[unisog] Changes to the administration of the Unisog list.

Gene Rackow rackow at mcs.anl.gov
Mon Jan 8 15:37:00 GMT 2007


I agree, I've run a few large mailing lists, and the amount of spam
you get is just amazing.

I haven't seen the 100 to 1 ratio that has been reported here,
but long before it would have gotten to that I've tried to cut
back the cruft.

I moved my mailing list server to a different machine than
regular users' mailboxes.  This allows me to be much more
aggressive on various blocking methods.

Greylisting on the mail server did wonders.  It's starting to
show some signs that spammers are learning how to get around that,
but it's still blocking over 80% of the junk that is attempting to
get in.

Then using RBLs on the server.  Of what was left after greylist,
this is dropping about 30% of the remaining traffic.  This is 
mailing list traffic, so you don't need to worry about some 
important business/funding related mail being sent to it.  The
mail would get rejected, so the sender (if real) should be
alerted to the fact the mail got bounced and why.

The next step is to run things through amavisd-new where it
hits various AV products and SpamAssassin.  I commend the
ClamAV folk for their various phishing scam signatures.
These sigs really do a good job on reducing the amount of
junk that gets through.  SpamAssassin just tags things
at this point, but I've considered moving that to a reject
as well.  This also rejects various attachment types such
as double extensions of exe, pif, scr, etc.

As a final pass before the mailing list software, I have a set
of procmail rules that it goes through BEFORE it gets to the
mailing list software.  Some of these rules include handling of
spamassassin tagged email.  I also prevent most attachment types
from going out to the lists.   There is a set that it will allow
through to the mailing list software, but not all.  If someone needs
to post that data, they can put the file up on their web server
and post a link to it.  Yes, this is a bit draconian, but
it really cuts down on the stuff sent to a list.  Mail that
gets blocked here is put into a separate holding area per
list or list admin.  They need to deal with this stuff, but
tend to be able to do so in bulk and not worry about the mix
of ham/spam quite as much.

Things that make it through all of that are now passed off
to the mailing list software which handles the rest of the
restrictions.  This is managed per list. Some allow attachment
types, others don't. (One does not allow HTML based email ;-)
List members-only postings vs. open lists, etc.
Anything that gets blocked at this point is handled by
the mailing list software such as mailman to put the mail
into the review area for the admins.

It's still not perfect, but it is manageable at this point.

--Gene





Peter Van Epp made the following keystrokes:
 >On Sat, Jan 06, 2007 at 11:04:05PM -0500, Valdis.Kletnieks at vt.edu wrote:
 >> On Sat, 06 Jan 2007 15:36:45 PST, Saqib Ali said:
 >> 
 >> > But there are still people who subscribe to the list and then send the
 >> > spam message, unfortunately.
 >> 
 >> It might be enlightening to look at the Received: headers in more detail -
 >> remember that very little spam is actually from the address listed in the
 >> From: field (except on rare occasions, totally accidentally).
 >> 
 >	
 >	It is worth noting that we aren't stopping list moderation (which 
 >hopefully will catch spam from subscribed addresses), only automatically 
 >discarding posts from non-subscribers before it hits the moderators. To
 >approve Mr Ali's reply (which should be along soon) I had to read the subject
 >lines of 29 obvious spam messages (and then bulk delete them), and sometimes 
 >have to fetch and read the contents to see if the message is spam or a legit 
 >post if the subject line isn't obviously spam (and we may miss legit posts 
 >by accident if the subject looks like spam). This is what we are trying to 
 >eliminate, not moderation.
 >
 >Peter Van Epp / Operations and Technical Support 
 >Simon Fraser University, Burnaby, B.C. Canada
 >_______________________________________________
 >unisog mailing list
 >unisog at lists.dshield.org
 >https://lists.sans.org/mailman/listinfo/unisog
 >
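
The attachment handling described in the message above (double-extension rejects at the AV stage, then an allow-list with a holding area before the list software), as an added example. It is not Gene's amavisd-new or procmail configuration; the allow-list contents and the function names are assumptions, and the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Executable extensions named in the post; its "etc." is left unexpanded.
EXEC_EXT = {".exe", ".pif", ".scr"}
# Assumed allow-list: the post does not say which types its rules let through.
ALLOWED_EXT = {".txt", ".asc", ".patch"}


def attachment_names(msg):
    """Yield the normalised filename of every MIME part that declares one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Keep only the last path component, trimmed and lower-cased.
            yield PurePosixPath(name.replace("\\", "/")).name.strip().lower()


def classify(raw):
    """Return 'reject', 'hold' or 'pass' for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = list(attachment_names(msg))
    for name in names:
        suffixes = PurePosixPath(name).suffixes
        # Double extension ending in an executable type, e.g. invoice.pdf.exe
        if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT:
            return "reject"
    if str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES":
        return "hold"  # SpamAssassin-tagged mail goes to the holding area
    if any(PurePosixPath(n).suffix not in ALLOWED_EXT for n in names):
        return "hold"  # attachment type is not on the allow-list
    return "pass"


def build(filename=None, spam=False):
    """Build a sample message (constructed test data, not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "list@example.org", "test"
    if spam:
        m["X-Spam-Flag"] = "YES"
    m.set_content("body")
    if filename:
        m.add_attachment(b"data", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A "reject" corresponds to refusing the mail during SMTP so a real sender sees the bounce; a "hold" corresponds to the per-list holding area that admins clear in bulk.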

