[Fwd: Some highlights about BarricadeMX]

Steve Freegard steve.freegard at fsl.com
Thu Jun 14 20:48:47 IST 2007


Cross posting Anthony's reply to Rob as Anthony is not a member of this 
list.

-------- Original Message --------
Subject: 	Some highlights about BarricadeMX

Date: 	Thu, 14 Jun 2007 21:16:02 +0200
From: 	Anthony Howe <achowe at snert.com>
To: 	Steve Freegard <steve.freegard at fsl.com>
CC: 	barricademx at snertsoft.info


Steve, please forward my reply to the MailScanner list. I'm posting to 
the BarricadeMX list as it might be of some interest there too.

Rob Poe (from the MailScanner list) wrote:
> So, I understand that Fort and Snert have partnered up to stop spam
> at the MTA ...... and obviously it will be a proprietary method, but
> inquiring minds still want to know .. Anyone have any kind of idea on
> the techniques?

The usual suspects. BarricadeMX blends many of the SnertSoft milters 
into one comprehensive package.

a) Enhanced grey-listing which applies two optimisations (one to address 
mail server pools sharing a common queue ie. gmail.com; the other, once 
a message from a host passes greylisting messages from that host/domain 
for all subsequent messages will pass, ie. pay the grey-list delay ONCE 
only); see

http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html#smtpf_grey_list

b) Enhanced Message-ID as Email Watermark, which can be used to filter 
backscatter and skip content filtering if a message is identified as 
reply to previously sent mail.

http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html#smtpf_emew

MailScanner had a patch applied to take advantage of EMEW. If combined 
with dns-gl it would be possible to by-pass both pre and post-DATA 
filtering. Of course we have dns-bl and dns-wl support too.

c) Some other interesting tests are "client is MX" to softens PTR 
requirements and IP-in-PTR ie. looks like dynamic IP tests.

http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html#smtpf_client_is_mx

d) Another interesting combination is multiline welcome banner combined 
with 500ms or 1s command-pause will catch out

e) The multicast/unicast cache deals with the problem of sharing 
call-ahead, grey-listing, and other global data between MXes. It is fast 
and effective.

f) Client Rate Throttling, Global Rate Throttle, & Client Concurrency. 
Nothing particularly spectacular there, sendmail already has this and 
ours is similar, though we apply ours in the accept() loop.

g) URLBL application to HELO and MAIL FROM:. Not a new idea, but not 
widely used either.

h) Tar-pitting of negatives SMTP responses. Handy for dictionary like 
probing during a SMTP session.

i) EHLO no HELO and schizophrenic HELO checks. By disabling ESMTP you 
catch some spamware that assume EHLO and fail to fall back on HELO when 
rejected. Also if they EHLO/HELO with one name, but fail to EHLO/HELO 
with the same name on the next or subsequent attempts you can reject 
too. Note that RFC 2821 HELO/EHLO is equivalent to RSET once the first 
HELO is accepted.

http://www.snertsoft.com/smtp/smtpf/smtpf-cf.html#smtpf_smtp (last 
paragraph)

There is more. So much I forget what is novel and what has been done 
before. You have to read the documentation to get see for yourself.

> I have 2 clients.  One is a trucking firm.  They get a lot of trade
> industry magazines (which SpamAssassin hates) and a lot of people in
> the trucking industry who think it fine that they have a 400x400
> inline .gif with their signature and other misc. stuff, in an email
> with a "Hey give me a call if you want me to service your loads" ...
> yeah SA hates that too..

BarricadeMX can do some real-time content filtering such as clamav, 
spamassassin, and uribl tests in which it will reject or discard. 
However, it is limited by the proxy design in that it cannot tag nor 
quarantine messages based on content (we don't use temp. or queue 
files). milter-spamc, MailScanner, or similar is still required for that 
level of functionality. So things like inline images and their like will 
require tweaking of SpamAssassin as with MailScanner.

> The other is a law firm.  They want Artificial Intelligence for their
> spam filter.  Everything that ISN'T SPAM gets delivered and
> everything that IS SPAM doesn't  -- no errors.

No anti-spam technique is perfect. Expectations of such are unrealistic. 
 We just don't have enough good AI for such yet. (I'll note it as an 
enhancement request though; insert Spock's brain.)

