Firewall Wizards mailing list archives
Re: NoSpam! 2.07 & InfoSec Resources
From: bill () WLK COM (Bill Kennedy)
Date: Sun, 9 Nov 1997 12:29:42 -0600 (CST)
Please excuse the amount of quoted text, but my comments won't make sense without both Jason and Darren's remarks.
From: Darren Reed <darrenr () cyber com au>
Subject: Re: NoSpam! 2.07 & InfoSec Resources

In some mail I received from Jason R. Rhoads, sie wrote:

Version 2.07 of NoSpam! is now available: http://www.sabernet.net/products

What is it?

NoSpam! is a patch for smap, the sendmail wrapper client included in the TIS Firewall Toolkit. The patch provides a mechanism to stop spam from being delivered to users at your site.
At http://www.ironhand.net there is a product inspired by smap/smapd that handles spam and relay filtering. It grew up as a heavily hacked smap and worked well, but I decided to start fresh. Like smap/smapd it has separate enqueue and dequeue programs, so it's entirely feasible to use a different dequeuer to implement different filter policies before forwarding to the MTA.
What concerns me most, with smap, is preventing the site from being used as a relay. I'm aware of sendmail bits to stop relaying, but do they work in conjunction with smap? I've looked at http://www.cih.com/~hagan/smap-hacks/ but I'm not sure what's there does what I want. My scenario at present is:

    Internet-----[X]Firewall[Z]----Company_A
                         [Y]
                          |
                  Company_B,Company_C
[ ... ]
Also, how are anti-spam patches for smap currently dealing with addresses such as: joe%foo.bar%bar.baz () company com
Ironhand is moderately clever about unraveling aberrant addresses that are moderately RFC-822 compliant. It also handles Banyan and Lotus variants and tries very hard with the ones spoken with a Pacific Northwest accent. I do not suggest that there aren't some addresses, e.g. unquoted VMS, where it utterly fails, but it logs all pertinent status and there's a volume control on the logging.
Darren
Although the ironhand software is "pay fer", there is an evaluation license available without cost. It is entirely possible to build airtight relay filtering for Darren's scenario within the ten-rule limit and get some pretty darned good spam filtering as well. It was my intent, when building the suite, that the no-fee version be fully functional for defeating relays in order to encourage all sites worldwide to stop tolerating relayed spam. Darren's scenario can be completely enforced with three entries each in the permit_recv and permit_send filters and still have seven rules left for expansion within the ten-rule evaluation limit.

Relayed spam can be severely curtailed using the deny_majors filter. I put aol.com, compuserve.com, juno.com and hotmail.com in there so that any mail bearing a MAIL FROM address in those domains that didn't originate from one of their servers (peer name/address, HELO name/address) rejects as a relay. Better than 25% of the stops here are made by those four rules in that filter. All of the documentation and the evaluation binaries are available at no cost.

There is one more reason to be encouraged about the ironhand software. Most of the complaints I see in the newsgroups and mailing lists are about high rates of leaks and "false positives". My site handles 300-700 receipts a day and has been running ironhand since last May. I've had two false positives since then, and I get 3-5 leaks a day as the spammers morph and cloak. The design emphasis has been to forward legitimate correspondence while stopping spam and relay attempts. I believe that in order to avoid false positives (rejecting legitimate correspondence) you have to tolerate some leaks; ironhand is well balanced in that regard.

Finally, so that it's clear, ironhand is indeed a commercial offering, but I emphasize that formidable defenses can be constructed with the evaluation version.
Either go to www.frus.com and click on the SMTP firewall or go directly to www.ironhand.net for more information. Read the on_the_cheap blurb in the samples directory for a no-cost approach.

-- 
Bill Kennedy bill () WLK COM | "Man who it is very bad luck to get in a fight
                              | with because he has devils on his side"
                              | Comanche name for "Captain Jack", Texas Ranger
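Added illustration (not part of the original thread, and not ironhand's own code or configuration syntax): a small Python envelope filter that enforces the policy the thread describes for Darren's scenario. The three filter names permit_recv, permit_send and deny_majors are taken from Bill's post; how they are represented below, the example domains, the RFC 5737 test networks and the decision order are assumptions made here. It also rejects the routed local-part form Darren asked about (joe%foo.bar%bar.baz@company.com), which a naive "is the domain local?" check would otherwise accept and then relay.

```python
"""Toy SMTP envelope filter in the spirit of the permit_recv / permit_send /
deny_majors filters discussed in the thread.  Added example; the rule
layout and every name below are assumptions, not ironhand's syntax."""
import ipaddress
from typing import Tuple

# Domains this gateway accepts inbound mail for (Company_A, _B and _C in
# Darren's diagram).  Constructed example domains.
PERMIT_RECV = {"company-a.example", "company-b.example", "company-c.example"}

# Networks allowed to hand us mail for any destination, i.e. to relay
# outward (the Z and Y sides of the firewall).  Constructed test ranges.
PERMIT_SEND = [ipaddress.ip_network(n) for n in
               ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Domains whose MAIL FROM is only believed when the connection really comes
# from their own servers, judged by peer name and HELO, as in the post.
DENY_MAJORS = {"aol.com", "compuserve.com", "juno.com", "hotmail.com"}


def split_address(addr: str) -> Tuple[str, str]:
    """Return (local_part, domain) for an envelope address, lowercased,
    with optional angle brackets removed.  '<>' (bounce sender) -> ('', '')."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    addr = addr.strip().lower()
    if "@" not in addr:
        return addr, ""
    local, _, domain = addr.rpartition("@")
    return local, domain


def in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_internal(peer_ip: str) -> bool:
    """True if the connecting peer sits inside a permit_send network."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in PERMIT_SEND)


def evaluate(peer_ip: str, peer_name: str, helo: str,
             mail_from: str, rcpt_to: str) -> Tuple[bool, str]:
    """Decide one RCPT TO for one connection.  Returns (accept, reason)."""
    _, from_domain = split_address(mail_from)
    rcpt_local, rcpt_domain = split_address(rcpt_to)

    # permit_send: internal peers may send anywhere (outbound relay).
    if is_internal(peer_ip):
        return True, "permit_send: internal peer"

    # permit_recv: external peers may only deliver to domains we host.
    if rcpt_domain not in PERMIT_RECV:
        return False, "relay denied: %r is not a local domain" % rcpt_domain

    # A local domain can still be abused when the local part carries routing
    # syntax (user%host, host!user, @route:user@host): the local MTA would
    # re-send the message onward.  This is the joe%foo.bar%bar.baz case.
    if "%" in rcpt_local or "!" in rcpt_local or rcpt_local.startswith("@"):
        return False, "relay denied: routed local part %r" % rcpt_local

    # deny_majors: a MAIL FROM in a listed domain must arrive from that
    # domain's own servers (reverse name or HELO argument under the domain).
    if from_domain in DENY_MAJORS:
        if not (in_domain(peer_name, from_domain) or in_domain(helo, from_domain)):
            return False, "deny_majors: %s sender via %s/%s" % (
                from_domain, peer_name, helo)

    return True, "accepted for local delivery"


if __name__ == "__main__":
    # Constructed sample sessions: (peer_ip, peer_name, helo, mail_from, rcpt_to)
    samples = [
        ("192.0.2.10", "ws1.company-a.example", "ws1",
         "alice@company-a.example", "bob@anywhere.example"),
        ("10.9.8.7", "mail.remote.example", "mail.remote.example",
         "carol@remote.example", "bob@elsewhere.example"),
        ("10.9.8.7", "mail.remote.example", "mail.remote.example",
         "carol@remote.example", "joe%foo.bar%bar.baz@company-a.example"),
        ("10.9.8.7", "dialup-99.isp.example", "myhost",
         "spammer@aol.com", "bob@company-a.example"),
    ]
    for s in samples:
        print(s[4], "->", evaluate(*s))
```

The deny_majors check is deliberately applied only to external peers, so an internal workstation sending with one of those domains in MAIL FROM is handled by permit_send rather than rejected; whether that matches ironhand's ordering is not stated in the post. The routed-local-part rule is a belt-and-braces addition: it only matters if the MTA behind the gateway honours % or ! routing, which sendmail of that era did by default.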
Current thread:
- NoSpam! 2.07 & InfoSec Resources Jason R. Rhoads (Nov 07)
- Re: NoSpam! 2.07 & InfoSec Resources Darren Reed (Nov 07)
- Re: NoSpam! 2.07 & InfoSec Resources Jyri Kaljundi (Nov 08)
- <Possible follow-ups>
- Re: NoSpam! 2.07 & InfoSec Resources Bill Kennedy (Nov 09)
- Re: NoSpam! 2.07 & InfoSec Resources Darren Reed (Nov 07)