A SpamAssassin surprise
Back in April, an important anniversary went mostly unremarked: it was a full 30 years since the sending of the still-famous "green-card spam". Those of us who were recipients of that missive were horrified at the time, but nowhere near as horrified as we would have been had we known what was coming. Almost overnight, email was transformed from a collaborative service to a pipeline that would be constantly abused by ill-meaning actors. Spam now dominates the email stream; this problem has driven many other changes to email, not all of which are good.
For most of the last three decades, anybody wanting to run their own email system has needed some way of filtering out spam — at least, if they want that email system to actually be useful. There are a number of tools out there that can take on that task, but many of us rely on Apache SpamAssassin to keep the trash out of our inboxes. SpamAssassin combines a long list of heuristics (does the email start with "Dear beneficiary"? does it have a strange date? does it reference large amounts of money?) with a trainable Bayesian filter and the ability to query reputation services ("blocklists") on the Internet. It does not do a perfect job, but a well-trained SpamAssassin installation will identify most spam with a negligible false-positive rate.
Recently, though, vast amounts of obvious spam started evading SpamAssassin and landing in our inboxes. The investigation provoked by that onslaught turned up an interesting failure mode for SpamAssassin — one that other users may want to be aware of.
Validity confusion
A close look at the spam that got through revealed, along with numerous opportunities to get rich, deal with chronic health issues, or make improbable anatomical changes, that a couple of rules (RCVD_IN_VALIDITY_CERTIFIED and RCVD_IN_VALIDITY_SAFE) were firing in all of them. These rules are meant to fire if the machine that presented the message under consideration appeared in a couple of reputation lists maintained by a company called Validity. These are not blocklist databases, though; instead, they are allowlists, indicating that the email is highly likely to be trustworthy and should be delivered normally.
SpamAssassin works by calculating a score for each message based on the rules that trigger; each rule will adjust the score up or down. These two rules, combined, will reduce an email's spam score by five points. Five is also the number of points required for an email to be judged as spam in the default SpamAssassin configuration; if all emails start triggering those rules, that threshold is effectively raised to ten points. The result is that a lot of email that would otherwise have been properly classified as spam now looks legitimate; you really did have an unknown rich uncle whose estate can be yours if you just pay a small advance fee.
One can imagine all kinds of unpleasant outcomes that can result from giving a private company the ability to make spammy email look legit. SpamAssassin has also had an occasional history of introducing negative-score rules that have been promptly exploited by spammers. So it was easy to jump to the conclusion that, somehow, spammers had learned how to appear in the Validity allowlist databases and were taking full advantage of that ability. But that conclusion was incorrect.
It seems that, beginning in March, Validity introduced a limit on the number of queries that any given site is allowed to make to its databases. Some investigation confirmed that LWN's email server had, indeed, exceeded that limit and been cut off. The message returned by the server was clear enough:
28.88.79.45.sa-trusted.bondedsender.org. 10 IN TXT \
"Excessive Number of Queries | \
https://knowledge.validity.com/hc/en-us/articles/20961730681243"
SpamAssassin, however, did not read that explanation; instead, it took the presence of a reply as an indication that the site in question appeared in the list, and duly decremented the spam score of the message accordingly. That resulted in us having to clear out our inboxes with snow shovels.
There are a number of ways that anybody encountering this problem can address it, once it has been identified. Configuring SpamAssassin to use a local, caching DNS server will reduce blacklist queries and is the recommended path, but neither Debian nor RHEL derivatives ship with that configuration. Validity will allow more traffic from sites if an account has been set up for them. Or one can simply configure SpamAssassin to not query the Validity lists at all. That last option was taken, and our inboxes quickly returned to a more rational state. Though "rational" is a relative term for any inbox that is the target of a linux-kernel subscription.
Email in the 2020s
Running an email server requires configuring and maintaining several complex, security-sensitive pieces of software. In the absence of a full-time administrator, whoever handles that task has to get by with an imperfect understanding of how all of those components work. It is probably a fair guess that a large proportion of SpamAssassin users do not even know that the Validity lists exist, much less that their system is trusting those lists to make decisions about email delivery. SpamAssassin nicely hides the fact that its users are depending on an outside company's generosity and integrity to manage their email stream — and that works well most of the time.
In LWN's case, that configuration was introduced as part of a hurried email server replacement driven by the demise of CentOS 7. A suitably diligent administrator would have learned about the use of this service and made proper decisions about the configuration of the spam filter, but that is not what happened here. And everything quietly worked as expected, until it didn't. Even running our own system, we found ourselves having trusted a company we had never heard of, which had been given the ability to essentially bypass spam filtering.
That company chose to limit the availability of this service. That is within Validity's rights, even though it advertises that its lists are used in SpamAssassin's default rules; no promise was ever made that this free service would remain available. SpamAssassin's blocklist policy allows the inclusion of rules that use "free for some" services, since they work for a large subset of users. Anybody wanting to disable the use of blocklists entirely can do so with the skip_rbl_checks configuration parameter. One could argue with these policies, but they are at least clear.
What has always been less clear is the justification for negative-score rules in SpamAssassin in the first place. They are a tempting target for spammers, many of whom are certainly on the lookout for ways to get email past SpamAssassin, and they have created problems in the past. Decades of experience suggest that false-positive results from SpamAssassin are rare; it is not clear that there is a need for rules designed to reduce them. If those rules do exist, though, they should not fire in cases such as this one, where the expected condition is not present; a bug report has been duly filed.
