From: C Matthew Curtin
To: Rob Hartill
Cc: questions@freebsd.org
Subject: Re: ipfw config to block sp@m
Date: Mon, 7 Apr 1997 01:02:27 -0400 (EDT)
Message-Id: <199704070502.BAA22111@goffette.research.megasoft.com>

>>>>> "Rob" == Rob Hartill writes:

Rob> Does anyone out there have/keep a set of config lines for ipfw to
Rob> block sp@mmers ?

This approach has a number of problems.

* Spammers often don't come from the same place. Some bozo goes and gets a
  $20 account at an ISP, gets their machine on the 'net, and out goes the
  spam. The account gets killed, and they don't care. They go out to
  another ISP and do the same thing.

* You'll need to have all of your MXers (if you've got any) implement the
  same filtering rules to their mailhosts.

There are some better ways to filter the stuff out.
My (current) favorite is to use procmail either as a local delivery agent
for the MTA, or to have users pipe their mail to procmail, and let their own
procmailrc files deal with it. In addition to the ability to filter things
into different folders, certain telltale signs of spam can be scanned for.
If the pattern is matched, redirect the stuff to /dev/null.

* A number of spam packages are now identifying themselves in the X-Mailer
  header. If you know the name of any of these stupid things, you can look
  for the pattern ^X-Mailer:.*spam-warez-name.

Other possibilities include scanning the top and/or bottom n lines for
something that looks like one of those "just reply with the word remove in
the subject, blah blah blah" notices, looking for things with symmetrical
symbols in the subject, especially three or more $, >, or * characters...

For the last few months, I've been saving all of the spam that I get into a
folder. I plan on doing some analysis of the stuff to see what other
patterns I can find, and things like that to help write some more
intelligent rules for throwing the junk away. Has anyone else been saving
these things? It might be useful to compare notes...

--
Matt Curtin  Chief Scientist  Megasoft, Inc.  cmcurtin@research.megasoft.com
http://www.research.megasoft.com/people/cmcurtin/
I speak only for myself
Death to small keys.  Crack DES NOW!  http://www.frii.com/~rcv/deschall.htm
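An added example, not part of Matt's message: a ~/.procmailrc that implements the three checks he describes (X-Mailer signature, repeated $ > * symbols in the Subject, and a "reply with the word remove" notice in the body). The mailer name SpamWarez and the folder layout are assumptions; matches are filed into a spam folder instead of /dev/null so that a false positive can still be recovered.

```procmail
# ~/.procmailrc (added example; SpamWarez and the Mail/ layout are assumptions)
PATH=/usr/local/bin:/usr/bin:/bin
MAILDIR=$HOME/Mail
DEFAULT=$MAILDIR/inbox
LOGFILE=$MAILDIR/procmail.log
LOGABSTRACT=all          # record From/Subject and where each message was filed
VERBOSE=off

# 1. Known bulk-mailer signature in the X-Mailer header.
#    procmail regexes are case-insensitive by default; "^" anchors to a header line.
:0:
* ^X-Mailer:.*SpamWarez
$MAILDIR/spam

# 2. Three or more of $, > or * anywhere in the Subject line.
:0:
* ^Subject:.*[$>*].*[$>*].*[$>*]
$MAILDIR/spam

# 3. "Just reply with the word remove in the subject" notice in the body.
#    The B flag makes the condition search the body instead of the header.
:0 B:
* reply.*(with|the word).*remove.*subject
$MAILDIR/spam

# Anything that matched nothing above falls through to DEFAULT (the inbox).
```

Review $MAILDIR/procmail.log periodically: LOGABSTRACT shows every message that landed in the spam folder, which is how you catch a rule that is too broad before it starts eating real mail.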