Re: [courier-users] SPAM over SMTP
From: Sam V. <mr...@co...> - 2023-01-27 12:12:11
Alessandro Vesely writes:
>> Various techniques, over many years, were proposed to address this naive
>> trust-by-default nature of SMTP. The results have been quite lackluster. You
>> may try to see if some of those approaches work for you, anything ranging
>> from simple SPF checking (which Courier supports natively) to DKIM, which
>> requires some extra stuff to be set up.
>
>
> Specifically, SPF can block the envelope FROM, a.k.a. bounce address, which
> usually —but not always— equals the header From: address. If your users
> all post from known IP addresses, defining an SPF record that rejects
> different addresses (i.e. ending in -all) is quite effective in eliminating
> messages claiming to originate from your domain. However, a few addresses
> are set up to forward from third parties without actually whitelisting
> them. An SPF mechanism like ?exists:%{ir}.list.dnswl.org may attenuate —
> but not eliminate— that risk.
Late last year I had repeated occurrences of spam farms sending both MAIL
FROM and RCPT TO myself. SPF rejected the MAIL FROM, but the sender was
running a generic mail server, so then it proceeded to generate and send me
a MAIL FROM:<> bounce, which included the original spam.
This pattern went away, but if it stayed it might've become necessary to
have a failed SPF check trigger blacklisting everything from the same IP
address, for some time.
> DKIM delivers domain authentication only. Since spammers are good at
> putting DKIM signatures, zdkimfilters has a shoot-on-sight feature of
> dubious efficacy, as it relies on a whack-a-mole game.
This is why I never bought into DKIM. It solves a slightly different
problem, and SPF is a very, very close functional match but is much simpler
to set up:
Jan 27 07:02:54 shorty courieresmtpd[29677]: error,relay=::ffff:106.1.229.71,port=14269,from=<sk...@co...>: 517 SPF fail sk...@co...: Address does not pass the Sender Policy Framework
Jan 27 07:03:28 shorty courieresmtpd[29680]: error,relay=::ffff:106.1.229.71,port=15204,from=<sk...@co...>: 517 SPF fail sk...@co...: Address does not pass the Sender Policy Framework
Jan 27 07:03:53 shorty courieresmtpd[29683]: error,relay=::ffff:106.1.229.71,port=14486,from=<sk...@co...>: 517 SPF fail sk...@co...: Address does not pass the Sender Policy Framework
This took a few seconds to set up a decade ago, and it's been on cruise
control ever since, with no maintenance.
>>> Well it is sad. Thanks anyway.
>>
>> This is why the big guys, like Google and Microsoft, have been taking over
>> E-mail. Their spam filters, based on AI-like algorithms and trained on
>> tremendous amounts of E-mail, offer pretty much the only effective generic
>> spam filtered E-mail that's available to the masses.
>
>
> Isn't there some eschatological meaning in that? Let's keep fighting.
Everyone's on their own. There is no universal solution, but individuals can
usually find their sweet spot for filtering. For me, it's SPF, callback
verification, and manual blacklisting of a select number of spam-friendly
hosts.
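
Added example (not part of the original message and not Courier code): a sketch of the idea mentioned above of letting repeated SPF failures trigger a temporary block of the sending IP, by scanning courieresmtpd log lines in the format quoted in the message. The function name, threshold, window, block duration, year and sample lines are all assumptions made up for illustration; the output is only a candidate list, and feeding it into a firewall or access list is left out.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the log format quoted in the message
# (documentation IP ranges and example.com addresses, not real traffic).
_TAIL = ": Address does not pass the Sender Policy Framework"
SAMPLE_LOG = "\n".join([
    "Jan 27 07:02:54 mx courieresmtpd[101]: error,relay=::ffff:192.0.2.71,port=14269,from=<a@example.com>: 517 SPF fail a@example.com" + _TAIL,
    "Jan 27 07:03:28 mx courieresmtpd[102]: error,relay=::ffff:192.0.2.71,port=15204,from=<a@example.com>: 517 SPF fail a@example.com" + _TAIL,
    "Jan 27 07:03:53 mx courieresmtpd[103]: error,relay=::ffff:192.0.2.71,port=14486,from=<a@example.com>: 517 SPF fail a@example.com" + _TAIL,
    "Jan 27 07:10:00 mx courieresmtpd[104]: error,relay=::ffff:198.51.100.9,port=2200,from=<b@example.com>: 517 SPF fail b@example.com" + _TAIL,
    "Jan 27 09:30:00 mx courieresmtpd[105]: error,relay=2001:db8::5,port=4100,from=<c@example.com>: 517 SPF fail c@example.com" + _TAIL,
    "Jan 27 09:31:00 mx courieresmtpd[106]: error,relay=::ffff:203.0.113.4,port=999,from=<d@example.com>: 550 User unknown",
])

# Timestamp, relay address, and the "517 SPF fail" status from one log line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\scourieresmtpd\[\d+\]:\s"
    r"error,relay=(?P<relay>[0-9A-Fa-f:.]+),port=\d+,.*?:\s517 SPF fail\b")

def spf_fail_offenders(log_text, threshold=3, window=timedelta(minutes=10),
                       block_for=timedelta(hours=1), year=2023):
    """Return {ip: block expiry} for relays with `threshold` SPF failures
    inside `window`. Syslog lines carry no year, so `year` is supplied."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # other errors (e.g. 550) are not SPF failures
        try:
            ip = ipaddress.ip_address(m["relay"])
        except ValueError:
            continue             # malformed relay field
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:a.b.c.d -> a.b.c.d
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = str(ip)
        recent[key] = [t for t in recent[key] if when - t <= window] + [when]
        if len(recent[key]) >= threshold and key not in offenders:
            offenders[key] = when + block_for
    return offenders

if __name__ == "__main__":
    for ip, until in spf_fail_offenders(SAMPLE_LOG).items():
        print(f"{ip} blocked until {until:%b %d %H:%M:%S}")
```

Keying on the normalized address means an IPv4 sender is counted the same whether it is logged as a mapped `::ffff:` address or as plain IPv4.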