[unisog] Changes to the administration of the Unisog list.

Kutz, Schley Andrew a.kutz at its.utexas.edu
Mon Jan 8 16:10:37 GMT 2007


Another possibility is to forward all spam-tagged mail to a mailbox that
is archived to the web so that members of this list can search if they
think a message they sent was mistakenly tagged as spam.

-- 
-a

"Condensing fact from the vapor of nuance."

ITS at The University of Texas at Austin

name:	Schley Andrew Kutz, MCSD, GCWN, VCP-VI3
mail:	a.kutz at its.utexas.edu
work:	512.475.9246

Please do not hesitate to call or e-mail me if you have any questions or
concerns!


-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Gene Rackow
Sent: Monday, January 08, 2007 9:37 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Changes to the administration of the Unisog list.

I agree, I've run a few large mailing lists, and the amount of spam
you get is just amazing.

I haven't seen the 100 to 1 ratio that has been reported here,
but long before it would have gotten to that I've tried to cut
back the cruft.

I moved my mailing list server to a different machine than
regular users' mailboxes.  This allows me to be much more
aggressive on various blocking methods.

Greylisting on the mail server did wonders.  It's starting to
show some signs that spammers are learning how to get around that,
but it's still blocking over 80% of the junk that is attempting to
get in.

Then using RBLs on the server.  Of what was left after greylist,
this is dropping about 30% of the remaining traffic.  This is 
mailing list traffic, so you don't need to worry about some 
important business/funding related mail being sent to it.  The
mail would get rejected, so the sender (if real) should be
alerted to the fact the mail got bounced and why.

The next step is to run things through amavis-new where it
hits various AV products and spamassassin.  I commend the
clamav folk for their various phishing scam signatures.
These sigs really do a good job on reducing the amount of
junk that gets through.  SpamAssassin just tags things
at this point, but I've considered moving that to a reject
as well.  This also rejects various attachment types such
as double extensions of exe, pif, scr, etc.

As a final pass before the mailing list software, I have a set
of procmail rules that it goes through BEFORE it gets to the
mailing list software.  Some of these rules include handling of
spamassassin tagged email.  I also prevent most attachment types
from going out to the lists.   There is a set that it will allow
through to the mailing list software, but not all.  If someone needs
to post that data, they can put the file up on their web server
and post a link to it.  Yes, this is a bit draconian, but
it really cuts down on the stuff sent to a list.  Mail that
gets blocked here is put into a separate holding area per
list or list admin.  They need to deal with this stuff, but
tend to be able to do so in bulk and not worry about the mix
of ham/spam quite as much.

Things that make it through all of that are now passed off
to the mailing list software which handles the rest of the
restrictions.  This is managed per list. Some allow attachment
types, others don't. (One does not allow HTML based email ;-)
List-members-only postings vs. open lists, etc.
Anything that gets blocked, at this point is handled by
the mailing list software such as mailman to put the mail
into the review area for the admins.

It's still not perfect, but it is manageable at this point.

--Gene





Peter Van Epp made the following keystrokes:
 >On Sat, Jan 06, 2007 at 11:04:05PM -0500, Valdis.Kletnieks at vt.edu wrote:
 >> On Sat, 06 Jan 2007 15:36:45 PST, Saqib Ali said:
 >> 
 >> > But there are still people who subscribe to the list and then send the
 >> > spam message, unfortunately.
 >> 
 >> It might be enlightening to look at the Received: headers in more detail -
 >> remember that very little spam is actually from the address listed in the
 >> From: field (except on rare occasions, totally accidentally).
 >> 
 >
 >	It is worth noting that we aren't stopping list moderation (which
 >hopefully will catch spam from subscribed addresses), only automatically
 >discarding posts from non-subscribers before it hits the moderators. To
 >approve Mr Ali's reply (which should be along soon) I had to read the subject
 >lines of 29 obvious spam messages (and then bulk delete them), and sometimes
 >have to fetch and read the contents to see if the message is spam or a legit
 >post if the subject line isn't obviously spam (and we may miss legit posts
 >by accident if the subject looks like spam). This is what we are trying to
 >eliminate, not moderation.
 >
 >Peter Van Epp / Operations and Technical Support 
 >Simon Fraser University, Burnaby, B.C. Canada
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
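As an added illustration of the pre-list stage Gene describes (SpamAssassin-tagged mail and disallowed attachment types diverted to a per-list holding area, one list refusing HTML), here is a small Python filter. It is not the list admins' own procmail rules; the list names, policies and sample messages are constructed.

```python
import re
from email import message_from_string

# Per-list policy (constructed values): accepted attachment extensions, HTML allowed?
LIST_POLICY = {
    "unisog": {"allow_ext": {"txt", "pdf"}, "allow_html": True},
    "plain-list": {"allow_ext": set(), "allow_html": False},
}
# Final-extension check: catches bare .exe/.pif/.scr and double extensions
# such as report.pdf.scr, since only the last extension is what executes.
DANGEROUS = re.compile(r"\.(exe|pif|scr|bat|com|vbs)$", re.IGNORECASE)

def attachment_names(msg):
    """Yield the filename of every MIME part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name

def classify(raw: str, list_name: str) -> tuple:
    """Return (disposition, reason): 'deliver' hands the mail on to the list
    software; 'hold' diverts it to the per-list holding area for bulk review."""
    msg = message_from_string(raw)
    policy = LIST_POLICY[list_name]
    # Upstream amavis-new/SpamAssassin only tags; this stage acts on the tag.
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        return "hold", "spamassassin-tagged"
    for name in attachment_names(msg):
        if DANGEROUS.search(name):
            return "hold", "dangerous extension: " + name
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in policy["allow_ext"]:
            return "hold", "attachment type not allowed: " + name
    if not policy["allow_html"]:
        for part in msg.walk():
            if part.get_content_type() == "text/html":
                return "hold", "html mail not allowed on this list"
    return "deliver", "ok"

# Constructed sample messages, not real list traffic.
SPAM_TAGGED = ("From: a@example.org\nSubject: hi\nX-Spam-Flag: YES\n"
               "Content-Type: text/plain\n\nbuy now\n")
DOUBLE_EXT = ("From: b@example.org\nSubject: report\nMIME-Version: 1.0\n"
              'Content-Type: multipart/mixed; boundary="B"\n\n--B\n'
              "Content-Type: text/plain\n\nsee attached\n--B\n"
              'Content-Type: application/octet-stream; name="report.pdf.scr"\n'
              'Content-Disposition: attachment; filename="report.pdf.scr"\n'
              "Content-Transfer-Encoding: base64\n\nAAAA\n--B--\n")
HTML_MAIL = "From: c@example.org\nSubject: x\nContent-Type: text/html\n\n<b>hi</b>\n"
```

A held message keeps its reason string, so admins reviewing the holding area can sort by cause and clear the obvious cases in bulk, as Gene describes.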