Archive-name: mail/anti-ube-pointer
URL: ftp://cs.uta.fi/pub/ssjaaa/pm-tips.html
Maintainer: Jari Aalto <jari(_dot_)aalto(_at_)poboxes(_dot_)com>
Announcement: "Anti-UBE pointers"
This is an excerpt from a bigger document. There is only one
software pointer in this announcement: `rblcheck' which has
proven to be very efficient, fast and system load friendly
for ISPs that filter mail at MTA level. See at the end of
this message. Other Spam tools like "SpamGuard, Spam Be Gone"
are listed in the full document.
You can also order the text version from the file server with the
message below, but note that the file is big (over 450K):
To: <jari(_dot_)aalto(_at_)poboxes(_dot_)com>
Subject: send pm-tips.txt (try also "send help")
2.0 UBE in Internet (Unsolicited Bulk Email)
[...zap...]
2.5 Is one or two UBE messages acceptable
Ray Everett-Church <ray(_at_)everett(_dot_)org>, Attorney/Online
Consultant
Co-Founder & Congressional Liaison <http://www.everett.org>
Coalition Against Unsolicited Commercial Email; article 1997-12
in remailer politics mailing list
In developing what eventually became the Smith Bill, CAUCE
discussed this rather extensively among our drafting committee. The
bill gives a cause of action against the advertiser, not any of the
pathways taken between you and them. This is consistent with the
interpretation of the fax law (and many other laws for that matter)
wherein the advertiser -- not the advertiser's agent -- is
responsible for the act committed.
As for the single UCE versus bulk issue, the general consensus has
been that while a single piece of spam does not do much damage, it
is fundamentally no less a cost shift than 10 identical messages,
or 100, or 1000, or a million. The only difference is that the
costs being shifted are greater and greater. We discussed many cut
off points... would 50 spams be acceptable? 25? 10? One really well
crafted, hand written, heartfelt and personalized spam be
permissible? And in the end we felt like we were discussing angels
on the heads of pins.
While virtually nobody's system will crash because of one piece of
spam (although George Nemeyer had trouble with three or four pieces
as I recall), what is the ultimate difference if you only get one
piece from each of 15 different advertisers a day? If one spam is
ok, but two are bad, what is the interval... a day, a week?
Enforcement depends on knowing when the threshold is crossed.
So here's a scenario: you receive three spams from what is,
unbeknownst to you, the same person (one advertising weightloss
pills from WeightLoss Associates at PO Box 1, one for an MLM from
MLM Company at PO Box 2, and Bee Pollen from Pollen Partnership at
PO Box 3). Each were individually crafted and appeared to be mailed
only to you.
Under the scenario above, if the law permits one spam, will you
sue?
Would you risk suing one or all of them, gambling that they sent
the spam to anyone other than you (or whatever the threshold is...
10, 25, 50)? Would you risk suing one or all of them on the chance
that they were somehow related? What if there was a chance that
you'd find out that the three companies were really different? What
if you did sue and found that they were owned by the same person,
but were legally organized separate entities and were therefore
each entitled to one spam a piece?
In short... if one spam is permitted, it could make enforcement
incredibly cumbersome, difficult and unlikely, and would present
spammers with many reasons to violate the law knowing the odds of a
suit and successful enforcement are greatly reduced. While bulk
spam is really bad on many levels, whether it's parsed out in very
small volumes makes little or no difference to the ultimate
recipients as far as the diminished utility, cost, and annoyance.
We need a clear, bright line. And the Smith Bill is that.
3.0 Anti-UBE pointers
3.1 NoCEM, CAUCE and others
"NoCEM"
http://www.cm.org/
"Dougal's NoCeM-E"
http://advicom.net/~dougal/antispam/
... Dougal is sysadm for an ISP. His page has a wealth of information
about Anti-SPAM Tools. You will also find his mailing list for NoCeM-E.
"The Coalition Against Unsolicited Commercial Email (CAUCE)"
http://www.cauce.org/faq.html
...The Problem: Unsolicited commercial email, more commonly known as
"spam", is a growing problem on the Internet. If you've used the
Internet for any length of time, you've probably received
solicitations via email to purchase products or services.
A Solution: A group of Internet users who are fed up with spam have
formed a coalition whose purpose is to amend 47 USC 227, the
section of U.S. law that bans "junk faxing", so that it will cover
electronic mail as well.
"Teergrubing against Spam"
http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html
...`Teergrubing' It's German and means Tar-Pit. Once you have been
stuck you can't get out. ...slow down internet connections in order
to stop UBE abuse. Several hundred teergrubes are able to block
spamming worldwide without blocking any e-mail. How do I start: If
you are the admin of a MX host, install a teergrube.
"Lot of good articles about spam"
http://www.sun.com/sunworldonline/swol-12-1997/swol-12-spam.html
"(anti-spam Law) US Representative Chris Smith's statement on junk
e-mail"
http://www.sun.com/sunworldonline/swol-08-1997/swol-08-junkemail.html
...considerable variation in the approaches at the federal level,
and state legislation varies widely as well. Professor David Sorkin
of John Marshall Law School, who summarized and provided links to
the major spam-related lawsuits noted above, also provides status
summaries and links to state and federal legislation
...State of Washington just passed an anti-spam bill
http://www.leg.wa.gov/cgi-bin/print_hit_bold.pl/pub/billinfo/house/2750-2774/2752-s_pl_030798?unsolicited
"Select email court cases -- Lots of them"
http://www.jmls.edu/cyber/cases/spam.html
America Online, Inc. v. Cyber Promotions, Inc.,
Compuserve Inc. v. Cyber Promotions, Inc., etc.
3.2 General Filtering pages (more than procmail)
"Nancy McGough's Mail Filtering FAQ"
http://ssil.uoregon.edu/~trenton/autopage/page7547.html
http://www.ii.com/internet/faqs/launchers/mail/filtering-faq/
"Information Filtering Resources"
http://www.ee.umd.edu/medlab/filter/ Doug Oard
<oard(_at_)glue(_dot_)umd(_dot_)edu>
...This page lists all known internet-accessible information
filtering resources.
3.3 Junk email and spam
"Spam FAQ"
ftp://rtfm.mit.edu/pub/usenet/alt.spam/
http://www.cs.ruu.nl/wais/html/na-dir/net-abuse-faq/spam-faq.html
"The email abuse FAQ"
http://members.aol.com/emailfaq/emailfaq.html
What is UBE, UCE, EMP, MMF, MLM, Spam, it is all explained here.
"Against Spam -- The garbage collecting."
http://www.spam-archive.org/
To support this archive please forward email spam to
<spam-list(_at_)toby(_dot_)han(_dot_)de>. Everybody is invited to
bounce Mail-Spam he/she has got to this list. This is a mailinglist
to distribute actual spam-eMail. All incoming mail will be checked by
subject and from/sender-address whether it has already been
distributed or not. No discussions in this list. To discuss about
this list please subscribe to <spam-list-d(_at_)hiss(_dot_)org>.
To subscribe to _blacklist-update_ mailing list
TO: <Majordomo(_at_)hiss(_dot_)han(_dot_)de>
BODY: subscribe blacklist-update you(_at_)somewhere(_dot_)com
Mail <postmaster(_at_)spam-archive(_dot_)org> to discuss about
blacklist if your name is on it. (maintained by Axel Zinser
<fifi(_at_)sis(_dot_)han(_dot_)de>)
Get the updated blacklist from
ftp://ftp.spam-archive.org/spam/blacklist/
"Doug Muth Page"
http://bounce.to/dmuth
... "The SPAM-L FAQ" - A FAQ for SPAM-L, an anti-spam mailing list.
This FAQ discusses how to join the list and what to post there, AND
it also delves into the technical aspects of spam. For instance,
the various kinds of forgeries seen in spams are discussed here,
along with information on how to recognise them. If you hate spam,
this is something worth checking out... "TheGoodsites List" - I
maintain this list, which is part of the Spam Boycott, to show
which Internet providers out there act responsibly when dealing
with spam. If you're looking for an ISP and want to know where they
stand on spam, this is the list for you.
Send an email message to
<LISTSERV(_at_)peach(_dot_)ease(_dot_)lsoft(_dot_)com>
with the words "subscribe SPAM-L <First name> <Last name>" in the
body of the message (no quotes). If you would like to contact the
owner, the convention is the same as with all LISTSERV lists. Just
send e-mail to
<spam-l-request(_at_)peach(_dot_)ease(_dot_)lsoft(_dot_)com>
"Dealing with Junk Email"
...What you should do (and not do) when you have been victimized by
a junk emailer. This document teaches you how to read headers in
order to trace the origin of junk email, and includes detailed
examples to show you how it is done. Headers are designed for
computers to read, not people, so they can be a little hard to
follow. Therefore, I hereby grant permission to print or
electronically save a copy of this page on your local machine for
your personal use while tracing junk email. Please check back for
updates and corrections, though.
o What Not To Do: Stuff that doesn't work
o What to do: effective techniques, including how to trace junk
email back to its source
o Stay Calm (take a deep breath...)
o Stay Mad (don't get discouraged)
o How to identify the sender and who gives them Internet access
o Who to complain to, abuse addresses, online services
o What to say and how to say it, effective complaining
http://www.mcs.com/~jcr/junkemaildeal.html
"How to fight back."
http://www.oeonline.com/~edog/spamstop.html
. Look at the header of the advertising message. Find the
"Message-ID" line. (You might have to tell your e-mail program to
display this.)
. The words after the @ sign are the sender's real--not
faked--Internet Service Provider, or ISP. (Spammers often try to
disguise their address, but the Message-ID is a good clue.)
. Write a complaint to the postmaster of that ISP, similar to the
one below. (If the ISP is junkmail.com, then let
postmaster(_at_)junkmail(_dot_)com hear from you.)
"Practical Tools to Boycott Spam"
...We have been actively engaged in fighting spam for years. Recent
events, including pending court battles, prompt us to present this
page to the public. Fight spam to keep the Internet useful for
everyone.
o Filtering mail to your personal account
o Blocking spam email for an entire site
o Blocking Usenet spam for an entire site
o Blocking IP connectivity from spam sites
o Other tools and techniques for limiting spam
o Sample Acceptable Use Policy statements for ISPs
http://spam.abuse.net/spam/
"Spam -- stop that!"
http://www.accessnt.com.au/faqs/spam.htm
http://com.primenet.com/spamking/buyerbeware.html
"The Campaign to stop junk email web site"
http://www.mcs.com/~jcr/junkmail.html
...we will attempt to teach victims and potential victims (that's
everyone with an email address) the most effective methods of
prevention and retribution.
"news.admin.net-abuse.* Homepage"
http://www.math.uiuc.edu/~tskirvin/home/nana/
"The automated spamhandler beta information heap."
http://www.halcyon.com/natew/
"Ian Leicht"
http://www.nags.org/spamfilter.html
http://www.junkbusters.com/
http://www.well.com/~jbremson/spam
"Anti-Spam Provisions in Sendmail 8.8"
URL: http://www.sendmail.org/antispam.html
o Preventing relaying through your SMTP port
o Refuse mail from selected hosts
o Restrict mail acceptance from certain users to avoid mailbombing
"Blocking Email"
http://www.nepean.uws.edu.au/users/david/pe/blockmail.html
o Do you or your users, receive "junk email" (aka., "spam")
o Do you have Sendmail R8.8.5 running at your site?
o Would you like to block known "junk email" senders' addresses?
Now you can - and there's no need to patch any source code, either.
Take advantage of Sendmail's check_mail rule, to see if the
sender's address is a member of a nominated "class" - drawn from
the contents of the named file. Additional information and links:
o Prospective Addresses/Domains to Block
o Limiting Unsolicited Commercial Email
o EFF "Net Abuse and Spamming" Archive
o [U.S.] Court Lets AOL Block Email
o Anti-Spam HOWTO
o Net Abuse FAQ
o Figuring out Fake Email & Posts
o Fight Unwanted Email
o Unsolicited Junk Email - Bad for Business
o Fight Unsolicited Email and Mailing
o Yahoo's Junk Email Resources
o jmfilter
o Complaints Addresses at U.S. ISPs
o news.admin.net-abuse.* Homepage
o Processing Mail With ProcMail
o Panix's rc.shared ProcMail Configuration
o ProcMail Workshop
o Email Self Defence
o The SPAM-L mailing list
"How to chase Usenet spammer."
http://super.zippo.com/~sputum/sputools.htm
Comprehensive list of spammers
[Lars Kellogg-Stedman <lars(_at_)bu(_dot_)edu> 1998-03-25 PM-L] Panix
maintains an excellent spam-catching recipe at:
http://www.panix.com/rc.shared
I take this and run it through perl to produce my own local
spam-handling recipes. Aol publishes their 'preferred mail' list,
which is easy to turn into a procmail filter. You can find that at:
http://www.idot.aol.com/preferredmail
And finally, there is another set of filters based on the panix
filter at:
http://alcor.concordia.ca/topics/email/auto/procmail/spam/tag.html
[...zap...]
3.9 Software: RBL lookup tool
4 Dec 1997, Edward S. Marshall <emarshal(_at_)logic(_dot_)net> in
procmail mailing list.
rblcheck is a lightweight C program for doing checks against Paul
Vixie's Blackhole List. It works well in conjunction with
Procmail for filtering unwanted bulk email (under QMail, for
example, you can invoke it with the value of the environment
variable TCPREMOTEIP). rblcheck is extremely simple:
% rblcheck 1.2.3.4
where 1.2.3.4 is the IP address you want to check.
This is a quick note to announce the availability of a new tool for
using Paul Vixie's RBL blacklist (see http://maps.vix.com/rbl/ for
more information about the blacklist itself, if you don't already
know). Most tools which use the blacklist block email on a
site-wide basis. For many networks, this treads on both the ideals
of the administration, and on the perceived freedoms of the end
user.
Personally, I don't care either way. :-)
This tool was to fill the need I had to reject mail personally,
since one of the systems I receive mail through cannot, for various
political reasons, implement the available RBL filters on a
site-wide basis.
"rblcheck" is a simple tool meant to be used from procmail and
other personal filtering systems under UNIX in the absence of a
site-wide filter, as an alternative to imposing site-wide
restrictions, or as a means of imposing restrictions on systems
that cannot support the existing RBL filter patches.
Simply put: you hand it an IP address, and it determines if the IP
is in the RBL filter, providing the caller with a positive or
negative response. With the package, a sample procmail recipe is
provided, and examples of using it under QMail and Sendmail are
given.
. http://maps.vix.com/rbl/
. http://www.isc.org/bind.html The official home page
. http://www.xnet.com/~emarshal/rblcheck/
It is only tested under Linux 2.x and Solaris 2.5.1. Success
stories, patches, questions, suggestions, and flames can be
directed to me at "emarshal(_at_)logic(_dot_)net".
[Aaron Schrab <aaron+procmail(_at_)schrab(_dot_)com>] Here is my rbl
setup, but, this depends both upon the format of the Received:
lines, and the way that mail passes through your mail system.
I currently grab the IP address from the first Received: header
inserted by my ISP (I'm a sysadmin at the ISP, so I have a good
knowledge of how mail gets passed around internally). Here's the
recipe that I use.
# if there's a Received: header from one of these servers, it's
# (probably) the right one
BACKUPSERVER = "([yz]\.mx\.execpc\.com)"
VIRTSERVER = "(vm[0-9]+\.mx\.execpc\.com)"
LOCALSERVER = "([abc]\.mx\.execpc\.com)"

# Match a header containing:
#   Received: <anything> [<ip address>]) by <local server>
# ($s and $NL are not set in this excerpt; they must be defined
# earlier in the rc file.)
:0
* $ 9876543210^0 ^Received:.*\[\/[0-9.]+\]\)$s+by$s+${BACKUPSERVER}
* $ 9876543210^0 ^Received:.*\[\/[0-9.]+\]\)$s+by$s+${VIRTSERVER}
* $ 9876543210^0 ^Received:.*\[\/[0-9.]+\]\)$s+by$s+${LOCALSERVER}
{
    IP = $MATCH

    # trim it down to just the IP address
    :0
    * IP ?? ^^\/[0-9.]+
    {
        IP = $MATCH

        # a failing (non-zero) exit from rblcheck marks the address as listed
        :0 W
        * ! ? /home/aarons/bin/rblcheck -q $IP
        { SPAM = "$SPAM $IP is rbl'd$NL" }
    }
}
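
The two steps that the rblcheck announcement and the recipe above rely on, as an added shell example (not rblcheck's source and not code from either poster): take the peer IP from the topmost Received: header written by a trusted relay, then build the reversed-octet name that is looked up in the blackhole zone. The function names and the sample message are constructed for illustration, the zone is the rbl.maps.vix.com named on this page, and the lookup assumes the host(1) utility is installed.

```shell
#!/bin/sh
# Added example: not rblcheck's source and not part of the recipe above.
RBL_ZONE="rbl.maps.vix.com"   # zone named on this page

# Print the peer IP from the topmost Received: header written by a relay
# matching the ERE in $1. Folded header lines are joined first. Headers
# below that one were added by earlier hops and may be forged.
relay_ip() {
    RELAY="$1" awk '
        function scan(   s) {
            if (found || hdr !~ /^Received:/) return
            if (match(hdr, "\\[[0-9.]+\\]\\)[ \t]+by[ \t]+(" ENVIRON["RELAY"] ")([ \t;]|$)")) {
                s = substr(hdr, RSTART + 1)
                print substr(s, 1, index(s, "]") - 1)
                found = 1
            }
        }
        /^$/     { exit }                     # blank line ends the headers
        /^[ \t]/ { hdr = hdr " " $0; next }   # continuation of a folded header
                 { scan(); hdr = $0 }
        END      { scan(); exit !found }'
}

# Print the DNS name to query for a dotted-quad address, or return 1 if the
# argument is not a valid IPv4 address (header junk never reaches DNS).
rbl_query_name() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$RBL_ZONE"
}

# Exit 0 if the address has an A record in the zone (listed), 2 on bad
# input. A DNS failure counts as not listed. host(1) is an assumption.
rbl_listed() {
    name=$(rbl_query_name "$1") || return 2
    host -t A "$name" >/dev/null 2>&1
}

# Constructed sample: the real relay header is on top, a forged one below.
SAMPLE='Received: from mail.example.net (mail.example.net [192.0.2.25])
    by a.mx.execpc.com (8.8.8) id AA0001; Thu, 26 Mar 1998 10:00:00 -0600
Received: from forged (trusted [10.9.8.7]) by b.mx.execpc.com; Thu, 26 Mar 1998
Subject: constructed test message

body text [203.0.113.9]) by a.mx.execpc.com'

ip=$(printf '%s\n' "$SAMPLE" | relay_ip '[abc]\.mx\.execpc\.com') &&
    rbl_query_name "$ip"      # 25.2.0.192.rbl.maps.vix.com
```

Note that rbl_listed succeeds when the address is listed, the opposite of the way the recipe above tests rblcheck's exit status.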
It seems to be a procmail issue with letting the IP info
from sendmail pass through to the rblcheck program. I have not
been able to find anyone using rblcheck successfully with
procmail as a delivery agent...
[Edward S. Marshall <emarshal(_at_)logic(_dot_)net> 1998-03-26 PM-L]
This is a standard problem; you should be able to change the
invocation of procmail the same way as the example (run env, which
in turn runs
procmail). Make sure that there is a '-p' argument passed to
procmail; this preserves the environment you're constructing with
env (newer sendmail revisions sanitize the environment for you, so
that's not really an issue).
If you're still having troubles, make sure you're using the latest
incarnation of rblcheck, with the latest supplied procmail recipe;
earlier revisions had rather insidious bugs.
[Xavier Beaudouin (kiwi) <kiwi(_at_)oav(_dot_)net> 1998-03-26 PM-L]
Also it seems that sendmail 8.9.0Beta3 has built-in rules for
rbl.maps.vix.com. This is somewhat really efficient. I use it with
sendmail 8.8.8 and tcpwrapper every day and there is about 80%
spam rejected. Sounds very good. In your /etc/hosts.allow just add
the following lines:
sendmail: ALL: spawn /usr/local/bin/rblcheck -q %a && \
    exec /usr/sbin/sendmail -bs || /bin/echo \
    "469 Connection refused. You are in my Black List !!!\r\b\r\n" && \
    (safe_finger -l @%h 2>&1 | /bin/mail -s "%d-%h %u" root)
In your /etc/inetd.conf just add this line:
smtp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sendmail -bs
And check that your sendmail is _not_ working as a daemon. That's
all. Also, if you have a huge queue you can add a /usr/sbin/sendmail -q
in the root crontab... This should help to send some waiting
messages. I think we can use this to wait for official 8.9.0
sendmail since there is some cf/feature/rbl.m4 there.