Spam Filtering
A while back I implemented a spam filter based upon the ORBS RBL that
blocks mail from servers which allow promiscuous relaying.
Unfortunately, we received over 100 telephone complaints in the first four
hours (I do wonder if we would have received any had I not announced it, but
that's moot at this point) from people concerned they might lose mail from one
of these sites.
I took them out but said I would work on a way people can enable or
disable this spam filtering individually.
I've got a way you can do that now, though it's still rough. We'll put
together a script to create an appropriate .procmailrc and .forward, but right
now you can do so yourself and use these programs to block spam.
There are two new programs in /usr/local/bin, origip.pl which takes a
message and extracts the IP address of the server it arrived from, and
'rblcheck' which checks to see if that IP address is listed in either the ORBS
or the MAPS RBL database.
Together these programs can be used in a procmail recipe to either discard
the spam or put it in a separate spambox. I've got this working on my account and
I'm not very procmail literate, so those of you who would like to discard
this spam can do something similar.
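As an added illustration (not the origip.pl or rblcheck from this post), here is a Python version of the two steps those programs perform: take the connecting server's address from the topmost Received: header, which is the one your own MTA wrote and the only one the sender could not forge, and build the reversed-octet name that a DNSBL such as MAPS or ORBS is queried with. The zone name rbl.example.invalid, the host names and the addresses are placeholders.

```python
import re
import socket

# Constructed sample (not from the post). The topmost Received: header is the
# one the local MTA wrote on arrival, so its bracketed address is the server
# the mail really came from; the header below it travelled with the message
# and could have been forged by the sender.
SAMPLE_MESSAGE = (
    "Received: from relay.example.net (relay.example.net [203.0.113.45])\n"
    "\tby mail.example.com (8.8.8/8.8.8) with ESMTP id ABC123\n"
    "\tfor <user@example.com>; Mon, 4 Jan 1999 12:00:00 -0800\n"
    "Received: from other.example.org ([198.51.100.7]) by relay.example.net\n"
    "\twith SMTP; Mon, 4 Jan 1999 11:59:00 -0800\n"
    "From: someone@example.org\n"
    "Subject: test\n"
    "\n"
    "body text\n"
)

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(message):
    """IP in brackets in the topmost Received: header, or None if absent."""
    headers = message.split("\n\n", 1)[0]
    # Unfold RFC 822 continuation lines (they start with whitespace).
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    for line in unfolded.split("\n"):
        if line.lower().startswith("received:"):
            m = IPV4.search(line)
            return m.group(1) if m else None
    return None


def dnsbl_query_name(ip, zone):
    """Reversed-octet name a DNSBL lookup queries, e.g. 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone):
    """True if the DNSBL zone answers with an A record (this one hits the network)."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False
```

In a procmail recipe, the equivalent of rblcheck's exit code is the True/False that is_listed returns, with the zone given the same way rblcheck takes its -s argument.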
Here is what I have in my .procmailrc for this to work:
PATH=/bin:/usr/bin:/usr/local/bin
MAILDIR=$HOME/mail
DEFAULT=/var/spool/mail/nanook
LOGFILE=$HOME/.procmail.log
SHELL=/bin/sh
#First, get the originating IP using the origip.pl script
TCPREMOTEIP=`origip.pl || echo 127.0.0.1`
:0
* ! ? if [ -n "$TCPREMOTEIP" ]; then rblcheck -q "$TCPREMOTEIP"; fi
{
:0:
spambox
}
That's ALL! This drops any messages that are from servers in the RBL
databases into a folder called 'spambox'. You could change that to /dev/null
if you want to drop it altogether. If you leave that line empty, the mail is
delivered to your regular mailbox, essentially accomplishing nothing.
Then you need a ".forward" to send your incoming mail to procmail for
processing:
"|procmail_wrapper -f- #nanook"
Obviously in both the .procmailrc and the .forward, substitute your login
for 'nanook'.
Although more complex, this actually has some significant advantages over
the original implementation: you can do ANYTHING you want with this spam,
since procmail lets you do any processing you like.
I think it would be a cool thing if someone developed a ruleset that would
take the IP of spam, do a lookup in the ARIN database (whois.arin.net) to get
the netblock owner, and automatically forward a letter informing the netblock
owner that they have an open mail server in their netblock, with the actual spam
that was relayed through it accompanying the letter.
If enough people did this, anytime an open relay was used to relay spam,
the site would be deluged with automatic complaints and I bet we'd see them get
closed down a lot faster.
At any rate, you now have the tools to block significant sources of spam,
although I have noticed a trend more recently towards direct origination again.
I do, however, make an effort to contact those sites and, if I don't get a
reasonable response, shut them down.
Also, a note on rblcheck: if you want to include other RBL services, you
can do so with the optional argument rblcheck -s <service>, where <service> is
the DNS zone of the RBL in question.