There is arguably a case for the existence of reputation services for email; the fact that they are widely used attests to that. But we are essentially entrusting one of our important communication channels to unaccountable third parties with predictable results; anybody who has run an email server for a while knows the sinking feeling that comes with having to request removal from another blocklist — again. These services have been part of a dynamic that makes it increasingly difficult for small sites to get their email delivered at all.
All told, it not surprising that many people who would have once run their
own mail systems have decided to throw in the towel and use one of the big
providers instead. What was once a nice, federated service (in a much
simpler time) has become a complex mess with high barriers to entry,
pushing users into a small number of large, proprietary services. Email
was not designed for these times, and we still lack something better to
replace it. So those email administrators who stubbornly hang on to their
own installations will continue to have to deal with glitches like the one
described here; we will add another piece of duct tape to the system and
continue to muddle along as well as we can.
Posted Aug 30, 2024 15:24 UTC (Fri)
by pizza (subscriber, #46)
[Link] (3 responses)
dns_query_restriction deny sa-trusted.bondedsender.org
Alternatively, as the article partially mentions, you can globally disable all RBL checks entirely with:
skip_rbl_checks 1
Posted Aug 30, 2024 15:38 UTC (Fri)
by gwolf (subscriber, #14632)
[Link] (1 responses)
Well, maybe not --- I'll anyway go look at this "bondedsender.org" and its relation with Validity, and...
But thanks anyway!
Posted Aug 31, 2024 10:59 UTC (Sat)
by claviola (subscriber, #8533)
[Link]
Posted Oct 22, 2024 16:22 UTC (Tue)
by jahlives (guest, #174160)
[Link]
header RCVD_IN_VALIDITY_BLOCKED eval:check_rbl('zen-lastexternal','sa-trusted.bondedsender.org.','^127.255.255.255$')
and then a
if can(Mail::SpamAssassin::Conf::feature_dns_block_rule)
which let spamassassin "ignore" the result of the lookup
Oct 22 18:06:16.337 [623] dbg: dnseval: checking RBL sa-trusted.bondedsender.org, set zen-lastexternal, rule RCVD_IN_VALIDITY_BLOCKED
I'm using spamassassin 4.0.1 so maybe this feature is new in the 4.X SA. But the steps above can be repeated for any list that returns a unique code for excessive querying
Posted Aug 30, 2024 16:16 UTC (Fri)
by ceplm (subscriber, #41334)
[Link] (3 responses)
Posted Aug 30, 2024 17:11 UTC (Fri)
by smurf (subscriber, #17840)
[Link]
Looking at the headers of one such message in my suspected-spam folder (identified by Thunderbird's "adaptive junk mail controls", not SpamAssassin) the trick seems for the spammer to create a trial subscription to Google Workspace, then set up a mailing list and subscribe the victims to it without their consent. Presto, you may now send spam.
Posted Aug 31, 2024 12:04 UTC (Sat)
by willy (subscriber, #9762)
[Link] (1 responses)
Posted Aug 31, 2024 14:23 UTC (Sat)
by Wol (subscriber, #4433)
[Link]
Except when it isn't. Yahoo succeeded VERY reliably in putting all the ham in the spam-bin, and leaving the spam in the inbox. So I just deleted everything in the inbox, and read everything in the junk mail box :-)
Cheers,
Posted Aug 30, 2024 18:06 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
I appreciate that I'm not the only one who had (has, still have some stragglers) a busy last 6mo migrating services.
Posted Aug 30, 2024 18:17 UTC (Fri)
by fmarier (subscriber, #19894)
[Link]
Looks like you have to register your IP address(es) with them and then you're not subject to the same monthly limits.
Posted Aug 30, 2024 19:32 UTC (Fri)
by jond (subscriber, #37669)
[Link] (4 responses)
Posted Aug 30, 2024 19:44 UTC (Fri)
by maru (subscriber, #35964)
[Link] (2 responses)
Posted Aug 30, 2024 21:00 UTC (Fri)
by jond (subscriber, #37669)
[Link]
Mythic handle having clean IP reputations, DKIM and all that stuff. I just had to add a few TXT records (mostly copy and paste from their docs) and configure the accounts/“mailboxes” in their admin webpages to have smtp auth credentials.
As part of what I pay for I could actually use their receipt service (they do smtp receipt, imap, filtering, webmail) if/when I feel like handling the migration.
Posted Aug 30, 2024 21:08 UTC (Fri)
by admorgan (subscriber, #26575)
[Link]
Posted Aug 30, 2024 20:13 UTC (Fri)
by dskoll (subscriber, #1630)
[Link]
I run my own mail server too. I do not use any RBLs because I find my existing anti-spam mechanisms work fine and I'd rather not rely on RBLs.
I still send outbound mail myself, and so far so good... my IP address is not associated with a bad reputation. I have a virtual machine hosted by OVH that handles my email. I did set up SPF, DKIM and DMARC to improve deliverability.
Posted Aug 31, 2024 10:19 UTC (Sat)
by JulianGro (subscriber, #170093)
[Link] (41 responses)
Funny enough, Google is so well known when it comes to spam, that a good amount of services blacklist Google email addresses from their registration forms.
