Not main of the main ones say this.
Watch the false +ives on this one. You'll get a reasonble number.
bl.spamcop.net , [kr|cn|ng|br].rbl.cluecentral.net

1. False positives
2. Timeouts when the RBL dies or gets DOSed
3. False positives

It's a little off topic, and not really suitable for deployment on an isp
central mail server, but..

I think I've 100% solved my personal spam problem. I 0wn it, it is my b***h =)

Tune out now if you don't care, read on if you want to know how.

I've been using TMDA for about a year now, and I recently added Spam
Assassin to that.

The first piece of spam that made it through this system arrived today.
Thats out of about 4000 bits of spam. The only reason that made it through
was that the spammer actually replied to the confirmation email that TMDA
sends back (I'll get him later).

TMDA works like a treat. You have to make the decision that you're willing
to inconvienience people who mail you the first time (with a confirmation
process). Out of the 294 people on my whitelist I've only had two complain.
And both of them thought it was a better idea after I phoned/had beer with
them. I worry that some people will not respond nor complain, but a quick
check of unconfirmed messages shows me that this is not the case. Even my
grandmother managed to work it out.
This will not be appropriate for you work email account however.
Telling customers to prove who they are is never good. I also have email
aliases which mypass some or all of my spam system. eg if I know someone is
going to hate being annoyed then they might get ***@deanpemberton.com which
has no checking on it.

The downside to TMDA is that it tries to send a confirmation email for each
suspect email that it receives. The postmaster for the box where I have
this set up had a bit of a whinge that this was causing too much postmaster
mail (because most of them will die because they are sent to bogus spam
addresses). His solution to this was to front end the system with Spam
Assassin.

I was pretty dubious at first. The reason I had gone with TMDA was that I
never wanted to miss a real message. I didn't think that packages like SA
did a very good job.

I'm happy to say that I've been proved 100% wrong. SA sits at the front and
looks at the messages - if it thinks it's spam then it tags it with why and
places it in my Spam folder (which I think I'd check once a day when I'm
bored). I think it has tagged real mail as spam once and that was because
a friend forwarded me some spam.

If the message makes it through SA, and about 10% of spam does, then TMDA
gets it and sends off a confirmation email if the address is not in it's
whitelist.


This is so effective that as I say only one piece of spam in the last 4000
has made it to my inbox. And that needed to a) not look like spam to SA,
and b) have the spammer give his real address and then take the time to
reply to a confirmation message from me. Quite rare eh.

SA is doing such a good job that I've started to apply some statistical
modeling to how it ranks my spam. It fits a weibul distribution almost
perfectly and I plan to use this to tune the parameters so that I can prove
that it's catching the maximum amount of spam while minimising the risk of
it tagging real mail. The graphs look pretty =)


So this double approach really works for me.

If you want to know anything else then just mail me offline.
If you want to see it in action (TMDA that is) then mail me offline =)

Here are some links


http://tmda.net/
http://spamassassin.org/


Later


Dean

Be warned, I might call you on that tonight. :-) Ive got no idea what our
local node number is though..

In terms of spam, ive adopted essentially the same policy as Nathan Ward
pointed out, which has been useful so far - except for the completely
noncooperative nature of the one network I can positively identify as
having sold an address on my domain in their spamlist...

So the second part of my personal system is to actively do the following:

1) Watch my web server logs for crawlers from 'dodgy' networks. (read:
*.cn, *.kr, *.br etc)
2) Firewall said networks from my MTA/Webserver (same box) entirely
3) Look up individual spam source IPs with whois, send abuse complaints in
the first instance..
4) Block spamming MTA (smtp only) in the second instance.
5) skip step 3 where source IP is *.cn. *.kr, *.br, or where spam type is
persistant.

The amount of spam ive dealt with of late has dropped significantly as a
result of the above. Essentially what ive done is built my own RBL,
because at least this way im personally responsible for what gets blocked
and what is permitted, and not at the whim of some 3rd party block list...

And personally while I see TMDA as quite effective, I also see it as a
serious inconvenience.

Mark.

I agree with Juha.

We are seeing more and more spam hitting the mail servers that is being
relayed via open socks proxies.
At this rate, I think its just going to be a matter of time before we're
forced to block inbound connections on proxy ports.

I've had good results with the Osirusoft RBL's - Joe combines the more
commonly used ones. Be aware that you may need to whitelist some regions
- keep any eye on your rejections.
Spamcop seems to be fairly conservative in its listings. I'd disagree
with Mike Beattie's comments - the rant on the link posted is just that,
a misguided rant. I'm sure we're all aware of the additional workload
created by UCE. Unfortunately, it would seem that at least one ISP (that
of Mr. Felton) failed to perform due diligence.


