Double Irony! (was Re: [linux-elitists] ruben's stupid filter)

Marc MERLIN marc@merlins.org
Sun Mar 24 07:17:01 PST 2002


On Sun, Mar 10, 2002 at 11:51:30AM -0600, Mr. Bad wrote:
>     KMS> SA tagged the message as spam and my procmail autoreporting
>     KMS> rules (set to trigger at a threshold of 10, not SA's default
>     KMS> "5 and you're spam" threshold) sent the mail to his
>     KMS> employer's NOC.
> 
> So, I got to say, I really, really, really hate this auto-reporting
> white-list challenging crap. It's goddamned rude to your absolutely
> legitimate correspondents.
(...) 
 
Yep, I definitely agree with you here.
Challenging, I *could* maybe deal with depending on the situation (who I'm
Emailing and so forth).
Auto-reporting or semi-auto reporting, I'm getting really tired of.

For that matter, Karsten and I have had this discussion twice already, even
though he usually knows what he's  doing he's already twice reported spam to
me (through svlug and sourceforge) because the machines were in the received
headers (mailing list)
Karsten has some clue, so that tells you about people who don't have one,
and still try to use auto-reporting tools.
I'm getting very tired of auto reporting  because it accuses _me_ and I have
to spend my time to say/prove that I'm innocent. Fuck that!
 
On Wed, Mar 13, 2002 at 07:57:07PM -0800, Dan Wilder wrote:
> If only somebody could somehow get the clue-by-four to the head
> of Seattle consultant Julian Haight * and his spamcop.net effort **
> including its regrettable presence on sourceforge ***.  Or better
> yet, his users.  Sad to say, the clueless responses you describe
> below, to your own writings on related matters, seem to carry
> the day.
 
Ahah, spamcop. The  system isn't all that  bad, but enough of  its users are
definitely.
I've had  to deal with  them countless times,  and they already  have marked
sourceforge.net as a  domain that should never get  reports anymore, because
we were getting just too many errors.

The  part  that annoys  me  the  most  is  that their  "spamvertised  sites"
checkboxes are enabled by default, which means that any moron that sends a
spam with a URL pointing to  sourceforge.net, or slashdot, or whatever, ends
up as a report in my mailbox.

I've complained  loudly to the spamcop  folks about this, and  at least they
are listening and have made some changes to severely limit the amount of bad
reports I  get, but those  spamvertised website  boxes are still  checked by
default unfortunately.
 
> Complaints may also go to all of your listed contacts and the
> listed contacts of your upstream provider.  At least they have
> for us, for example in response to the mention of our "spamvertised 
> website www.linuxjournal.com" in the (obviously abusive) traffic of
> one California LUG.
 
Yep, yep, my  point exactly. Please Email Julian and tell  him that it's not
acceptable  that  you  have  to  set  www.linuxjournal.com  as  an  innocent
bystander, even once.
Enough people have to tell him that.

If you respond  to spamcop complaints, also  make sure to reply  to the spam
and Cc  appeals@spamcop.net, if you should  never have gotten the  report in
the first place,  tell them why, and ask  them to fix their shit  so that it
doesn't happen in  the future, on this  domain or one of the  other ones you
own.
 
On Sun, Mar 17, 2002 at 03:08:15AM -0800, Karsten M. Self wrote:
> There are different objectives for antispam measures.
> 
>   - For most people, it's probably to minimize the amount of spam that
>     sneaks into their inbox (or other filtered mailboxes).  This is one
>     of my objectives.
 
I'd like to believe that.
Not sure how true it is anymore. People who still read their abuse mail are
largely people who hardly ever spam, if at all.

> The problems have largely concerned not identifying spam, but
> identifying related/associated systems.  "Ricochet" is a good tool, but
> does require some tuning.  Spamassassin simply rocks.  Its false
> negative rate is low, its false positive rate lower.  Using a higher
> threshold for automated reporting means I largely don't have to deal
> with the issue of dealing with falsely reported spam, just getting the
> reports to the right place.
 
That's the problem. You should review  your reports carefully before sending
them, especially for every new domain you add to your report list.
In 2  of your 5  examples, it ended  up in my  mailbox, and I  wasn't happy,
because there are too many of you already.
 
If  you are  not willing  to  carefully inspect  the reports  you send,  you
shouldn't send any.
 
> I'm impressed that most mainstream ISPs seem to have pretty decent
> automated spam mitigation in place.  I'm not saying they're solving the
> problem, but I tend to see a pattern of responses:
> 
>   - Automated "we received your message and are investigating, don't
>     expect any further response" messages from majors (Yahoo, MSN,
>     UUNET, etc.).
 
Can be translated as:
"We receive lots of reports, 3/4th aren't  for us and were sent to us anyway
damnit! so  we don't bother  answering anymore. We may quickly  eyeball your
report, and should it actually be correct,  we may have a look, but we can't
spend our time answering all these useless reports anymore"
 
>   - Variations on "undeliverable/failed mail", often from Asian ISPs,
>     though far too common elsewhere, for abuse@ and postmaster@
>     addresses.  These get manually forwarded to

My exim callbacks on sourceforge.net simply refuse mail from any domain that
isn't willing to accept mail back for  postmaster@ (I can't tell if the mail
would actually get accepted, but at least I took care of basic bounces)

>   - Occasionally, mail suggesting that spam from a domain is my problem,
>     not theirs, and unless I jump through various hoops (modifications,
>     additions, or removals of header formatting, attachment formats, GPG
>     signatures, etc.), my mail won't be addressed.  I respond that if

Ah, so people have to go through your challenges, but you won't go through
theirs. I see.


On Sun, Mar 10, 2002 at 03:49:37PM -0800, Dan Wilder wrote:
> On the other hand, autoreporting can (and does) get out of hand.
> 
> Autoreporting is much more likely to affect stable organizations,
> where it troubles honest postmasters with false positives,

Yes, thank you.

> I have in the past blacklisted sites which originate excessive 
> false or frivolous autoreports.  I will do so in the future.
> Such nuisance mail is itself little better than spam.  
 
Amen brother.
 
All that said, because sourceforge.net has been spammed a lot lately, and we
(admins) are getting a lot of flak from our users, even though we're not the
people who sent  the spam (it was  simply relayed through a  mailing list or
your users.sf.net alias), I'm really considering putting spamassassin in the
MTA, and bouncing at SMTP time messages with scores of 8 or more.
I think the bounce will contain instructions  on how to add a special header
to resubmit the message if it really wasn't spam. Not perfect, but it's true
that it's a balance and a game of numbers.

Marc
-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
  
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key
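
Added example, not part of the original message or of any tool named in it: a sketch of report-target selection that avoids the misreport described above, where a list server ends up accused because it appears in the Received headers. The hostnames, addresses, relay list and function names are assumptions constructed for illustration; the threshold of 10 is the one quoted in the thread.

```python
import email
import re

# Constructed sample: spam that reached the recipient through a mailing list.
# Hostnames are placeholders; addresses come from the RFC 5737 documentation ranges.
RAW = (
    "Received: from lists.example.org (lists.example.org [192.0.2.10])\n"
    "\tby mx.recipient.example with ESMTP; Sun, 10 Mar 2002 11:00:05 -0800\n"
    "Received: from mail.list-host.example (mail.list-host.example [192.0.2.20])\n"
    "\tby lists.example.org with ESMTP; Sun, 10 Mar 2002 11:00:03 -0800\n"
    "Received: from unknown (HELO friendly.example.net) (203.0.113.77)\n"
    "\tby mail.list-host.example with SMTP; Sun, 10 Mar 2002 11:00:01 -0800\n"
    "Received: from forged.example.com (forged.example.com [198.51.100.5])\n"
    "\tby friendly.example.net with SMTP; Sun, 10 Mar 2002 10:59:00 -0800\n"
    "X-Spam-Status: Yes, hits=12.4 required=5.0\n"
    "Subject: constructed sample\n\nbody\n"
)
LOCAL_MX = "mx.recipient.example"
# IP -> name of relays that merely forwarded the mail (list servers, aliases).
LIST_RELAYS = {"192.0.2.10": "lists.example.org", "192.0.2.20": "mail.list-host.example"}
HOP = re.compile(r"from\s+\S+.*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bby\s+(?P<by>\S+)", re.S)

def injection_point(msg, local_mx, relays):
    """Return the IP that handed the mail to the first trusted relay, or None."""
    believed = {local_mx}                     # hosts whose Received stamps we trust
    for hdr in msg.get_all("Received", []):   # newest hop first
        m = HOP.search(hdr)
        if not m or m.group("by") not in believed:
            return None                       # unparsable or stamped by an untrusted host
        if m.group("ip") in relays:
            believed.add(relays[m.group("ip")])
            continue                          # a forwarder, never a report target
        return m.group("ip")                  # older headers are forgeable: stop here
    return None

def report_plan(raw, local_mx=LOCAL_MX, relays=LIST_RELAYS, threshold=10.0):
    msg = email.message_from_string(raw)
    m = re.search(r"hits=(-?[\d.]+)", msg.get("X-Spam-Status", ""))
    score = float(m.group(1)) if m else 0.0
    target = injection_point(msg, local_mx, relays) if score >= threshold else None
    # Nothing is sent automatically: a candidate is only queued for a human to check.
    return {"score": score, "target_ip": target,
            "action": "queue_for_review" if target else "ignore"}

if __name__ == "__main__":
    print(report_plan(RAW))
```

With an empty relay list the same function returns the list server's own address as the target, which is the false report the message complains about.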