Depending on your paranoia and the set of BarricadeMX options you apply, 
you can tone down the filtering or make it really strict. The FSL web 
user interface for BarricadeMX provides three default levels of 
strength, after which you can customise.

Regardless of the options you apply, a MailScanner or SpamAssassin 
installation will still benefit as the machine will see less system 
load. In your example, you turn on only those tests you are happy with 
and then let a second level filter like MailScanner have its turn. 
BarricadeMX was originally intended as a pre-filter for MailScanner to 
reduce system load by catching the low hanging fruit. What we found with 
BarricadeMX in beta testing, was it would catch the low hanging fruit on 
really tall trees :-)

> Of course, if you go too strict on filtering you can lose emails, and
> if you go too lose you end up with horse sex in your inbox ... how
> does this product compare to current methods?
> 
> Greylisting has helped tremendously, but there are still some
> seriously BRAIN DEAD admins running some seriously BRAIN DEAD email
> apps that don't ever retry.. So for the two above clients, it didn't
> work so well.

There is no suitable solution for brain dead brokeness that fails to 
follow RFC 2821 recommended mail delievery strategies. If a customer 
chooses to use broken software and the developer won't fix it, then all 
you can do is white list them if you like them enough.

> (oh, and why do people make 10 outbound mail gateways, so a message
> that retries goes between the 10 different hosts, getting a greylist
> deny every time, but te delivery retry is > 1 minute) ???

We can fix ignorance, we can't fix stupidity. Really short retry times 
less than 5 minutes are IMHO are just stupid and the result of pointy 
clickity type mentalities performing system administration tasks in 
which they are not competent in. However, rate throttling and the 
multicast/unicast cache does help some aspects of this problem.

Another feature of BarricadeMX are the runtime and hourly stats (version 
1.1 will have rolling 60 minutes stats too). Below is an example from a 
test machine.

