
Re: [vps-mail] update



On Tue, Oct 07, 2003 at 02:04:41PM -0700, Abigail Marshall wrote:
> SW> At least three of you on the list reported vps-mail@xxxxxxxxxxxx to
> SW> spamcop.net, which promptly blacklisted my server. I have no way of
> SW> knowing who did it, but I'm guessing it was an automated submission of
> SW> some kind. I don't think anyone here would knowingly submit this list
> SW> as a spammer.
> 
> Scott, I checked spamcop, and the email that was submitted
> as spam was indeed a mortgage lender spam that apparently
> came through this list. (I didn't see it, but most likely it
> was caught by another filter used by one of my ISPs).

Oh, it certainly was spam. I never questioned that. Read on.

> (I don't do automated reporting myself - so this certainly
> didn't come from me -- but without automated reporting,
> services like Spamcop or Razor would quickly become useless.

Not so--they only rely on quick reporting by users, not automated
reporting. For example, this mailing list is highly susceptible to
high spam scores. Were I to attach my procmailrc file--something we've
done before on this list--my message would score *20.70* in SA 2.54.

If those who autosubmitted on this list continued to do so, the list
would be blacklisted again. Human intervention is the *only* way to
ensure that non-spam does not get sent inadvertently to an RBL. The
second best way, if you're bent on automating, is to whitelist everything
legitimate (hope you don't miss anything!) and then do your scoring
and autosubmissions.

> So I don't think you should condemn those who are doing
> their part to help stop the flow of spam to the rest of us).

Well, the way I understand it, and how most services recommend you
submit spam, is to trap all your own spam somehow (e.g., SA is fine,
or just keeping it in your inbox is fine too) and then manually (i.e.,
bouncing, or running a "submit this" script, etc.) forward spam to the
appropriate RBL. Only spamtraps should be autoforwarding spam to RBLs.
Even spamcop.net and razor themselves discourage non-human reviewed
spam submission.

> SW> 1) automated submission of spam to spamcop or any RBL is dangerous and
> SW>    can result in inadvertent blacklisting of legitimate or harmless IP
> SW>    ranges.
> 
> As noted, the email that was reported WAS spam. It wasn't a
> mistake, any more than it would be a mistake if I had an
> open relay on my system which allowed spam to get through.

I guess I was hoping folks would bother to look at the Received
headers first, seeing that those had been already stripped. The list
was configured as a relay for privacy reasons, but I've since changed
my mind on that and left all headers intact in case of future
"accidents" (spam happens).

> Or, in other words - it WAS a mistake, but it was YOUR
> mistake in list configuration rather than the mistake of the
> people reporting the spam.

Blame fully accepted (and problem fixed, of course). I made a mistake
by allowing non-list posts. I think I admitted that fairly frankly,
but will do so again. The point of my original plea was to stop
autosubmitting if it's going on. If it's not going on here and the
mail was simply not scanned carefully before submitting, then I
forgive the submitters completely. Maybe we can all be more vigilant
in the various fronts of the spam battle.

> SW> 2) I had configured my list to allow non-list postings; I know that
> SW>    for myself I have many "personalities" or email addresses that I
> SW>    use (I've got three work addresses that my client sends alone, and
> SW>    probably a dozen personal addresses I use for different
> SW>    audiences).
> 
> This is NEVER a safe configuration for an email list - it's
> simply an open door waiting to be abused.

Well, that's arguable, depending on the nature of the list. For
example, companies often use lists for accepting public posts and
redistributing the post internally. There isn't any other way to do
it, afaik; I'm on a few of these at Verio and we get NAILED with
spam. We just accept that and do our regular filtering as if the
alias were another one of my own aliases (i.e., I filter it just as I
do the rest of my mail).

For closed discussion lists, such as this one, I agree with you
completely and have changed that configuration setting.

> Mailman 2.1.2 has a feature that allows the moderator to
> permanently approve postings from additional email
> addresses, even if they are not members. So if I get a post
> from a non-member, the first time around I will have to take
> some sort of action.

majordomo has this also. Maybe I'll start using it ;o)

> But if I see that it is clearly a legit
> post using an alternate, unsubscribed email, I have the
> ability to choose to add the email to an approved list for
> posting. Similarly, my administrative/moderator options
> allow me to add a new email to a permanent ban list - this
> will prevent repeat instances of me having to deal with spam
> emanating from the same source.
> 
> Mailman 2.1.2 also has some built in content filtering
> options that could be used to prevent some spam from coming
> through the list.

I would think that list-only posts would solve most of that
problem. The rest could be done by prefiltering with something like SA
before it gets to the list aliases to prevent the rare forged-from
case. Still, then, I wouldn't necessarily like to filter our list at
the server because we discuss and share things that would normally be
classified high on spam tests.

> SW> Does anyone have any strong feelings about these changes to the list?
> SW> What should our stance be when a list is spammed (as it was with this
> SW> list)? I hate to lock the list down to members-only posts, since it
> SW> causes delays (I have to now approve a bunch of bounces and repost
> SW> them) and lost mail, but I don't know of another way to stop
> SW> it.
> 
> I do think that despite potential delays, members-only
> posting is absolutely necessary. If you have to "repost"
> anything, then you probably need to change the software
> driving this list, because the process of
> approving/rejecting/discarding held email should be a
> fairly simple check-the-box process via a web interface.

I don't do web interfaces here, but majordomo's bounce interface is
simple enough for me. It's old and crusty but it works fine (and I can
understand how it works!)

Scott
-- 
Scott Wiersdorf
scott@xxxxxxxxxxxx
======================================================================
Technical questions regarding this list may be sent to
<vps-mail-owner@xxxxxxxxxxxx>. You may request an automated help
response by sending an email with the word 'help' (w/o quotes) in the
BODY of the message (subject is ignored) to <vps-mail-request@xxxxxxxxxxxx>.
======================================================================
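
Added example, not part of the message above or of the list's software: a Python sketch of the "whitelist first, then score, then decide" ordering discussed in the reply, in which relayed or header-stripped mail is held for a person instead of being reported. The whitelist entries, the threshold and the sample messages are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumed local policy (hypothetical values, not taken from the thread).
WHITELIST = {"vps-mail.example.org", "owner-vps-mail@example.org"}
THRESHOLD = 5.0

def spam_score(msg):
    """Score from X-Spam-Status; SA 2.x writes hits=, 3.x writes score=."""
    m = re.search(r"\b(?:hits|score)=(-?\d+(?:\.\d+)?)", msg.get("X-Spam-Status", ""))
    return float(m.group(1)) if m else 0.0

def list_identity(msg):
    """Identifiers a list manager stamps on redistributed mail."""
    ids = set()
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    if m:
        ids.add(m.group(1).lower())
    sender = parseaddr(msg.get("Sender", ""))[1].lower()
    if sender:
        ids.add(sender)
    return ids

def triage(raw):
    """Return 'deliver', 'hold-for-review' or 'report' for one raw message."""
    msg = email.message_from_string(raw)
    ids = list_identity(msg)
    if ids & WHITELIST:
        return "deliver"            # whitelisted list: never a reporting candidate
    if spam_score(msg) < THRESHOLD:
        return "deliver"
    is_list = bool(ids) or msg.get("Precedence", "").strip().lower() in ("list", "bulk")
    if is_list or not msg.get_all("Received"):
        return "hold-for-review"    # a report would name the relay, not the origin
    return "report"

# Constructed sample messages (not from the thread).
LIST_POST = (
    "Received: from mx.example.org by mail.example.net; Tue, 7 Oct 2003 14:04:41 -0700\n"
    "Sender: owner-vps-mail@example.org\n"
    "Precedence: bulk\n"
    "X-Spam-Status: Yes, hits=20.7 required=5.0\n"
    "Subject: my procmailrc\n\n:0\n* ^Subject:.*mortgage\n/dev/null\n"
)
DIRECT_SPAM = (
    "Received: from host.example.com by mail.example.net; Tue, 7 Oct 2003 13:00:00 -0700\n"
    "X-Spam-Status: Yes, hits=15.1 required=5.0\n\nLow mortgage rates\n"
)
```

Here `triage(LIST_POST)` delivers a high-scoring post from the whitelisted list, while `triage(DIRECT_SPAM)` is the only case marked eligible for reporting.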

