Re: [Asrg] [ASRG] SMTP pull anyone?

Rich Kulawiec <rsk@gsp.org> Tue, 18 August 2009 02:09 UTC

Return-Path: <rsk@gsp.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6605B3A697E for <asrg@core3.amsl.com>; Mon, 17 Aug 2009 19:09:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D19-vrIcwqmh for <asrg@core3.amsl.com>; Mon, 17 Aug 2009 19:09:56 -0700 (PDT)
Received: from taos.firemountain.net (taos.firemountain.net [207.114.3.54]) by core3.amsl.com (Postfix) with ESMTP id 5202D28C1A0 for <asrg@irtf.org>; Mon, 17 Aug 2009 19:09:55 -0700 (PDT)
Received: from squonk.gsp.org (bltmd-207.114.25.206.dsl.charm.net [207.114.25.206]) by taos.firemountain.net (8.14.1/8.14.1) with ESMTP id n7I29vqr020318 for <asrg@irtf.org>; Mon, 17 Aug 2009 22:09:59 -0400 (EDT)
Received: from avatar.gsp.org (avatar.gsp.org [192.168.0.11]) by squonk.gsp.org (8.14.1/8.14.1) with ESMTP id n7I22N1l023007 for <asrg@irtf.org>; Mon, 17 Aug 2009 22:02:23 -0400 (EDT)
Received: from avatar.gsp.org (localhost [127.0.0.1]) by avatar.gsp.org (8.14.3/8.14.3/Debian-4) with ESMTP id n7I29qrq031118 for <asrg@irtf.org>; Mon, 17 Aug 2009 22:09:52 -0400
Received: (from rsk@localhost) by avatar.gsp.org (8.14.3/8.14.3/Submit) id n7I29qQK031117 for asrg@irtf.org; Mon, 17 Aug 2009 22:09:52 -0400
Date: Mon, 17 Aug 2009 22:09:52 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <20090818020952.GA30677@gsp.org>
References: <922a897b0908170253k60c0d57dh5e593c78f9137fab@mail.gmail.com> <20090817144450.GA22048@gsp.org> <4A898440.6080006@mail-abuse.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4A898440.6080006@mail-abuse.org>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [Asrg] [ASRG] SMTP pull anyone?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2009 02:09:57 -0000

On Mon, Aug 17, 2009 at 09:24:32AM -0700, Douglas Otis wrote:
> Could you provide a brief outline regarding what constitutes an  
> efficient anti-spam solution?

Sure.  In brief (really brief!) and in (rough) order of application and increasing resource cost:

Spamhaus DROP list on perimeter routers/firewalls
Consider IDP list on perimeter routers/firewalls
Use firewall rulesets per-country, see ipdeny.com *or*, if possible, use default-deny and grant access per-country
Use multiline SMTP greeting (defeats some zombies)
Use "greetpause" or equivalent (defeats some zombies)
Enforce DNS/rDNS existence/consistency checks on hostname, MX records and HELO parameter; defer/reject as appropriate
Blacklist known virus/ratware senders, e.g. "big@boss.com".  Faster than running through an AV check
Permanently blacklist known phisher domains.  Even if acquired by legit companies, they will never be used.
Consider blacklisting spammer-infested/useless TLDs (e.g., .info, .mobi) with whitelisting as needed, if needed
Permanently blacklist known spammer domains (e.g. Joe Wein's list)
Permanently blacklist any "snowshoe" domain/domain group on sight
Blacklist any "snowshoe" network range on sight
Use enemieslist or other similar rDNS-based blocks on end-user/dynamic names
Use Spamhaus Zen DNSBL
Use other DNSBLs/RHSBLs as appropriate
Throttle connections with excessive attempts/deliveries to nonexistent users/etc.

Obviously, the choice of which ones, in which order, with which
configuration, depends on mail system administrator knowledge of local
mail patterns.  Everyone should analyze their own logs to gain that
knowledge.  And some of these are no-brainers no matter what those
patterns are, e.g., DROP list, DNS/rDNS checks, Spamhaus Zen, etc.
And I've probably omitted some by doing this off the top of my head.
On a Monday. ;-)

---Rsk
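As an added example (not part of the message above, nor any project's code), here is how the DNS/rDNS consistency checks and the Spamhaus Zen DNSBL lookup from that list fit together at connection time. Only the zone name zen.spamhaus.org comes from the message; every IP address, hostname and stub DNS record is constructed sample data, and the accept/defer/reject policy is one illustrative choice, not the author's.

```python
"""Added example, not from the message: the DNS/rDNS consistency checks and the
DNSBL lookup from the list above, run against a stub resolver so it works offline.
zen.spamhaus.org is named in the message; all IPs, hostnames and stub records
are constructed sample data, and the accept/defer/reject policy is illustrative."""
import ipaddress

# Constructed stub zone: (qname, qtype) -> answers.  Swap resolve() for a real
# resolver for live use.
STUB_DNS = {
    # Well-behaved MX: PTR and A agree (forward-confirmed rDNS).
    ("13.100.51.198.in-addr.arpa", "PTR"): ["mx1.example.net"],
    ("mx1.example.net", "A"): ["198.51.100.13"],
    # rDNS exists but the name resolves back to a different address.
    ("44.2.0.192.in-addr.arpa", "PTR"): ["host44.example.org"],
    ("host44.example.org", "A"): ["192.0.2.1"],
    # No PTR at all, and listed on the DNSBL (any 127.0.0.x answer = listed).
    ("7.113.0.203.zen.spamhaus.org", "A"): ["127.0.0.2"],
}

def resolve(qname, qtype, dns=STUB_DNS):
    return dns.get((qname.lower(), qtype), [])

def fcrdns_name(ip, dns=STUB_DNS):
    """First PTR name whose A record points back at ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name in resolve(addr.reverse_pointer, "PTR", dns):
        if str(addr) in resolve(name, "A", dns):
            return name
    return None

def dnsbl_codes(ip, zone, dns=STUB_DNS):
    """IPv4 only: query <reversed octets>.<zone>; return the 127/8 answers."""
    qname = ".".join(reversed(ip.split("."))) + "." + zone
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in resolve(qname, "A", dns) if ipaddress.ip_address(a) in loopback]

def check_sender(ip, helo, dns=STUB_DNS, zone="zen.spamhaus.org"):
    """Apply the checks and choose an SMTP action (one illustrative policy)."""
    result = {"fcrdns": fcrdns_name(ip, dns),
              "helo_resolves": bool(resolve(helo, "A", dns)),
              "dnsbl": dnsbl_codes(ip, zone, dns)}
    if result["dnsbl"]:
        result["action"] = "reject"      # 5xx: listed address
    elif result["fcrdns"] is None or not result["helo_resolves"]:
        result["action"] = "defer"       # 4xx: a legitimate MTA will retry
    else:
        result["action"] = "accept"
    return result
```

The defer branch is where "defer/reject as appropriate" lives: a temporary failure costs a real MTA nothing but a retry, while the DNSBL hit is rejected outright.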