Firewall Wizards mailing list archives

Re: NoSpam! 2.07 & InfoSec Resources


From: bill () WLK COM (Bill Kennedy)
Date: Sun, 9 Nov 1997 12:29:42 -0600 (CST)

Please excuse the amount of quoted text, but my comments won't make sense
without both Jason and Darren's remarks.

From: Darren Reed <darrenr () cyber com au>
Subject: Re: NoSpam! 2.07 & InfoSec Resources

> In some mail I received from Jason R. Rhoads, sie wrote
> > Version 2.07 of NoSpam! is now available:
> >       http://www.sabernet.net/products
> >
> > What is it? NoSpam! is a patch for smap, the sendmail wrapper client
> > included in the TIS Firewall Toolkit. The patch provides a mechanism
> > to stop spam from being delivered to users at your site.

At http://www.ironhand.net there is a product inspired by smap/smapd that
handles spam and relay filtering.  It grew up as a heavily hacked smap and
worked well, but I decided to start fresh.  Like smap/smapd it has separate
enqueue and dequeue programs, so it's entirely feasible to use a different
dequeuer to implement different filter policies before forwarding to the MTA.

> What concerns me most, with smap, is preventing the site from being
> used as a relay.  I'm aware of sendmail bits to stop relaying, but,
> do they work in conjunction with smap ?
>
> I've looked at http://www.cih.com/~hagan/smap-hacks/ but I'm not sure
> what's there does what I want.
>
> My scenario at present is:
>
> Internet-----[X]Firewall[Z]----Company_A
>                   [Y]
>                    |
>           Company_B,Company_C
[ ... ]
> Also, how are anti-spam patches for smap currently dealing with addresses
> such as:
>
> joe%foo.bar%bar.baz@company.com

Ironhand is moderately clever about unraveling aberrant addresses that are
moderately RFC-822 compliant.  It also handles Banyan and Lotus variants
and tries very hard with the ones spoken with a Pacific Northwest accent.
I do not suggest that there aren't some addresses, e.g. unquoted VMS, where
it utterly fails, but it logs all pertinent status and there's a volume
control on the logging.

> ?
>
> Darren

Although the ironhand software is "pay fer" there is an evaluation license
available without cost.  It is entirely possible to build airtight relay
filtering for Darren's scenario within the ten rule limit and get some
pretty darned good spam filtering as well.  It was my intent, when building
the suite, that the no fee version be fully functional for defeating relays
in order to encourage all sites worldwide to stop tolerating relayed spam.
Darren's scenario can be completely enforced with three entries each in the
permit_recv and permit_send filters and still have seven rules left for
expansion within the ten rule evaluation limit.  Relayed spam can be severely
curtailed using the deny_majors filter.  I put aol.com, compuserve.com,
juno.com and hotmail.com in there so that any mail bearing a MAIL FROM
address in those domains that didn't originate from one of their servers
(peer name/address, HELO name/address) rejects as a relay.  Better than 25%
of the stops here are made by those four rules in that filter.  All of the
documentation and the evaluation binaries are available at no cost.

There is one more reason to be encouraged about the ironhand software.  Most
of the complaints I see in the news groups and mailing lists are about high
rates of leaks and "false positives".  My site handles 300-700 receipts a
day and has been running ironhand since last May.  I've had two false positives
since then and I get 3-5 leaks a day as the spammers morph and cloak.  The
design emphasis has been to forward legitimate correspondence while stopping
spam and relay attempts.  I believe that in order to avoid false positives
(rejecting legitimate correspondence) you have to tolerate some leaks; ironhand
is well balanced in that regard.  Finally, so that it's clear, ironhand is
indeed a commercial offering but I emphasize that formidable defenses can be
constructed with the evaluation version.  Either go to www.frus.com and click
on the SMTP firewall or go directly to www.ironhand.net for more information.
Read the on_the_cheap blurb in the samples directory for a no cost approach.
-- 
Bill Kennedy bill () WLK COM  | "Man who it is very bad luck to get in a fight
                           |  with because he has devils on his side"
                           |  Comanche name for "Captain Jack", Texas Ranger
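The relay and "deny_majors" policy Bill describes, and the unravelling of Darren's percent-routed address, can be shown in a few dozen lines. The block below is an added illustration, not code from ironhand, smap or NoSpam!; the rule names permit_recv, permit_send and deny_majors follow the discussion, but the data layout, the assumed site domains and networks, the constructed sample envelopes and the suffix matching of peer and HELO names are this example's own assumptions.

```python
"""Relay and deny_majors style checks for an SMTP gateway (illustration only).

Not ironhand, smap or NoSpam! code. Domains, networks and envelopes below are
constructed for the example.
"""
from dataclasses import dataclass

# Assumed layout of Darren's scenario: the gateway is the MX for three sites.
LOCAL_DOMAINS = {"company-a.example", "company-b.example", "company-c.example"}
INTERNAL_NETS = ("10.1.", "10.2.", "10.3.")   # assumed address ranges of the three sites

# deny_majors: a MAIL FROM in one of these domains is accepted only when the
# connecting host (reverse name or HELO name) belongs to the same domain.
DENY_MAJORS = {"aol.com", "compuserve.com", "juno.com", "hotmail.com"}


@dataclass
class Envelope:
    peer_ip: str
    peer_name: str   # reverse-DNS name of the peer, "" if none
    helo: str
    mail_from: str   # "<>" for bounces
    rcpt_to: str


def _clean(addr):
    return addr.strip().strip("<>").lower()


def domain_of(address):
    a = _clean(address)
    return a.rpartition("@")[2] if "@" in a else ""


def route_domains(address):
    """Every domain a '%'-routed address would pass through, first hop first.

    joe%foo.bar%bar.baz@company.com is delivered by company.com to bar.baz,
    then by bar.baz to foo.bar, so all three hosts act as relays.
    """
    local, at, dom = _clean(address).rpartition("@")
    if not at:
        return []
    hops = [dom]
    if "%" in local:
        hops.extend(reversed(local.split("%")[1:]))
    return hops


def unravel(address):
    """Final mailbox a '%'-routed address resolves to."""
    local, at, dom = _clean(address).rpartition("@")
    if not at or "%" not in local:
        return _clean(address)
    parts = local.split("%")
    return parts[0] + "@" + parts[1]


def in_domain(name, dom):
    return name == dom or name.endswith("." + dom)


def classify(env):
    """Return 'accept' or 'reject: <reason>' for one recipient."""
    if env.peer_ip.startswith(INTERNAL_NETS):
        return "accept"                      # permit_send: our sites may send anywhere
    hops = route_domains(env.rcpt_to)
    # permit_recv: outsiders may only hand us mail for our own domains, and a
    # percent route through any foreign host is a relay attempt in disguise.
    if not hops or any(h not in LOCAL_DOMAINS for h in hops):
        return "reject: relay attempt via " + ",".join(hops)
    sender = domain_of(env.mail_from)
    if sender in DENY_MAJORS and not (in_domain(env.peer_name, sender)
                                      or in_domain(env.helo, sender)):
        return "reject: %s sender not from %s host" % (sender, sender)
    return "accept"


# Constructed sample envelopes, not real traffic.
SAMPLES = {
    "partner": Envelope("192.0.2.10", "mail.partner.example", "mail.partner.example",
                        "<alice@partner.example>", "<bob@company-a.example>"),
    "percent_relay": Envelope("192.0.2.10", "mail.partner.example", "mail.partner.example",
                              "<alice@partner.example>", "<joe%foo.bar%bar.baz@company-a.example>"),
    "forged_aol": Envelope("203.0.113.7", "dsl-203-0-113-7.isp.example",
                           "dsl-203-0-113-7.isp.example", "<deals@aol.com>",
                           "<bob@company-a.example>"),
    "real_aol": Envelope("198.51.100.4", "mta1.mail.aol.com", "mta1.mail.aol.com",
                         "<friend@aol.com>", "<bob@company-a.example>"),
    "internal_out": Envelope("10.2.0.4", "pc4.company-b.example", "pc4",
                             "<staff@company-b.example>", "<pal@elsewhere.example>"),
}


def run_samples():
    return {name: classify(env) for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-14s %s" % (name, verdict))
```

Matching the HELO name is the weaker of the two tests, since the peer chooses it; the reverse name is what actually ties the connection to a major provider's servers, which is why the check consults both.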
