Firewall Wizards mailing list archives

Handling mail, was: Re: Re: Anybody Recognize These Uploads?


From: Chuck Swiger <chuck () codefab com>
Date: Fri, 03 Jan 2003 17:51:30 -0500

Mike Hoskins wrote:
[ ... ]
> I think the clear point is that lazy admins (engineers, managers, etc.)
> have caused the current, broken Internet.
>
> Innocent email that gets caught by the RBL of the month, packets that get
> blackholed because the last user started a SYN flood (and the current user
> has no clue, nor does the ISP/NSP's operations dept), etc., etc.  Goodbye
> "open" Internet.  Ahh, but what did we expect...  As the number of people
> on the Internet approaches the number of people in the real world, the
> "open" and "idealistic" Internet (TCP/IP is idealistic) must become like
> the real world and suck more every day.

People who argue with pessimists tend to be wrong at least as often as they
are right, which is unfortunate; at least for those who are non-pessimists.
That being said, I think that even someone who would say something like
"the Internet must ... suck more every day" might find it useful to focus on
the things that don't suck; that is to say, the silver lining in the black
storm clouds of Internet suckatude, so to speak.

> It's easier to block a country, class A/B/C, etc. than it is to monitor,
> inspect, track and resolve potential issues.  Doing things simply because
> they're easy, however, rarely leads to the desired result.

It's easier to point out problems than it is to solve them, too.

"Bear in mind, at all times and in all circumstances, whatever the subject
under discussion-- be it never so dear to your heart and worthy of thoughtful
consideration at far greater length than that to which you are regretfully
obliged to constrain it-- that conciseness is a virtue of such paramount
importance that the present writer would ever dream of relinquishing it, even
for a moment; bearing in mind as well, that the related and yet not wholly
identical temptation to entangle both the narrative and the reader in a
thousand branching paths of digression, from which initially attractive yet
ultimately fruitless byways (like those deceptively promising mountain trails
which, when followed, gradually diminish to faint and narrow tracks and thence
to mere nothingness, leaving the traveller stranded at some spot deserted by
humanity not through whim or chance, but justly, on account of its intrinsic
lack of any interest whatsoever) one may only with great difficulty find one's
way back to the main thread, must also be sternly avoided.

Every time you explain this point to the reader, follow it with a firmly
worded assurance that that is exactly what you intend to do.  Believe
yourself when you say it."  Apropos:

One can combine bandwidth limitation and email filtering or content-based
ratings using something like IPFW+dummynet, and filters like SpamAssassin or
MIMEdefang, which can either be invoked system wide (via the MTA), or on a
per-user basis via .forward files, procmail, etc.  Put something like this on
a firewall between your mailservers and the net:

ipfw pipe 1 config bw 300Kbit/s
ipfw pipe 2 config bw 10Kbit/s delay 200ms
ipfw pipe 3 config bw 5Kbit/s delay 5000ms
ipfw add pipe 1 tcp from important_client1.com to foo.com/24 25
ipfw add pipe 1 tcp from important_client2.com to foo.com/24 25
[ ...repeat as needed; could also divert them to mail.foo.com... ]

ipfw add pipe 3 tcp from 210.0.0.0/7 to foo.com/24 25
[ ...repeat as needed... ]

ipfw add pipe 2 tcp from any to spam.foo.com 25
ipfw add pipe 1 tcp from any to mail.foo.com 25

...and have MX records for foo.com which list:

foo.com.        MX 10 mail.foo.com.
foo.com.        MX 20 spam.foo.com.
mail.foo.com.   MX 10 spam.foo.com.

Pass out business cards with <user@foo.com> and have your users set their MUA
From: headers to that; but have them use <user@mail.foo.com> for website
feedback forms, Usenet, mailing lists, etc.  Add the netblocks who launch
dictionary attacks against you to the third pipe, which is known as
"teergrubing spam".
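As an added example (not part of Chuck's post), the defender-side half of that last step: spot the dictionary attacks in the MTA log and emit the pipe-3 rules for the offending netblocks. The sendmail-style log lines, the /24 aggregation and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from typing import List

# Constructed sendmail-style log lines (not from the post): three "User unknown"
# rejections from 210.1.2.3, one from 210.1.2.9, one from an unrelated host, and
# one accepted message from an important client.
SAMPLE_LOG = """\
Jan  3 17:50:01 mx sm-mta[4411]: h03MpU4411: ruleset=check_rcpt, arg1=<aaron@foo.com>, relay=[210.1.2.3], reject=550 5.1.1 <aaron@foo.com>... User unknown
Jan  3 17:50:01 mx sm-mta[4411]: h03MpU4411: ruleset=check_rcpt, arg1=<abby@foo.com>, relay=[210.1.2.3], reject=550 5.1.1 <abby@foo.com>... User unknown
Jan  3 17:50:02 mx sm-mta[4411]: h03MpU4411: ruleset=check_rcpt, arg1=<abe@foo.com>, relay=[210.1.2.3], reject=550 5.1.1 <abe@foo.com>... User unknown
Jan  3 17:50:02 mx sm-mta[4412]: h03MpU4412: ruleset=check_rcpt, arg1=<adam@foo.com>, relay=[210.1.2.9], reject=550 5.1.1 <adam@foo.com>... User unknown
Jan  3 17:50:05 mx sm-mta[4413]: h03MpV4413: from=<partner@important_client1.com>, size=1822, relay=[192.0.2.10]
Jan  3 17:50:07 mx sm-mta[4414]: h03MpW4414: ruleset=check_rcpt, arg1=<bob@foo.com>, relay=[198.51.100.7], reject=550 5.1.1 <bob@foo.com>... User unknown
"""

# A dictionary attack shows up as a burst of "User unknown" rejections from one source.
REJECT_RE = re.compile(r"relay=\[(\d{1,3}(?:\.\d{1,3}){3})\].*User unknown")

def unknown_user_rejects(log: str, prefixlen: int = 24) -> Counter:
    """Count 'User unknown' rejections per source netblock (/24 aggregation is an assumption)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts

def teergrube_rules(log: str, threshold: int = 3, dst: str = "foo.com/24") -> List[str]:
    """ipfw commands steering offending netblocks into pipe 3, the slow 'teergrube' pipe.
    The threshold is a constructed value: one mistyped address must not earn a block a 5 s delay."""
    offenders = [net for net, n in sorted(unknown_user_rejects(log).items()) if n >= threshold]
    return [f"ipfw add pipe 3 tcp from {net} to {dst} 25" for net in offenders]

if __name__ == "__main__":
    for rule in teergrube_rules(SAMPLE_LOG):
        print(rule)
```

Insert the generated rules after the pipe-1 rules for important clients, since ipfw takes the first matching rule.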

You can then do things like have procmail or whatever file potential spam mail
into a different mailbox, search for a text/html content-type and de-MIME it,
feed it thru SpamAssassin, or combinations:

## .procmailrc
:0fw
| /usr/local/bin/spamassassin
:0
* ^X-Spam-Status: Yes
spambox

SpamAssassin generates headers like:

DATE: 21 Jan 01 8:24:27 PM
Message-ID: <N1msdrbJXNPfV4wg9>
Subject: *****SPAM***** Home Based Business for Grownups
To: undisclosed-recipients: ;
Sender: dev_null_sample_spam@example.com
X-Spam-Status: Yes, hits=16.1 required=8.0
        tests=ALL_CAPS_HEADER,CALL_FREE,DATE_IN_PAST_24_48,
              DRASTIC_REDUCED,FROM_HAS_MIXED_NUMS,HOME_EMPLOYMENT,
              INVALID_DATE,INVALID_MSGID,LINES_OF_YELLING,
              MSGID_HAS_NO_AT,NO_REAL_NAME,ONCE_IN_LIFETIME,
              RCVD_IN_OSIRUSOFT_COM,REMOVE_SUBJ,SMTPD_IN_RCVD,
              SPAM_PHRASE_21_34,UNDISC_RECIPS,X_OSIRU_DUL,X_OSIRU_DUL_FH
        version=2.43
X-Spam-Flag: YES
X-Spam-Level: ****************
X-Spam-Checker-Version: SpamAssassin 2.43 (1.115.2.20-2002-10-15-exp)

...where the number of stars is the "level of spaminess" for the test message.
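An added example (not from the post) that does in Python what the procmail recipe above does, parsing the folded X-Spam-Status header shown and cross-checking the Yes/No flag against hits and required, so a flag that does not agree with its own score is set aside rather than trusted. The header sample is the one from the post, trimmed to the SpamAssassin lines.

```python
import re
from typing import Dict

# SpamAssassin headers from the post, embedded as sample input; the folded
# X-Spam-Status header is the part worth handling carefully.
SAMPLE_HEADERS = """\
X-Spam-Status: Yes, hits=16.1 required=8.0
        tests=ALL_CAPS_HEADER,CALL_FREE,DATE_IN_PAST_24_48,
              DRASTIC_REDUCED,FROM_HAS_MIXED_NUMS,HOME_EMPLOYMENT,
              INVALID_DATE,INVALID_MSGID,LINES_OF_YELLING,
              MSGID_HAS_NO_AT,NO_REAL_NAME,ONCE_IN_LIFETIME,
              RCVD_IN_OSIRUSOFT_COM,REMOVE_SUBJ,SMTPD_IN_RCVD,
              SPAM_PHRASE_21_34,UNDISC_RECIPS,X_OSIRU_DUL,X_OSIRU_DUL_FH
        version=2.43
X-Spam-Flag: YES
X-Spam-Level: ****************
"""

def unfold_headers(raw: str) -> Dict[str, str]:
    """Join RFC 822 continuation lines (leading whitespace) into name -> value."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers

def parse_spam_status(value: str) -> dict:
    """Parse 'Yes, hits=16.1 required=8.0 tests=A,B,... version=2.43'."""
    flag, _, rest = value.partition(",")
    rest = re.sub(r",\s+", ",", rest)            # re-join the folded tests list
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"spam": flag.strip().lower() == "yes",
            "hits": float(fields.get("hits", 0)),
            "required": float(fields.get("required", 0)),
            "tests": [t for t in fields.get("tests", "").split(",") if t],
            "version": fields.get("version")}

def file_message(raw: str) -> str:
    """The procmail recipe's decision, cross-checked so a bare flag is not trusted."""
    h = unfold_headers(raw)
    if "x-spam-status" not in h:
        return "inbox"
    s = parse_spam_status(h["x-spam-status"])
    if s["spam"] != (s["hits"] >= s["required"]):
        return "review"                           # flag and score disagree
    return "spambox" if s["spam"] else "inbox"
```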

Of course, the details should be adjusted to suit the situation: an ISP might
use this to permit normal users to send outbound mail from their homes without
much noticeable delay, but it would do quite a bit to slow down mass-mailers.

-Chuck

PS: The quote was from Steven Brust and T. Heyden.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
