Firewall Wizards mailing list archives
Handling mail, was: Re: Re: Anybody Recognize These Uploads?
From: Chuck Swiger <chuck () codefab com>
Date: Fri, 03 Jan 2003 17:51:30 -0500
Mike Hoskins wrote:
[ ... ]
> I think the clear point is that lazy admins (engineers, managers, etc.)
> have caused the current, broken Internet.
>
> Innocent email that gets caught by the RBL of the month, packets that get
> blackholed because the last user started a SYN flood (and the current user
> has no clue, nor does the ISP/NSP's operations dept), etc., etc.  Goodbye
> "open" Internet.  Ahh, but what did we expect...  As the number of people
> on the Internet approaches the number of people in the real world, the
> "open" and "idealistic" Internet (TCP/IP is idealistic) must become like
> the real world and suck more every day.

People who argue with pessimists tend to be wrong at least as often as they are right, which is unfortunate; at least for those who are non-pessimists. That being said, I think that even someone who would say something like "the Internet must ... suck more every day" might find it useful to focus on the things that don't suck; that is to say, the silver lining in the black storm clouds of Internet suckatude, so to speak.

> It's easier to block a country, class A/B/C, etc. than it is to monitor,
> inspect, track and resolve potential issues.  Doing things simply because
> they're easy, however, rarely leads to the desired result.

It's easier to point out problems than it is to solve them, too.

"Bear in mind, at all times and in all circumstances, whatever the subject under discussion-- be it never so dear to your heart and worthy of thoughtful consideration at far greater length than that to which you are regretfully obliged to constrain it-- that conciseness is a virtue of such paramount importance that the present writer would ever dream of relinquishing it, even for a moment; bearing in mind as well, that the related and yet not wholly identical temptation to entangle both the narrative and the reader in a thousand branching paths of digression, from which initially attractive yet ultimately fruitless byways (like those deceptively promising mountain trails which, when followed, gradually diminish to faint and narrow tracks and thence to mere nothingness, leaving the traveller stranded at some spot deserted by humanity not through whim or chance, but justly, on account of its intrinsic lack of any interest whatsoever) one may only with great difficulty find one's way back to the main thread, must also be sternly avoided. Every time you explain this point to the reader, follow it with a firmly worded assurance that that is exactly what you intend to do. Believe yourself when you say it."

Apropos:

One can combine bandwidth limitation and email filtering or content-based ratings using something like IPFW+dummynet, and filters like SpamAssassin or MIMEdefang, which can either be invoked system wide (via the MTA), or on a per-user basis via .forward files, procmail, etc.

Put something like this on a firewall between your mailservers and the net:

    ipfw pipe 1 config bw 300Kbit/s
    ipfw pipe 2 config bw 10Kbit/s delay 200ms
    ipfw pipe 3 config bw 5Kbit/s delay 5000ms

    ipfw add pipe 1 tcp from important_client1.com to foo.com/24 25
    ipfw add pipe 1 tcp from important_client2.com to foo.com/24 25
    [ ...repeat as needed; could also divert them to mail.foo.com... ]

    ipfw add pipe 3 tcp from 210.0.0.0/7 to foo.com/24 25
    [ ...repeat as needed... ]

    ipfw add pipe 2 tcp from any to spam.foo.com 25
    ipfw add pipe 1 tcp from any to mail.foo.com 25

...and have MX records for foo.com which list:

    foo.com.       MX 10 mail.foo.com.
    foo.com.       MX 20 spam.foo.com.
    mail.foo.com.  MX 10 spam.foo.com.

Pass out business cards with <user () foo com> and have your users set their MUA From: headers to that; but have them use <user () mail foo com> for website feedback forms, Usenet, mailing lists, etc. Add the netblocks who launch dictionary attacks against you to the third pipe, which is known as "teergrubing spam".

You can then do things like have procmail or whatever file potential spam mail into a different mailbox, search for a text/html content-type and de-MIME it, feed it thru SpamAssassin, or combinations:

    ## .procmailrc
    :0fw
    | /usr/local/bin/spamassassin

    :0
    * ^X-Spam-Status: Yes
    spambox

SpamAssassin generates headers like:

    DATE: 21 Jan 01 8:24:27 PM
    Message-ID: <N1msdrbJXNPfV4wg9>
    Subject: *****SPAM***** Home Based Business for Grownups
    To: undisclosed-recipients: ;
    Sender: dev_null_sample_spam () example com
    X-Spam-Status: Yes, hits=16.1 required=8.0
        tests=ALL_CAPS_HEADER,CALL_FREE,DATE_IN_PAST_24_48,
        DRASTIC_REDUCED,FROM_HAS_MIXED_NUMS,HOME_EMPLOYMENT,
        INVALID_DATE,INVALID_MSGID,LINES_OF_YELLING,
        MSGID_HAS_NO_AT,NO_REAL_NAME,ONCE_IN_LIFETIME,
        RCVD_IN_OSIRUSOFT_COM,REMOVE_SUBJ,SMTPD_IN_RCVD,
        SPAM_PHRASE_21_34,UNDISC_RECIPS,X_OSIRU_DUL,X_OSIRU_DUL_FH
        version=2.43
    X-Spam-Flag: YES
    X-Spam-Level: ****************
    X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

...where the number of stars is the "level of spaminess" for the test message.

Of course, the details should be adjusted to suit the situation: an ISP might use this to permit normal users to send outbound mail from their homes without much noticeable delay, but it would do quite a bit to slow down mass-mailers.

-Chuck

PS: The quote was from Steven Brust and T. Heyden.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
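Added example, not part of the message above: one way to pick the netblocks that go into the third (teergrube) pipe, by counting distinct refused recipients per /24 and emitting rules in the same form as the `ipfw add pipe 3` line in the message. The log format, function names, thresholds and sample addresses are assumptions made for illustration; the sample log is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a simplified, hypothetical log format (not a real MTA's):
#   <time> <reject|accept> rcpt=<address> client=<IPv4 address>
SAMPLE_LOG = """\
03:10:01 reject rcpt=aaron@foo.com client=203.0.113.10
03:10:01 reject rcpt=abby@foo.com client=203.0.113.10
03:10:02 reject rcpt=adam@foo.com client=203.0.113.77
03:10:02 reject rcpt=al@foo.com client=203.0.113.77
03:10:03 reject rcpt=alan@foo.com client=203.0.113.10
03:10:09 reject rcpt=jsmiht@foo.com client=198.51.100.5
03:11:09 reject rcpt=jsmiht@foo.com client=198.51.100.5
03:12:09 reject rcpt=JSmiht@foo.com client=198.51.100.5
03:12:30 accept rcpt=jsmith@foo.com client=198.51.100.5
03:13:00 reject rcpt=old1@foo.com client=192.0.2.25
03:13:00 reject rcpt=old2@foo.com client=192.0.2.25
03:13:01 reject rcpt=old3@foo.com client=192.0.2.25
"""

REJECT = re.compile(r"\breject rcpt=(\S+) client=(\d+\.\d+\.\d+\.\d+)")

def dictionary_attack_netblocks(log_text, prefix_len=24, min_distinct_rcpts=5, exempt=()):
    """Netblocks refused for many *distinct* recipients (name guessing).
    One mistyped address retried many times counts once; netblocks in
    `exempt` (e.g. the pipe 1 clients) are never returned."""
    exempt_nets = [ipaddress.ip_network(n) for n in exempt]
    guessed = defaultdict(set)  # netblock -> distinct refused recipients
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed client field such as 999.1.1.1
        if any(addr in net for net in exempt_nets):
            continue
        block = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        guessed[block].add(m.group(1).lower())
    return sorted(b for b, rcpts in guessed.items() if len(rcpts) >= min_distinct_rcpts)

def pipe3_rules(blocks, dest="foo.com/24"):
    """Render rules in the form used in the message for the slowest pipe."""
    return [f"ipfw add pipe 3 tcp from {b} to {dest} 25" for b in blocks]

if __name__ == "__main__":
    blocks = dictionary_attack_netblocks(SAMPLE_LOG, exempt=("192.0.2.0/24",))
    print("\n".join(pipe3_rules(blocks)))
```

Review the generated rules before loading them, since a whole /24 is slowed on the evidence of a few hosts.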