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220-XXX.XXX.XXX ESMTP Welcome to smtpf
220 Copyright 2006, 2007 by SnertSoft. All rights reserved.
stats
214-2.0.0 smtpf/1.0.146 (runtime)
214-2.0.0 start-time=Thu, 14 Jun 2007 11:57:12 -0400
214-2.0.0 age=10493
214-2.0.0 active-connections=11
214-2.0.0 high-connections=23 (100.00%)
214-2.0.0 high-connections-per-second=5 (100.00%)
214-2.0.0 high-session-time=350 (100.00%)
214-2.0.0 total-KB=973 (100.00%)
214-2.0.0 CLIENTS=5724 (100.00%)
214-2.0.0 dropped=4422 (77.25%)
214-2.0.0 data-354=76 (1.33%)
214-2.0.0 client-io-error=1076 (18.80%)
214-2.0.0 client-timeout=11 (0.19%)
214-2.0.0 server-io-error=113 (1.97%)
214-2.0.0 admin-commands=75 (1.31%)
214-2.0.0 auth-pass=0 (0.00%)
214-2.0.0 auth-fail=0 (0.00%)
214-2.0.0 bogus-helo=2 (0.03%)
214-2.0.0 concurrent=0 (0.00%)
214-2.0.0 connect-bl=12 (0.21%)
214-2.0.0 connect-lan=0 (0.00%)
214-2.0.0 connect-localhost=76 (1.33%)
214-2.0.0 connect-relay=76 (1.33%)
214-2.0.0 connect-wl=0 (0.00%)
214-2.0.0 dns-bl=2750 (48.04%)
214-2.0.0 dns-gl=38 (0.66%)
214-2.0.0 dns-wl=0 (0.00%)
214-2.0.0 ehlo-no-helo=1508 (26.35%)
214-2.0.0 helo-claims-us=0 (0.00%)
214-2.0.0 helo-ip-mismatch=110 (1.92%)
214-2.0.0 helo-schizophrenic=7 (0.12%)
214-2.0.0 idle-retest-timer=0 (0.00%)
214-2.0.0 rate-client=51 (0.89%)
214-2.0.0 rate-throttle=0 (0.00%)
214-2.0.0 client-ip-in-ptr=0 (0.00%)
214-2.0.0 client-ptr-required=873 (15.25%)
214-2.0.0 client-ptr-required-error=60 (1.05%)
214-2.0.0 rfc2821-strict-helo=30 (0.52%)
214-2.0.0 smtp-command-non-ascii=0 (0.00%)
214-2.0.0 smtp-command-pause=51 (0.89%)
214-2.0.0 smtp-drop-after=0 (0.00%)
214-2.0.0 smtp-drop-unknown=6 (0.10%)
214-2.0.0 smtp-enable-esmtp=2813 (49.14%)
214-2.0.0 smtp-greet-pause=65 (1.14%)
214-2.0.0 smtp-reject-delay=0 (0.00%)
214-2.0.0 uri-bl-helo=34 (0.59%)
214-2.0.0 uri-bl-ptr=206 (3.60%)
214-2.0.0 SENDERS=3411 (100.00%)
214-2.0.0 null-sender=18 (0.53%)
214-2.0.0 call-back-cache=0 (0.00%)
214-2.0.0 call-back-made=0 (0.00%)
214-2.0.0 cli-envelope=0 (0.00%)
214-2.0.0 client-is-mx=130 (3.81%)
214-2.0.0 grey-continue=40 (1.17%)
214-2.0.0 grey-tempfail=171 (5.01%)
214-2.0.0 mail-bl=1 (0.03%)
214-2.0.0 mail-wl=0 (0.00%)
214-2.0.0 mail-parse=4 (0.12%)
214-2.0.0 require-sender-mx=0 (0.00%)
214-2.0.0 require-sender-mx-error=0 (0.00%)
214-2.0.0 siq-query-cache=0 (0.00%)
214-2.0.0 siq-query-made=0 (0.00%)
214-2.0.0 siq-score-reject=0 (0.00%)
214-2.0.0 siq-score-tag=0 (0.00%)
214-2.0.0 spf-pass=97 (2.84%)
214-2.0.0 spf-fail=9 (0.26%)
214-2.0.0 spf-none=220 (6.45%)
214-2.0.0 spf-neutral=1 (0.03%)
214-2.0.0 spf-softfail=7 (0.21%)
214-2.0.0 spf-perm-error=0 (0.00%)
214-2.0.0 spf-temp-error=0 (0.00%)
214-2.0.0 uri-bl-mail=64 (1.88%)
214-2.0.0 RECIPIENTS=257 (100.00%)
214-2.0.0 rcpt-reject=9 (3.50%)
214-2.0.0 one-rcpt-per-null=0 (0.00%)
214-2.0.0 rcpt-bl=0 (0.00%)
214-2.0.0 rcpt-wl=0 (0.00%)
214-2.0.0 rcpt-parse=0 (0.00%)
214-2.0.0 MESSAGES=80 (100.00%)
214-2.0.0 msg-accept=60 (75.00%)
214-2.0.0 msg-discard=0 (0.00%)
214-2.0.0 msg-drop=0 (0.00%)
214-2.0.0 msg-reject=20 (25.00%)
214-2.0.0 dsn-sent=0 (0.00%)
214-2.0.0 7bit-headers=0 (0.00%)
214-2.0.0 cli-content=0 (0.00%)
214-2.0.0 infected=0 (0.00%)
214-2.0.0 junk-mail=0 (0.00%)
214-2.0.0 line-length=0 (0.00%)
214-2.0.0 message-limit=0 (0.00%)
214-2.0.0 message-size=0 (0.00%)
214-2.0.0 ret-pass=0 (0.00%)
214-2.0.0 ret-fail=11 (13.75%)
214-2.0.0 ret-ttl=0 (0.00%)
214-2.0.0 strict-dot=0 (0.00%)
214-2.0.0 uri-bl=9 (11.25%)
214-2.0.0 uri-max-limit=0 (0.00%)
214-2.0.0 uri-max-test=4 (5.00%)
214 2.0.0 End.

-- 
Anthony C Howe          Skype: SirWumpus                    SnertSoft
+33 6 11 89 73 78         ICQ: 7116561      Sendmail Milter Solutions
http://www.snert.com/                       http://www.snertsoft.com/



More information about the MailScanner mailing list