RANT: Spam and Sonic.net

by thulsa_doom » Sat May 03, 2014 5:27 pm
patty1 wrote: John, I just checked about a dozen spam messages that have come in in recent days, and only one of them even had anything in the "X-Sonic-SB-IP_RBLs" field. Like your example, it said, "IP RBLs sorbs-spam." I see 11 different SORBS lists on the configuration page; does this field entry mean that the spam could have been blocked by one of those 11, but we don't know which one?
"sorbs-spam" specifically refers to the one labeled "spam.dnsbl.sorbs.net"

Most of my mail doesn't have any X-Sonic-SB-IP_RBLs listing, either. But from conversations on this forum and elsewhere, I have an abnormally low spam load for somebody who's had the same address for sixteen years.
John Fitzgerald
Sonic Technical Support
by tensigh » Sat May 03, 2014 6:00 pm
John, I agree that there is a difference between "unwanted" email and spam. Spam emails are from completely illegitimate sources who got my email address without my permission and the senders do not comply with opt-out laws (not that I send opt-out messages to those kinds of sources). If a company got my email address legitimately then I just unsubscribe. It's the ones that illegally obtained my address that get me angry.

I'll try what you suggested with fairly non-restrictive settings at first.
by patty1 » Mon May 05, 2014 3:23 pm
thulsa_doom wrote: "sorbs-spam" specifically refers to the one labeled "spam.dnsbl.sorbs.net"
I changed that from "0" to "5," but then thought I should check my legitimate mail to make sure that the same header wasn't showing up there. Turns out that SORBS has Yahoo's mail servers on its list. :-( Since I belong to a few Yahoo groups and get mail from friends and relatives who use Yahoo, I can't block those servers. Oh well...
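
The check described in the post above (look for the same header on legitimate mail before raising a list's score) can be scripted. This is an added example, not part of the thread and not Sonic's tooling; the header's value format (list names separated by spaces or commas, optionally prefixed with "IP RBLs"), the sample messages and the "example-rbl" list name are assumptions made for illustration.

```python
from collections import defaultdict
from email import message_from_string

HEADER = "X-Sonic-SB-IP_RBLs"  # header name as quoted in the thread

# Constructed sample mailbox: (is_ham, raw message). Addresses and the
# "example-rbl" list name are made up; "sorbs-spam" is the value from the thread.
SAMPLES = [
    (False, "From: promo@example.net\nX-Sonic-SB-IP_RBLs: IP RBLs sorbs-spam\n\nBuy now\n"),
    (False, "From: deals@example.org\nX-Sonic-SB-IP_RBLs: example-rbl\n\nCheap loans\n"),
    (False, "From: x@example.com\n\nNo RBL header at all\n"),
    (True, "From: friend@yahoo.com\nX-Sonic-SB-IP_RBLs: IP RBLs sorbs-spam\n\nLunch?\n"),
    (True, "From: billing@example.com\n\nYour statement\n"),
]


def rbl_names(raw):
    """List names found in the header; assumes space/comma separated values."""
    value = message_from_string(raw).get(HEADER, "")
    tokens = value.replace(",", " ").split()
    # Drop the literal "IP RBLs" label in case it is part of the value.
    return {t for t in tokens if t not in ("IP", "RBLs")}


def audit(samples):
    """Count, per list name, how many ham and spam messages carry it."""
    tally = defaultdict(lambda: {"ham": 0, "spam": 0})
    for is_ham, raw in samples:
        for name in rbl_names(raw):
            tally[name]["ham" if is_ham else "spam"] += 1
    return dict(tally)


def safe_to_raise(tally):
    """Lists seen on spam but never on known-good mail."""
    return sorted(n for n, c in tally.items() if c["spam"] and not c["ham"])


if __name__ == "__main__":
    result = audit(SAMPLES)
    for name, counts in sorted(result.items()):
        print(f"{name}: ham={counts['ham']} spam={counts['spam']}")
    print("candidates for a higher score:", safe_to_raise(result))
```

A list that shows up on known-good mail, as "sorbs-spam" does here for the constructed Yahoo message, is left out of the candidates.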
by lr » Tue May 06, 2014 9:17 pm
I hate to be contrarian, but I get less spam on Sonic than on my office e-mail (and my employer is the world's largest computer company, which probably has more employees in its spam filtering department than all of Sonic). And my personal e-mail has been quite visible, as I have run several political campaigns, sending e-mails to tens of thousands of people at times.

At a previous ISP, I ran spamassassin myself (they allowed everyone to use their main mail gateway machine as a shell machine, so I just configured procmail to run my own copy of SA). That was a lot of work, and didn't actually function terribly well, since I didn't have enough time to tune and tweak.

What did I have to do for that? To begin with, tune settings: I left the limit score at 5, but tweaked quite a few scores: Much more weight for Razor, DCC and the other blacklists, much more weight for fuzzy things involving mortgage and refinance (I think someone maliciously signed me up for a mortgage search service, probably a political campaign revenge), all scores for dynamic IP addresses are over 5, and HTML, remote images and multipart mime encoding are so high (in particular HTML_ONLY) that they nearly trigger the limit even if everything else is perfect.

I think the fact that Sonic staff pre-adjusts the SA scores, and adds a few sonic-specific tests gives SA a good enough base to work reasonably well, and then my nasty tuning brings it to the 99% one needs.

With that, I get maybe 2 or 3 spams in my regular inbox per day. Unfortunately, it also means that of the about 50-100 graymails per day, there is about a real (ham) message per week that goes into graymail. I fix that by whitelisting those senders (things like Vanguard, Fidelity and PG&E are real bad in sending e-mails that are so fancy and decorated, they look like spam). This means that my whitelist is very long, but that just wastes a little bit of CPU time.

Total time to tweak this? Maybe 10 or 20 times I had to spend 10 minutes or half an hour adjusting something, in the last 5 years. Not a big deal. Less work than running my own spamassassin, and orders of magnitude less work than running my own mail server (which I used to do too).
Linda and Ralph and John; 735 Sunset Ridge Road; Los Gatos, CA 95033; 408-395-1435
by tensigh » Tue May 06, 2014 9:31 pm
I'm glad to hear other stories and hear about other users' experiences. I do get few spam myself; it's just that the number has been slowly creeping up. Following the advice here I'm going to tweak my blacklist settings up, whitelist more regular users and tweak some of the DNS settings. This should help.
by jneal » Wed May 07, 2014 10:18 am
I've had my Sonic email address for almost 10 years now and have been receiving more spam in the past few months than ever. Checking the forums here confirmed my suspicion that it's not just me.

The thing that really scares me about what's getting thru is that most of them have virus attachments. It's either report.zip, receipt.zip, duty_report.zip or other zip files with viruses/trojans inside. I just got one sent from jmos@sonic.net which is very close (alphabetically) to my very own address. I don't know if jmos@sonic.net is a real address or not.

I use the black/white lists and have gone so far as to blacklist entire domains such as *@yahoo.com, *@hotmail.com, *@linkedin.com, etc and then whitelist just those yahoo, hotmail, etc of friends, family, associates with yahoo, hotmail, etc addresses. I've even blacklisted entire countries like *@*.in

My question, however, is... why isn't SpamAss smart enough to catch virus attachments (even inside zip archives) despite any other scoring metric???
by lr » Wed May 07, 2014 1:22 pm
jneal wrote: My question, however, is... why isn't SpamAss smart enough to catch virus attachments (even inside zip archives) despite any other scoring metric???
Your question can be restated as follows: Why does SpamAssassin not contain an anti-virus program? You seem to say that it should.

While I have no problem with someone adding anti-virus capability to SA, I personally don't see it as necessary. That's because all our machines that handle e-mail are either various Unix flavors (usually *BSD), which are nearly completely immune from viruses, or Macs, which are mostly immune from the common viruses that come in a .zip file. I would suggest that if someone wants or needs to protect against viruses, they should do that at the point where the vulnerability occurs.
Linda and Ralph and John; 735 Sunset Ridge Road; Los Gatos, CA 95033; 408-395-1435
by thulsa_doom » Wed May 07, 2014 3:45 pm
jneal wrote: My question, however, is... why isn't SpamAss smart enough to catch virus attachments (even inside zip archives) despite any other scoring metric???
That would be a function of ClamAV, but you really shouldn't count on us to keep your system clear of malicious code.
John Fitzgerald
Sonic Technical Support
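
To illustrate the kind of check being asked about in the posts above, here is an added example (not part of the thread, and not how SpamAssassin, ClamAV or Sonic work): it lists members of zip attachments whose extension runs code when opened on Windows. The extension list and the constructed sample messages are assumptions; a name check like this is a triage aid, not a virus scanner.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions that run code when opened on Windows (short, non-exhaustive list).
RISKY = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample(zip_name, member_name):
    """Construct a test message with a harmless zip attachment (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


def risky_zip_members(raw):
    """Return (attachment, member) pairs for zip members with a risky extension."""
    hits = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            # An archive that cannot be listed is flagged rather than skipped.
            hits.append((name, "<unreadable archive>"))
            continue
        for member in members:
            dot = member.rfind(".")
            if dot != -1 and member[dot:].lower() in RISKY:
                hits.append((name, member))
    return hits


if __name__ == "__main__":
    print(risky_zip_members(build_sample("report.zip", "report.pdf.exe")))
    print(risky_zip_members(build_sample("receipt.zip", "receipt.pdf")))
```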
by tensigh » Thu May 08, 2014 1:52 am
lr wrote:
Your question can be restated as follows: Why does SpamAssassin not contain an anti-virus program? You seem to say that it should.

While I have no problem with someone adding anti-virus capability to SA, I personally don't see it as necessary. That's because all our machines that handle e-mail are either various Unix flavors (usually *BSD), which are nearly completely immune from viruses, or Macs, which are mostly immune from the common viruses that come in a .zip file. I would suggest that if someone wants or needs to protect against viruses, they should do that at the point where the vulnerability occurs.
I disagree. If the majority of users run Windows (surprise, surprise, this is still true) there should be some anti-virus protection at the system level.

Second, you're wrong if you think Unix or Mac systems are "completely immune from viruses". There are all types of vulnerabilities out there where systems get compromised. Heartbleed wasn't a "virus" but it was a vulnerability and since it was open source it was ironically more Linux systems that needed patching. A few years back a lot of Sonic users had their servers hacked when SSH v 1.0 had a major vulnerability that got exploited. In South Korea 1-2 years ago several systems of all types got completely wiped out by malware that affected not only Windows but also Linux and Unix systems as well (I don't know for certain if Macs were affected but it's quite possible).

It is true that Windows systems are generally more vulnerable but if you think in black and white terms of "Non-Windows = safe from malware", you are going to get attacked.
by lr » Thu May 08, 2014 5:19 pm
Yes, I know, having been root-kitted on a Linux system once. But: With a well-managed *BSD system (in particular OpenBSD), the risk of that is very small. All the attack vectors you are describing come over the network, so carefully minimizing the exposure surface (firewalling, closing ports, running servers in jails) will solve most of the problems.

But: None of these issues come over e-mail. Non-Windows systems are mostly (not completely) immune to viruses that come as .zip file attachments to e-mail. Checking e-mail attachments for executable viruses, while sensible for Windows clients, does little or nothing for other platforms.

Just to make it clear: I'm not opposed to this being implemented, I just don't see it as a high priority for my use pattern.
Linda and Ralph and John; 735 Sunset Ridge Road; Los Gatos, CA 95033; 408-395-1435