Posted Aug 31, 2024 16:07 UTC (Sat)
by dskoll (subscriber, #1630)
[Link] (39 responses)
Really? I have never encountered that. I run my own mail server and my email address points at my own domain name, and I've never once encountered a web site that has rejected my email address.
Posted Aug 31, 2024 18:37 UTC (Sat)
by ballombe (subscriber, #9523)
[Link] (23 responses)
Posted Aug 31, 2024 20:27 UTC (Sat)
by Wol (subscriber, #4433)
[Link] (1 responses)
Cheers,
Posted Sep 2, 2024 10:26 UTC (Mon)
by pbonzini (subscriber, #60935)
[Link]
(That's sarcasm, or rather disillusionment, if that wasn't clear).
Posted Aug 31, 2024 22:01 UTC (Sat)
by dskoll (subscriber, #1630)
[Link] (20 responses)
Wow, I'm surprised. As I said, I've never encountered such a web site, and if I ever did, I'd quickly decide that it's product or service is something I can do without.
Posted Sep 1, 2024 7:04 UTC (Sun)
by ceplm (subscriber, #41334)
[Link] (19 responses)
That is their canonical site are https://www.bbc.co.uk and https://www.ox.ac.uk/, respectively, all UK domains are thus divided (and Aussies copies the scheme from them, https://www.abc.net.au/).
Posted Sep 1, 2024 9:51 UTC (Sun)
by excors (subscriber, #95769)
[Link] (18 responses)
But given how common those domains have been since the early days of the internet, I'd guess the email validation systems usually aren't quite that dumb, they'll probably use something like the Public Suffix List (https://publicsuffix.org/) which tries to identify all the registrar-controlled suffixes that people can register under (so it has "com" and "uk" but also "ac.uk", "co.uk", "*.sch.uk" (the third level is the local authority name), etc). Or they'll use an incomplete, outdated, broken version of that list encoded in a regex they found on some blog two decades ago, which is fine for all the people with hotmail.co.uk addresses, and only causes a problem for the relatively few people using mail.companyname.com or new TLDs.
(The PSL is also used by e.g. DMARC to identify domains that belong to the same organisation: https://dmarc.org/2023/05/m3aawg-calls-for-coalition-to-s...)
Posted Sep 1, 2024 12:33 UTC (Sun)
by yeltsin (guest, #171611)
[Link] (8 responses)
Posted Sep 2, 2024 2:29 UTC (Mon)
by NYKevin (subscriber, #129325)
[Link] (7 responses)
Posted Sep 2, 2024 9:34 UTC (Mon)
by yeltsin (guest, #171611)
[Link] (6 responses)
e.g. ~sircmpwn/sr.ht-packages@lists.sr.ht
I guess it's one more reason we need diversity in both, because it forces everybody to comply with the standards. Gmail is very specific on what you can (or cannot) do with your username; other large providers are similar. If that's the only thing everyone is using, it is the new de-facto standard.
Posted Sep 2, 2024 9:56 UTC (Mon)
by anselm (subscriber, #2796)
[Link] (3 responses)
I'm generally happy that most places seem to have caught on to the idea that foo+bar@example.com is, in fact, a valid e-mail address in spite of the “+”. This used to be a major annoyance a few years ago.
Posted Sep 3, 2024 0:21 UTC (Tue)
by khim (subscriber, #9252)
[Link] (2 responses)
Gmail did that. In Gmail everything after Gmail is large enough and common enough to force developers to accept these. I'm not sure smaller mail providers can do that.
Posted Sep 3, 2024 7:41 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (1 responses)
That "+" thing is in the original RFC. Gmail didn't force others to accept it - they would have *been* forced to accept it.
Cheers,
Posted Sep 3, 2024 14:08 UTC (Tue)
by khim (subscriber, #9252)
[Link]
Whenever thinks worked that way? Things like Why do you think
Posted Sep 2, 2024 13:59 UTC (Mon)
by dskoll (subscriber, #1630)
[Link] (1 responses)
Yes, people don't understand email. It's very annoying.
Web developers: The only thing you should do to validate an email address is (1) check that it contains an @ character, and (2) check that everything after the last @ character is a domain name that has either an A or an MX record that ultimately points to at least one routable IPv4 or IPv6 address. That's it. Nothing else.
I say last @ character because "@$foo"@example.com is theoretically a valid form of email address, though I doubt it'd actually work in many places.
Posted Sep 3, 2024 13:44 UTC (Tue)
by brunowolff (guest, #71160)
[Link]
This illusrates another issue with email addresses. There are at least three different encodings for them (raw, 821 and 822). "@$foo"@example.com might be a raw address or it might be an 821 or 822 encoding of @$foo@example.com .
Posted Sep 1, 2024 13:20 UTC (Sun)
by farnz (subscriber, #17727)
[Link] (8 responses)
Unfortunately, I have had to use a gmail.com address at more than site that's rejected my .uk address for having "too many parts". I've also had rejections of my gmail.com address (easily worked around, thanks to Google's flexibility), since you can't have a dot to the left of the @ sign according to some web developers.
Basically, think of a way to get it wrong - there will be sites that get it wrong. Thankfully, since it's just e-mail addresses, it's relatively easy to get a new "free" address from somewhere like GMail that works around the mistakes, but I've encountered similar stupidities with credit card details, where a web developer has confidently assumed that certain things are not possible, and been absolutely floored to discover that banks have issued "impossible" cards (completely within the card spec, but not what the web developer expected, because of things like a CV2 number that "looked like" an expiry date).
