail server administration is more than
>>most individuals or smaller shops can reasonably handle?
>>    
>>
>
>we've been way past that point for a while ...
>otherwise, the outsourced corp spam filter house would not have been growing
>
>  
>
Because IT departments are blamed enough. Outsourcing the spam problem 
gets users off their back and frees them up for other projects.
Spam can be controlled if you use open source software that can be 
modified to react to changing attacks, but most companies have purchased 
closed systems that are vulnerable. The only way to protect those 
systems is to put something in front of them... which is a suboptimal 
solution. Though projects like ASSP are useful.

>>* What can Postini tell us about special processing techniques they use to
>>manage spam?
>>    
>>
>
>i'm not sure they'll get too much into the details of their recipe for their
>golden egg .. but still would be good to hear from them
>
>  
>
They will not tell you much. Their pitch is: "Dirty mail comes in here 
and clean mail goes out there." Kind of like a sewage treatment plant. 
They do not have anything really different from anyone else except that 
they do have more computing power to throw at the problem and a web 
interface for customers to correct mistakes via. 

>>* What role might cryptography play in managing spam (by, in part, clearly
>>identifying the mail originator)
>>    
>>
>
>  
>
See Domain Keys. Though email that is certified by the sending email 
domain is not a solution by itself as SPF has shown.

http://en.wikipedia.org/wiki/Sender_Policy_Framework

(Spammers adopted SPF faster than legit mail senders.)

>a spammer that does NOT change the body of the content is a "dummy" spammer
>
>md5 on the body ( spam contents ) will always be the same if they do
>not change the body, even if it's the first line of: dear "sucker" 
>
>if the body is dynamically changed, a 1 second solution, that'd render all 
>( content based ) md5 based spam filter methods useless
>
>	- say 5 minute of perl hack should be able to set you up with a
>	perl based md5 spam filter ... any subsequent incoming email
>	with the same md5 is most likely ( 99.999999999% ) spam
>
>  
>
There is already a good system for identifying bulk email with changes, 
it's called Distributed Checksum Clearinghouse:

http://www.rhyolite.com/anti-spam/dcc/

It tells you what is bulk very reliably. Of course, bulk is not 
necessarily spam.... but it is a good starting indicator.

>there's gazillion spam filter rules for the gazillion+1 spammer methodologies
>
>  
>
Greylisting works well against Zombie Windows PCs and SMTP cannons that 
do not queue email.

The big problem at the moment is the "penny stock" spam where every 
message is unique and the pitch is wrapped in a distorted image file 
designed to be readable by humans (barely in some cases) but not OCR 
systems surrounded by regular text that the spammers hope will either 
get through or spoil Bayesian learning systems. These emails are 
generated by at minimum tens of thousands of broadband connected Zombie 
Windows PCs that have the compute power to generate individual unique 
content for every spam message.

>-------
>
>i have collected all the ip#, domain names, sender's email addy of any
>incoming spam ... and have seen a drop of incoming spams from a few 
>thousand a day to a few hundred now which implies most all spams come 
>from the same (spammers mta) sources
>
>	host# grep REJECT access | wc -l          
> 	19899
>
>  
>
Ahhh, but you can't do that if you are a service provider.

>c ya
>alvin
>
Scott Boyd
A-Street Internet
100 El Camino Real
San Carlos, CA 94070

(650)-596-3500
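
The thread contrasts an exact MD5 body filter, which a one-word change defeats, with bulk detection that tolerates per-message changes. The sketch below is an added example, not part of the original emails: it shows both on two copies of one mailing. The word-shingle sketch and the `BulkCounter` class are simplified, hypothetical stand-ins and not DCC's actual checksum algorithm or protocol; all sample messages are constructed.

```python
import hashlib
import re

def exact_digest(body: str) -> str:
    """MD5 of the raw body: matches only byte-identical messages."""
    return hashlib.md5(body.encode("utf-8")).hexdigest()

def sketch(body: str, shingle: int = 3, k: int = 8) -> frozenset:
    """Bottom-k sketch: the k smallest hashes of the body's word 3-grams."""
    words = re.findall(r"[a-z]+", body.lower())
    grams = {" ".join(words[i:i + shingle])
             for i in range(len(words) - shingle + 1)}
    hashes = sorted(hashlib.md5(g.encode("utf-8")).hexdigest() for g in grams)
    return frozenset(hashes[:k])

def similar(a: frozenset, b: frozenset, threshold: float = 0.5) -> bool:
    """True when the two sketches share at least `threshold` of their entries."""
    return len(a & b) / max(len(a), len(b), 1) >= threshold

class BulkCounter:
    """Toy clearinghouse: counts how often a near-identical body was reported."""
    def __init__(self):
        self.seen = []

    def report(self, body: str) -> int:
        sk = sketch(body)
        count = 1 + sum(similar(sk, old) for old in self.seen)
        self.seen.append(sk)
        return count

# Constructed sample bodies: two copies of one mailing that differ only in the
# salutation, and one unrelated message.
PITCH = ("Our pharmacy offers the lowest prices on all brand medications. "
         "Order today and get free overnight shipping to your door.")
SPAM_A = "Dear alice,\n" + PITCH
SPAM_B = "Dear bob,\n" + PITCH
LEGIT = ("Hi team, the quarterly backup restore test is scheduled for Tuesday "
         "morning. Please confirm that your service owners have signed off.")

if __name__ == "__main__":
    print("exact md5 equal:", exact_digest(SPAM_A) == exact_digest(SPAM_B))
    counter = BulkCounter()
    for name, body in [("spam_a", SPAM_A), ("spam_b", SPAM_B), ("legit", LEGIT)]:
        print(name, "bulk count:", counter.report(body))
```

The count is a bulk indicator only; a legitimate newsletter would score the same way, so a filter would combine it with a whitelist of known bulk senders.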



