9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] dealing with spam
@ 2009-01-08 19:55 John Floren
From: John Floren @ 2009-01-08 19:55 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Starting today, my account on my Plan 9 server has been getting tons
of "free coupons", "free Dell XPS", "Student loans!" spam, apparently
from one operator, since every domainname is in the form
<adjective><noun>.com or <noun><adjective>, like eggnavajo.com,
rosydeer.com, etc. It's so annoying that I may shut down my server for
a bit until I figure out what's up.

What are my options for getting rid of this? People who run Plan 9
mail servers, what do you do?
Thanks

John
--
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [9fans] dealing with spam
From: erik quanstrom @ 2009-01-08 20:23 UTC (permalink / raw)
  To: 9fans

On Thu Jan  8 14:59:57 EST 2009, slawmaster@gmail.com wrote:
> Starting today, my account on my Plan 9 server has been getting tons
> of "free coupons", "free Dell XPS", "Student loans!" spam, apparently
> from one operator, since every domainname is in the form
> <adjective><noun>.com or <noun><adjective>, like eggnavajo.com,
> rosydeer.com, etc. It's so annoying that I may shut down my server for
> a bit until I figure out what's up.
>
> What are my options for getting rid of this? People who run Plan 9
> mail servers, what do you do?
> Thanks

i have had trouble in the past, but my defensive measures
are now working better than the appliance that coraid uses,
at least with the current configuration.

this isn't meant to start a flame war, but my opinion is that
content-based spam filtering doesn't appear to work very
well.  my dad's email always gets flagged.  silly vendor spam
gets through just fine.

i've got a number of defensive measures.
1. -D.  just waiting for 10 seconds before doing anything
does a lot to slow spam down.  >50% of connectors to my
machine give up.

2. i also use a nupas smtpd which is quite strict
about helo.  the flags i use are "fqDn".  about 80%
of spam has a helo line with an invalid domain or
"localhost" or some such nonsense.  dropping this
mail helps a lot.

3. spf.  included in nupas is moderately helpful.
nupas includes the hooks for this in validatesender.

4. i sometimes cheat by using the -k option.  only
works with nupas smtpd.  this just drops connections
coming from certain ip addresses.  sometimes a range
will be too much trouble.

you can use the nupas smtpd without using the rest
of nupas, though you will need to use the nupas
validatesender.

- erik



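As an added illustration of the kind of syntactic HELO/EHLO check described in point 2 above (example code, not nupas's own smtpd or its validatesender): it accepts a fully qualified name or a bracketed RFC 2821 address literal and rejects bare labels, "localhost", unbracketed IP addresses and malformed labels. It does no DNS lookup, so the resolvability question raised later in the thread is outside its scope; the sample command lines are constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing
# hyphen, 1..63 characters (RFC 1035 syntax as used by RFC 2821).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Syntactically valid names that no legitimate remote sender announces.
BOGUS_HOSTS = {"localhost", "localhost.localdomain"}


def check_helo(arg):
    """Syntactic check of a HELO/EHLO argument; returns (accept, reason).

    Accepts a fully qualified domain name or an RFC 2821 address literal
    such as [192.0.2.10]. No DNS lookup is done: a well-formed name such
    as rosydeer.com passes whether or not it resolves, so this only
    removes the nonsense, as the post above says.
    """
    arg = arg.strip()
    if not arg:
        return False, "empty argument"
    if arg.startswith("[") and arg.endswith("]"):
        try:
            ipaddress.ip_address(arg[1:-1])
        except ValueError:
            return False, "malformed address literal"
        return True, "address literal"
    try:
        ipaddress.ip_address(arg)
    except ValueError:
        pass
    else:
        return False, "bare IP address must be bracketed"
    if arg.lower() in BOGUS_HOSTS:
        return False, "bogus host name"
    if len(arg) > 255:
        return False, "name too long"
    labels = arg.rstrip(".").split(".")
    if len(labels) < 2:
        return False, "not fully qualified"
    for label in labels:
        if not LABEL_RE.match(label):
            return False, "bad label %r" % label
    if labels[-1].isdigit():
        return False, "numeric top-level label"
    return True, "fqdn"


# Constructed sample of HELO/EHLO command lines, not taken from any log.
SAMPLE_HELOS = [
    "EHLO mail.example.com",
    "HELO localhost",
    "EHLO [192.0.2.10]",
    "HELO 192.0.2.10",
    "EHLO rosydeer",
    "EHLO bad_host.example.com",
]


def triage(lines):
    """Split command lines into (accepted, rejected) lists of (arg, reason)."""
    accepted, rejected = [], []
    for line in lines:
        _verb, _, arg = line.partition(" ")
        ok, why = check_helo(arg)
        (accepted if ok else rejected).append((arg, why))
    return accepted, rejected
```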

* Re: [9fans] dealing with spam
From: Francisco J Ballesteros @ 2009-01-08 20:27 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Quite similar here.
Also, use the first MX in DNS as a trap for those
that do not use the secondary, as suggested by Geoff, IIRC.


On Thu, Jan 8, 2009 at 9:23 PM, erik quanstrom <quanstro@coraid.com> wrote:
> On Thu Jan  8 14:59:57 EST 2009, slawmaster@gmail.com wrote:
>> Starting today, my account on my Plan 9 server has been getting tons
>> of "free coupons", "free Dell XPS", "Student loans!" spam, apparently
>> from one operator, since every domainname is in the form
>> <adjective><noun>.com or <noun><adjective>, like eggnavajo.com,
>> rosydeer.com, etc. It's so annoying that I may shut down my server for
>> a bit until I figure out what's up.
>>
>> What are my options for getting rid of this? People who run Plan 9
>> mail servers, what do you do?
>> Thanks
>
> i have had trouble in the past, but my defensive measures
> are now working better than the appliance that coraid uses,
> at least with the current configuration.
>
> this isn't meant to start a flame war, but my opinion is that
> content-based spam filtering doesn't appear to work very
> well.  my dad's email always gets flagged.  silly vendor spam
> gets through just fine.
>
> i've got a number of defensive measures.
> 1. -D.  just waiting for 10 seconds before doing anything
> does a lot to slow spam down.  >50% of connectors to my
> machine give up.
>
> 2. i also use a nupas smtpd which is quite strict
> about helo.  the flags i use are "fqDn".  about 80%
> of spam has a helo line with an invalid domain or
> "localhost" or some such nonsense.  dropping this
> mail helps a lot.
>
> 3. spf.  included in nupas is moderately helpful.
> nupas includes the hooks for this in validatesender.
>
> 4. i sometimes cheat by using the -k option.  only
> works with nupas smtpd.  this just drops connections
> coming from certain ip addresses.  sometimes a range
> will be too much trouble.
>
> you can use the nupas smtpd without using the rest
> of nupas, though you will need to use the nupas
> validatesender.
>
> - erik
>
>




* Re: [9fans] dealing with spam
From: erik quanstrom @ 2009-01-08 20:31 UTC (permalink / raw)
  To: 9fans

On Thu Jan  8 15:28:26 EST 2009, nemo@lsub.org wrote:
> Quite similar here.
> Also, use the first MX in DNS as a trap for those
> that do not use the secondary, as suggested by Geoff, IIRC.
>
>

lots of spammers used to prefer the secondary.
this is because it's hard to check email on a secondary
server.  i wonder if this is still the case.

- erik




* Re: [9fans] dealing with spam
From: Steve Simon @ 2009-01-08 20:34 UTC (permalink / raw)
  To: 9fans

I will go with erik on this.

I am using the standard smtpd with -D and the greylisting,
and also a modified validatesender which probably qualifies as an
earlier incarnation of erik's (he sent me the code before nupas
was finished and I hacked it a bit).

I get 1 or 2 spams a day.

I plan to try nupas as soon as I get a timeslot.

-Steve




* Re: [9fans] dealing with spam
From: erik quanstrom @ 2009-01-08 20:49 UTC (permalink / raw)
  To: 9fans

> I am using the standard smtpd with -D and the greylisting,
> and also a modified validatesender which probably qualifies as an
> earlier incarnation of erik's (he sent me the code before nupas
> was finished and I hacked it a bit).

/n/sources/contrib/quanstro/src/nupas/bits/validatesender

- erik




* Re: [9fans] dealing with spam
From: Kenji Arisawa @ 2009-01-08 23:14 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Hello,

I am using this one: http://plan9.aichi-u.ac.jp/spamfilter/
which is working quite comfortably for me.

Kenji Arisawa

On 2009/01/09, at 5:49, erik quanstrom wrote:

>> I am using the standard smtpd with -D and the greylisting,
>> and also a modified validatesender which probably qualifies as an
>> earlier incarnation of erik's (he sent me the code before nupas
>> was finished and I hacked it a bit).
>
> /n/sources/contrib/quanstro/src/nupas/bits/validatesender
>
> - erik
>





* Re: [9fans] dealing with spam
From: erik quanstrom @ 2009-01-08 23:43 UTC (permalink / raw)
  To: 9fans

> I am using this one: http://plan9.aichi-u.ac.jp/spamfilter/
> which is working quite comfortably for me.

i found this bit interesting:

	Some mail server's IPs are a little different from the IPs obtained
	using DNS query. For example, I observed

 	   Received: from coraid.com ([12.51.113.4]) by ar; Sat Nov 22 07:55:40 JST 2008

	However

	ar% ndb/dnsquery
	> coraid.com
	coraid.com ip   12.51.113.3

/lib/rfc/rfc2821 §3.6 says that EHLO domains must be resolvable.
i don't think it says that the EHLO domain must match
the reverse lookup of the connecting machine's ip.  in fact
the examples given seem to use a domain where one would
expect a host within the domain.

on the other hand, from this perspective saying "coraid.com"
when in fact you are baron.coraid.com is a bit fishy.

is there some concrete reason this is wrong or is it really
a grey area?

- erik




* Re: [9fans] dealing with spam
From: john @ 2009-01-10 19:41 UTC (permalink / raw)
  To: 9fans

> On Thu Jan  8 14:59:57 EST 2009, slawmaster@gmail.com wrote:
>> Starting today, my account on my Plan 9 server has been getting tons
>> of "free coupons", "free Dell XPS", "Student loans!" spam, apparently
>> from one operator, since every domainname is in the form
>> <adjective><noun>.com or <noun><adjective>, like eggnavajo.com,
>> rosydeer.com, etc. It's so annoying that I may shut down my server for
>> a bit until I figure out what's up.
>>
>> What are my options for getting rid of this? People who run Plan 9
>> mail servers, what do you do?
>> Thanks
>
> i have had trouble in the past, but my defensive measures
> are now working better than the appliance that coraid uses,
> at least with the current configuration.
>
> this isn't meant to start a flame war, but my opinion is that
> content-based spam filtering doesn't appear to work very
> well.  my dad's email always gets flagged.  silly vendor spam
> gets through just fine.
>
> i've got a number of defensive measures.
> 1. -D.  just waiting for 10 seconds before doing anything
> does a lot to slow spam down.  >50% of connectors to my
> machine give up.
>
> 2. i also use a nupas smtpd which is quite strict
> about helo.  the flags i use are "fqDn".  about 80%
> of spam has a helo line with an invalid domain or
> "localhost" or some such nonsense.  dropping this
> mail helps a lot.
>
> 3. spf.  included in nupas is moderately helpful.
> nupas includes the hooks for this in validatesender.
>
> 4. i sometimes cheat by using the -k option.  only
> works with nupas smtpd.  this just drops connections
> coming from certain ip addresses.  sometimes a range
> will be too much trouble.
>
> you can use the nupas smtpd without using the rest
> of nupas, though you will need to use the nupas
> validatesender.
>
> - erik


Ok, so a couple questions:

1.  What do I need to do in order to drop nupas into my system?

2.  If I update /mail/lib/blocked, do I have to restart smtpd in order
to get the changes?

3.  What's the best way to restart smtpd?



John





* Re: [9fans] dealing with spam
From: erik quanstrom @ 2009-01-10 19:50 UTC (permalink / raw)
  To: 9fans

> 2.  If I update /mail/lib/blocked, do I have to restart smtpd in order
> to get the changes?
>
> 3.  What's the best way to restart smtpd?

smtpd is not a daemon.  smtpd is started from listen.
so what you do is ... nothing.

> 1.  What do I need to do in order to drop nupas into my system?

1.  copy /n/sources/contrib/quanstro/src/nupas to your system.
at coraid, this source lives at /sys/src/cmd/upas.
2.  "mk install". this will install into /$objtype/bin/nupas by default.
there's a stub mkfile (mkupas) at the top level that you can edit to
install it elsewhere.
3.  take a look at the files in nupas/bits.  you'll want to update
validatesender.

i went to a lot of trouble to be as compatible as possible with the
old system.  so there's this wild theory that everything should
"just work".  ☺

- erik





* Re: [9fans] dealing with spam
From: john @ 2009-01-10 20:35 UTC (permalink / raw)
  To: 9fans

>> 2.  If I update /mail/lib/blocked, do I have to restart smtpd in order
>> to get the changes?
>>
>> 3.  What's the best way to restart smtpd?
>
> smtpd is not a daemon.  smtpd is started from listen.
> so what you do is ... nothing.

Looks like I just wasn't thinking about how listen works. This makes sense.

>
>> 1.  What do I need to do in order to drop nupas into my system?
>
> 1.  copy /n/sources/contrib/quanstro/src/nupas to your system.
> at coraid, this source lives at /sys/src/cmd/upas.
> 2.  "mk install". this will install into /$objtype/bin/nupas by default.
> there's a stub mkfile (mkupas) at the top level that you can edit to
> install it elsewhere.
> 3.  take a look at the files in nupas/bits.  you'll want to update
> validatesender.
>
> i went to a lot of trouble to be as compatible as possible with the
> old system.  so there's this wild theory that everything should
> "just work".  ☺
>
> - erik

If nupas gets installed to /$objtype/bin/nupas, what files will I need
to update to make sure everything uses nupas rather than the old
upas? I'm assuming stuff in the listen scripts, any references in my
profile, but anything else?

Thanks


John Floren





* Re: [9fans] dealing with spam
From: erik quanstrom @ 2009-01-10 20:57 UTC (permalink / raw)
  To: 9fans

> If nupas gets installed to /$objtype/bin/nupas, what files will I need
> to update to make sure everything uses nupas rather than the old
> upas? I'm assuming stuff in the listen scripts, any references in my
> profile, but anything else?

i didn't put this on sources because i thought it would be easier
for folks other than me to cut over cold-turkey.  i have a special
requirement to support both for a while.  this is what i use as
a ugly little shim for everything but listen:

	minooka; cat /bin/usenupas
	#!/bin/rc

	bind /$objtype/bin/nupas /bin/upas
	bind -b /$objtype/bin/nupas /acme/bin/$objtype

this is called from lib/profile.

instead of fighting with /rc/bin/service*/tcp25 and remotemail,
i copied the newsmtp* to /$objtype/bin/upas.  i didn't want to
have a large pile of things to undo later.

if you use imap4d, you'll also need to make arrangements for
it in /rc/bin/service*/tcp^(143 993).

this is what i use:
	#!/bin/rc

	switch($sysname){
	case *
		l=imap4
		im=(/bin/nupas/imap4d -b /bin/nupas -vl$l)
		d=coraid.com
	}
	exec tlssrv -c/sys/lib/ssl/imap.pem -limap4d.tls -r`{cat $3/remote} \
		$im -pd$d -r`{cat $3/remote}>[2]/sys/log/$l


- erik





* Re: [9fans] dealing with spam
From: John Floren @ 2009-01-13 23:36 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Thu, Jan 8, 2009 at 2:55 PM, John Floren <slawmaster@gmail.com> wrote:
> Starting today, my account on my Plan 9 server has been getting tons
> of "free coupons", "free Dell XPS", "Student loans!" spam, apparently
> from one operator, since every domainname is in the form
> <adjective><noun>.com or <noun><adjective>, like eggnavajo.com,
> rosydeer.com, etc. It's so annoying that I may shut down my server for
> a bit until I figure out what's up.
>
> What are my options for getting rid of this? People who run Plan 9
> mail servers, what do you do?
> Thanks
>
> John
> --
> Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn
>

I have not yet gotten around to setting up nupas, but I figured I'd
try populating /mail/lib/blocked a bit since it is easy, and a lot of
the spam seems to come from erewards@<foo>
However, after putting the line "*block	*!erewards*" into blocked, I
still keep getting spam from "erewards" at various servers. What's up?


John
--
Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn




* Re: [9fans] dealing with spam
From: erik quanstrom @ 2009-01-13 23:52 UTC (permalink / raw)
  To: 9fans

> I have not yet gotten around to setting up nupas, but I figured I'd
> try populating /mail/lib/blocked a bit since it is easy, and a lot of
> the spam seems to come from erewards@<foo>
> However, after putting the line "*block	*!erewards*" into blocked, I
> still keep getting spam from "erewards" at various servers. What's up?

blocked is called before the address is rewritten from @
style to ! style — directly from smtpd.y -> sender() -> blocked().

i've never had success dropping spam by domain.

it's easy to run the nupas smtpd with the old upas
setup.  so you might find doing that more fruitful.

- erik



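Added example (not upas code) showing why the "*block *!erewards*" line misses, given the reply above that blocked() sees the sender before the @-style address is rewritten to ! style. It assumes case-insensitive shell-style globbing for the patterns and the domain!user form of the rewrite, both assumptions of this example rather than facts from the thread; the sender address is constructed.

```python
import fnmatch


def parse_blocked(text):
    """Parse lines of the form '*action<ws>pattern' (constructed format
    modelled on the /mail/lib/blocked line quoted in the thread)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].startswith("*"):
            continue
        rules.append((parts[0][1:], parts[1]))
    return rules


def rewrite_to_bang(addr):
    """Rewrite user@domain to domain!user (the @ -> ! rewrite the reply
    refers to). Addresses without '@' are returned unchanged."""
    user, sep, domain = addr.rpartition("@")
    return "%s!%s" % (domain, user) if sep else addr


def first_match(rules, addr):
    """Action of the first rule whose pattern matches addr, else None.
    Case-insensitive shell-style globbing is an assumption of this example."""
    for action, pattern in rules:
        if fnmatch.fnmatchcase(addr.lower(), pattern.lower()):
            return action
    return None


def classify(rules, sender, before_rewrite=True):
    """Apply the rules at one of two stages; returns (address seen, action).

    before_rewrite=True models what the reply describes: blocked() sees
    the raw @-style sender. False models the !-style form that the
    original "*!erewards*" pattern was evidently written for.
    """
    addr = sender if before_rewrite else rewrite_to_bang(sender)
    return addr, first_match(rules, addr)


# The pattern from the thread, and the same intent written for @ style.
RULES_BANG = parse_blocked("*block\t*!erewards*\n")
RULES_AT = parse_blocked("*block\t*erewards@*\n")

# Constructed sender; the domain is one of those named in the first post.
SENDER = "erewards@eggnavajo.com"
```

Run against SENDER, RULES_BANG matches only after the rewrite, which is the stage blocked() never sees, while RULES_AT matches the raw @-style address.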

* Re: [9fans] dealing with spam
From: John Floren @ 2009-01-14 20:33 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

I feel a bit silly now... just discovered upas/spam etc. This seems to
be catching all of my spam with just the default set of rules, while
allowing non-spam through.

On Thu, Jan 8, 2009 at 2:55 PM, John Floren <slawmaster@gmail.com> wrote:
> Starting today, my account on my Plan 9 server has been getting tons
> of "free coupons", "free Dell XPS", "Student loans!" spam, apparently
> from one operator, since every domainname is in the form
> <adjective><noun>.com or <noun><adjective>, like eggnavajo.com,
> rosydeer.com, etc. It's so annoying that I may shut down my server for
> a bit until I figure out what's up.
>
> What are my options for getting rid of this? People who run Plan 9
> mail servers, what do you do?
> Thanks
>
> John
> --
> Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn
>



--
"I've tried programming Ruby on Rails, following TechCrunch in my RSS
reader, and drinking absinthe. It doesn't work. I'm going back to C,
Hunter S. Thompson, and cheap whiskey." -- Ted Dziuba


