[tlug] antispam tricks

["Stephen J. Turnbull" <turnbull@example.com>]

Botond Botyanszki writes:

 >   I need a script or some SA or exim extension that will blacklist that
 >   IP (add a REJECT rule to iptables) if a mail is identified as spam.

You need to be more careful than that if you have secondary MXes that
ever pass you spam.  Of course by the same token you will filter what
they send you, but you don't want to REJECT them.

Note that if you are rejecting spammers, this may increase the load on
your secondaries.  Ditto greylisting.

 >  * I thought of using greylisting, but I think eventually spammers will
 >   lean towards becoming rfc compliant and come back later with the mail.

Some already are, obviously, since spam does get through greylists.
But the ones who simply blast out a billion copies to a billion
unconfirmed addresses won't, so greylisting will help for quite a
while yet.

 >  * Recently spammers are trying to fool text based classifiers such as
 >   bayes with a totally irrelevant text message body where the real info
 >   is in a .gif attachment.

This is already there for HTML messages (I guess that's a pretty safe
bet), although they allow any image/* to trigger, I think.  See the
html_tests.cf file.

I think SpamAssassin is already stretched to the limit, though.

I've heard good things about a program called popfile:
http://popfile.sourceforge.net/.  It's basically a perl script AIUI,
so you could probably integrate it into exim with embedded perl.
Haven't tried it myself yet, though.

You may wish to consider changing MUAs.  The most effective and
bullet-proof programs are likely to end up as Sendmail milters.
Postfix implements the milter interface, so you can have your milter
and avoid Sendmail, too.  Exim pretty clearly is not going implement
milters since it has two filtering languages (its own and the RFC
standard Sieve language) and embedded Perl, too.  This isn't a
recommendation, I work with both Exim and Postfix and I'm happy with
both.