During my last shift on 15 Jan, I did a story on dealing with the image spam that I was getting on the little mail server I run at home. I got quite a few excellent responses to that story, so I wanted to summarize those and share them with our readers. My thanx to Steve, Dave, Tim, Alexander, Joanne, and John (I hope I didn't miss anyone).
dspam
Several people suggested looking at dspam. Some said they had given up on SpamAssassin and gone strictly with dspam. I've added dspam to the mix and mostly get pretty good results. The biggest problem I'm seeing with dspam is that it still doesn't detect some of the image spam that takes its text from legitimate sources on the internet. FuzzyOCR and some of the blacklists seem to catch most of these, but even after feeding all the false negatives back through dspam for training, some are still getting through. Having said that, I like dspam and will definitely keep it in the mix. I've had a suggestion (that I haven't tried yet) that I should run dspam outside of amavisd-new rather than from within it, which is how I am running it now.
clamav
Steve suggested I take a look at the clamav phish and scam rules from sanesecurity.com which can be found here. I haven't tried them out yet. If you do, let me know what you think.
greylisting
I didn't mention it, but I do, in fact, do greylisting using gld (readers also suggested postgrey and sqlgrey) in my postfix setup. Unfortunately, because most of the addresses that receive mail on my server are forwarded from elsewhere, and those other sites have already accepted the e-mail, greylisting is only moderately useful in my personal situation, but I recommend trying it out. I should also note that because I sometimes *want* to get spam and viruses at some of these e-mail addresses (including my isc.sans.org address), I turn off spam and virus filtering at these forwarding services. If your job (or hobby) doesn't include playing with malware, leaving that filtering turned on might save you from some of the problems that I've been seeing.
DNS blacklists
Several folks suggested the blacklists such as the Spamhaus sbl+xbl list. I actually have those configured in postfix, and I have the DNSBL SpamAssassin rules (25_uribl.cf) enabled. As with greylisting, the postfix use of the blacklists doesn't help if another MTA has already accepted the mail and is forwarding it to me, because postfix only sees the forwarder's IP; the SpamAssassin rules, however, still increase the score if they find listed source IPs in the Received: headers.
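For readers who haven't set this up, here is what the postfix side of a DNSBL check looks like in main.cf. This is an added example, not the configuration from my server; the zone name matches the sbl+xbl list mentioned above, and the restriction order is the usual one (permit local networks, refuse relaying, then consult the blacklist).

```conf
# main.cf (added example): reject SMTP clients listed in the Spamhaus sbl+xbl zone.
# Order matters: permit_mynetworks first so your own hosts are never blacklisted,
# reject_unauth_destination next so the server is never an open relay,
# and only then the DNSBL lookup on the connecting client's IP.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit
```

Note that reject_rbl_client looks up only the IP of the SMTP client that is talking to you. When a forwarding host has already accepted the message, that IP is the forwarder's, which is exactly why this check does little for forwarded mail; the earlier hops only show up in the Received: headers, where SpamAssassin's DNSBL rules can still score them.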
block dynamic IPs
This argument tends to take on the tone of a religious debate, and I'm not going to rehash it all here. Yes, I'm aware that most spambots seem to be infected home machines, and that if I rejected all mail from them and/or if ISPs blocked outbound e-mail from them, that would greatly reduce the problem. It would also punish people like me who have a domain website and e-mail (very low volume) hosted on my home system connected to the internet via cable modem. Having said that, some of the DNSBLs discussed above do, in fact, block e-mail from dynamic IP ranges. Also, as noted above, that isn't quite as useful in my particular case as it might be because of the forwarding.
block all gif images
One suggestion was to block all gif images (either block e-mail containing them or strip them from the e-mail). This is another suggestion I haven't tried and probably won't in the near future. There can certainly be some backlash and/or collateral damage with this one, but since I'm reading my e-mail as plain text, I wouldn't really miss most of those images. One reader reported some fallout because company logo gifs were getting dropped, so this person adjusted the rules to block only gifs over a certain size. Of course, if you drop gifs, what about jpegs? Other image types? Mis-identified image types?
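If you want to see what the blunt version of this looks like in postfix, the following is an added example (not something I run): a mime_header_checks table that rejects any message carrying a GIF part. Postfix header checks can reject or hold a message, but they cannot strip a single part out of it, and they cannot see the part's size, so the reader's "only gifs over a certain size" refinement needs a content filter rather than this table.

```conf
# main.cf (added example): apply a regexp table to the headers of every MIME part
mime_header_checks = pcre:/etc/postfix/mime_header_checks

# /etc/postfix/mime_header_checks (added example)
# Reject the whole message when any MIME part declares itself a GIF.
# Start with HOLD or WARN instead of REJECT to measure collateral damage first.
/^Content-Type:\s*image\/gif/    REJECT GIF images are not accepted here
```

Run postmap is not needed for pcre tables; postfix reads them directly. The caveat from the text still applies: a Content-Type header is whatever the sender wrote, so a mis-labelled image sails past this check, and every legitimate logo in a signature trips it.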
playing with SA scores for mailing lists
Finally, another reader commented that they were able to cut out some of the mailing list spam by some judicious playing with the scores assigned by SpamAssassin. This amounts to giving mail to the mailing list an initial negative score (assume that most mail to the list is not spam) and then giving it an additional higher score if the Bayes tests show it is likely to be spam (e.g., add back another few points if it hits on BAYES_95 or BAYES_99, etc.). As a result of discussions with this reader I joined the spamassassin-users list and have had to tweak some of my own scoring to deal with (half-)false positives on that list. Imagine, a mailing list that deals with a tool for assassinating spam might actually include samples of spam. Doh!
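Here is what that scoring trick looks like as SpamAssassin rules. This is an added example written for this summary, not the reader's actual rules; the list name and List-Id value (spam-tools.example.org) are made up, and the scores are starting points to adjust against your own false-positive rate. BAYES_95 and BAYES_99 are the stock Bayes rules, so the meta rule only needs Bayes to be enabled.

```conf
# local.cf (added example): trust a mailing list by default, but let Bayes take it back.

# A header rule that fires on mail delivered through the (hypothetical) list.
header   LIST_SPAMTOOLS        List-Id =~ /<spam-tools\.example\.org>/i
describe LIST_SPAMTOOLS        Mail delivered via the spam-tools mailing list
score    LIST_SPAMTOOLS        -3.0

# A meta rule that adds points back when Bayes is confident the list message is spam,
# so a sample posted to the list still ends up near the threshold instead of well below it.
meta     LIST_SPAMTOOLS_BAYES  (LIST_SPAMTOOLS && (BAYES_95 || BAYES_99))
describe LIST_SPAMTOOLS_BAYES  List mail that Bayes still scores as likely spam
score    LIST_SPAMTOOLS_BAYES  2.5
```

With these numbers a list message that hits BAYES_99 nets -0.5 from the pair instead of -3.0, so the rest of the rules decide. Check the file with spamassassin --lint after editing, and look at the X-Spam-Status header on a few list messages to confirm both rule names appear where you expect.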
Jim Clausing, jclausing ++at++ isc dot sans dot org
I will be teaching next: Malware Reverse-Engineering Challenge - Community SANS Seattle FOR610
Feb 6th 2007