D&C GLug - Home Page

Re: [LUG] SPAM ...

 

On Sun, 24 Jan 2010, Simon Waters wrote:

Gordon Henderson wrote:

I suspect that if a spammer gets through the NoListing, it'll get
through the GreyListing too, but in any case, GreyListing (& SA) require
CPU & disk resources while NoListing doesn't.

Bypassing greylisting requires spammers to maintain state (or retry
routinely), both of which present a significant cost and above something
like trying the next MX which doesn't require significant state to be
maintained but can be done in a loop.

So whilst I'm sure all the spam from genuine email servers will pass
both greylisting and nolisting, spambots could more easily pass
NoListing if the spammer can be bothered.

Well, indeed. However, I don't think it'll be too long before some geek turns to the dark side with the lure of money and writes a zombie spambot that does a trivial amount of queuing, then ...

I am gob-smacked by the people who really don't have a clue though and let their (win) PC get infected, then wonder why it's going slow and their Internet connection is slow and ... Oh, time for a new PC ... (My wifey has a friend in London who's exactly like that - her PC is riddled with just about everything all the time - she cleans it up, and a day later it's back - if only I could install Linux for her...)

That said you can use both, I've been wary of NoListing simply because
of the appalling quality of some email servers (and admins), but I doubt
it causes many more issues than greylisting, and probably from the same
few servers that can't adhere to an RFC.

Indeed. It doesn't seem any worse than greylisting... I've chatted to a few friends who've been using it for a while and they're happy enough, so took the plunge myself...


It's going to be a bit of a disaster when the spammers cotton onto
NoListing and Greylisting, but GL has held out for a few years now..
Let's hope it holds up for a few more...

My stats show that greylisting is no longer the single most effective
preventative we use. The Spamhaus ZEN list exceeds it in terms of volume
stopped, this is due to a big decline in GL effectiveness (it has dropped
from stopping 97+% of spam as a single measure to well under 90%) as
well as improvements to the Spamhaus block list (the inclusion of the
PBL being a key change).

Interesting - I stopped using the RBLs a few years back due to (their) politics, arguing, and some false-positives from customers. Maybe I'll look again.

I found the "ix.dnsbl.manitu.net" block list provided good skill, it is
an automatic block list based on current spam sources, and thus picks up
on individual spam runs from mail servers which have had accounts
compromised and the like. This works well with greylisting - come back
in 10 minutes when the block list has had a chance to add your IP
address. Although it became a political issue at work when it blocked
email from Demon. Clearly the list authors have a relatively small
whitelist of hosts not to block, and Demon's servers were spewing spam
at the time.

Woops :)

However:

  There are currently 489,639 entries listed at the dns-zone
  ix.dnsbl.manitu.net which have been collected during the last 12 hours
  (-8,925 within the last 5 minutes).

Staggering. They get in 5 minutes what I get in a day to my own account. I wish I could get away without providing email for punters, but where are they going to go then...

I think the bigger issue than spammers bypassing greylisting, or
nolisting, is credential theft. Hence the issue with emails from Yahoo
and Google.

There seemed to have been a spate of email from "myself" to me recently, advising me that my email configurations had changed and would I just login to this site to reset them... Hmmm... maybe time to flick the SPF switch..

Cheers,

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
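
The combination discussed in the thread (greylist the first attempt, then re-check the block list when the sender retries), as an added example that is not part of the original message or any poster's configuration. The 600-second delay, the `Greylist` class, the `demo` timeline and the sample addresses are assumptions; only the zone name comes from the thread.

```python
import ipaddress
import socket

GREY_DELAY = 600                     # assumed delay in seconds (10 minutes)
DNSBL_ZONE = "ix.dnsbl.manitu.net"   # zone named in the thread

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_listed(ip, now=None, zone=DNSBL_ZONE):
    """Live lookup: any A record means listed, a failed lookup means not."""
    try:
        socket.gethostbyname(dnsbl_name(ip, zone))
        return True
    except socket.gaierror:
        return False

class Greylist:
    """Per-triplet greylisting with a block-list check on every attempt."""
    def __init__(self, delay=GREY_DELAY, listed=dns_listed):
        self.delay = delay
        self.listed = listed       # callable(ip, now) -> bool
        self.first_seen = {}       # (ip, sender, rcpt) -> time of first attempt

    def check(self, ip, sender, rcpt, now):
        """Return an SMTP-style reply for one RCPT attempt at time `now`."""
        if self.listed(ip, now):
            return "550 rejected: listed in DNSBL"
        key = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return "451 greylisted, try again later"
        return "250 ok"

def demo():
    # Constructed sample: 192.0.2.10 is an ordinary MTA; 198.51.100.7 is a
    # compromised host that the block list picks up 300 s after its first try.
    listed_at = {"198.51.100.7": 300}
    fake = lambda ip, now: now >= listed_at.get(ip, float("inf"))
    gl = Greylist(listed=fake)
    attempts = [(0, "192.0.2.10"), (0, "198.51.100.7"),
                (900, "192.0.2.10"), (900, "198.51.100.7")]
    return [(t, ip, gl.check(ip, "a@example.org", "b@example.net", t)[:3])
            for t, ip in attempts]
```

Both hosts are deferred on the first attempt; on retry the ordinary MTA is accepted, while the compromised host is rejected because the list caught up during the greylisting delay.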