Posted Sep 1, 2024 17:53 UTC (Sun)
by Heretic_Blacksheep (guest, #169992)
[Link] (1 responses)
That may be fine for personal, or small business pages that are largely just a static advertisement for a person or business, but anytime you need more than that these graphic design houses aren't qualified.
Posted Sep 2, 2024 8:42 UTC (Mon)
by farnz (subscriber, #17727)
[Link]
Combine that with an effort to minimise the number of back end errors you see (certainly the case with the e-mail and credit card ones I saw), where you're trying not to send data to the back end if you "know" it's invalid, and you have something that apparently works until you get real users on it.
The trouble is that when you try to fix "mistakes" by the user (and I have no doubt that some users would type their expiry of 1/23 into the CV2 box as 123), you have to ensure that this can't be a genuine user - asking "are you sure - 123 looks like it might be your card expiry" is OK to reduce back end error rates, but "123 is not a valid CV2" is simply wrong, when it's the number on my card.
Posted Sep 14, 2024 11:25 UTC (Sat)
by sammythesnake (guest, #17693)
[Link] (5 responses)
First, the spec is easily found and clearly defined - it's not rocket surgery to get the whole thing right (including knowing if the card is a visa or amex or whatever, so don't ask the user!)
On the other hand, the spec itself is a bear, with 1001 different historical warts, so if you think you find a way to simplify it (which inevitably means being wrong, of course) I can absolutely understand the temptation to do so...
Ideally, the banks etc. would all get together and agree to retire all but one checksum algorithm, standardise on one number length etc. so that the spec can be implemented in half a dozen lines of code, but that's herding cats :-(
Posted Sep 14, 2024 14:09 UTC (Sat)
by Wol (subscriber, #4433)
[Link]
It's amazing the number of people who it never occurs to to try and get it right. I've just been asked to implement a check on lorry driver hours, and my FIRST reaction was to ask the requester to send me a copy of the appropriate regulations.
I think this will be the third regulation I've implemented a check for - the previous one was "a driver cannot work for more than 13 calendar days without a 45hr break". The guy who implemented the previous version of the check thought all he needed to look at was the previous, current and next calendar week. How can you check a 13-day rule if at the start of the week you can only see back 8 days! And he just couldn't see what was wrong with it.
Cheers,
Posted Sep 14, 2024 16:27 UTC (Sat)
by farnz (subscriber, #17727)
[Link] (3 responses)
The trouble is that, while I've encountered cases that are the payment card industry's fault (Amex CV2 being 4 digits and in a different place on the card, some cards having a 19 digit PAN), I've also encountered a lot that add complexity (like "CV2 can't be interpreted as a date in the format M/YY"). And while I get the temptation to simplify in ways that you think don't matter, adding complexity because you assume things outside the spec doesn't make a huge amount of sense to me.
Posted Oct 2, 2024 8:22 UTC (Wed)
by taladar (subscriber, #68407)
[Link] (2 responses)
Wouldn't that break for the last three months of every year? Not to mention that 4 digit years should really be used for everything by now.
Posted Oct 2, 2024 10:12 UTC (Wed)
by farnz (subscriber, #17727)
[Link]
The CV2 is three digits; I had a CV2 (at the time) of 821, and the site rejected this on the grounds that this "must" be the issue date of my card, not the CV2.
I assume that they were looking at the last 2 digits, and deciding if it looked "too close" to a plausible expiry or issue year in order to determine if the CV2 was valid, but the error message told me that it was rejecting it because I'd supplied the issue date, not the CV2. Experimentally, it also rejected 828 as my card expiry date (even though I had put in the actual expiry date elsewhere in the form).
Posted Oct 2, 2024 10:34 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
And why use YYYY for user interaction when all dates are "about now"? Credit card dates are all within a 10-yr windows, so YY is not ambiguous.
Cheers,
Posted Aug 31, 2024 18:38 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link] (14 responses)
1. Obnoxious website (hosted at www.example.com) decides that it wants to demand your email address in exchange for reading their articles (or whatever they have on their website).
Posted Aug 31, 2024 22:03 UTC (Sat)
by dskoll (subscriber, #1630)
[Link] (13 responses)
Well, that's just lazy programming. Back in the day, I did write code to try to detect these sorts of shenanigans, but it was based on a deny list (and looked at both the domain names and the associated MX records to find throwaway providers.) It worked well enough for us. And I'd never have dared to attempt an allow list.
Posted Sep 1, 2024 0:48 UTC (Sun)
by NYKevin (subscriber, #129325)
[Link] (12 responses)
Rationale: Let's assume that you're not selling the user's email directly to spammers (because if you are, then you're one of the evil people who are causing all these problems in the first place, and I frankly don't care whether your business model makes sense or not). The only way you're (ethically) making money is if you subscribe the user to a legitimate marketing list of some kind, which presumably allows the user to unsubscribe whenever they want (because that's what "legitimate" means). You're relying entirely on the hassle hurdle, and many users are not going to play ball - when they get tired of receiving your emails, they are not going to be genteel and click "unsubscribe." Some of them are just going to click the "report spam" button (or whatever their big webmail provider calls it), and sooner or later you're going to find yourself on a denylist, probably one of the obnoxious non-public ones that email operators are always complaining about.
