Alex Efros wrote:
> Hi!
>
> On Mon, Sep 22, 2008 at 07:53:57PM +0200, Thilo Bangert wrote:
>> i've heard of cases, where spammers used the subscribe address of
>> mailinglists as envelope sender. an out-of-office reply is sent to the
>> subscribe address from the target of the spam - the mailing list software
>> sends a confirmation mail - the autoresponder correctly authorises the
>> subscription request.
>>
>> ...but then again, that's what you get for sending out-of-office
>> autoresponses.
>
> Sorry for OT, but I wanna install a spam-protection tool based on
> confirmation email request (somebody sends me email, my tool delays that
> email and automatically replies requesting confirmation, he confirms, my tool
> receives that confirmation and: 1) adds his email to white-list; 2) delivers
> his initial email to my mailbox). I'm aware of several such tools, but
> I'm not sure how they handle incoming emails from other robots - like mail
> lists, or some news subscriptions and notifications from websites.
>
> I just don't wanna put myself in position like other people who spam
> maillists I read with senseless messages from their tools like
> autoresponders or so...
>
> Can anybody recommend me a tool which is able to correctly handle these cases?
> To be honest, I don't see a way to realize this feature... :(
> Ability to protect all accounts at our email domain is good to have, but
> personal-only tool is acceptable too. (I use qmail, if this is important.)
>
|
I would recommend not to implement such a tool.

1) I wouldn't send you mail anymore if you made me jump through hoops to
confirm that me is actually I.
2) I personally think it's a stupid way of dealing with the problem
3) I can't see any way to get them to work with lists

1) and 2) are obviously very personally biased & opinionated :-)
|
Judging from the mail/spam volumes at my work, you might be very happy
if you just implemented grey-listing. This basically tells every new
sender of email (or email-address, depends on implementation) to go and
come back in 5 minutes. It sends a 4xx status code, which tells the
sender that the mailserver is currently unable to accept mail, but will
do so in a short while.

Most greylisting tools automatically whitelist senders if they come back
for a configurable period of time.
|
Since most spammers, virii and other bogus mailsenders do not implement
a full queue-ing system to redeliver mail at a later time if they
receive a 4xx response, they bugger off to harass other poor souls on the
internet.

Since most legit mailsenders actually use a mailserver with a queueing
system, they resend the mail within the specified period and mail gets
delivered.

As a bonus, it's absolutely low-impact on your mailserver wrt performance.

Dropped spam ratio with > 60% for me, the rest is taken care of by the
usual combination of (automated) blacklisting and spamassassin.
|
If you use postfix it is as simple as emerge postgrey and go read the
manual.

Just my 2 cts

Ramon
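
Added example, not part of the original message and not postgrey's code: a minimal greylisting decision in Python showing the mechanism described above (4xx for a new sender, accept once it retries after the delay, then whitelist for a configurable period). The `Greylist` class, the key on client network, envelope sender and recipient, and every default except the 5-minute delay are assumptions made for illustration.

```python
import ipaddress


class Greylist:
    """Greylisting decision keyed on (client network, envelope sender, recipient)."""

    def __init__(self, delay=300, retry_window=4 * 3600, whitelist_ttl=35 * 86400):
        self.delay = delay                  # the "come back in 5 minutes" from the post
        self.retry_window = retry_window    # assumed: how long a first attempt is remembered
        self.whitelist_ttl = whitelist_ttl  # assumed: the "configurable period" of whitelisting
        self.first_seen = {}                # key -> time of first deferred attempt
        self.whitelist = {}                 # key -> time of last accepted delivery

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Large senders retry from a pool of hosts, so match on the network
        # (/24 for IPv4, /64 for IPv6; assumed values) instead of the exact IP.
        ip = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply (code, text) to give at RCPT TO time."""
        key = self._key(client_ip, sender, recipient)
        seen = self.whitelist.get(key)
        if seen is not None and now - seen <= self.whitelist_ttl:
            self.whitelist[key] = now       # known-good sender: refresh and accept
            return (250, "OK")
        self.whitelist.pop(key, None)       # whitelist entry expired, start over
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now      # new (or forgotten) sender: temporary failure
            return (450, "Greylisted, please try again later")
        if now - first < self.delay:
            return (450, "Greylisted, please try again later")  # retried too soon
        del self.first_seen[key]            # a real queue came back: whitelist it
        self.whitelist[key] = now
        return (250, "OK")


if __name__ == "__main__":
    gl, t0 = Greylist(), 1_000_000          # constructed timestamps and addresses
    for ip, dt in [("192.0.2.10", 0), ("192.0.2.10", 60), ("192.0.2.11", 330)]:
        print(dt, gl.check(ip, "list@example.org", "me@example.net", t0 + dt))
```

A sender that never retries only ever sees the 450 and its `first_seen` entry simply ages out; a production deployment would also purge expired entries and persist both tables.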