[Mailscanner] SpamCop IP's

Matt hciss at HCIWS.COM
Wed Sep 25 15:33:30 IST 2002


> Most of this has migrated into a discussion about DNS server setups. I
> would advise use of a local caching DNS server as this will increase the
> speed of repeated lookups considerably. The DNS system already has
> positive and negative result cache timeouts in it, and if you aren't caching

That's right, there are TTL settings and stuff, forgot.  I just never
realized that blackhole lookups used one's own DNS servers to do the lookup
and did not always go directly to the blackhole.  I have a caching DNS
server sitting right next to my Raq4i.  I guess I should use it for the Raq
as well as my Internet users.

> yourself, then the next DNS server upstream from you will be caching
> anyway. So you might as well do it on your own net and speed things up.
>
> For the reasons highlighted before (e.g. use of the DUL list, which is a
> list of all known IP addresses allocated to dialup lines around the
> world), MailScanner only uses the last hop. Anything before the last hop can be
> trivially faked, so there's absolutely no point wasting CPU on extracting

Fake IPs can be added to the headers but there is no way to keep your own
out of it that I know of.  Unless you own the server, and if you do that it
should be blacklisted anyway.  I still think doing the last 2 hops would be
a great option.  Think if a DSL user from a large DSL provider for example
were to send a bunch of SPAM using mail.dsl-provider.com.  Since SPAMcop
looks at legitimate mail to SPAM ratio (I think) it would be a long while
before mail.dsl-provider.com would be listed but the end user's IP would be
listed quite quickly.  Sure the DSL provider should terminate the user's
account but that takes time and by that time many pieces of SPAM have been
pumped out.

I guess what it comes down to is checking the last couple hops would catch
a lot more spam with SPAMCOP.  I am pretty sure of that after looking at
some messages that slipped through.  It would likely not do much more good
if any with Ordb.org or other black lists though.

Thanks for the info.

Matthew

> the IP addresses from the headers and testing them. Any professional
> spammer will fake them anyway.
>
> At 01:28 25/09/2002, you wrote:
> >True, if the lookup has not been cached, it would go to the server
> >authoritative for the zone.  You should be able to control the
> >length of time the cache is valid for though.  For the most part, I have
> >added entries to my /etc/mail/access file to allow servers
> >that I know have been blacklisted, but for one reason or another, I must
> >allow mail to flow from.  On a very rare occasion, I have
> >to add an entry, but it's on the order of once a month or less.
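As an added illustration of the last-hop versus last-two-hops point argued above (example code written for this page, not MailScanner's own code and not from anyone in the thread): the script below unfolds a constructed set of Received headers, pulls the bracketed IP from each hop most-recent-first, builds the reversed-octet DNSBL query name for each, and compares checking one hop against checking two. The zone name `dnsbl.example` and the `LISTED` table standing in for DNS answers are assumptions so the example runs offline; a real check would resolve the query name through the caching resolver the thread recommends.

```python
import re
import ipaddress

# Constructed sample headers (not a real message from the thread). Received
# headers are stacked most-recent-first: the first one was written by our own
# MX and is the only hop we observed ourselves; everything below it arrived
# inside the message and could have been written by the sender.
SAMPLE_HEADERS = """\
Received: from mail.dsl-provider.example (mail.dsl-provider.example [203.0.113.10])
    by mx.example.com (Postfix) with ESMTP id 12345
    for <user@example.com>; Wed, 25 Sep 2002 15:00:00 +0100
Received: from user-pc (dsl-198-51-100-77.dsl-provider.example [198.51.100.77])
    by mail.dsl-provider.example (Postfix) with SMTP id 67890;
    Wed, 25 Sep 2002 14:59:58 +0100
Received: from forged.example ([192.0.2.1]) by not-real.example;
    Wed, 25 Sep 2002 14:59:50 +0100
From: someone@example.com
Subject: test
"""

# Hypothetical DNSBL zone and a constructed stand-in for its answers; a real
# check would resolve the query name with the (caching) DNS resolver instead.
DNSBL_ZONE = "dnsbl.example"
LISTED = {"77.100.51.198.dnsbl.example"}  # the DSL end-user IP is listed

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(raw):
    """Return the bracketed IPv4 address from each Received header, most recent hop first."""
    ips = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_IP.search(line)
        if m is None:
            continue
        try:
            ips.append(str(ipaddress.IPv4Address(m.group(1))))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
    return ips


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet name a DNSBL lookup resolves: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_hops(raw, hops=1, zone=DNSBL_ZONE, listed=LISTED):
    """Look up the last `hops` hops. hops=1 is the last-hop-only behaviour
    described for MailScanner; hops=2 is the option the thread discusses.
    Returns (ip, is_listed) pairs, most recent hop first."""
    return [(ip, dnsbl_query_name(ip, zone) in listed)
            for ip in received_ips(raw)[:hops]]


if __name__ == "__main__":
    for n in (1, 2):
        print(f"last {n} hop(s):", check_hops(SAMPLE_HEADERS, hops=n))
```

With one hop only the relaying provider MX is checked and nothing is listed; with two hops the DSL end-user address behind it is found in the list, which is the gain argued for above. The second hop is taken from a header the sender's side wrote, so a listing there is evidence from an unverified source, which is the trade-off the quoted reply raises.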


