Perverse Access Memory: Blackholing Spam
bq. We’ve started using realtime blackhole lists (RBLs) to stop some of the spam that whiterose mail users are seeing.
My SPAM escalation:
* some homegrown procmail filters. That lasted a couple of years, but was too hard to keep up-to-date.
* “junkfilter”:http://junkfilter.zer0.org/ was quite good, but I still had problems keeping it up-to-date.
* I now use “spambayes”:http://www.spambayes.org/. It is available as a procmail filter, as a POP/IMAP proxy, and as an Outlook plugin. I’m now using this everywhere. It uses statistical techniques to learn the characteristics of your incoming mail, and filters accordingly. It is surprisingly accurate :-)
* In parallel with spambayes, I switched cfrq.net from sendmail to postfix, which has a whole bunch of useful anti-spam technology built into the SMTP listener; the theory is that it is better to reject SPAM during the SMTP session than it is to deal with it later.
* Sadly, I had to disable some of postfix’s filters, because it was trapping too much legitimate e-mail :-) Many of my correspondents work for companies that can’t seem to configure their DNS or their SMTP servers properly, and educating / whitelisting them was taking too much time :-)
* I have now given up, and started testing some (conservative) RBLs, with reasonably good results; they’re now installed fulltime. I’m currently evaluating bl.spamcop.net, but I’m getting too many false positives (for me), because they tend to pick up the MTAs of large companies and ISPs.
Every time I’ve tried SpamAssassin I’ve had trouble with it; but naturally, your mileage may vary :-)
We’re in a war, and the spammers are as smart as we are. I’m already seeing SPAM specifically designed to foil statistical filtering. As with all escalations, the solution seems to be to make my host less attractive to spammers than someone else’s…
posted at 4:28 pm on Monday, May 19, 2003 in Site News | Comments (6)
Several webloggers who use “cornerhost”:http://www.cornerhost.com/ found themselves “suddenly relocated”:http://inessential.com/?comments=1&postid=2473 over the weekend (“for the record”:http://cornerhost.blogspot.com/, it wasn’t really cornerhost’s fault).
cornerhost’s policy is that users are responsible for their own backups. Naturally, some people found out that this was true :-)
As part of the ensuing chaos, someone pointed out Mike Rubel’s article “Easy Automated Snapshot-Style Backups with Linux and Rsync”:http://www.mikerubel.org/computers/rsync_snapshots/.
I’ve been a sysadmin for over 15 years. I’m a *big* fan of backups. (I’m _very_ unhappy that my tape drive is broken right now. :-) I’ve been doing nightly full backups of my servers using rsync for a long time, but the technique Mike uses for incrementals never occurred to me (blush). A minor change to a couple of scripts was all it took for me to have a week’s worth of snapshots on the backup hosts. Fabulous!
Thanks, “Mike”:http://www.mikerubel.org/!
posted at 9:32 am on Wednesday, April 30, 2003 in Site News | Comments Off on Backups
“Greg”:http://www.third-bit.com/ has a few new students starting this summer. Time to update the default user profiles and “create new account” software to make this easier, since I do it so seldom and keep forgetting all of the steps. I’m thinking of either using LDAP or MySQL for authentication, or finding an /etc/passwd based auth module for Apache and samba; either would let me use the same passwords everywhere on the system.
I recently converted from “uw-imap”:http://www.washington.edu/imap/ to “courier-imap”:http://www.inter7.com/courierimap/INSTALL.html. Courier uses maildir instead of mbox format. Webmail is now much faster, since IMAPD does not lock and parse the entire mail spool for every web-click! OTOH, this means no more mail(1) or pine; aw, shucks.
I’ve been cleaning up the “main CFRQ page”:http://www.cfrq.net/ and the top-level stylesheet a bit. Not really sure why, or where I’m going with that-which-loosely-qualifies-as-a-design. I also finally got the default “VirtualHost”:http://httpd.apache.org/docs/mod/core.html#virtualhost (“persephone.cfrq.net”:http://persephone.cfrq.net/) working again, so I think I’m going to move all of the local stuff (and that installed by “RedHat”:http://www.redhat.com/) back to that page, and then replicate it to “hermione”:http://hermione.cfrq.net/.
posted at 2:48 pm on Sunday, April 13, 2003 in Site News | Comments (2)
“persephone.cfrq.net”:http://www.cfrq.net/ is also “herne.third-bit.com”:http://www.third-bit.com/, hosting a couple of “UofT”:http://www.utoronto.ca/ “Computer Science”:http://www.cs.toronto.edu/DCS/index.html “project courses”:http://www.artsandscience.utoronto.ca/ofr/calendar/crs_CSC.htm#CSC494H1. The students are in the final crunch of developing a servlet-based application.
The students have set things up so that they are sandboxed from each other (a good idea). Unfortunately, this means that tomcat is loading separate copies of all of the support classes, one for each student.
The net result is that tomcat wants twice as much memory as is available on the box, causing aggressive paging activity. Expect both the webserver and e-mail to be a little slow for the next couple of weeks, until they’re done…
posted at 4:19 pm on Thursday, March 13, 2003 in Site News | Comments Off on Slow response for the next week
Well, everyone else is doing it….
“MovableType 2.6”:http://www.movabletype.org/ has been released. The upgrade was quite painless; the only major thing I’ve done so far is to update my comments form a little bit, and install “Brad Choate’s(Brad Choate)”:http://www.bradchoate.com/ new “MT-Textile(MT-Textile)”:http://www.bradchoate.com/past/mttextile.php plugin. (This entry is formatted using it :-).
Major features of interest to me:
* the new formatting plugins, and the fix to the “Convert Line Breaks” HTML formatter that allows blockquotes. These two were my biggest issues with MT. The Textile formatter will make it easier to format entries in “Adanflaen Nights(Adanflaen Nights)”:http://www.cfrq.net/~rolemaster/ , and the HTML exclusions fix means I’ll almost never have to unset “Convert Line Breaks” in my weblog.
* The Sanitize plugin (only because I’m slightly paranoid).
* bug fixes (which are always good).
The other new stuff I can take or leave; they’re not relevant to any of my blogs. Still, nice to have a new release, and even better to have well-supported software like this!
posted at 1:01 pm on Friday, February 14, 2003 in Site News | Comments (1)
I haven’t tripped over many interesting things in BlogSpace lately (everybody’s arguing about the Power Law stuff instead). My thoughts are mundane, like deciding what I’m going to have for lunch, or when I am going to have time to go sample those Reid’s Dairy one-point cheesecakes :-).
Seems like a couple of months ago I had too many things to blog about, and now I’ve got too few. Ah well; it’s winter, and time for sitting by the fire[place] with a good book. Come spring the world will quicken again, and by August I’ll be rambling about anything just for an excuse to stay in the air conditioning.
Speaking of which, I just gotta love a climate with a 50°C seasonal temperature swing. Last summer the A/C couldn’t keep up with the 39°C afternoons, and yesterday my son’s ski trip was cancelled because it was -11°C (with a 45-65 km/h wind!). The new high-efficiency furnace ran for 13 hours yesterday; good thing we replaced the old one in December!
Anyway, I’m off to play with Wiki technology some more; I might convert Adanflaen Nights over, and/or use 0xDECAFBAD’s Wiki + MovableType combination. A Wiki makes more sense for static reference content like the game information pages, while a weblog makes more sense for the campaign notes stuff. Hmm…
posted at 4:49 pm on Thursday, February 13, 2003 in Random Thoughts, Site News | Comments Off on Feast to Famine
TrackBacks are comments. They are comments left on someone else’s site rather than your own, but they are comments nonetheless. Movable Type makes a distinction between entry comments and TrackBacks that seems artificial, and it made more sense to me to have TrackBack ping data appear within the comments portion of a Movable Type site.
I agree, and so I’ve installed the Simple Comments plugin in MovableType, and updated my templates.
While I was at it, I also swiped the format for the comment form from 0xDECAFBAD, because it’s smaller and neater (even though I normally dislike using tables for layout).
posted at 3:26 pm on Wednesday, February 05, 2003 in Site News | Comments (2)
In Blatherings
Debbie mentioned that she was experimenting with Trackback. So here’s a ping!
I don’t know why pinging my blog didn’t work for you; I just tried it and it worked fine, and I don’t see anything in my apache logs from you accessing mt-tb.cgi. Strange?
Update: of course I can’t see the ping I just sent, because you don’t have a ‘Ping Template’ defined for blatherings :-)
posted at 1:07 pm on Saturday, January 11, 2003 in Site News | Comments (2)
Debbie says my trackback doesn’t work, but I didn’t see any entries in the apache log, so I’m testing.
The Blog of Harald: Trackback timeouts cause problems with my blog
posted at 1:00 pm on Saturday, January 11, 2003 in Site News | Comments Off on Another trackback test
I like the RBLs from http://blackholes.us/. cn-kr.blackholes.us in particular stops a lot of our spam.
In fact, I need to add more of them. I’m hoping they’ll consolidate more of their lists. asia.blackholes.us would be nice…
I also use:
* sbl.spamhaus.org – a conservative list recommended by a very knowledgeable regular poster to the Stalker SIMS mailing list
* dialups.relays.osirusoft.com – known dialup open relays
* socks.relays.osirusoft.com – known open socks proxies
To date we haven’t had any good mail caught, but we may. We’ll see.
Also using the new version of Eudora (beta 6) which has a beysean Junk Filter function. I’m really starting to see a lot less of the spam I get sent.
Bayesian would be the other (i.e. correct) spelling. blackholes.us lists several anti-spam products that can use the RBLs…
<laughter> never post before coffee.
I’m going to move on to test spamhaus next; I’ve heard good things about them. I tried relays.osirusoft.com once, but got way too many false positives; I’ve never tried their individual subdomains.
I’m currently using (recommended by the postfix-users list):
* (155) proxies.relays.monkeys.com – socks/HTTP proxies
* (91) list.dsbl.org – single-stage relays, proxies, and formmail sources
The number is the number of messages rejected by the RBL in the last week. I used to use relays.ordb.org, because they are described as “extremely conservative”, but I didn’t get any rejects from them other than a mailhost that I was forced to whitelist.
I’ve just tested bl.spamcop.net for a week. It rejected 28 messages that no one else did, but it lists all of the servers for groups.msn.com, generating false positives.
I forgot to add: I’ve been using a (postfix specific) log scanner to tell my users when email to them has been rejected by an RBL; I’ve had a couple of false positives reported that way :-)
http://www.roble.com/docs/spamrep_today_byuser
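An added example, not the roble.com script or any commenter's code: a scanner that produces both things described in the comments above, the per-RBL reject counts and a per-recipient list of rejected senders that users can check for false positives. The log line layout is an assumption modelled on Postfix smtpd reject entries, and the sample lines, hosts and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Postfix smtpd reject entries (assumed
# format; hosts and addresses are documentation placeholders).
SAMPLE_LOG = """\
May 19 03:12:01 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using list.dsbl.org; from=<a@spam.example> to=<alice@example.net> proto=SMTP helo=<x>
May 19 03:40:17 mx postfix/smtpd[815]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using proxies.relays.monkeys.com; from=<> to=<bob@example.net> proto=SMTP helo=<y>
May 19 04:02:55 mx postfix/smtpd[822]: NOQUEUE: reject: RCPT from mail.corp.example[192.0.2.44]: 554 Service unavailable; Client host [192.0.2.44] blocked using list.dsbl.org; from=<news@corp.example> to=<Alice@example.net> proto=ESMTP helo=<mail.corp.example>
May 19 05:01:00 mx postfix/smtpd[830]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 <c@other.example>: Relay access denied; from=<s@spam.example> to=<c@other.example> proto=SMTP helo=<z>
May 19 05:02:00 mx postfix/smtpd[830]: connect from unknown[203.0.113.5]
"""

# Only rejections that name a blocklist zone match; other rejects do not.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>\S+?)\[(?P<ip>[0-9A-Fa-f.:]+)\]: \d{3} "
    r".*?blocked using (?P<zone>[A-Za-z0-9.-]+)"
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_rbl_rejects(lines):
    """Yield one dict per RBL rejection; all other log lines are skipped."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            hit = m.groupdict()
            hit["zone"] = hit["zone"].rstrip(".").lower()
            hit["rcpt"] = hit["rcpt"].lower()  # group Alice@ with alice@
            yield hit

def rejects_per_zone(hits):
    """Per-list totals, the figure quoted next to each RBL above."""
    return Counter(h["zone"] for h in hits)

def report_by_recipient(hits):
    """Map recipient -> rejected senders, so users can spot false positives."""
    report = defaultdict(list)
    for h in hits:
        sender = h["sender"] or "(null sender)"
        report[h["rcpt"]].append(f'{sender} via {h["client"]}[{h["ip"]}] ({h["zone"]})')
    return dict(report)

if __name__ == "__main__":
    hits = list(parse_rbl_rejects(SAMPLE_LOG.splitlines()))
    for zone, n in rejects_per_zone(hits).most_common():
        print(f"({n}) {zone}")
    for rcpt, items in sorted(report_by_recipient(hits).items()):
        print(rcpt, *items, sep="\n  ")
```

Because the SMTP server stops at the first list that matches, these totals depend on the order in which the RBLs are configured.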
I second the recommendation for Eudora. It’s getting some false positives (mostly via my yahoo account, which classifies some solicited commercial email/mailing lists as spam) but has been excellent about learning from its mistakes.
Can anybody help me in configuring Exchange 2003 to check blocklist using sbl.spamhaus.org?
Kindly reply at the earliest and oblige by doing the needful.
If possible PLEASE mail at vrbhatt@hotmail.com
Thank you.