HP3000-L Archives

October 1998, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Joe Geiser <[log in to unmask]>
Date: Sat, 24 Oct 1998 23:00:59 -0400

Good evening good people of HP3000-L and comp.sys.hp.mpe:

I've received a few calls and e-mails asking why their messages were not
appearing on the newsgroups.  At first, I thought that DIGEX might be
filtering incoming posts for some reason or another, or that we weren't
getting a full feed.  So, with Mark Bixby's help, we switched over to CCCD's
newsfeed and disabled DIGEX's.  That seemed to make things a little
better... but we were still missing posts coming FROM HP3000-L!

Damned frustrating, but I think we now found the reason, and it came from
looking over our NetMail Error Logs... there was some real interesting
reading in those logs.

Ya see, we filter SPAM here, and we filter a ton of it thanks to NetMail,
which fronts (or "gates") all e-mail coming in.  Unfortunately, some mail
which isn't SPAM is caught in the net.  We update our SPAM filters daily
directly from 3K's server.  Let's take a look at some of the stuff we
caught, OK?  (these are just examples... you would love to see the entire
file!)


Our first examples are some recent SPAMs that were refused this afternoon and
evening.  These are actual SPAM refusals from our filters:

10/24/98 16:47:22  Host: (208.252.35.173) "MAIL.DELIVERY45125.COM" From:
"[log in to unmask]" Invalid Recipient "[log in to unmask]"
10/24/98 18:10:30  Host: (205.181.85.90) "205.181.85.90" From:
"Opportunity101" SPAM intercepted for "[log in to unmask]"
10/24/98 18:10:31  Host: (205.181.85.90) "205.181.85.90" From:
"Opportunity101" Don't know the host/domain "jgeiser".
10/24/98 21:15:45  Host: @166.055.035.007 All connections refused from this
IP address
10/24/98 21:16:05  Host: (166.55.35.7) "MAIL.HOTPOP.COM" From:
"<[log in to unmask]>" SPAM intercepted for "[log in to unmask]"
10/24/98 21:16:05  Host: (166.55.35.7) "MAIL.HOTPOP.COM" From:
"<[log in to unmask]>" SPAM intercepted for "[log in to unmask]"

Pretty much self-explanatory, right?  SPAM is SPAM is SPAM, and this is the
real thing, caught and refused.


Now, there is the spam sent to HP3000-L as well.  For this, we have the
problem of not even knowing it came, because even though it comes from Raven
- Raven's just passing it through untouched.  The real REPLY TO header still
exists, and NetMail will refuse it.  See one example from this morning
below:

10/24/98 10:14:24  Host: (199.76.196.24) "RAVEN.UTC.EDU" From:
"[log in to unmask] [log in to unmask]>       >" Override address
allowed message for: comp.sys.hp.mpe
10/24/98 10:14:24  Host: (199.76.196.24) "RAVEN.UTC.EDU" From:
"[log in to unmask]" SPAM intercepted for "[log in to unmask]"
10/24/98 10:14:25  Host: (199.76.196.24) "RAVEN.UTC.EDU" From:
"[log in to unmask]" Domain in refuse list.

We try to get it because we have a forced receive for HP3000-L... but since
the domain is in the refuse list (in this case, HOTMAIL.COM) amongst other
things, we refuse it.  Many of you probably saw the item - those on Usenet
did not, at least not from here, and I can say with certainty, it didn't
make it to my inbox either.

Again, this is SPAM, pure and simple.  We filter it, it doesn't pass the
gateway.


Now, for the innocents -- real people posting real items, who get caught in
the safety net.  NOTE:  There are real people named here, but these people
ARE NOT spammers.  These people, because they want to keep their own receipt
of spam down, get caught in the old Reverse DNS Lookup trap.

The problem is simple.  Someone puts NOSPAM either interspersed within their
domain name, or after the domain name itself.  Another case is where someone
uses a completely bogus domain name in their headers.  When the mail comes
here, Netmail will attempt a reverse DNS lookup (because we configured it to
do this) to ensure that the domain is legitimate - one of the many checks it
does to prevent SPAM from coming in.

Well, as you can see below -- here are two very good examples of posts that
just didn't make it, from two people on HP3000-L.

Poor Roy Buzdor tried - but we couldn't perform a reverse DNS lookup on his
domain of HOME.COMFORTABLY.  A nice antispam tactic, but if the mailer
performs a reverse DNS lookup, then guess what, the mail does not go
through.  I was wondering what happened to Roy, and now I know.  Here's the
example:

10/23/98 10:03:53  Host: (199.76.196.24) "RAVEN.UTC.EDU" From: "Roy Buzdor
<[log in to unmask]>" SPAM intercepted for "[log in to unmask]"
10/23/98 10:15:48  Host: (199.76.196.24) "RAVEN.UTC.EDU" From: "Roy Buzdor
<[log in to unmask]>" SPAM intercepted for "[log in to unmask]"

Another example is Michael Smith from Hertz -- apologies to Michael too --
his log entries were:

10/23/98 17:32:56  Host: (199.76.196.24) "RAVEN.UTC.EDU" From: ""Michael P.
Smith" <[log in to unmask]>" SPAM intercepted for "[log in to unmask]"
10/23/98 18:08:06  Host: (199.76.196.24) "RAVEN.UTC.EDU" From: ""Michael P.
Smith" <[log in to unmask]>" SPAM intercepted for "[log in to unmask]"

If you're going to use NOSPAM in your email, please don't include it either
intermixed or after the domain name... this was caused by the same reverse
DNS lookup as the previous example.


What we are going to do about this is up in the air.  I'd like to know what
you think.  Jeff:  It's your list, so I'd especially like to hear your
ideas.  There are three options in my mind right now:

1.  Please use a legitimate REPLY TO, so that the DNS lookup works, or at
very least, place the NOSPAM in your mailbox name, not the domain name.  We
don't perform finger checks (finger is a mailbox lookup, for the uninformed)
so you can put anything you want there.  (People replying to you privately
will have a problem, but hey, that's not OUR problem).  We will not turn off
Reverse DNS Lookup - that's a given.

2.  There's no way that Spam filtering is being turned off, so we just keep
right on filtering all of the incoming mail, including HP3000-L gateway to
Usenet posts...

3.  Allow Raven (the server that handles HP3000-L) to send posts directly to
the Usenet Gateway server here (which is NOT the Netmail server).
Currently, this server is locked down and only properly authenticating
members of this domain can access it.  This, of course, can be overridden
and we can allow specific SMTP servers to access it, and thus, allow
these posts to go directly to it.

If anyone has any other ideas, by all means, make them known.


Best Regards,
Joe

==========================================================
Joe Geiser, Senior Partner, CSI Business Solutions, LLC
 ** Your Client-Server and Internetworking Specialists **
Phone: +1 (215) 945.8100  Fax: +1 (215) 943.8408
*New* Toll-Free (US/Canada): (877) 945-8100
http://www.csillc.com
==========================================================
HP Channel Partner         Allaire Alliance Partner
Microsoft ClubWin - Team One
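As an added example (not NetMail's code and not part of Joe's post), the Python below models the sender-domain check the post describes: the domain part of the From:/Reply-To: address must resolve, while the mailbox part is never looked up, so a NOSPAM token is harmless in the mailbox but fatal in the domain. It assumes the check is a lookup of the sender's domain (the post calls it a reverse DNS lookup); the resolver is pluggable, and the offline stand-in resolver and every sample address are constructed here.

```python
import re
import socket
from typing import Callable, Optional, Tuple

# Constructed set of domains the offline stand-in resolver "knows".
# A real gateway would ask DNS instead (see dns_resolver below).
KNOWN_DOMAINS = {"example.com", "example.org"}

# mailbox@domain inside a header value such as 'Name <mailbox@domain>'
ADDR_RE = re.compile(r"([^<>\s@\"]+)@([^<>\s\"]+)")


def fake_resolver(domain: str) -> bool:
    """Offline stand-in for a DNS lookup: True if the domain 'exists'."""
    return domain in KNOWN_DOMAINS


def dns_resolver(domain: str) -> bool:
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def split_address(header_value: str) -> Optional[Tuple[str, str]]:
    """Extract (mailbox, domain) from a From:/Reply-To: header value."""
    m = ADDR_RE.search(header_value)
    if m is None:
        return None
    return m.group(1), m.group(2).rstrip(".").lower()


def check_sender(header_value: str,
                 resolver: Callable[[str], bool] = fake_resolver) -> Tuple[bool, str]:
    """Model of the gateway's sender check: the domain must resolve, the
    mailbox is never looked up (no finger check). Returns (accepted, reason)."""
    parsed = split_address(header_value)
    if parsed is None:
        return False, "no mailbox@domain found; don't know the host/domain"
    mailbox, domain = parsed
    if resolver(domain):
        return True, f"domain {domain!r} resolves; mailbox {mailbox!r} not checked"
    if "nospam" in domain:
        return False, f"domain {domain!r} is munged with NOSPAM; lookup cannot succeed"
    return False, f"domain {domain!r} does not resolve"


if __name__ == "__main__":
    # Constructed header values, not the addresses from the post.
    for hv in ["Someone <someone@example.com>", "Someone <someoneNOSPAM@example.com>",
               "Someone <someone@NOSPAM.example.com>", "Someone <someone@example.com.NOSPAM>",
               "Opportunity101"]:
        ok, why = check_sender(hv)
        print(("ACCEPT " if ok else "REFUSE ") + hv + " -- " + why)
```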