Gordon

Further to this, is anyone using SpamAssassin for large-ish scale
filtering? With RBLs or without? Or anything else?

-- don

It is possible to set SpamAssassin up so that users can control their
own spam filters.
This does require a reasonable amount of coding to get it to work.

I believe that Steve Phillips was working on something like this a while
ago.
Getting something like that working in conjunction with RBL queries on a
per-user level would be great for allowing the customers more control
over their mailbox.

There is also another approach to bulk mail - DCC - which uses checksums
to identify UCE. As to how effective it is though, I have no idea....

Sorry, guess I wasn't clear on blocking open proxies.

I was meaning that if the current trend of abusing open proxies
continues, we'll end up denying any inbound traffic destined for
customers on proxy ports.
Those that don't will end up blocklisted as more and more people bounce
spam off their customers.
We've already started denying port 25 connections from DSL netblocks in
parts of the U.S.
We're returning a 553 with a message to relay through their ISP. It
helps, but I don't think its an ideal solution.

The lack of any form of redress against spammers doesn't help the issue
either.
Unfortunately, we end up carrying the traffic costs.

Joe Jared's lists at relays.osirusoft.com do contain open proxies, but
these aren't actively maintained. Once listed, the user must request
re-testing before the block is removed. Re-tests are not automatic. The
biggest problem, especially with DSL, is those users on dynamic
addresses and running open proxies. In that case, the only solution is
to block the entire range.

Given the wide range of client software used, I don't think there's any
easy answer to this issue. If the SMTP protocol is re-written to enhance
security and accountability for traffic, the negative effects on legacy
systems would be huge. Attacking the problem at the client end would
pose similar problems.

Spamassassin still looks to be one of the best options at this stage.


Gordon

Funny I could have sworn that is what ihug's been doing for the last year
or so. Of course it means you accept the message and don't save the
bandwidth (as such) but the bandwidth overhead for spam isn't huge.

Spamassassin has RBLs (plus DCC, Razor, Bayes and other buzzwords) built
in so you can use it to tag/block according to them on a per-user basis.

I was thinking about doing a talk about this at nznog this year if enough
peoiple are interested.

Yip yip! I'd come and egg you ... on I mean. Especially if you were to
include a section on defensive strategies against large dictionary attacks
and similar abuses.

Hi,

A bit of a "me too" post in that I use the ***@domain mechanism,
and have recently been given the benefit of SpamAssassin both at work
and on my personal mail, but I haven't seen anyone mention the
disposable email address services like sneakemail.com.

Despite the execrable name and user interface, it's useful if you don't
have control of your own domain and mail-server. They have finally
introduced "instant" address generation, so you can give out addresses
off-line... there are other services, vive le difference.

But I agree with the poster who said the RBLs are on their way out, they
are too crude a tool and an estimate of the false positives they
blocked, IIRC, was about 11%.

When I read the horror stories here about how the Net is being strangled
in order to choke spam, it's scary. Bob Frankston comments:

"I'm afraid of the spam hunters. They are trying to find all those bad
people and get rid of them. It seems obvious that there is something
called Spam and we must get rid of it. Having a simple term, even if
it's still a trademark for Hormel's Deviled Ham, has misframed the
problems."

http://satn.org/archive/2003_02_02_archive.html#90265861

What you are seeing in all the growingly successful approaches is edge
and collaborative filtering, after all, what may be spam to you is
hugely amusing to me. I have a collection of that which you call 419.
They are hilarious. One man's ceiling is another man's floor and all
that.

I think by having a user configurable edge, doctors and legislators can
email about "sex" without having to resort to neologisms like "secks."

And, with a good user interface, most users (I read even Dean's
grandmother, you agist pig! :) can control what they receive.

It's one of my favourite RFC quotes:

"In contrast with paper-based communication, it is interesting to note
that the RECEIVER of a message can exercise an extraordinary
amount of control over the message's appearance. The amount of
actual control available to message receivers is contingent upon the
capabilities of their individual message systems."

-- RFC822

In the case of spam, it's literally the appearance of the email in the
users mail box.

Spam is another problem that wasn't going to be fixed in some
heavyweight core, but at the edge, where the individual receiver has a
right to their own opinion about what constitutes... spam, porn, et al
and needs only to be provided with better "capabilities of their
individual message systems."


Hamish.