[extropy-chat] the RBL racket

Eugen Leitl eugen at leitl.org
Mon Sep 11 07:07:33 UTC 2006


On Mon, Sep 11, 2006 at 12:48:01AM -0400, Robert Bradbury wrote:

>    But this stuff is so easy to filter.  I never receive images from

For now, it is easy to filter. For you and me. Not for most people.

>    anyone (or almost never).
>    The people I would want to receive images from are whitelisted.  All

I've never bothered with whitelisting. Way too much work.

>    the email that contains binary data, images, undesirable character
>    sets, a host of easy to identify Subject line misspellings, etc. gets
>    flagged very early on before the rule based or Bayesian filtering

I deny most Windows mailware at MTA level:
v64:/etc/postfix# cat body_checks.regexp
/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/
   REJECT Keep your executables!

v64:/etc/postfix# cat mime_header_checks.pcre
/^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(?:
        ad[ep]                                                  |
        asd                                                     |
        ba[st]                                                  |
        chm                                                     |
        cmd                                                     |
        com(?=$|")                                              |
        cpl                                                     |
        crt                                                     |
        dll                                                     |
        eml                                                     |
        cpl                                                     |
        crt                                                     |
        dll                                                     |
        do                                                      |
        eml                                                     |
        exe                                                     |
        hlp                                                     |
        hta                                                     |
        in[ifs]                                                 |
        isp                                                     |
        js                                                      |
        jse?                                                    |
        lnk                                                     |
        md[betw]                                                |
        ms[cipt]                                                |
        nws                                                     |
        ocx                                                     |
        ops                                                     |
        pcd                                                     |
        p[ir]f                                                  |
        pps                                                     |
        reg                                                     |
        rm                                                      |
        sc[frt]                                                 |
        sh[bsm]                                                 |
        swf                                                     |
        url                                                     |
        vb[esx]?                                                |
        vxd                                                     |
        zip                                                     |
        ws[cfh]                                                 |
        \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}
                )\b/x           REJECT Windows executables not allowed

>    processing.  I would bet less than 1% of it has to be "thought" about.
>    I'd only have to move this slightly upstream (before qmail receives
>    the entire "text" of the message) and it would get terminated before

Yeah -- but I recommend choosing postfix over qmail (which is
abandonware, and can't be adopted due to the license).

>    it has consumed a fraction of its potential bandwidth.
>    The real problem involves (a) virus/trojan infected relay machines and
>    (b) ISPs who don't censor widespread spammers.  Those can be solved by
>    forcing the infected machines off of the network (it isn't hard for

Doesn't work. Most spam today is just some ten messages from
a single machine, which is not enough even for human diagnostics.

>    ISPs to monitor and flag accounts which have high outgoing SMTP
>    activity to "unusual" locations and ISP operating "standards" (would

Anything beginning with "people should" doesn't work on a large
scale.

>    you allow a physician with dirty hands to operate on you?).
>    I think the recent U.S. Court action classifying spammers as
>    trespassers and subject to fines and jail time in line with that is a
>    big step in the right direction.

What I've receive spam from the U.S.? Doesn't help me one bit.

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
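
An offline harness for the two Postfix checks quoted in the message above, added here as an example and not part of the original post. The function names, the sample headers and the sample DOS header bytes are constructed for illustration; it assumes Postfix's pcre table defaults (case-insensitive, "." matches newline) and rebuilds the body rule from the sample bytes rather than copying the quoted line.

```python
import base64
import re

# Port of the quoted mime_header_checks.pcre rule. Assumptions: Postfix pcre
# table defaults (case-insensitive, '.' matches newline); [[:xdigit:]] is
# written [0-9a-f] for Python's re; repeated alternatives are listed once.
MIME_RULE = re.compile(r"""
    ^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(?:
        ad[ep] | asd | ba[st] | chm | cmd | com(?=$|") | cpl | crt | dll |
        do | eml | exe | hlp | hta | in[ifs] | isp | js | jse? | lnk |
        md[betw] | ms[cipt] | nws | ocx | ops | pcd | p[ir]f | pps | reg |
        rm | sc[frt] | sh[bsm] | swf | url | vb[esx]? | vxd | zip | ws[cfh] |
        \{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}
    )\b""", re.I | re.S | re.X)

# Constructed sample: the usual first 57 bytes of a Windows executable.
DOS_HEADER = bytes.fromhex("4d5a9000" "03000000" "04000000" "ffff0000"
                           "b8000000" "00000000" "40000000") + bytes(29)


def first_base64_line(data):
    """First 76-column line a MIME encoder emits for this attachment."""
    return base64.encodebytes(data).decode("ascii").splitlines()[0]


# body_checks sees one body line at a time, so the rule is one whole line.
BODY_RULE = re.compile("^" + re.escape(first_base64_line(DOS_HEADER)) + "$")


def logical_headers(block):
    """Join folded continuation lines into one string per header."""
    headers = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def verdict(mime_headers, body_lines):
    """Return the REJECT text either rule would give, else 'PASS'."""
    if any(MIME_RULE.search(h) for h in logical_headers(mime_headers)):
        return "REJECT Windows executables not allowed"
    if any(BODY_RULE.search(line) for line in body_lines):
        return "REJECT Keep your executables!"
    return "PASS"
```

Running candidate headers through verdict() before reloading Postfix shows which legitimate attachments the extension list would also bounce (the list includes zip, for instance).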