Of course, if you try to ask those users why they did that, a lot of them will say things like "I dunno, I just click that button when I want to stop receiving emails from somebody. Does it do anything else?"
Posted Sep 1, 2024 1:23 UTC (Sun)
by dskoll (subscriber, #1630)
[Link] (10 responses)
Our case was that we were a B2B business offering a free trial of our product to corporate customers, and we needed a way to contact them after the trial was over. So when they applied for the trial, we emailed them a link they could use to download the product.
Posted Sep 2, 2024 14:51 UTC (Mon)
by taladar (subscriber, #68407)
[Link] (9 responses)
Posted Sep 2, 2024 16:18 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (5 responses)
Yes, from the customer's point of view, it might suck to be contacted after you've decided you don't want the product. But from the vendor's p-o-v, most customers will not provide feedback unless they are actually interested in the product. So how does the vendor tell the difference between the customer thinking (a) this product is crap, (b) this product doesn't fit my requirements, (c) this product is great but I can't see how we would use it, and (d) the customer employee thinking "that was a nice waste of time getting paid for doing nothing". I'm sure you can think of many others which - without the vendor being able to pro-actively reach out - would all be conflated as "prospective customer never came back".
I've been on the receiving end of that, and once I'd downloaded the pdf, I wasn't impressed. I only responded because I received a chase-up email, and politely said that on reading the pdf, it was clear it would be of no use to my in my job. But without the nice personal chase, they would have heard nothing.
Cheers,
Posted Sep 2, 2024 22:20 UTC (Mon)
by dskoll (subscriber, #1630)
[Link] (4 responses)
Wol, we didn't want good honest feedback. We wanted to make sales. :)
Posted Sep 2, 2024 22:53 UTC (Mon)
by Wol (subscriber, #4433)
[Link] (3 responses)
One of my friends was a very good salesman. His technique was to go in and ask "What's your problem?". He then followed up with "we have these products that look like what you're looking for".
MUCH more effective than "we have this wonder product, now what's your problem".
And even if you get the feedback "this is a lovely product. I just don't see how it's any use to me", it tells your sales guys to leave alone and don't waste effort. AND THAT CAN GET YOU SALES. On several occasions, I've gone back to a company that's treated me with respect, and taken a previous "no I'm not interested" with good grace. Because I feel I can trust them!
Cheers,
Posted Sep 2, 2024 23:33 UTC (Mon)
by dskoll (subscriber, #1630)
[Link] (2 responses)
What can I say? We ran the company successfully for 19 years, so our techniques worked.
Posted Sep 3, 2024 7:38 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (1 responses)
I think you miss the point of what I'm saying - that sort of follow-up - that you were doing - is (a) great at weeding out false prospects (giving you more time to focus where you *were* likely to get results), and (b) handled properly can leave a great feeling in the prospect who is then more likely to cold-call when they see a use for your technology.
I'm not surprised the company did well. (Provided you didn't spoil it some other way :-)
Cheers,
Posted Sep 3, 2024 12:55 UTC (Tue)
by dskoll (subscriber, #1630)
[Link]
But when you chased up, and got negative feedback, I presume you spent no further effort following that prospect up?
It depends. Usually we did not. If the negative feedback was about the product itself, we did consider it, and if we felt the criticism was valid, we'd use it to improve the product, and let the prospect know we were doing that, if we thought they'd reevaluate.
Posted Sep 2, 2024 22:19 UTC (Mon)
by dskoll (subscriber, #1630)
[Link] (2 responses)
We would have lost many sales that way. Much as many people don't like to admit it, getting in touch with people partway through a trial is a very effective sales technique.
I no longer have any skin in the game (sold the companies ages ago) but do speak from experience.
Posted Sep 5, 2024 12:18 UTC (Thu)
by taladar (subscriber, #68407)
[Link] (1 responses)
Posted Sep 14, 2024 11:38 UTC (Sat)
by sammythesnake (guest, #17693)
[Link]
Posted Sep 1, 2024 9:36 UTC (Sun)
by farnz (subscriber, #17727)
[Link]
FWIW, this is what I have a gmail.com address for. If I think you're demanding my e-mail address for obnoxious or nefarious purposes, that's the one you get given, and I'll very happily mark any junk from you as spam. You go to a separate mailbox, where someone big handles the filtering, and you end up on a non-public denylist at Google if you can't be bothered to avoid being obnoxious having demanded my e-mail address.
Posted Sep 5, 2024 7:34 UTC (Thu)
by rwmj (subscriber, #5474)
[Link]
Posted Aug 31, 2024 10:53 UTC (Sat)
by marcH (subscriber, #57642)
[Link] (2 responses)
You mean like... every piece of software and IT system ever?
> Email was not designed for these times, and we still lack something better to replace it.
Email was not designed for any specific times: it was designed for a gentlemen's club. The initial (lack of) design works great... in a gentlemen's club but it never stood any chance to scale as is. "The entire world is welcome to my inbox! Anonymously and for practically free! Help yourself!" Any one seriously wondered what would happen? That was predictable even before the Internet and the "attention merchants". Just look at your real mailbox and multiply it by a couple millions.
Even inside a company where 100% of the people are authenticated and identifiable and 99.99% behave professionally it still isn't great.
