Security Basics mailing list archives

RE: SPAM filter...
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 16 Dec 2003 11:29:21 -0800


        I believe Postfix can stop this form of attack. I.e. if they're
sending them in one email, (i.e. lots of TO's or CC's) then you can turn
your smtpd_recipient_limit lower. Some spammers don't HELO or EHLO. In
Postfix turn on smtpd_helo_required to reject them right away. You can
also set the smtpd_soft_error_limit and smtpd_hard_error_limit to kill
the SMTP connection after x 450 errors.

        We suffered from this problem and it was running our Exchange
server ragged. Now we run RHL 9.0, SA, Postfix and Amavisd and I don't
notice a thing anymore. I agree with Chris, you might want to contact
your ISP because they are definitely doing something wrong. If you have a
shell account with them I believe you can customize SA from your home
directory.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Chris Santerre [mailto:csanterre () MerchantsOverseas com] 
Sent: Tuesday, December 16, 2003 11:26 AM
To: 'naren () pactech net'; Shawn Jackson; 'Vedantam sekhar';
security-basics () securityfocus com
Subject: RE: SPAM filter...

Spamassassin high FP rate?????? What version are they running? A properly
configured SA setup will have VERY low FP rate. Of course none of this will
help you with a dictionary attack. Just firewall them. Or better yet,
teergrube them to a crawl.

But talk to your ISP. SA 2.61 has been released. Bayes is wonderful when
trained. There are custom rules that have been made public to the SA
community that put a HUGE hurt on spam with little FPs. Here is a link to a
searchable archive of the SATALK list:
http://news.gmane.org/gmane.mail.spam.spamassassin.general

Your ISP should allow you to customize your own SA scoring.

--Chris Santerre

-----Original Message-----
From: Naren - Pactech [mailto:naren () pactech net]
Sent: Tuesday, December 16, 2003 5:04 AM
To: 'Shawn Jackson'; 'Vedantam sekhar';
security-basics () securityfocus com
Subject: RE: SPAM filter...


Agreed with you .. but .. as implemented by one of my own ISP (where I
have an account .. ) SPAM Assassin has the highest false positive rates ..

As that is beyond my control (i.e. the Spam Assassin is maintained by the
ISP) - there is nothing much I could do. Almost 10 % of my valid emails
become tagged as {SPAM} ..

In comparison, I would prefer something with a lower false positive rate
.. where the ones that missed out can be manually filtered, rather than
tagging valid emails .. as SPAM.

BTW, I have no experience with Amavisd-New

Anyway, I think the issue for Sekhar is on stopping people from finding
out valid emails. As far as I know, there is no hard and fast solution for
that: the mail has to reach the database - or end email server, to confirm
if the email address that the mail is destined for exists or not !

The solutions for this would be ..

1) don't bounce back unknown email addresses .. (easier to manage if the
number of users are small .. ) and instead re-route them to a dummy email
address or send to delete

2) filter (on the firewall or gateway .. depending on what you are using)
the sources sending these mails ..

Dunno if these will solve the problem, or assist you, but I guess, they
should help .. !!

Naren

T. Naren 
Technical Manager - Pactech Pte Ltd., Singapore
Infocomm Security Solutions Distribution and Services
o: +65-62711123
p: +65-95778725
e: naren () pactech net 
w: <http://www.pactech.net>
[Firewalls: Borderware - Watchguard - Sonicwall]


-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Tuesday, December 16, 2003 9:19 AM
To: Vedantam sekhar; security-basics () securityfocus com
Subject: RE: SPAM filter...



      We use Postfix, Amavisd-New and Spam Assassin and its cut
out-of-the-box we filtered 98% of our spam. All of which are open-source
projects.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Vedantam sekhar [mailto:sekhar56us () yahoo com] 
Sent: Friday, December 12, 2003 10:05 PM
To: security-basics () securityfocus com
Subject: SPAM filter...

Dear All,

Can anybody suggest me the mail filter software (Opensource :-)) which can
avoid the dictionary attacks on the server. Our MX server has Solaris O.S.


The spammers are trying to find out the valid e-mails by blindly sending
mails to randomly selected characters as recipient ID?


Thanks

V.N.SEKHAR


This mail has been scanned for known viruses, and spam, using the
Borderware MXTreme Mail Firewall. For info, visit
http://www.mxtreme.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------
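
Added example, not part of the thread or any poster's own code: a Python sketch of the source-filtering step Naren describes and the error-limit cut-off Shawn mentions, run over constructed Postfix smtpd log lines. It lists client IPs that probed several distinct unknown recipients; the sample addresses, the threshold and the function name `harvest_suspects` are assumptions.

```python
import re
from collections import defaultdict

# Postfix smtpd reject for a nonexistent mailbox (enhanced status code optional).
REJECT_RE = re.compile(
    r"reject: RCPT from \S+?\[(?P<ip>[^\]]+)\]: [45]\d\d (?:\d\.\d+\.\d+ )?"
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown")
# Logged when smtpd_hard_error_limit is reached and the session is dropped.
CUTOFF_RE = re.compile(r"too many errors after \S+ from \S+?\[(?P<ip>[^\]]+)\]")

def harvest_suspects(log_text, min_unknown=3):
    """Return {client_ip: stats} for clients that probed at least
    min_unknown distinct nonexistent recipients (assumed threshold)."""
    unknown = defaultdict(set)   # ip -> distinct unknown recipients tried
    cutoffs = defaultdict(int)   # ip -> sessions dropped by the error limit
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            unknown[m["ip"]].add(m["rcpt"].lower())
            continue
        m = CUTOFF_RE.search(line)
        if m:
            cutoffs[m["ip"]] += 1
    return {ip: {"unknown_rcpts": len(rcpts), "cutoffs": cutoffs[ip]}
            for ip, rcpts in sorted(unknown.items())
            if len(rcpts) >= min_unknown}

# Constructed sample log; IPs and domains are documentation placeholders.
_REJ = ("Dec 16 11:20:{s:02d} mx postfix/smtpd[411]: NOQUEUE: reject: RCPT from "
        "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
        "User unknown in local recipient table; from=<x@example.net> "
        "to=<{rcpt}> proto=SMTP helo=<pc>")
SAMPLE_LOG = "\n".join([
    _REJ.format(s=1, ip="192.0.2.10", rcpt="aaron@example.com"),
    _REJ.format(s=2, ip="192.0.2.10", rcpt="abby@example.com"),
    _REJ.format(s=3, ip="192.0.2.10", rcpt="adam@example.com"),
    _REJ.format(s=4, ip="192.0.2.10", rcpt="Aaron@example.com"),  # repeat
    "Dec 16 11:20:05 mx postfix/smtpd[411]: too many errors after RCPT "
    "from unknown[192.0.2.10]",
    _REJ.format(s=9, ip="198.51.100.7", rcpt="jon@example.com"),  # one typo
    "Dec 16 11:21:00 mx postfix/smtpd[412]: connect from mail.example.org[203.0.113.5]",
])

if __name__ == "__main__":
    for ip, stats in harvest_suspects(SAMPLE_LOG).items():
        print(ip, stats)
```

A single mistyped address from a legitimate sender stays below the threshold, so only the client cycling through names is reported as a candidate for gateway filtering.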

