| 1 |
Alex Efros wrote: |
| 2 |
> Hi! |
| 3 |
> |
| 4 |
> On Mon, Sep 22, 2008 at 07:53:57PM +0200, Thilo Bangert wrote: |
| 5 |
>> i've heard of cases, where spammers used the subscribe address of |
| 6 |
>> mailinglists as envelope sender. an out-of-office reply is sent to the |
| 7 |
>> subscribe address from the target of the spam - the mailing list software |
| 8 |
>> sends a confirmation mail - the autoresponder correctly authorises the |
| 9 |
>> the subscription request. |
| 10 |
>> |
| 11 |
>> ...but then again, thats what you get for sending out-of-office |
| 12 |
>> autoresponses. |
| 13 |
> |
| 14 |
> Sorry for OT, but I wanna install spam-protection tool based on |
| 15 |
> confirmation email request (somebody send me email, my tool delay that |
| 16 |
> email and automatically reply requesting confirmation, he confirm, my tool |
| 17 |
> receive that confirmation and: 1) add his email to while-list; 2) deliver |
| 18 |
> his initial email to my mailbox). I'm aware about several such tools, but |
| 19 |
> I'm not sure how they handle incoming emails from other robots - like mail |
| 20 |
> lists, or some news subscriptions and notifications from websites. |
| 21 |
> |
| 22 |
> I just don't wanna put myself in position like other people who spam |
| 23 |
> maillists I read with senseless messages from their tools like |
| 24 |
> autoresponders or so... |
| 25 |
> |
| 26 |
> Can anybody recommend me tool which is able to correctly handle these cases? |
| 27 |
> To be honest, I don't see a way to realize this feature... :( |
| 28 |
> Ability to protect all accounts at our email domain is good to have, but |
| 29 |
> personal-only tool is acceptable too. (I use qmail, if this is important.) |
| 30 |
> |
| 31 |
|
| 32 |
I would recommend not to implement such a tool. |
| 33 |
|
| 34 |
1) I wouldn't send you mail anymore if you made me jump through hoops to |
| 35 |
confirm that me is actually I. |
| 36 |
2) I personally think it's a stupid way of dealing with the problem |
| 37 |
3) I can't see any way to get them to work with lists |
| 38 |
|
| 39 |
1) and 2) are obviously very personally biased & opinionated :-) |
| 40 |
|
| 41 |
Judging from the mail/spam volumes at my work, you might be very happy |
| 42 |
if you just implemented grey-listing. This basically tells every new |
| 43 |
sender of email (or email-address, depends on implementation) to go and |
| 44 |
come back in 5 minutes. It sends a 4xx status code, which tells the |
| 45 |
sender that the mailserver is currently unable to accept mail, but will |
| 46 |
do so in a short while. |
| 47 |
|
| 48 |
Most greylisting tools automaically whitelist senders if they come back |
| 49 |
for a configurable period of time. |
| 50 |
|
| 51 |
Since most spammers, virii and other bogus mailsenders do not implement |
| 52 |
a full queue-ing system to redeliver mail at a later time if they |
| 53 |
receive a 4xx response they bugger off to harass other poor souls on the |
| 54 |
internet. |
| 55 |
|
| 56 |
Since most legit mailsenders actually use a mailserver with a queueing |
| 57 |
system they resend the mail within the specified period and mail gets |
| 58 |
delivered. |
| 59 |
|
| 60 |
As a bonus, it's absolutely low-impact on your mailserver wrt performance. |
| 61 |
|
| 62 |
Dropped spam ratio with > 60% for me, the rest is taken care of by the |
| 63 |
usual combination of (automated) blacklisting and spamassasin. |
| 64 |
|
| 65 |
If you use postfix it is as simple as emerge postgrey and go read the |
| 66 |
manual. |
| 67 |
|
| 68 |
Just my 2 cts |
| 69 |
|
| 70 |
Ramon |
Archives