Posted Sep 2, 2024 16:24 UTC (Mon)
by rgmoore (✭ supporter ✭, #75)
[Link] (1 responses)
Except that the gentlemen's club atmosphere was tied to a specific time: early in the life of the Internet, back when only a comparative handful of powerful institutions (the government, military, higher education, or big businesses that were connected to government, military, and education) were allowed in. Not only that, but the systems themselves were big and complicated enough to have full-time administrators. Those admins didn't just handle the technical side either; they were also responsible for controlling their users and ensuring they abided by the "gentlemen's club" rules. Since access to the systems was tied to employment or enrollment in a University, the admins had a lot of power to enforce the rules. Of course this was true of all of Internet access, not just email.
The system wasn't perfect. For one thing, it was reactive rather than proactive, and someone could cause a lot of damage before their admin figured out what was going on and reined them in. The Morris Worm was a good example of how much damage a single incident could cause. More importantly, it completely failed in the face of commercial ISPs. The ISPs were being paid by their users rather than employing them, so they lacked the same kind of leverage in the face of bad behavior by their users. The big ISPs got big so fast the traditional Internet group really didn't have a chance to respond before their nice gentlemen's club was destroyed. We've spent the past 30+ years patching all the flaws in the original Internet infrastructure that were papered over by the power of traditional admins.
Posted Sep 3, 2024 5:03 UTC (Tue)
by marcH (subscriber, #57642)
[Link]
You just put a smile on my face by reminding me of the admin in my college who was totally out of his depth when the Internet arrived and ridiculed by the gang of l33t students. The only way he managed to get back some level of control was by... allying with them in the end.
But these were college kids == "gentlemen thieves" so your point very much stands.
Posted Aug 31, 2024 11:13 UTC (Sat)
by ms (subscriber, #41272)
[Link] (3 responses)
It turns out that Spamhaus had started blocking open resolvers a while ago (2022), but presumably the level of traffic it was getting from the one I use was under some threshold and so it continued working... until it didn't. The solution is the same -- you can sign up for a free account and then tweak your configuration so that some key gets included in the requests.
Posted Sep 1, 2024 7:12 UTC (Sun)
by ceplm (subscriber, #41334)
[Link] (2 responses)
Could you point me to URL, where one can get such account?
Posted Sep 1, 2024 10:29 UTC (Sun)
by ms (subscriber, #41272)
[Link] (1 responses)
Yes of course. The spamhaus docs are a bit of a mess, but you want to their "DQS" (Data Query Service). Sign up from https://www.spamhaus.com/product/data-query-service/ (I believe the "trial" aspect of "free trial" only applies if you're above certain thresholds - certainly they seem happy with me and I'm not paying them); and the configuration docs eg for Postfix are https://docs.spamhaus.com/datasets/docs/source/40-real-wo...
Posted Sep 1, 2024 11:10 UTC (Sun)
by knewt (subscriber, #32124)
[Link]
Taking a look, there is indeed a "Free DQS" offering, for "a non-commercial entity or a small business with low query volumes". It's linked to on the page you referenced, but you have to scroll about half-way down to find it! Can be found at https://www.spamhaus.com/free-trial/sign-up-for-a-free-da...
From the comparison table, you get most of what's in the paid version. Glancing at the terms of use, the query volume thresholds are admittedly rather...... nebulous :)
Posted Aug 31, 2024 13:24 UTC (Sat)
by mtthu (subscriber, #123091)
[Link]
Posted Aug 31, 2024 18:53 UTC (Sat)
by NYKevin (subscriber, #129325)
[Link] (1 responses)
> For example, a name server may not wish to provide the information to the particular requester, [...]
Of course, when it's a free service, the most you can reasonably expect is a full refund of the $0 you paid for it, but it would still be nice if people made a slightly greater effort to comply with standards.
Posted Sep 5, 2024 13:29 UTC (Thu)
by grifferz (subscriber, #62128)
[Link]
There are actually informal standards for DNSBL return codes to signify thinsg like permissions error or that the DNSBL has shut down. This is necessary because a usual failure mode of a domain is to expire and gain a wildcard DNS for a web landing page, which would otherwise result in the world being listed. Validity did/does use these codes. Unfortunately the tests in SpamAssassin did not check for these and three months of notice wasn't enough time to get the tests modified and into the hands of users.
https://github.com/apache/spamassassin/commit/37f0cf7591d...
Validity did also consult the mailop community about what there were going to do and were advised to return A records in the 127.255.255.0/24 space as is the convention here.
https://www.mail-archive.com/mailop@mailop.org/msg20711.html
The free limit for Validity by the way is 10,000 queries per 30 days. You can easily exceed that if you've left your system using a public resolver (or your local resolvers forward to a public resolver, which is the same result).
I should imagine that LWN does quite a high volume of email and so does need to keep on top of this sort of thing more than an individual or most other small businesses would.
Posted Aug 31, 2024 19:07 UTC (Sat)
by fredex (subscriber, #11727)
[Link] (5 responses)
http://hcpnet.free.fr/milter-greylist/#downloads
Fredex
Posted Aug 31, 2024 22:05 UTC (Sat)
by dskoll (subscriber, #1630)
[Link] (4 responses)
In my experience, greylisting is no longer useful for stopping much spam. And it really annoys users who are expecting an email containing a password reset code or some other sort of time-sensitive information. I used it back in ~2008 or so, but haven't used it for at least a decade and a half.
