Double Irony! (was Re: [linux-elitists] ruben's stupid filter)

Karsten M. Self kmself@ix.netcom.com
Sun Mar 17 03:08:15 PST 2002


on Sun, Mar 10, 2002, Mr. Bad (mr.bad@pigdog.org) wrote:
> >>>>> "KMS" == Karsten M Self <kmself@ix.netcom.com> writes:
> 
>     KMS> SA tagged the message as spam and my procmail autoreporting
>     KMS> rules (set to trigger at a threshold of 10, not SA's default
>     KMS> "5 and you're spam" threshold) sent the mail to his
>     KMS> employer's NOC.
> 
> So, I got to say, I really, really, really hate this auto-reporting
> white-list challenging crap. It's goddamned rude to your absolutely
> legitimate correspondents.

There are different objectives for antispam measures.

  - For most people, it's probably to minimize the amount of spam that
    sneaks into their inbox (or other filtered mailboxes).  This is one
    of my objectives.

  - A second, and IMO more ultimately effective objective, is to change
    the economics of sending (or hosting or otherwise supporting) spam.
    This is where my autoresponders come in.

In approximately two months' use, I've received somewhat more than 2,000
spam messages between work and home.  I've had issues with:

  - debian mailing lists (neglected to add debian.org to a reporting
    skip list).
  - svlug mailing list.
  - sas-l mailing list.
  - personal mail (previously described).
  - sourceforge.net email account.

...the first three issues surfaced within the first 24 hours of using
the new filter/response rules.  The last occurred last week, as the
result of a mailing to an (infrequently used) sourceforge account.

The problems have largely concerned not identifying spam, but
identifying related/associated systems.  "Ricochet" is a good tool, but
does require some tuning.  Spamassassin simply rocks.  Its false
negative rate is low, its false positive rate lower.  Using a higher
threshold for automated reporting means I largely don't have to deal
with the issue of dealing with falsely reported spam, just getting the
reports to the right place.

The result:  I have a well-known, publicly available, searchable email
address.  People can find me.  I don't have to hide behind mutated email
addresses, double-act reply mechanisms (I was just hit by one of these
when reporting a security issue to a mainstream GNU/Linux distribution,
sad...), or other crud.

At the same time, anyone who spams me has < 2 minutes (my email poll
interval) to get their list out on the 'Net before they're reported by
me.  That's a 2 minute TTL.  Even qmail and postfix can only crank so
many messages an hour, and if the ISPs start getting into the act to
shut down relays or upstreams on the influx of a massive (or trusted)
alert, much of the economics of spam will disappear.  As it is, users of
distributed reporting schemes such as Razor are assured that their
filtering database is being updated realtime.



> The problem is that any auto-reply or challenge makes me jump through
> some kind of hoop just because *your* spam filters are not smart
> enough to tell the difference between my worthwhile mail and some
> UCE. 

Um.  If you're saying what I think you're saying, you're not reading
what I think I'm writing.

My autoresponder is a system that *cans spam* by sending notifications
to upstream providers, reporting systems (e.g.:  Razor), and our
everlovin' freely bought government.

Everything else gets filtered through to where it should go.  The odd
<1% false positive spams usually get dug out pretty quickly.  There's
**no** additional cost to the vast majority of my correspondents.

The people who *do* get an additional load are upstreams who pass spam
through their systems.  I've conceded that mailing lists should probably
be excepted, and add them to my skip list.  But I'm coming to the point
of feeling that the excuses for _not_ running SA on such services are
going to be wearing thin in the not-too-distant future, and the cost of
doing so (and avoiding dealing with recipient spam backlash) is likely
lower than the cost of processing spam complaints from listmembers.

I'm impressed that most mainstream ISPs seem to have pretty decent
automated spam mitigation in place.  I'm not saying they're solving the
problem, but I tend to see a pattern of responses:

  - Automated "we received your message and are investigating, don't
    expect any further response" messages from majors (Yahoo, MSN,
    UUNET, etc.).

  - Action summaries, generally from smaller ISPs (e.g.:  we've
    terminated the account).

  - "Thank you" messages, also generally from smaller ISPs.

  - Variations on "undeliverable/failed mail", often from Asian ISPs,
    though far too common elsewhere, for abuse@ and postmaster@
    addresses.  These get manually forwarded to
    submit-abuse@rfc-ignorant.org or submit-postmaster@rfc-ignorant.org, as
    appropriate (http://www.rfc-ignorant.org/).  I've updated the
    rant-o-matic / vfam with an "rfc-ignorant" message that's also
    forwarded to a functioning (if any) address at the domain, though
    this update hasn't yet been uploaded to:

        http://kmself.home.netcom.com/Download/rant-o-matic.tar.gz

  - Occasionally, mail suggesting that spam from a domain is my problem,
    not theirs, and unless I jump through various hoops (modifications,
    additions, or removals of header formatting, attachment formats, GPG
    signatures, etc.), my mail won't be addressed.  I respond that if
    they won't handle my mail, I won't handle theirs, and I believe that
    leaves us even.  The sites also get reported to appropriate listing
    services corresponding to their spam policies or access to
    RFC-required addresses.



> Admittedly, the kind of language recognition that would be able
> decisively and without fail to detect spam is astronomically hard. But
> that still doesn't make it right for *me* to have to pay the price for
> their failure or indecision.

Try spamassassin, MrBad.

Digression.

I've picked a number of tools up over time.  GNU/Linux.  Mutt.  Bash.
SSH.  Debian.  WindowMaker.  Exim.  W3M.  Galeon.  Screen.
Spamassassin.

Each of these shares a common trait:  they replaced another solution
with which I'd previously been quite familiar and relatively
satisfied.  Well, except for GNU/Linux (I'd been running WinNT4.0WS).  But
despite that, each of these is a tool that I tried out, realized it
_didn't_ suck, and really rocked my world.

  - GNU/Linux replaced WinNT and a patchwork of 'Nix-on-NT products I'd
    tried but been unsatisfied with.

  - Mutt replaced Netscape mail.

  - Bash replaced Korn shell (replaced csh, replaced sh...).

  - SSH replaced, well, I'm embarrassed to say.

  - Debian replaced Redhat.

  - WindowMaker replaced fvwm2 (after trying pretty damned much
    everything else, from twm to mwm to VUE to CDE to GNOME and KDE,
    Blackbox, Sawfish, E, etc., etc....).

  - Exim.  Sendmail.

  - W3M:  Lynx.

  - Galeon:  Netscape (PoS) and Mozilla (great guts, but I hate its
    face).

  - Screen:  didn't really replace anything, but I couldn't live without
    it now.

  - Spamassassin:  my own procmail antispam recipes carefully crafted
    over years.



> It's asinine of you to put the time cost that your spam incurs into
> *my* ledger. 

I don't.  I agree with your sentiment.  However, don't accuse me of what
I'm not doing.


> It'd be much, much better for you just to flag suspicious messages and
> put them in a slops bucket folder that gets checked and cleared out
> once a week. 

See "Objectives", above.

> P.S. I apologize to anyone who's already seen this rant in one form or
> the other. I've sent it out like 6 times this week. Half the time I
> get back messages that completely miss the point, saying, "But spam is
> really bad!" No shit, sherlock@holmes.com. So is being a rude asshole
> to everyone who's writing email to you.

You can replace it with the far more succinct:

    $ apt-get install spamassassin

;-)

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
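
The two-threshold arrangement described in this message (SpamAssassin's default of 5 to file mail as spam, a separate threshold of 10 before anything is auto-reported, and a skip list for relaying systems such as mailing lists) can be sketched as follows. This is an added example, not the author's procmail rules or rant-o-matic; the header parsing, function names, sample messages and the `lists.example.org` entry are assumptions.

```python
import re
from email import message_from_string

FILTER_THRESHOLD = 5.0    # SpamAssassin's default threshold, as quoted in the post
REPORT_THRESHOLD = 10.0   # the post's higher bar for automated reports
# Constructed skip list: debian.org and sourceforge.net are named in the post,
# lists.example.org is a placeholder.
SKIP_DOMAINS = ("debian.org", "sourceforge.net", "lists.example.org")
_SCORE = re.compile(r"\b(?:hits|score)=(-?\d+(?:\.\d+)?)")  # SA 2.x "hits=", 3.x "score="
_HOST = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def spam_score(msg):
    """Return the score from X-Spam-Status, or None if absent or unparsable."""
    m = _SCORE.search(msg.get("X-Spam-Status", ""))
    return float(m.group(1)) if m else None

def handling_hosts(msg):
    """Hostnames of systems that relayed or redistributed the message."""
    hosts = set()
    for received in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", received)
        if m:
            hosts.add(m.group(1).lower())
    for name in ("List-Id", "Sender"):
        hosts.update(h.lower() for h in _HOST.findall(msg.get(name, "")))
    return hosts

def on_skip_list(host):
    return any(host == d or host.endswith("." + d) for d in SKIP_DOMAINS)

def classify(raw):
    """Return 'deliver', 'quarantine' (filed, nobody notified) or 'report'."""
    msg = message_from_string(raw)
    score = spam_score(msg)
    if score is None or score < FILTER_THRESHOLD:
        return "deliver"              # no score means no automated action
    if score < REPORT_THRESHOLD or any(map(on_skip_list, handling_hosts(msg))):
        return "quarantine"
    return "report"

# Constructed sample messages (not taken from the post).
SAMPLES = {
    "direct": "Received: from mail.bulk.example by mx.home.example\nX-Spam-Status: Yes, hits=14.2 required=5.0\n\nbuy now\n",
    "via_list": "Received: from relay.debian.org by mx.home.example\nList-Id: <debian-user.lists.debian.org>\nX-Spam-Status: Yes, hits=12.7 required=5.0\n\nbuy now\n",
    "borderline": "Received: from mail.bulk.example by mx.home.example\nX-Spam-Status: Yes, hits=6.1 required=5.0\n\nhmm\n",
    "ham": "Received: from mail.friend.example by mx.home.example\nX-Spam-Status: No, hits=0.3 required=5.0\n\nhi\n",
}
```

Spam that arrives through a skip-listed relay is still filed as spam; only the outbound report is suppressed, which is the failure the post describes with the debian, svlug and sourceforge mail.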
