Re: faked from addresses getting through to my lists
On Tue, Jun 15, 2004 at 11:42:57AM -0400, Charlie Summers wrote:
At 10:43 AM -0400 6/15/04, Terry Todd is rumored to have typed:
What I'm wondering is if anyone has done anything to beef up the dist file or accept file format so it checks for more than just the email address of the subscriber.
You just answered your own question. The stock SmartList contains only email addresses within the dist file (although it allows for some additional information, that information is not captured by the stock SmartList), so you can NOT check for "more." Feel free to code the addition, but you'll quickly realize you have yet another problem...
a dist file entry something like this
"Senders Name" <email@mydomain.com> 192.168.1.1 (comment)
Which would be impossible to mail _to,_ which is the central purpose of the dist list (have a ball rewriting choplist to deal with stripping out the email address from that line). Also makes no sense at all, since most people on the Net use dynamically-allocated IPs instead of fixed IPs, so your idea of tagging everyone to an IP (even a C or B block) is futile. You'd be rejecting valid submissions routinely, ticking off your subscribers.
I had been thinking of using SmartList as a spam filter
OK forget I ever suggested using smartlist as a spam filter. I've tried many many other spam filtering solutions. None of them work 100%. So I wrote my own that is essentially the same thing as what I suggested here. It is a whitelist of only those I accept email from. It works.

The original problem is spam got through to a smartlist mailing list by header information being faked. How can that be prevented? What do others using smartlist do to prevent this from happening?

Terry Todd
SmartList is not designed to be a spam filter. It is a mailing list distribution package. If you want a spam filter...use a spam filter. To protect SmartList, pipe the mail from rc.local.s00 to whatever spam filter you choose.
If you run your own mail server, there are hundreds of solutions (RBLs, content filters [yuck], massive blocking of dynamic IPs in the access database, etc., etc). If you are on a shared server and don't control your own mail server, use one (or more) of the many procmail/perl solutions out there. Why would you attempt to rewrite mailing list distribution software to a spam filter, when you could do what you suggest above with a single recipe* in your personal .procmailrc file anyway? It's like using your email client as a word processor to write a novel; you might get it to work, but it'll cause you no end of unnecessary grief when OpenOffice is available to make it more efficient. Right tool for the right job.
Charlie
* A recipe like...
    :0 # Yeah, no escapes, I know, I'm in a hurry
    * ^From.*tlt@badger.tltodd.com
    * !^Received.*192.168.1.1
    /path/to/home/possible_spam.txt
_______________________________________________ Smartlist mailing list Smartlist@lists.RWTH-Aachen.DE http://MailMan.RWTH-Aachen.DE/mailman/listinfo/smartlist
On Tue, Jun 15, 2004 at 11:55:24AM -0500, Terry Todd wrote:
OK forget I ever suggested using smartlist as a spam filter. I've tried many many other spam filtering solutions. None of them work 100%. So I wrote my own that is essentially the same thing as what I suggested here. It is a whitelist of only those I accept email from. It works.
The original problem is spam got through to a smartlist mailing list by header information being faked. How can that be prevented? What do others using smartlist do to prevent this from happening?
My spam filter checks for forgeries of my address in the From: field by screening against the small set of comment fields I use. I can do this for myself, but there's no way I could consider this sort of screen for anyone else, for obvious reasons. It sounds as though this approach might work for Terry, and if he's already written a spam filter he's comfortable with, dropping in another recipe should be easy. FWIW, here's mine:

    #
    # Fake real name:
    #
    :0
    * ^()\/(From:[ ]*".*[A-Za-z]+.*"[ ]*<jimo@eskimo\.com>)
    {
      FNAME=$MATCH

      :0
      * ^From:[ ]*\/".*[A-Za-z]+.*"
      * ! MATCH ?? <my-list-of-valid-comment-fields>
      {
        XSPAM = "${XSPAM}${XSPAM:+, }FAKENAME"

        :0 fwh
        * $!${addheaders:+!}
        | formail -A "X-Diagnostic: fake real name: $FNAME"
      }
    }

Good luck,
Jim
On Tue, 15 Jun 2004 11:55:24 -0500, Terry Todd wrote
The original problem is spam got through to a smartlist mailing list by header information being faked. How can that be prevented?
It can't be prevented unless you force all your subscribers to send a special "password" header in their email or you moderate the list. The closest you can come is to accept messages from subscribers only but there is no way to be 100% certain that the message is coming from who the From: says it is from.
What do others using smartlist do to prevent this from happening?
You can prevent having your address spoofed by adding special headers as Jim mentioned and then checking for those. Rich
On 15 June 2004 at 14:11, rgball <rgball@ellerbach.com> wrote:
On Tue, 15 Jun 2004 11:55:24 -0500, Terry Todd wrote
The original problem is spam got through to a smartlist mailing list by header information being faked. How can that be prevented?
It can't be prevented unless you force all your subscribers to send a special "password" header in their email or you moderate the list.
The closest you can come is to accept messages from subscribers only but there is no way to be 100% certain that the message is coming from who the From: says it is from.
What do others using smartlist do to prevent this from happening?
You can prevent having your address spoofed by adding special headers as Jim mentioned and then checking for those.
I've toyed with keeping a whitelist of accepted PGP keys and only accepting email from users who provide a valid signature. Is this even somewhat reasonable?

James
--
James P. Howard, II -- howardjp@vocito.com
http://www.jameshoward.us/ -- 202-390-4933
On Tue, 15 Jun 2004 15:26:00 -0400, James P. Howard, II wrote
I've toyed with keeping a whitelist of accepted PGP keys and only accepting email from users who provide a valid signature. Is this even somewhat reasonable?
I wouldn't think that'd be too difficult to put together.

After I sent my message I thought "what else could Terry do if he was really desperate to implement a screen?" and came up with this (FWIW):

(warning: lots of work and hardly worth the effort unless a whole lot of spoofing is going on)

1) go through all the list's archives and match information in the bottom-most Received: line to the subscriber's address. Keep all of this in a database (not the dist file).
2) when a post comes in check to see if the Received:-line information matches any of the stored values for that subscriber -- if so accept the message
3) if it doesn't match but the sender is in the subscriber list then send the message for moderator approval and add the Received:-line info to the database
4) if not approved -- dump the message to a spamfile

It's still not going to be proof against a determined spoofer but should eliminate the casual spammers.

Rich
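A sketch of the four-step screen described in the post above, added here as an example and not code from the thread or from SmartList. It assumes the "Received:-line information" is the host named after "from" in the bottom-most Received: line, that non-subscribers are rejected outright, and that a new origin is stored only once the moderator approves; all function names and sample messages are made up.

```python
import email
import re
from email.utils import parseaddr

FROM_HOST = re.compile(r"\s*from\s+(\S+)", re.IGNORECASE)

def sender_and_origin(raw):
    """Return (From: address, host named in the bottom-most Received: line)."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    received = msg.get_all("Received") or []
    m = FROM_HOST.match(received[-1]) if received else None
    return sender, (m.group(1).lower() if m else None)

def learn(raw, seen):
    """Step 1 (archives) and step 3 (approved posts): store the origin."""
    sender, origin = sender_and_origin(raw)
    if sender and origin:
        seen.setdefault(sender, set()).add(origin)

def screen(raw, subscribers, seen):
    """Steps 2 and 3: 'accept', 'moderate', or 'reject' (assumed policy)."""
    sender, origin = sender_and_origin(raw)
    if sender not in subscribers:
        return "reject"        # not in the dist file at all
    if origin and origin in seen.get(sender, set()):
        return "accept"        # origin already on record for this subscriber
    return "moderate"          # subscriber address, unfamiliar origin

def moderate(raw, approved, seen):
    """Steps 3 and 4: learn the origin on approval, else dump the post."""
    if approved:
        learn(raw, seen)
        return "accept"
    return "spamfile"

def sample(from_addr, first_hop):
    """Build a constructed two-hop message; hosts and addresses are made up."""
    return ("Received: from mx.example.net by lists.example.org\n"
            f"Received: from {first_hop} by mx.example.net\n"
            f"From: {from_addr}\nSubject: test\n\nbody\n")

ARCHIVED = sample('"Alice" <alice@example.com>', "dsl-12.isp.example")
FAMILIAR = sample("alice@example.com", "dsl-12.isp.example")
UNFAMILIAR = sample("alice@example.com", "host-77.other.example")
OUTSIDER = sample("mallory@example.net", "dsl-12.isp.example")
```

Storing the origin only after approval keeps a rejected post from whitelisting its own origin for the next attempt.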
On Tue, Jun 15, 2004 at 02:42:32PM -0500, rgball wrote:
1) go through all the list's archives and match information in the bottom-most Received: line to the subscriber's address. Keep all of this in a database (not the dist file).
Can't rely on that. Received: lines can be faked, as long as they're below the point of injection into the system. If there's spoofing going on, the spoofers are presumably motivated to keep it happening. You could just rely on a valid PGP signature before passing on the message. But there are very few lists that do this, in large part because most people find PGP too hard to use.
It's still not going to be proof against a determined spoofer but should eliminate the casual spammers.
I first saw spam with fake Received: header lines some time around 1997. Roger
participants (5)
- James P. Howard, II
- Jim Osborn
- rgball
- Roger Burton West
- Terry Todd