Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Karsten M. Self kmself@ix.netcom.com
Tue Feb 10 15:45:27 PST 2004


on Tue, Feb 10, 2004 at 01:13:14AM +0000, Phil Mayers (p.mayers@imperial.ac.uk) wrote:
> On Mon, Feb 09, 2004 at 02:28:34PM -0800, Karsten M. Self wrote:
> > 
> > You can't prevent errors (fail-proof).
> > 
> > You *can* make errors evident, and offer an alternative (fail-safe).
> > 
> > In an environment in which the do-nothing alternative already breaks --
> > your users can't sort through spam, trigger viruses, lose legitimate
> > mail; your mailservers can't handle the load -- then the alternative of
> > taking some really wicked swipes at the problem is preferred.  Look at
> > my recently posted spam-by-ASN plots.  I can kill 25% of my spam, cold,
> > by blocking several major networks from which I personally see zero
> > legitimate traffic, to an arbitrary number of nines.  By several, I mean
> > six to ten.  That's a really cheap first cut at the problem.
> 
> Hear, hear. More to the point, AS numbers and the infrastructure to
> support them are finite and non-trivial resources to deploy. By
> blocking a spammer's AS, therefore reducing its value, you directly
> attack the economic reasons for spam i.e. spam is cheap. Getting a
> whole new ASN is cheap, but only so many times. Getting an ISP that
> filters your AS from the AS path is not especially hard, but then that
> ISP finds itself blocked, rather than their evil customer. Moving ISPs
> is only cheap until your business is so troublesome as to have a
> premium.
> 
> The irony is that I can see a business for floating homing coming up
> using e.g. rapidly-rerouted IPSec tunnels and NAT. Packet anonymisers
> - it's Cryptonomicon, but for the *bad guys*...

Any mouse will tell you that having more than one end to your hole is
good.  But you still need an end to your hole.  And it still needs to be
on somebody's network.  And dollars to doughnuts says that that network
is going to be one with a piss-poor abuse response and containment
policy.

I've been reading NANAE closely for the past month and some.
Appearances are that spammers are already doing this -- tunneling spam
through arbitrary networks over arbitrary ports through open proxies and
RATed[1] systems.

But "cyberspace" is still rooted in meatspace.  Those boxes exist
somewhere.  And on someone's network.  An ASN is identified by its
identifier, border routers, and peers.  For a riddled ASN, you firewall
it completely (if it's fully bad traffic), or throttle it half to death
(if you can't lose everything but want to make its abusers' life
difficult) if you can't for business or political reasons.


> I would love to be able to kick illegitimate ASNs from our network
> entirely by firewalling. Sadly, I work in an academic environment,
> where people are rather more vocal about freedoms etc. to use systems,
> which is fair as indirectly they pay my salary (having said that,
> they're pretty vocal about their freedoms to email everyone in the
> address book with a 200kb work document, so maybe I'm cutting them
> more slack than I should be).

s/work/MS Word/  ?

Don't confuse information (DNBLs, spam classifier scores, local white
and blacklists) with disposition.

Use the information regarding an email or network connection to choose an
action.  Make the action fit your needs.  Rejecting the mail / dropping
the link is one option.  Raising spammer costs / disrupting the remote
abusive network by drawing out connections, forcing retransmits, and/or
rate-throttling bits is another.  And these aren't the only options.

If your paymasters require you retain some open links to China, make
those links slow, controlled, and sufficiently pinched as to not
adversely impact the rest of your operations.


> On the other hand, we're upgrading our SpamAssassin shortly and our
> security officer is getting twitchy about newer SA versions querying
> the various DNS BLs.
> 
> "But they're well dodgy! It's all bearded free software freaks."

Rats.  I shaved this morning....



> Politically it's a very interesting point. Paul Vixie was recently
> asked on nanog if he thought a "Fortune 1000" network, the eventual
> result of a "known, trusted sources only" policy like Yahoo's stamp
> thing, was good. He replied something to the effect of:
> 
> "Well, we're going to have that anyway, which is fine with me. I don't
> have any friends who use Yahoo."
>
> How uncomfortable do you feel telling people "Oh, you're on Yahoo. I
> won't be able to get email from you because I didn't let the fascist
> overlords of the Commercial Internet co-opt me."
> 

From an "email acceptance policy" from a TMDA user I've been sparring
with:

    http://paradigm-omega.com/email_policy.php


    Email Policy

    - We do not accept email from free web based sources (hotmail,
      yahoo, etc.) except by prior arrangement.

    - We do not accept mail from domains that are frequently forged by
      spammers (AOL, MSN, Earthlink, etc.) except by prior arrangement.

    - We do not accept HTML encoded email.

    - We do not accept any scripting or active content in email.

    - We do not accept any attachments, except gpg/pgp signatures in
      email.

    - We do not accept email from rogue states.

    - We do not accept email from countries where we have determined it
      imprudent to do so.

    - We do not accept mail larger than 100K

    - All email deemed to be unsolicited commercial email is forwarded
      to appropriate block lists and anti-spam organizations for
      processing and to appropriate government agencies.

    - We maintain the standard postmaster and abuse addresses to deal
      with matters concerning the administration of our networks. These
      addresses use a modified challenge response system to prevent UCE
      from being sent to them. Those who respond to the autogenerated
      email get priority treatment. Mail sent to these addresses must
      be plain text with no attachment(s) other than digital signatures.
    - Should you have any difficulty reaching either postmaster or
      abuse, try paradigmomega@yahoo.com

    - We practice reciprocal address blocking (i.e., addresses blocking
      our email are, in turn, blocked by our domains).

    - We automatically and permanently block confirmed addresses that
      have sent us email containing viruses, trojans, worms and other
      malicious content.

    Our mail is protected by
    TMDA 
    SpamAssassin 

Note that this policy rejects mail from several large sources (Hotmail,
Yahoo, AOL, MSN, Earthlink), on the basis of *forgeries* claiming to
come from these domains.  I've got additional reasons for thinking the
author's a nut, but....


> I'm with Paul Vixie on this - all the people *I* want to talk to have
> co-los or good ISPs :o)

Hrm.  So ELNK's a good ISP?


Peace.

--------------------
Notes:

1.  Remote Access Trojans.  Apparently the preferred mode for
    distributing spam these days.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Backgrounder on the Caldera/SCO vs. IBM and Linux dispute.
      http://sco.iwethey.org/
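An added example, not part of Karsten's message or of Postfix itself, of the "information versus disposition" split in the message above: a minimal Postfix SMTPD policy-service decision that turns facts about a connection (client network, a classifier score) into one of several actions instead of a single reject. The network lists, the sample request and the `spam_score` input are constructed for illustration.

```python
"""Postfix SMTPD policy-service logic: information in, disposition out.

Postfix hands the policy service attribute=value lines ending in a blank
line and expects "action=<verb> [text]" plus a blank line back.
"""
import ipaddress

# Constructed sample data standing in for "riddled" networks/ASNs.
# A real deployment would derive these from routing data or DNSBL lookups.
BLOCK_NETS = [ipaddress.ip_network("203.0.113.0/24")]      # firewall completely
THROTTLE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # keep link, but pinched

# Constructed sample request in the Postfix policy-delegation format.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.7\n"
    "sender=someone@example.com\n"
    "\n"
)


def parse_policy_request(raw: str) -> dict:
    """Parse the attribute=value request; the first blank line ends it."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def decide(attrs: dict, spam_score: float = 0.0) -> str:
    """Map information (client network, classifier score) to a Postfix action.

    spam_score is an assumed extra input (e.g. from a content filter);
    Postfix itself does not send it in the policy request.
    """
    addr = ipaddress.ip_address(attrs.get("client_address", "0.0.0.0"))
    if any(addr in net for net in BLOCK_NETS):
        return "REJECT Client network not accepted here"
    if any(addr in net for net in THROTTLE_NETS) or spam_score >= 5.0:
        # DEFER_IF_PERMIT makes the remote side retry later: the link stays
        # open but the sender pays in retransmits rather than being cut off.
        return "DEFER_IF_PERMIT Slow down, try again later"
    return "DUNNO"  # no opinion; later restrictions decide


def policy_response(raw: str, spam_score: float = 0.0) -> str:
    """Build the reply written back to Postfix for one request."""
    return "action=%s\n\n" % decide(parse_policy_request(raw), spam_score)
```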