Posted Sep 1, 2024 9:38 UTC (Sun)
by farnz (subscriber, #17727)
[Link] (2 responses)
I've found, experimentally, that greylisting is most effective against marginal spam; I refuse things that are "obviously" spam from the machine's point of view (SpamAssassin score on my setup of -10 or lower), accept all things that are "obviously" ham (SpamAssassin score of 0 or more), and use greylisting for the things that are in the middle. This results in about 50% of the "marginal" category failing to appear in my inbox because it's been greylisted; and having that mail queued to a separate inbox for a time showed me that everything that was not delivered thanks to greylisting was, in fact, spam.
I wouldn't recommend it on its own, but as a way of handling things that might not be spam, it does a good job; and password reset codes etc come through just fine, because they tend not to score below 0.
Posted Sep 24, 2024 9:56 UTC (Tue)
by mgedmin (subscriber, #34497)
[Link] (1 responses)
I'm currently using postfix + postgrey + amavis for spamassassin/clamav, and I don't quite see a way of making the postgrey conditional on spamassassin's results, given my understanding on how these all are hooked up together.
Posted Sep 24, 2024 10:36 UTC (Tue)
by farnz (subscriber, #17727)
[Link]
I'm using exim, not postfix, in part because exim's ACLs are more capable than postfix's filtering options. I use the acl_smtp_data ACL to do my decision about greylisting.
Downside is that you've paid the full cost of receiving the mail by the time you get here; upside is that I can base the decision to greylist on the contents of the mail, not just hosts and headers. And it's important if you're doing this that you record which mails are retried from a different IP, and whitelist the original sender, not just the new IP - otherwise you're creating pain for yourself later. I find that this exim config snippet is a good example of how to start doing this.
Posted Sep 4, 2024 8:55 UTC (Wed)
by philh (subscriber, #14797)
[Link]
On the mail server, one can setup user-specific handling under '~/.avenger/'.
The script that deals with my most spam-targeted addresses includes the line:
match -q "*Windows*" "$CLIENT_SYNOS" && greylist
CLIENT_SYNOS is a variable that's populated with mailavenger's guess at what the remote client's OS seems to be, based on SYN packet analysis, so this line results in me only greylisting people who appear to be running windows, which covers approximately all of the spambots, and none of the people I actually want to get mail from.
I've got a lot of other complicated things going on with my own mail scripting (including spamassassin , crm-114, and issuing different addresses to different correspondents etc.), but other users on the system almost all have a very simple setup, and don't have much of an issue with spam AFAIK, while having the chance to tune their anti-spam response if the need were ever to arise for them.
The best thing about mailavenger for me is that it means I have no spam folder. If my systems detect something as spam it gets rejected at SMTP time, and the sender gets to deal with it (the baysian-based SMTP rejections include instructions on how to get past the filters, for the occasional real person who manages to provoke a rejection -- only 3 spammers have ever bothered with that extra step, and now they have a couple of lines of script in their honour ;-) ).
(Hmm, I notice that mailavenger has dropped out of Debian -- I guess I need to work out why and see if I can fix it ... )
Posted Sep 1, 2024 22:42 UTC (Sun)
by kvv (subscriber, #5806)
[Link]
It works as follows:
My mail system behaves more or less like any other mail-client. On the perimeter I run fetchmail, every minute, to get the mails from the provider's smarthost and send them by smtp to localhost (perimeter) postfix. Then perimeter postfix forwards these messages to internal postfix, which passes them through rspamd (local spam-filter) and let's dovecot do the delivery to the proper mailbox, where the mail-client picks it up.
The one disadvantage is that postfix cannot bounce mails. Mails are considered "delivered" once they are in the provider's catchall mailbox, any attempt to bounce is in fact back-scatter.
The benefits of this mail systems are that there is full control over the user-side of things: personal-mailboxes, aliases, shared-mailboxes, distribution lists, auto-responders, etcetera. While the internet-facing side of mail is taken care of by the domain hosting provider.
Posted Sep 3, 2024 6:33 UTC (Tue)
by jd (guest, #26381)
[Link]
Posted Sep 5, 2024 12:43 UTC (Thu)
by grifferz (subscriber, #62128)
[Link]
https://forum.spamcop.net/topic/73357-internal-spamcop-ha...
Posted Sep 13, 2024 10:45 UTC (Fri)
by johnjones (guest, #5462)
[Link]
Posted Sep 19, 2024 14:00 UTC (Thu)
by fest3er (guest, #60379)
[Link]
Was it a SA logic error (any response means the addr is OK)? or was it Validity documentation error (no response means not OK, any response means it's OK)? Said differently, did Validity properly document their API?
gmail is the only 'free' email service that allows ClawsMail to function. MS/Yahoo and others allow only their favorites to work. This further deepened my distrust/dislike of companies that offer 'free stuff'. I run my own email server now; blocking IP addrs I want *zero* contact with is a good start.
Recently, I noticed some spam was coming from cloud hosting services like google, digital ocean, censys, microsoft, and others. I also noticed that some of those services run port scanners (with noble-sounding excuses I mean reasons). Alas, some honest servers also run on them, so it gets a little tricky.
My philosophy is that *any* site that probes my network for services I do not make publicly available is nefarious; I do not want my systems to have *any* contact with such sites. Port scan me? You're out. Send me spam? You're out. Fart in my general direction? You're out. Host pron/warez/etc.? You're out.
