Figuring out the value of all the spam fighting methods

From: Joey (JoeyWeb56.Net)
Date: Tue Jul 03 2007 - 09:40:21 CDT


Hello All,

 

As I'm sure everyone here does, we try to battle the overwhelming spam
situation daily. Now I'm trying to figure out, after several years of rules,
filters, lists and other crazy methods to battle the spam, what rules have
become stale or what lists are outdated (in-house lists). I do use
pflogsumm and get some information from that, however it's not accurate
enough per se to ensure that I'm not just dumping a bunch of CPU cycles in
the garbage.

 

I know I am aggressive in comparison to some people on the list with my
battle style, and we are pretty successful in blocking a TON of spam.

Our servers are pretty small in comparison to some of the bigger groups here
on the list, but we blocked 4.9 million messages last month, delivering about
473K messages which unfortunately still contain spam. My problem is that as the
email volume increases, filter lists/values grow and create a pretty big
overhead, eventually bringing the system to a crawl on a busy day (Dual
Xeon 2.4 server).

 

I have written many small scripts which help me manage and distribute my
filters to our 3 servers, and in that have made efforts to document reject
messages etc.

 

I have rules like these:

Client_access:

  gdynia.mm.pl 550 SPR-CA2-gdynia.mm.pl

  kabelbw.de 550 SPR-CA2-kabelbw.de

  versanet.de 550 SPR-CA2-versanet.de

  inter.net.il 550 SPR-CA2-inter.net.il

  (SPR for me means spam relay)

 

Header_checks:

   /^(To|From|Cc|Reply-To):.*uu02\.com/ REJECT Header TFCR 1999

   /^Subject:.*COMPLETE CREDIT CARD/ REJECT SubJect Rejected

   /^X-Mailer: MaxBulk.Mailer/ REJECT Spam Mailer Program 117

 

Body_checks:

This gets built from a huge list of domains that advertise in email. We put
multiple domain names on a line in order to reduce the processing time,
and we identify each line with a different number so we can figure out what
domain name caused the reject, like below:

/\b(?:(?:\=[[:xdigit:]]{2})+|:\/\/||=40|\.)?(?:zzzworldmeds(?:\.|=2e)com)\b/ REJECT CONTENT REJECTED-LINED1583

 

At the firewall level:

We use CIDR block lists updated daily, which then update small DBs, and we
document that like so:

Jul 3 10:30:54 saturn kernel: SPAM-BLOCK-CIDR-ASIAN IN=eth0 OUT= MAC=00:03:47:c9:87:40:00:e0:1e:cd:e1:23:08:00 SRC=124.160.91.223 DST=108.234.15.17 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=22358 DF PROTO=TCP SPT=8872 DPT=25 WINDOW=58944 RES=0x00 SYN URGP=0

 

We do things like freemail_access, versign_hijack and just a ton of stuff.

My dilemma is how I can measure what's a waste and what's worth keeping.

Though pflogsumm is great, it doesn't really tell me that body_checks works
great for 400 domains but the other 32K domains in the list are a waste, or
that header_checks is a waste of time, etc.

Yes, all of these do get blocks, and the combination makes the whole thing work
pretty well, but what methods can I use to figure out how to value what I'm
doing?

 

For those of you who are thinking that all those small scripts and all that
maintenance are a lot of work: it is some work, however once everything is
in place it's not that bad. And yes, it's aggressive, but imagine that
pflogsumm says 2 out of 3 servers are blocking 89% of the messages and I
personally still get over 20 junk messages a day, and still have clients
complaining about SPAM regularly.

 

So the main question is still: how do I weigh everything I am doing and cut
out the waste, so that we can add newer methods and not crash our server?
I'm sure many of you deal with this as well, and I figured someone would
have some ideas.

 

THANKS if you have read all the way to here!

Joey
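An added example (not from Joey's post or from pflogsumm) of the measurement the post asks for: count how often each reject tag shows up in the mail and kernel logs, then compare that against the tags configured in the access and check maps so rules that never fire stand out as removal candidates. The log lines and map excerpts are constructed, and Postfix's exact reject wording varies by version, so the three patterns are assumptions to adjust to your own logs.

```python
import re
from collections import Counter

# Constructed sample log: one iptables LOG line plus Postfix smtpd/cleanup rejects, roughly syslog-shaped, tags as in the post.
SAMPLE_LOG = """\
Jul  3 10:30:54 saturn kernel: SPAM-BLOCK-CIDR-ASIAN IN=eth0 OUT= MAC=00:03:47:c9:87:40:00:e0:1e:cd:e1:23:08:00 SRC=124.160.91.223 DST=108.234.15.17 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=22358 DF PROTO=TCP SPT=8872 DPT=25 WINDOW=58944 RES=0x00 SYN URGP=0
Jul  3 10:31:02 saturn postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 Client host rejected: SPR-CA2-gdynia.mm.pl; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<x>
Jul  3 10:31:09 saturn postfix/cleanup[4720]: 1A2B3C: reject: header Subject: COMPLETE CREDIT CARD OFFER from unknown[198.51.100.7]; from=<c@example.org> to=<d@example.net> proto=ESMTP helo=<y>: SubJect Rejected
Jul  3 10:31:15 saturn postfix/cleanup[4720]: 2B3C4D: reject: body http://zzzworldmeds.com/ from unknown[203.0.113.5]; from=<e@example.org> to=<f@example.net> proto=ESMTP helo=<z>: CONTENT REJECTED-LINED1583
Jul  3 10:31:20 saturn postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.7.1 Client host rejected: SPR-CA2-gdynia.mm.pl; from=<g@example.org> to=<h@example.net> proto=ESMTP helo=<w>
"""
# Constructed excerpts of the maps, in the post's own layout.
ACCESS_MAP = "gdynia.mm.pl 550 SPR-CA2-gdynia.mm.pl\nkabelbw.de 550 SPR-CA2-kabelbw.de\n"
CHECK_MAP = ("/^Subject:.*COMPLETE CREDIT CARD/ REJECT SubJect Rejected\n"
             "/^X-Mailer: MaxBulk.Mailer/ REJECT Spam Mailer Program 117\n")

# smtpd: the tag is the reject text after the SMTP (and optional enhanced) code, e.g. "550 5.7.1 Client host rejected: TAG;".
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: \S+: reject: .*?: \d{3} (?:\d\.\d\.\d )?(?:[^;:]*: )?(?P<tag>[^;]+);")
# cleanup (header_checks/body_checks): the REJECT text is the last ": "-separated field.
CLEANUP_RE = re.compile(r"postfix/cleanup\[\d+\]: \S+: reject: (?:header|body) .*: (?P<tag>[^:]+)$")
# iptables --log-prefix sits right after "kernel:".
KERNEL_RE = re.compile(r"kernel: (?P<tag>\S+) IN=")

def count_rejects(lines):
    """Map each reject tag to how many messages/connections it blocked."""
    counts = Counter()
    for line in lines:
        for pattern in (SMTPD_RE, CLEANUP_RE, KERNEL_RE):
            m = pattern.search(line)
            if m:
                counts[m.group("tag").strip()] += 1
                break
    return counts

def configured_tags(access_map, check_map):
    """Tags from an access map ('host 550 TAG') and a check map ('/re/ REJECT TAG')."""
    tags = set()
    for line in access_map.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            tags.add(parts[2].strip())
    for line in check_map.splitlines():
        m = re.match(r"/.*/\s+REJECT\s+(.+)$", line.strip())
        if m:
            tags.add(m.group(1).strip())
    return tags

def stale_rules(tags, counts):
    """Configured rules that never fired in the log window: removal candidates."""
    return {t for t in tags if counts[t] == 0}
```

Run it over a month of logs with `count_rejects(open("/var/log/mail.log"))` and feed the real maps to `configured_tags`; a rule's hit count per CPU cost is then the figure to rank by, and body_checks lines with a zero count are the ones to prune first.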