Re: Email whitelist - how would you do it?
Re: Email whitelist - how would you do it?
on 06.07.2006 17:28:42 by keeling
magnate :
> I've decided to bite the spam bullet and set up a whitelist on my mail
> server. So only people I have personally added to the whitelist will be
> able to send me mail, and all spam will be rejected. I have a couple of
..........................^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
No, *everything* from non-whitelisted senders will be rejected. Job
offers, requests for help, secondary accounts (yahoo, hotmail) of
whitelisted senders, etc.
> questions about this:
>
> 1. I currently use exim4 as my MTA - it looks possible to configure a
> whitelist using exim4 alone. Is there any advantage to installing and
> configuring spamassassin as well? Many people swear by spamassassin,
Not much unless your whitelisted senders send you spam, or you get
spam that forges their address as the From: address. I get lots of
spam that says it was sent by me.
> 2. Are whitelists fooled by spam which fakes its source? I mean,
Obviously. However, depending on what you use to implement
whitelisting, it could be simple or complex. For instance, mine goes
so far as to look at originating IP in Received: lines. If that
doesn't match where that whitelisted sender usually sends from,
/dev/null (Spamfile, actually).
> wondered if anyone here knew how effective they were. Is spamassassin
> less easily fooled than exim4?
?!?
Spamassassin is trainable, has many, many tests which it uses to
decide, and lets you decide what score defines good mail and what
UCE/UBE.
Exim has filters, yes? What else? I imagine Exim can be set up to
use spamassassin to do the tests. However, that's not exactly
whitelisting.
A much better place to ask these questions is comp.mail.misc.
[Followups set: comp.mail.misc]
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html
Spammers! http://www.spots.ab.ca/~keeling/emails.html
Re: Email whitelist - how would you do it?
on 06.07.2006 17:58:34 by magnate
s. keeling wrote:
> A much better place to ask these questions is comp.mail.misc.
Thanks for the tip. I'll ask there.
CC
Re: Email whitelist - how would you do it?
on 06.07.2006 18:08:46 by magnate
s. keeling wrote:
> magnate :
> > I've decided to bite the spam bullet and set up a whitelist on my mail
> > server. So only people I have personally added to the whitelist will be
> > able to send me mail, and all spam will be rejected. I have a couple of
> .........................^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> No, *everything* from non-whitelisted senders will be rejected. Job
> offers, requests for help, secondary accounts (yahoo, hotmail) of
> whitelisted senders, etc.
That's right. I'm willing to put all the secondary accounts of my
personal contacts onto the whitelist (only a tiny fraction are geeky
enough to use more than one account). I'm willing to forego job offers
and other unsolicited non-spam. Those people can contact me via my web
site, or various kinds of instant messaging. If it's not spam, they'll
read a politely worded rejection which points them to these alternative
ways of contacting me.
> > questions about this:
> >
> > 1. I currently use exim4 as my MTA - it looks possible to configure a
> > whitelist using exim4 alone. Is there any advantage to installing and
> > configuring spamassassin as well? Many people swear by spamassassin,
>
> Not much unless your whitelisted senders send you spam, or you get
> spam that forges their address as the From: address. I get lots of
> spam that says it was sent by me.
That's what I was worried about.
> > 2. Are whitelists fooled by spam which fakes its source? I mean,
>
> Obviously. However, depending on what you use to implement
> whitelisting, it could be simple or complex. For instance, mine goes
> so far as to look at originating IP in Received: lines. If that
> doesn't match where that whitelisted sender usually sends from,
> /dev/null (Spamfile, actually).
Right. So it is surely possible to check the originating IP against the
DNS record of the claimed hostname, yes? That should get around simple
hostname faking, leaving only the trickier IP faking.
> > wondered if anyone here knew how effective they were. Is spamassassin
> > less easily fooled than exim4?
>
> ?!?
>
> Spamassassin is trainable, has many, many tests which it uses to
> decide, and lets you decide what score defines good mail and what
> UCE/UBE.
I'm not convinced that any machine can accurately judge the content of
mail. I want something which will simply judge the sender, and veto or
allow accordingly.
> Exim has filters, yes? What else? I imagine Exim can be set up to
> use spamassassin to do the tests. However, that's not exactly
> whitelisting.
Indeed not. So if I'm going to use a whitelist, I definitely don't need
spamassassin - thanks for helping me clear that up in my head. The
question remains, am I going to use a whitelist or not. I might try it
for a while and see how it goes.
Still very interested to hear from anyone else here who runs one.
CC
Re: Email whitelist - how would you do it?
on 06.07.2006 20:00:03 by Alan Connor
On comp.mail.misc, in , "s. keeling" wrote:
> Path: text.usenetserver.com!atl-c01.usenetserver.com!news.usenetserver.com!atl-c03.usenetserver.com!news.usenetserver.com!bigfeed3.bellsouth.net!news.bellsouth.net!newsfeed2.telusplanet.net!newsfeed.telus.net!edtnps90.POSTED!53ab2750!not-for-mail
> Newsgroups: comp.os.linux.setup,comp.mail.misc
> From: "s. keeling"
> Subject: Re: Email whitelist - how would you do it?
> References: <1152198448.060037.97470@m38g2000cwc.googlegroups.com>
> Reply-To: keeling@spots.ab.ca
> Followup-To: comp.mail.misc
> X-UCE: I forward UCE/spam with ALL headers to abuse@your.isp UNREAD!
If you can find the spammer's ISP, which you usually can't.
DUH
> X-UCE2: Wow, are spammers ever stoopid!
Really? They get spam in your mail boxes all the time.
And are never punished for it.
> X-PGP-Key: GPG key: http://keyserver.noreply.org:11371/pks/lookup?op=vindex&search=0x48EE77B1AC94E4B7
Those are worthless unless they are _very_ carefully
investigated.
All of the worst spammers and crackers and cyberstalkers have
one or more pseudo-identities with PGP/GPG sigs/keys. Some run
their own keyservers to make it easy...
> Message-ID:
> User-Agent: slrn/0.9.8.1 (Debian)
> Lines: 51
> Date: Thu, 06 Jul 2006 15:28:42 GMT
> NNTP-Posting-Host: 209.115.174.241
> X-Trace: edtnps90 1152199722 209.115.174.241 (Thu, 06 Jul 2006 09:28:42 MDT)
> NNTP-Posting-Date: Thu, 06 Jul 2006 09:28:42 MDT
> Xref: usenetserver.com comp.os.linux.setup:407409 comp.mail.misc:159821
> X-Received-Date: Thu, 06 Jul 2006 11:28:42 EDT (text.usenetserver.com)
http://slrn.sourceforge.net/docs/README.offline>
Never seen someone try to convince the world that they hate
spammers who wasn't a spammer.
I used to hate spam until I discovered a filter that removed
it from my life without any muss or fuss. They are called
challenge-response systems. Here's a brief introduction and
a few links:
http://home.earthlink.net/~alanconnor/elrav1/cr.html
Keeps the effing trolls out of my mailboxes too.
Note: Spammers and trolls _hate_ challenge-response systems
because they can't beat them, so they'll post a bunch of
garbage here, more than likely. Some links to web pages put
up by spammers pretending to be spamfighters that don't make
any sense, and the like.
So I won't even bother downloading any articles on this thread.
I don't let Internet vermin bother me any more. They get to
keep their stinking, punk mouths shut when they are in my
newsreader and get to stay out of my mailboxes.
Alan
--
See my headers.
Re: Email whitelist - how would you do it?
on 07.07.2006 00:43:09 by Fred Viles
"magnate" wrote in
news:1152202126.201535.97890@s26g2000cwa.googlegroups.com:
>...
>If it's not spam, they'll read a politely worded
> rejection which points them to these alternative ways of
> contacting me.
Maybe, maybe not. You can't be sure of that unless you set up your
mailserver to accept-then-bounce, which is a very bad idea. It will
make you guilty of generating collateral spam to innocent third
parties when spammers forge their addresses in MAIL FROM. That way
lies blacklisting...
OTOH, if you configure your server correctly, issuing a 5xx rejection
with your politely worded pointer, legitimate senders often will not
see it. Either because their server is brain-dead and did not
include it in the DSN it generates, or because they don't read the
DSN carefully.
There's no easy answers in this game...
- Fred
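Added example, not part of Fred's post or of any configuration in this thread: a simulated server side of an SMTP session that contrasts rejecting a non-whitelisted sender during the dialogue with accepting the message and bouncing it afterwards. The addresses, the pointer text and the `run_session` helper are constructed for illustration.

```python
import re

# Constructed values: one whitelisted correspondent and a hypothetical pointer text.
WHITELIST = {"friend@example.org"}
POINTER = "sender not on whitelist, see https://www.example.org/contact"
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sessions. In SPAM the envelope sender is forged: victim@example.net
# never sent anything.
SPAM = ["MAIL FROM:<victim@example.net>", "RCPT TO:<me@home.example>",
        "DATA", "Subject: buy now", "", "spam body", ".", "QUIT"]
FRIEND = ["MAIL FROM:<friend@example.org>", "RCPT TO:<me@home.example>",
          "DATA", "Subject: lunch?", "", "hello", ".", "QUIT"]


def address(line):
    """Extract the address between <> from a MAIL FROM / RCPT TO line."""
    m = ADDR_RE.search(line)
    return m.group(1).lower() if m else ""


def run_session(client_lines, policy):
    """Play the server side of one SMTP session.

    policy is "reject_at_smtp" or "accept_then_bounce".
    Returns (replies, outbound): the replies given to the connecting client,
    and the messages our own server would originate afterwards.
    """
    replies, outbound = [], []
    sender, rcpts, in_data = None, [], False
    for line in client_lines:
        if in_data:
            if line != ".":
                continue                      # message content, not a command
            in_data = False
            if sender in WHITELIST:
                replies.append("250 OK delivered")
            else:
                # Only reachable under accept_then_bounce: we now own the
                # message and must tell *someone* it was refused.
                replies.append("250 OK queued")
                if sender:                    # never bounce to the null sender <>
                    outbound.append({"to": sender,
                                     "subject": "Undeliverable: " + POINTER})
            sender, rcpts = None, []
            continue
        verb = line.upper()
        if verb.startswith("MAIL FROM:"):
            sender, rcpts = address(line), []
            replies.append("250 OK")
        elif verb.startswith("RCPT TO:"):
            if sender is None:
                replies.append("503 sender not yet given")
            elif policy == "reject_at_smtp" and sender not in WHITELIST:
                # The connecting server keeps responsibility for the message;
                # a human sees POINTER only if that server copies it into its DSN.
                replies.append("550 5.7.1 " + POINTER)
            else:
                rcpts.append(address(line))
                replies.append("250 Accepted")
        elif verb == "DATA":
            if rcpts:
                in_data = True
                replies.append('354 Enter message, ending with "."')
            else:
                replies.append("503 valid RCPT command must precede DATA")
        elif verb == "QUIT":
            replies.append("221 closing connection")
            break
        else:
            replies.append("500 unrecognized command")
        if replies[-1].startswith("5"):
            break                             # simulated client gives up on a 5xx
    return replies, outbound


if __name__ == "__main__":
    for policy in ("reject_at_smtp", "accept_then_bounce"):
        replies, outbound = run_session(SPAM, policy)
        print(policy, replies, "mail we originate:", [m["to"] for m in outbound])
```

Under `accept_then_bounce` the only message the server originates goes to the forged `victim@example.net`; under `reject_at_smtp` it originates nothing.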
Re: Email whitelist - how would you do it?
on 07.07.2006 01:36:12 by Alan Clifford
On Thu, 6 Jul 2006, magnate wrote:
m>
m> Still very interested to hear from anyone else here who runs one.
m>
I run a white list but it is towards the end of spam processing and was
originally there to stop whitelisted addresses hitting the autoresponder.
This is implemented in procmail.
I now add to the whitelist in at least four ways. When I send mail, I
have an outgoing filter in Pine that adds the outgoing address to the
whitelist; anyone replying with the autoresponder's password is
whitelisted; there are certain addresses like the "tuna" address (see
signature) in a second whitelist based on incoming addresses that, if
used, will add the sender to the whitelist; and now I whitelist incoming
plussed addresses like alan+companyname@. I have a "naughty plus"
blacklist facility all ready to go but I haven't had any abuse yet. I
implemented the plussed addressed whitelisting so that I can give an email
address on websites where I have no idea what address their emails will
come from.
However, before reaching my autoresponder and white list, all mail has to
pass greylisting, spam assassin and my own procmail recipes. And the
greylisting and spam assassin are so successful it is probably time to
turn off the autoresponder and just filter to the "probably spam" folder.
I see that today a couple of emails got as far as the autoresponder. As
it happens they were both to an alan+companyname address but to my
purse-seine.net domain rather than to my clifford.ac domain so they didn't
qualify for whitelisting. But this is possibly a good example for
inclusion of one of the senders in the whitelist. The originator of one
was for the renewal of a subscription to a trade paper, the other was
spam. And with a to: address of alan+ReedElsevierGroupplc @
purse-seine.net, the trade paper has obviously abused the privilege of
being given my email address.
--
Alan
( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this a very
old message, a "tuna" will swim right through. )
Re: Email whitelist - how would you do it?
on 07.07.2006 02:03:43 by Sam
Usenet Beavis writes:
> On comp.mail.misc, in , "s. keeling" wrote:
>> Path: text.usenetserver.com!atl-c01.usenetserver.com!news.usenetserver.com!atl-c03.usenetserver.com!news.usenetserver.com!bigfeed3.bellsouth.net!news.bellsouth.net!newsfeed2.telusplanet.net!newsfeed.telus.net!edtnps90.POSTED!53ab2750!not-for-mail
>> Newsgroups: comp.os.linux.setup,comp.mail.misc
>> From: "s. keeling"
>> Subject: Re: Email whitelist - how would you do it?
>> References: <1152198448.060037.97470@m38g2000cwc.googlegroups.com>
>> Reply-To: keeling@spots.ab.ca
>> Followup-To: comp.mail.misc
>> X-UCE: I forward UCE/spam with ALL headers to abuse@your.isp UNREAD!
>
> If I can only find where I misplaced my brain, which I usually can't.
*SLAP* *SLAP* *SLAP* *SLAP* *SLAP* *SLAP* *SLAP* *SLAP* *SLAP* *SLAP* *SLAP*
BEAVIS!!!!!!
Welcome back to comp.mail.misc. I guess you're tired of getting
bitchslapped in news.software.readers?
*SLAP*
Or not.
*SLAP*
You know that you are forbidden to post in this newsgroup.
*SLAP* *SLAP* *SLAP*
And you know that, as a punishment, I must smack your bitch up.
*SLAP*
It's for your own good, you know.
*SLAP* *SLAP*
You need a combination of both a positive and a negative reinforcement, to
learn a thing or two.
*SLAP*
This, if you can't tell, is the negative reinforcement part of your learning
process.
*SLAP* SLAP*'
>
> DUH
>
>> X-UCE2: Wow, is Usenet Beavis ever stoopid!
>
> Really?
Really.
> I post kookfarts every day. Shouldn't that count for something?
I'm a frayed knot.
>> X-PGP-Key: GPG key: http://keyserver.noreply.org:11371/pks/lookup?op=vindex&search=0x48EE77B1AC94E4B7
>
> Those are worthless to me, because I have a very small brain that is
> totally incapable of understanding anything more complicated than a
> ball on a string.
Eat your Wheaties, Beavis.
> All of my mental superiors, at least all the ones I consider to be my
> heroes, they all use PGP/GPG sigs/keys. Some even run their own keyservers
> which is really impressive.
Beavis, I'm sure that you find the working of the refrigerator door light
equally impressive.
>
Thank you for your kookfart, Beavis.
Why the long face, Beavis? It's been more than 24 hours since your last
kookfart explosion. You must be running out of gas, you poor dear.
> Never seen someone try to convince the world that he is hot shit on a bun
> who wasn't really a Beavis.
Right.
> I used to be a normal person, who could relate to people. Until I met
> Bigfoot (http://tinyurl.com/23r3f) and got seduced by the Dark Side Of
> The Force (http://tinyurl.com/2gjcy). And that's how I became The Usenet
> Beavis. The only thing I ever do is have one kookfart after another, as
> long as I don't run out of gas. Please visit my home page at:
>
> http://www.geocities.com/suhatrasabib
Beavis, you were such a cute baby. What happened?
> This is how I keep all normal people out of my mailbox.
No kidding.
> Note: The Usenet Beavis hates when nobody responds to him, except to smack
> his bitch up, so I try to post bigger and bigger kookfarts all the time,
> in hopes of getting someone weak-minded to pay any attention to me. I
> think that I'm such a hot piece of shit on a bun, and it never enters my
> microscopic brain that I'm full of it, and instead of dealing with the
> sad reality, I'd rather stick my head in a pile of sand, and pretend that
> it's not raining.
Beavis, that's not really rain.
> I will be downloading and reading every articles in this thread, because I
> am an attention pig.
Good for you.
> I don't let common sense bother me any more. Common sense causes some
> kind of an allergic reaction. So beware, and make sure that your bladders
> are in good working order, because I'm the Usenet Beavis, the enemy of
> weak bladders everywhere!
>
> Beavis
>
> --
> See my kookfarts.
*SLAP*
Re: Email whitelist - how would you do it?
on 07.07.2006 02:04:40 by Alan Clifford
On Thu, 6 Jul 2006, Fred Viles wrote:
FV> OTOH, if you configure your server correctly, issuing a 5xx rejection
FV> with your politely worded pointer, legitimate senders often will not
FV> see it. Either because their server is brain-dead and did not
FV> include it in the DSN it generates, or because they don't read the
FV> DSN carefully.
FV>
I have a wild card entry, slightly munged here because no doubt it will be
harvested.
@clifford.ac error:550 "Spam problems. Try XXXXXXXXXXXXXXX@clifford.ac"
I see from the log that this is hit frequently but I have never received
an email to that address.
I guess you could call this a form of whitelisting but on destination
addresses as you need a list of legitimate addresses that get past this
rejection.
--
Alan
( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this a very
old message, a "tuna" will swim right through. )
[OT] Fred Viles (was: Email whitelist - how would you do it?)
on 07.07.2006 02:20:57 by Alan Connor
On comp.mail.misc, in , "Fred Viles" wrote:
> Path: text.usenetserver.com!atl-c01.usenetserver.com!news.usenetserver.com!atl-c05.usenetserver.com!news.usenetserver.com!cycny01.gnilink.net!spamkiller2.gnilink.net!gnilink.net!trndny02.POSTED!56ddd13d!not-for-mail
> Newsgroups: comp.mail.misc
> Subject: Re: Email whitelist - how would you do it?
> From: Fred Viles
http://groups.google.com/advanced_group_search
Fred Viles
Results 1 - 16 of 16 posts in the last year
10 alt.dbs.echostar
1 ba.internet
5 comp.mail.misc
So you expect us to believe that someone who is obviously a
Usenet pro has only posted 16 times?
1.You have a special, ever-changing, spam-blocking mailbox
devoted to the Usenet.
> References: <1152198448.060037.97470@m38g2000cwc.googlegroups.com> <1152202126.201535.97890@s26g2000cwa.googlegroups.com>
> Organization: Embedded Performance, Inc.
2. You know how to add gratuitous headers.
It's probably completely bogus. Otherwise there'd be a URL
to a website, and even then he might have nothing to do with
that company (if it exists). He might be using the name of
someone who works there.
Companies don't generally like their employees to behave like
trolls on the Internet, for obvious reasons.
> Message-ID:
> User-Agent: Xnews/5.04.25
3. Sophisticated newsreader.
> Lines: 23
> Date: Thu, 06 Jul 2006 22:43:09 GMT
> NNTP-Posting-Host: 70.20.46.161
$ host 70.20.46.161
Name: pool-70-20-46-161.man.east.verizon.net
Address: 70.20.46.161
> X-Complaints-To: abuse@verizon.net
Why complain? I'm not downloading a single article on this
thread. Or from this alias, ever, nor any responses to his
articles.
> X-Trace: trndny02 1152225789 70.20.46.161 (Thu, 06 Jul 2006 18:43:09 EDT)
> NNTP-Posting-Date: Thu, 06 Jul 2006 18:43:09 EDT
> Xref: usenetserver.com comp.mail.misc:159825
> X-Received-Date: Thu, 06 Jul 2006 18:43:12 EDT (text.usenetserver.com)
http://slrn.sourceforge.net/docs/README.offline>
Alan
--
See my headers.
FAQ: Canonical list of questions Beavis refuses to answer (V1.90) (was Re: [OT] Usenet Beavis
on 07.07.2006 02:40:34 by Sam
Usenet Beavis writes:
> http://groups.google.com/advanced_group_search
> Fred Viles
> Results 1 - 16 of 16 posts in the last year
Results 1 - 10 of 23,600 for usenet beavis (0.22 seconds)
You win, Beavis.
> So do you really believe that someone who is a Usenet Beavis
> really understands how Usenet and Google works?
Nope.
> 1. I have a desperate urge to continuously post kookfarts, because I'm
> starved for attention.
Check.
>> References: <1152198448.060037.97470@m38g2000cwc.googlegroups.com> <1152202126.201535.97890@s26g2000cwa.googlegroups.com>
>> Organization: Embedded Performance, Inc.
>
> 2. I know how to have a cow for no reason whatsoever.
Check.
>
> I'm a sorry excuse for a human being. My problem is that
> I was dropped on my head as a child. This resulted in me
> suffering from Attention Deficit Disorder, which eventually
> turned me into the Usenet Beavis.
At least look on the bright side: you're providing free entertainment for
the masses.
> Companies don't generally like their employees to behave like
> the Usenet Beavis on the Internet, for obvious reasons.
Correct.
>> Message-ID:
>
>> User-Agent: Xnews/5.04.25
>
> 3. Sophisticated newsreader.
Beavis, to you anything beyond paper and crayons seems sophisticated.
>> Lines: 23
>> Date: Thu, 06 Jul 2006 22:43:09 GMT
>> NNTP-Posting-Host: 70.20.46.161
>
> $ host 70.20.46.161
> Name: pool-70-20-46-161.man.east.verizon.net
> Address: 70.20.46.161
Beavis is pretending he knows something about DNS.
>> X-Complaints-To: abuse@verizon.net
>
> Why complain?
Because you're wasting a lot of perfectly good oxygen, Beavis.
> I'm a Usenet Beavis, who is having an orgasm over
> a bunch of headers from someone else's posts. Some people have a
> a foot fetish. Others have a fetish over some produce vegetable
> perhaps. I have a fetish over message headers.
At least it keeps you off the streets, and out of trouble.
>
Thank you for your kookfart, Beavis.
> Beavis
>
> --
> See my kookfarts.
*SLAP*
FAQ: Canonical list of questions Beavis refuses to answer (V1.90)
This is a canonical list of questions that Beavis never answers. This FAQ is
posted on a semi-regular schedule, as circumstances warrant.
For more information on Beavis, see:
http://www.pearlgates.net/nanae/kooks/ac/
Although Beavis has been posting for a long time, he always remains silent
on the subjects enumerated below. His response, if any, usually consists of
replying to the parent post with a loud proclamation that his Usenet-reading
software runs a magical filter that automatically identifies anyone who's
making fun of him, and hides those offensive posts. For more information
see question #9 below.
============================================================================
1) Why are you afraid of posting to alt.usenet.kooks?
2) If your Challenge-Response spam filter works so well, why are you munging
your address, when posting to Usenet?
3) If spammers avoid forging real E-mail addresses on spam, then where do
all these bounces everyone reports getting (for spam with their return
address was forged onto) come from?
4) If your Challenge-Response filter is so great, why don't you use it?
(http://tinyurl.com/rvvsd)
5) Do you still believe that rsh is the best solution for remote access?
(http://tinyurl.com/5qqb6)
6) What is your evidence that everyone who disagrees with you, and thinks
that you're a moron, is a spammer?
7) What is your evidence that everyone who disagrees with you, and thinks
that you're a moron, is a "troll"?
8) How many different individuals do you believe really post to Usenet? What
is the evidence for your paranoid belief that everyone, except you, who
posts here is some unknown arch-nemesis of yours?
9) How many times, or how often, do you believe is necessary to announce
that you do not read someone's posts? What is your reason for making these
regularly-scheduled proclamations? Who do you believe is so interested in
keeping track of your Usenet-reading habits?
10) When was the last time you saw Bigfoot (http://tinyurl.com/23r3f)?
11) If your C-R system employs a spam filter so that it won't challenge
spam, then why does any of the mail that passes the filter, and is thusly
presumed not to be spam, need to be challenged?
12) You claim that the software you use to read Usenet magically identifies
any post that makes fun of you. In http://tinyurl.com/3swes you explain
that "What I get in my newsreader is a mock post with fake headers and no
body, except for the first parts of the Subject and From headers."
Since your headers indicate that you use slrn and, as far as anyone knows,
the stock slrn doesn't work that way, is this interesting patch to slrn
available for download anywhere?
13) You regularly post alleged logs of your procmail recipe autodeleting a
bunch of irrelevant mail that you've received. Why, and who exactly do you
believe is interested in your mail logs?
14) How exactly do you "enforce" an "order" to stay out of your mailbox,
supposedly (http://tinyurl.com/cs8jt)? Since you issue this "order" about
every week, or so, apparently nobody wants to follow it. What are you going
to do about it?
15) What's with your fascination with shit? (also http://tinyurl.com/cs8jt,
and http://tinyurl.com/qv296; or http://makeashorterlink.com/?A2343263D and
http://makeashorterlink.com/?G2242163D ) ?
16) You complain about some arch-nemesis of yours always posting forged
messages in your name. Can you come up with even a single URL, as an example
of what you're talking about?
17) You always complain about some mythical spammers that pretend to be
spamfighters (http://tinyurl.com/br4td). Who exactly are those people, and
can you post a copy of a spam that you supposedly received from them, that
proves that they're really spammers, and not spamfighters?
Re: Email whitelist - how would you do it?
on 07.07.2006 13:07:12 by magnate
Alan Clifford wrote:
> On Thu, 6 Jul 2006, magnate wrote:
>
> m> Still very interested to hear from anyone else here who runs one.
>
> I run a white list but it is towards the end of spam processing and was
> originally there to stop whitelisted addresses hitting the autoresponder.
> This is implemented in procmail.
Well, thanks for the info but that's way too complex for me. I want to
set up a whitelist and be done with it, everyone else can go to hell. I
have absolutely no need for unsolicited email of any sort. People can
get in touch with me by post, IM, my blog, FriendsReunited, usenet etc.
etc. I'm quite happy with being totally unable to receive emails from
domains not on my whitelist.
What I need to know now is how to configure exim to verify that emails
really are from where they say they are from - otherwise a whitelist is
useless. Does anyone know how to do this? Is it possible to fake an
originating IP, not just a From: domain? If so, is it possible to
detect fake valid IPs? (Invalid IPs - bogons - are of course easy to
weed out.)
CC
Re: Email whitelist - how would you do it?
on 07.07.2006 14:15:42 by James Wilkinson
magnate wrote:
> What I need to know now is how to configure exim to verify that emails
> really are from where they say they are from - otherwise a whitelist is
> useless. Does anyone know how to do this? Is it possible to fake an
> originating IP, not just a From: domain? If so, is it possible to
> detect fake valid IPs? (Invalid IPs - bogons - are of course easy to
> weed out.)
Hi there.
As you can see, I'm also a Demon subscriber. Demon's DNS servers appear
to have no knowledge of the dbass.demon.co.uk domain -- it doesn't seem
to have any MX records (so e-mail can be delivered there).
So it looks as though the above e-mail address doesn't work. That's OK,
given your wish not to have people e-mail you. But it might be a good
idea to have an *obviously* dud e-mail address there. For one thing, if
you're not going to read people's e-mails, you might as well save them
the time they took writing them. For another, there's no guarantee
(unless you know otherwise) that Demon won't allocate the domain to
someone else. Then they'll be reading your e-mail (which you don't want)
and your spam (which they won't want).
The .invalid domain is reserved for this purpose.
So are you trying to protect a Demon address? Is it a residential ADSL
connection, or do you have dial-up, or a business line?
Demon don't SMTP deliver e-mail to residential ADSL accounts: you have
to use POP3 to download it. That means that you'll probably be using
fetchmail to pipe incoming e-mail into exim. Demon will (or used to) use
SMTP to deliver to dial-up accounts [1], and they will let you host a
primary MX for business accounts. But with dial-up accounts, the e-mail
will still come via Demon's servers, and it still might come via Demon's
backup MXes even if you've got a business line.
So unless you've got a business connection, the IP address that connects
to exim will be either yours or Demon's -- which isn't that helpful in
filtering. You can try filtering based on the IP addresses in the
mail headers, but that means downloading the e-mail.
So either you're still going to have to download everything, or you're
going to have to do *two* levels of whitelisting -- one based on the
"MAIL FROM" address, which should filter e-mails down to the ones
allegedly from whitelisted accounts, and one based on IP addresses. At
the moment, it looks like you can take the IP address from the line
Received: from [211.106.174.67] (helo=yesshin.org)
by $SOMETHING-hub.mail.demon.net ...
seriously: it's a Demon computer saying that it received the e-mail from
that IP address. It was sent over a TCP connection, so either it *did*
come from that IP address, or someone's hijacked control of routing or a
router en-route. (It's possible...) But again, there's no guarantee that
Demon will continue to name their receiving MXes that way.
The *next* problem you have to cope with is "how do you know which IP
addresses are valid?" Sender Policy Framework (SPF) actually helps here
(which is unusual), but (a) you'd probably have to script a SPF lookup
yourself, and (b) many (most?) sites don't publish records. Again,
without SPF, your correspondent's ISPs are quite at liberty to change
hosts, IP addresses, names, or to merge, get bought, sell off
operations, etcetera, all without consulting you. [2]
So, at least initially, I'd get whitelisting going based on the alleged
sender, and blacklist anything that comes in from Demon that's allegedly
from your site (unless you're on a mailing list)[3].
Don't forget that Demon expect to be able to send you e-mail.
In any case, once e-mail has gone through Demon's servers, it's too late
to issue a rejection message these days -- you'll be sending unsolicited
bulk (due to the quantity of spam) e-mails to forged addresses.
Hope this helps,
James.
[1] They've kept this working from the days before POP3.
[2] Disgraceful, isn't it?
[3] I'm seeing a lot of spam that's allegedly from westexe.demon.co.uk,
but none allegedly from anyone I correspond with.
--
E-mail address: james | "No animals were harmed in the making of this burger."
@westexe.demon.co.uk | -- "I'm Sorry, I Haven't A Clue", BBC Radio 4
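Added example, not part of the thread and not any poster's own filter: the two-level check James describes (envelope sender first, then the IP recorded by a trusted receiving host), which is also the "originating IP in Received: lines" test keeling mentions. It goes one step further than the post by following the trusted chain by relay IP rather than by host name alone. All host names, networks and whitelist entries are constructed, and `mail_from` is assumed to be supplied by the MTA.

```python
import ipaddress
import re
from email import message_from_string

# Everything below is constructed for illustration (RFC 5737 / RFC 2606 values).
OWN_HOST = "mx.home.example"      # name our own MTA writes in its Received: stamp
ISP_SUFFIX = ".isp.example"       # stands in for "$SOMETHING-hub.mail.demon.net"
TRUSTED_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]   # the ISP's relays

# Level 1 key: envelope sender. Level 2 value: where that sender usually sends from.
WHITELIST = {
    "friend@example.org": [ipaddress.ip_network("192.0.2.0/24")],
    "aunt@example.net": [ipaddress.ip_network("198.51.100.7/32")],
}

HOP_RE = re.compile(r"^\s*from\s+(?P<peer>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I | re.S)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed message. The third Received: line was written by the sender and
# claims aunt's usual IP; the second was written by the ISP hub.
SAMPLE = (
    "Received: from relay1.isp.example ([203.0.113.5])\n"
    "\tby mx.home.example with esmtp; Fri, 07 Jul 2006 12:00:02 +0000\n"
    "Received: from [192.0.2.44] (helo=friend-pc)\n"
    "\tby in-hub.isp.example with smtp; Fri, 07 Jul 2006 12:00:01 +0000\n"
    "Received: from [198.51.100.7] by in-hub.isp.example; Fri, 07 Jul 2006 11:59:00 +0000\n"
    "From: Friend <friend@example.org>\n"
    "Subject: lunch?\n"
    "\n"
    "body\n"
)


def parse_received(value):
    """Return (peer_ip, stamping_host) for one Received: value, or None."""
    hop = HOP_RE.match(value)
    literal = IP_RE.search(hop.group("peer")) if hop else None
    if not literal:
        return None
    try:
        return ipaddress.ip_address(literal.group(1)), hop.group("by").lower()
    except ValueError:
        return None


def boundary_ip(raw_message):
    """IP that handed the message to infrastructure we trust, or None.

    Received: lines are prepended, so the topmost is the newest. Walk down only
    while the stamp comes from a trusted host AND the peer it recorded is one of
    our relays. The first peer that is not a relay is the outside connection;
    lines below it were supplied by that peer and are never read.
    """
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            return None
        peer, by_host = hop
        if by_host != OWN_HOST and not by_host.endswith(ISP_SUFFIX):
            return None
        if not any(peer in net for net in TRUSTED_RELAYS):
            return peer
    return None


def check(mail_from, raw_message):
    """Two-level whitelist decision: (verdict, reason)."""
    sender = mail_from.strip().strip("<>").lower()
    usual = WHITELIST.get(sender)
    if usual is None:
        return "reject", "envelope sender not whitelisted"
    ip = boundary_ip(raw_message)
    if ip is None:
        return "quarantine", "no trustworthy Received: line"
    if any(ip in net for net in usual):
        return "accept", f"{sender} from usual address {ip}"
    return "quarantine", f"{sender} does not usually send from {ip}"


if __name__ == "__main__":
    for claimed in ("friend@example.org", "aunt@example.net", "stranger@example.com"):
        print(claimed, "->", check(claimed, SAMPLE))
```

The forged third `Received:` line does not help a message claiming to be from `aunt@example.net`, because the walk stops at the hop the ISP hub recorded.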
Re: Email whitelist - how would you do it?
on 07.07.2006 15:43:10 by magnate
James Wilkinson wrote:
> magnate wrote:
> > What I need to know now is how to configure exim to verify that emails
> > really are from where they say they are from - otherwise a whitelist is
> > useless. Does anyone know how to do this? Is it possible to fake an
> > originating IP, not just a From: domain? If so, is it possible to
> > detect fake valid IPs? (Invalid IPs - bogons - are of course easy to
> > weed out.)
>
> Hi there.
>
> As you can see, I'm also a Demon subscriber. Demon's DNS servers appear
> to have no knowledge of the dbass.demon.co.uk domain -- it doesn't seem
> to have any MX records (so e-mail can be delivered there).
Hi James,
I gave up on Demon four or five years ago, when they would not offer
broadband for a reasonable price. I waited and waited, stuck on dial-up
for over two years after residential broadband was available. They
wanted 50 quid a month I think (plus a huge installation fee), and in
the end I went with Telewest for half that (and free installation).
Never looked back. I registered my own domain and have plenty of email
delivered successfully to it - so much, in fact, that I need to do
something about all the spam.
> So it looks as though the above e-mail address doesn't work. That's OK,
> given your wish not to have people e-mail you. But it might be a good
> idea to have an *obviously* dud e-mail address there. For one thing, if
I was with Demon when I first registered for Google groups, and there
wasn't so much spam that you daren't use a real email address. Since
I've left Demon I've changed the emails I use for everything else, but
it's handy to have a non-functioning email for Usenet because it's so
often harvested.
The worst that happens is that someone replies to one of my posts
saying "I emailed you but it got bounced", and I get in touch with them
and they re-send it. It's only a problem for people who don't keep
copies of their sent messages.
> So are you trying to protect a Demon address? Is it a residential ADSL
> connection, or do you have dial-up, or a business line?
It's a residential Telewest cable connection. 4Mbit, 24/7 uptime,
pseudo-static IP (ie. they don't force-change it but you lose the lease
if you're offline for more than a day or two, and then it will change).
My domain and its MX are registered with DynDNS and my Linux ddclient
program notifies DynDNS automatically if the IP changes.
> Demon don't SMTP deliver e-mail to residential ADSL accounts: you have
No, but Telewest do. Best of both worlds: incoming SMTP, outgoing
smarthost.
> So either you're still going to have to download everything, or you're
> going to have to do *two* levels of whitelisting -- one based on the
Since my box's IP is the one set for the MX record, I "download" all
the emails anyway (ie. they come into port 25 on my machine to be
processed by exim). I have no problem with that.
> The *next* problem you have to cope with is "how do you know which IP
> addresses are valid?" Sender Policy Framework (SPF) actually helps here
> (which is unusual), but (a) you'd probably have to script a SPF lookup
> yourself, and (b) many (most?) sites don't publish records. Again,
> without SPF, your correspondent's ISPs are quite at liberty to change
> hosts, IP addresses, names, or to merge, get bought, sell off
> operations, etcetera, all without consulting you. [2]
Yes, this is the tricky bit. Like I said, it's easy to spot invalid IPs
- I'm sure exim can be configured to use the same bogons-update that
Shorewall uses - the real problem is IPs which are valid but incorrect
(ie. do not correspond to the domain they claim to have been sent
from). It should be possible to check this too, by querying MX records
via DNS, but I'm going to have to do some learning to hack that.
> So, at least initially, I'd get whitelisting going based on the alleged
> sender, and blacklist anything that comes in from Demon that's allegedly
> from your site (unless you're on a mailing list)[3].
I'll start with a whitelist of senders I know personally, and expand
from there. I'll watch carefully for spam getting through by faking
sender info, and take action accordingly.
> Don't forget that Demon expect to be able to send you e-mail.
Not any more! Telewest have hardly contacted me in four years apart
from to return my calls, which is great. They always use the phone
anyway.
> In any case, once e-mail has gone through Demon's servers, it's too late
> to issue a rejection message these days -- you'll be sending unsolicited
> bulk (due to the quantity of spam) e-mails to forged addresses.
Yes, I've abandoned the idea of a politely-worded rejection message -
I'll simply put the explanation on my web site.
> Hope this helps,
Yes, it does - many thanks,
Chris
Re: Email whitelist - how would you do it?
am 07.07.2006 16:30:14 von Fred Viles
"magnate" wrote in
news:1152279790.350414.108300@k73g2000cwa.googlegroups.com:
>...
> the real problem is IPs
> which are valid but incorrect (ie. do not correspond to the
> domain they claim to have been sent from). It should be possible
> to check this too, by querying MX records via DNS,
It is easy enough in exim to make the check you are talking about,
but it won't have the desired effect. The problem is that you are
assuming that legitimate mail from a given sender domain will come
from an inbound (MX) host for that domain, but there's no basis for
that assumption. It is a good practice, and hence common, for
inbound and outbound servers to be separate.
Not to mention the fact that legitimate senders may have multiple
ISPs and send via whichever one they happen to be connected with ATM,
or may be sending from a webmail account, or be using a legitimate
gmail address but sending via their ISP's smarthost, etc., etc..
- Fred
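The point in the reply above (outbound servers are often not the domain's MX hosts) and the SPF lookup James suggests scripting, as an added example that is not code from anyone in the thread. The DNS records, names and addresses are constructed (documentation ranges), and the evaluator covers only the ip4, a, mx, include and all mechanisms.

```python
import ipaddress

# Constructed DNS data: documentation names and address ranges, not real records.
ZONE = {
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["192.0.2.10"],  # inbound-only host
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/28 include:_spf.isp.example -all"],
    ("_spf.isp.example", "TXT"): ["v=spf1 ip4:203.0.113.25 ~all"],  # ISP smarthost
    ("nospf.example", "MX"): ["mail.nospf.example"],
    ("mail.nospf.example", "A"): ["192.0.2.77"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

def mx_addresses(domain):
    return {ip for host in lookup(domain, "MX") for ip in lookup(host, "A")}

def mx_check(ip, domain):
    """The check proposed in the thread: is the client one of the domain's MX hosts?"""
    return ip in mx_addresses(domain)

def spf_check(ip, domain, depth=0):
    """Evaluate the domain's SPF record left to right; return the SPF result."""
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1 or depth > 10:
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = QUALIFIERS.get(term[0])
        mech = term[1:] if qual else term
        name, _, arg = mech.partition(":")
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = ip in lookup(arg or domain, "A")
        elif name == "mx":
            hit = ip in mx_addresses(arg or domain)
        elif name == "include":
            # include matches only when the included record returns pass
            hit = spf_check(ip, arg, depth + 1) == "pass"
        else:
            continue  # modifiers and other mechanisms are not handled here
        if hit:
            return qual or "pass"
    return "neutral"
```

With this data the ISP smarthost 203.0.113.25 fails the MX check but passes SPF, the MX host itself is not an authorised sender, and a domain that publishes no record gives "none", so the whitelist needs a fallback for it.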
Re: Email whitelist - how would you do it?
am 07.07.2006 16:41:32 von magnate
Fred Viles wrote:
> "magnate" wrote in
>
> >...
> > the real problem is IPs
> > which are valid but incorrect (ie. do not correspond to the
> > domain they claim to have been sent from). It should be possible
> > to check this too, by querying MX records via DNS,
>
> It is easy enough in exim to make the check you are talking about,
> but it won't have the desired effect. The problem is that you are
> assuming that legitimate mail from a given sender domain will come
> from an inbound (MX) host for that domain, but there's no basis for
> that assumption. It is a good practice, and hence common, for
> inbound and outbound servers to be separate.
Oh yes, I hadn't considered that. I don't suppose you can assume that
the sending server has a name which has anything at all in common with
the mail domain (eg. mail from someone@somewhere.com won't necessarily
originate from a machine in the somewhere.com domain) ... but still, you
could at least look up the originating IP and see if it has any
connection with the claimed sending domain ... that might require a bit
of learning or hand-tweaking.
> Not to mention the fact that legitimate senders may have multiple
> ISPs and send via whichever one they happen to be connected with ATM,
> or may be sending from a webmail account, or be using a legitimate
> gmail address but sending via their ISP's smarthost, etc., etc..
I'm quite happy to add the additional accounts or domains of any
friends with multiple ISPs (very very few of my contacts have more than
one email address or ISP). Smarthosts are a positive boon, because they
reduce the number of potential legitimate senders and they're usually
very helpfully named (smtp.isp.co.uk or similar).
Whatever happens, it sure as hell isn't going to be simple.
Ho hum.
CC
Can Alan Connor understand "lurking"? No.
am 08.07.2006 00:46:58 von TwistyCreek
Alan Connor wrote:
> On comp.mail.misc, in , "Fred Viles" wrote:
>
> > Path: text.usenetserver.com!atl-c01.usenetserver.com!news.usenetserver.com!atl-c05.usenetserver.com!news.usenetserver.com!cycny01.gnilink.net!spamkiller2.gnilink.net!gnilink.net!trndny02.POSTED!56ddd13d!not-for-mail
>
> > Newsgroups: comp.mail.misc
> > Subject: Re: Email whitelist - how would you do it?
> > From: Fred Viles
>
> http://groups.google.com/advanced_group_search
> Fred Viles
> Results 1 - 16 of 16 posts in the last year
> 10 alt.dbs.echostar
> 1 ba.internet
> 5 comp.mail.misc
>
> So you expect us to believe that someone who is obviously a
> Usenet pro has only posted 16 times?
how is he 'obviously a usenet pro'? Maybe he's spent a couple of years
lurking, only posting when he's got a question.
as for 'sophisticated newsreader'... maybe he's got the brains to read
reviews, websites, docs, and what other users have to say and make his
choice based on those data, then spend time reading docs and becoming
familiar with the program before using it?
AC is such a floon!
Re: Can Alan Connor understand "lurking"? No.
am 08.07.2006 01:41:42 von Alan Connor
On comp.mail.misc, in , "TwistyCreek" wrote:
http://slrn.sourceforge.net/docs/README.offline
> Subject: Can Alan Connor understand 'lurking'? No.
Doesn't matter. What matters is that I can force dipschitts like
you to post stupid things on the Subject line.
While you cower behind yet another kindergarten pseudo-identity
with your tail between your legs where your balls should be.
Note: I will not be downloading any articles on this thread.
Alan
--
See my headers.
Re: Can Usenet Beavis understand "lurking"? No.
am 08.07.2006 02:08:03 von Sam
Usenet Beavis writes:
> On comp.mail.misc, in , "TwistyCreek" wrote:
>
>
Thank you for your kookfart, Beavis.
>> Subject: Can Usenet Beavis understand 'lurking'? No.
>
> Doesn't matter. What matters is that I am the Usenet Beavis, and who cares
> if I have absolutely no clue whatsoever what lurking means?
We all do, Beavis. As long as you remain blissfully ignorant of Usenet
basics, you'll forever remain the lovable kookbag that you are.
> While you continue to make fun of the Usenet Beavis, and use me as an
> example of the dangers of drinking alcohol during pregnancy.
Even Bigfoot knows better than that.
> Note: I will be downloading every article in this thread.
And you will love every byte of each and every one.
> Beavis
>
> --
> See my kookfarts.
*SLAP*
Re: Email whitelist - how would you do it?
am 08.07.2006 19:25:14 von TS
In article ,
Fred Viles wrote:
> There's no easy answers in this game...
Maybe so, but there are some good options. Adding addresses to a
whitelist is easy per se, but the crucial, tricky problem is that of
the first contact.
One of the options is to set up (or include on) a web page that can
be used to send the email. The upside of the method is that in
practice it has turned out to be very spam resistant. The downside
is that to send the first email the sender has to know the address
of the web page (which, basically, is no more complicated than
knowing an email address!).
On the web page one has something like this
Send
email to Yours Truly
In the procmail filter one accepts unknown email if the KEYWORD
appears in the address.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:ts@uwasa.fi ; FIN-65101, Finland
Timo's procmail tips at http://www.uwasa.fi/~ts/info/proctips.html
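The first-contact rule described in the post above, as an added example in Python rather than procmail; it is not the poster's own filter. The whitelist, the keyword "tulip" and the plus-tag form of the address (me+tulip@example.com) are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

WHITELIST = {"alice@example.org", "bob@example.net"}  # constructed
KEYWORD = "tulip"  # hypothetical keyword carried by the web page's mailto link

def recipients(msg):
    """All (display name, address) pairs from the To: and Cc: headers."""
    return getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))

def decide(raw):
    """Return 'accept:whitelisted', 'accept:first-contact' or 'reject'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in WHITELIST:
        return "accept:whitelisted"
    for _name, addr in recipients(msg):
        local = addr.lower().partition("@")[0]
        # Only an exact plus tag in the address counts, not the display
        # name, the Subject: line or a longer word containing the keyword.
        if KEYWORD in local.split("+")[1:]:
            return "accept:first-contact"
    return "reject"

# Constructed sample messages.
KNOWN = "From: Alice <Alice@Example.org>\nTo: me@example.com\n\nhi\n"
FIRST = 'From: carol@example.edu\nTo: "Yours Truly" <me+tulip@example.com>\n\nhello\n'
SPAM = "From: x@example.biz\nTo: me@example.com\nSubject: tulip bulbs\n\nbuy\n"
NAME_ONLY = 'From: x@example.biz\nTo: "tulip" <me@example.com>\n\nbuy\n'
NEAR_MISS = "From: x@example.biz\nTo: me+tulips@example.com\n\nbuy\n"

if __name__ == "__main__":
    for raw in (KNOWN, FIRST, SPAM, NAME_ONLY, NEAR_MISS):
        print(decide(raw))
```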