Re: KOREAN SPAM: HOWTO deal with it???
From: Luke Vogel (luke@bell-bird.com.au) Date: 09/14/02
From: Luke Vogel <luke@bell-bird.com.au> Date: Sat, 14 Sep 2002 09:52:49 +1000
Tim Haynes wrote:
> I'd say you're probably best-off filtering out
> 1) mails with invalid syntax - use `headers_check_syntax' in exim;
> 2) Korean IP#s - dig through APNIC to see what IP blocks the country
> has, and ban them from connecting to your mail-server.
>
> Also, get a proper spam filter such as _ifile_, _spamprobe_ and
> _spamassassin_ (pick one of the first two and definitely the latter), fold
> up your probably-spam folder so you only read it once a week, check your
> rejectlog for relay attempts and dump the perps into the IP#-block
> periodically, see what happens.

All good advice, Tim.

I've been playing around with the following:

grep my procmail logs for spam that spamassassin has dropped.
Add those domains to /etc/mail/access.db typically with a REJECT
directive.

Typically what happens here is that the smtp conversation is terminated
before you are forced to accept a *** load of unwanted bandwidth. This
is good.

I have also set up a number of "broad" REJECTs like .co.kr .net.kr
.com.tw .net.tw .com.br .net.br as this is where the majority of UBE
originates, and I have nobody in these domains that needs to talk to me
directly.

I have also been playing around with a "553 Recipient Unknown" directive
to see if the spammers actually trim their lists when unknown recipients
are discovered. I've only just started this, so it will be interesting
to see if it has a positive impact or not.

--
Regards
Luke
------
Q: What does FAQ stand for?
A: We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
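
The log-to-access-map step described in the message above, as an added example that is not part of the original post or the poster's own script. It assumes procmail's default log abstract (From / Subject / Folder lines) and that SpamAssassin hits are filed to `/dev/null` or a folder named `spam`; the `min_hits` and `keep` parameters and the sample log are hypothetical.

```python
import re
from collections import Counter

# Broad suffix rejects listed in the post.
BROAD = (".co.kr", ".net.kr", ".com.tw", ".net.tw", ".com.br", ".net.br")
# Assumption: the procmail recipe files SpamAssassin hits into these folders.
SPAM_FOLDERS = {"/dev/null", "spam"}
FROM_RE = re.compile(r"^From \S+@(\S+)\s")
FOLDER_RE = re.compile(r"^\s+Folder:\s+(\S+)")

def spam_domains(log_text):
    """Count envelope-sender domains of messages delivered to a spam folder."""
    counts, domain = Counter(), None
    for line in log_text.splitlines():
        if m := FROM_RE.match(line):
            domain = m.group(1).lower().rstrip(".")
        elif m := FOLDER_RE.match(line):
            if domain and m.group(1) in SPAM_FOLDERS:
                counts[domain] += 1
            domain = None  # one Folder line closes one log entry
    return counts

def access_entries(counts, min_hits=2, keep=()):
    """Build access-map lines: broad suffixes first, then repeat offenders."""
    lines = [f"{s}\tREJECT" for s in BROAD]
    for dom, n in sorted(counts.items()):
        covered = any(("." + dom).endswith(s) for s in BROAD)
        if n >= min_hits and not covered and dom not in keep:
            lines.append(f"{dom}\tREJECT")
    return lines

# Constructed sample log (example domains only), not taken from the post.
SAMPLE_LOG = """\
From promo@mail.example.co.kr  Sat Sep 14 09:01:10 2002
 Subject: (no subject)
  Folder: /dev/null    4012
From offers@bulk.example  Sat Sep 14 09:03:44 2002
 Subject: offer
  Folder: spam    2210
From offers@bulk.example  Sat Sep 14 09:05:02 2002
 Subject: offer again
  Folder: spam    2198
From friend@isp.example  Sat Sep 14 09:07:30 2002
 Subject: lunch
  Folder: /var/mail/user    1033
"""

if __name__ == "__main__":
    print("\n".join(access_entries(spam_domains(SAMPLE_LOG))))
```

The output is text for the access map source file (`/etc/mail/access`), which `makemap` then compiles into `access.db`. Because the envelope sender in the log can be forged, the hit threshold and the `keep` set stop a single spoofed message from getting a legitimate domain rejected.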