IMO, this is one of the reasons I truly dislike end-to-end encrytpion: it prevents network owners (mostly SOHO) from examining data to prevent malware/maldata from entering *AND* leaving their networks. Network owners are responsible for the safety of their networks *and* they have a social responsibility to the internet to keep the internet 'clean'.
Posted Nov 15, 2024 15:15 UTC (Fri)
by Klavs (guest, #10563)
[Link]
Before that we've used Kolab - which sadly went unmaintained.. But with Graylisting alone - we've had very little spam come though actually.
To actually work around this...
To actually work around this...
To actually work around this...
better use spamassassin to block the query only if necessary
describe RCVD_IN_VALIDITY_BLOCKED ADMINISTRATOR NOTICE: The query to sa-trusted.bondedsender.org was blocked
tflags RCVD_IN_VALIDITY_BLOCKED net
reuse RCVD_IN_VALIDITY_BLOCKED
dns_block_rule RCVD_IN_VALIDITY_BLOCKED sa-trusted.bondedsender.org
endif
Oct 22 18:06:16.337 [623] dbg: dns: launching rule RCVD_IN_VALIDITY_BLOCKED, set zen-lastexternal, type A, subtest (?^aa:^127.255.255.255$)
Oct 22 18:06:16.337 [623] dbg: async: blocked by dns_block_rule: A/REDACTED.sa-trusted.bondedsender.org, rules: RCVD_IN_VALIDITY_BLOCKED
Conspiracy theories about SpamHaus
Conspiracy theories about SpamHaus
Conspiracy theories about SpamHaus
Conspiracy theories about SpamHaus
Wol
Tangent: EL7->upgrade
Registering with Validity
Outsourcing smtp; crm114
do not run your own email system.
I feel this in my bones! I’ve been DIY for 25 years, mostly through inertia. Only very recently I outsourced a small part of the jigsaw puzzle (smtp submission, to avoid all the ip reputation dance. This isn’t an advert, but to mythic beasts).
In terms of filtering, I’ve been astonished how long and how well crm114 (purely statistical classifier) had worked for me: at least ten years largely untouched.
Outsourcing smtp; crm114
Outsourcing smtp; crm114
Outgoing mail service
Outsourcing smtp; crm114
I feel with you
I feel with you
the amount of times websites use an email provider whitelist that only includes the giants is very annoying.
I feel with you
Yes this is stupid.
I feel with you
Wol
I feel with you
I feel with you
I feel with you
I feel with you
I feel with you
I feel with you
I feel with you
I feel with you
I feel with you
+ is ignored so you may used JoeAverage+shopping@gmail.com on one web site and JoeAverage+work@gmail.com on some other web site (and can use filters to label them differently on the receiving site).I feel with you
Wol
I feel with you
!, /, or even @ are in the original RFC, too. Yet web sites don't support them (or, at least, rarely do).+ is an exception?I feel with you
I feel with you
Badly coded websites
Badly coded websites
Badly coded websites
Badly coded websites
Badly coded websites
Wol
Badly coded websites
Badly coded websites
Badly coded websites
Badly coded websites
Wol
I feel with you
2. Users put abuse@example.com as "their" email address. Obnoxious website spams itself for a bit, then denylists its own addresses.
3. Users use a service that creates temporary email addresses. Obnoxious website figures this out, denylists those addresses.
4. Temporary email address service starts buying various arbitrary domains and setting MX records on them so that its addresses are harder to filter out, rotating domains every so often. Obnoxious website figures this out, sets up an allowlist of the big providers.
5. Somebody who works for obnoxious website internalizes the idea that allowlisting is somehow a best practice, without understanding any of the above context.
I feel with you
I feel with you
I feel with you
I feel with you
I feel with you
Wol
I feel with you
I feel with you
Wol
I feel with you
I feel with you
Wol
I feel with you
I feel with you
I feel with you
I feel with you
I feel with you
I feel with you
Naivety
Naivety
Email was not designed for any specific times: it was designed for a gentlemen's club.
Naivety
spamhaus did similar
spamhaus did similar
spamhaus did similar
spamhaus did similar
> Your Data Query Service query volume must not exceed volumes reasonably expected in circumstances of non-commercial use.
Also a problem with small providers
There's a DNS response code for this...
There's a DNS response code for this...
spam filtering
spam filtering
Effectiveness of greylisting
Effectiveness of greylisting
Effectiveness of greylisting
selective greylisting
Best of both worlds
The provider receives and sends mails for my domain. This is the destination as per mx-record. It means the provider will sign (dkim, spf, etc.) outgoing mails, and deliver incoming messages after spam-filtering to a catchall mailbox. Hence the provider takes care of interfacing with big-tech and their requirements of the day.
Outgoing mail is passed from the mail-client to internal postfix to perimeter postfix to provider smarthost and onto the internet.
This mainly surfaces for mails to a non-existing addressee where it would be helpful to inform a sender, but that is back-scatter, so the mail must be put it in /dev/null and hence we leave the sender in the dark.
While this may not scale to larger sites, it has proven to work fine for smaller setups and it takes away quite some burden of a self-hosted mail system.
The origins of spam
Spamcop was caught out, too
test your email hosting
The problem is greater than just spam
collaborate on email server maintenance/setup?