
Re: are two 'firewalls' better than one ..

__/ [ ed ] on Sunday 26 November 2006 13:24 \__

> On Sun, 26 Nov 2006 08:53:24 +0000
> Mark Kent <mark.kent@xxxxxxxxxxx> wrote:
> 
>> begin  oe_protect.scr
>> ed <ed@xxxxxxxxxxx> espoused:
>> > On Fri, 24 Nov 2006 17:43:08 +0000
>> > Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:
>> > 
>> >> > A 'software' isn't a real firewall in that it can be disabled by
>> >> > opening an attachment or clicking on a web link.
>> >> 
>> >> Very true. I seem to forget this until I look more closely at SPAM
>> >> with attachments and/or links. Has anybody else been hit by fake
>> >> greeting cards on Thanksgiving? Here's the body of one that's in my
>> >> trash. Thunderbird is set to force plain-text and avoid HTML, so
>> >> the target of the URL is shown quite explicitly.
>> > 
>> > hardware firewalls do not prevent against social engineer attacks
>> > like this.
>> > 
>> > a hardware firewall can indeed block emails... but the hardware
>> > variety does not check the email body. i know there are these
>> > so-called 'active' firewalls that do indeed look at the body of the
>> > message, but that's just freaking nuts. it's not the firewall's job
>> > to inspect things above layer3. looking at the body is just
>> > something that a mail server should do.
>> > 
>> 
>> Why should a mail server do it?  The body of the email, its contents,
>> are well above layer3.  The conversation here is going on between the
>> mail client which sent the mail and the mail client which received it.
>> The rest of the network should be transparent at this layer.
> 
> why "shouldn't it".
> 
> i disagree with having that sort of crap going on at the firewall. but
> some people supply that sort of thing. it just proxies all mail
> conversations, bad as that is.
> 
> mailservers often do check message body content, take a look at
> bogofilter and spamassassin.

Ed,

You seem to be like an anti-SPAM expert, so I have a little question/problem
that maybe you can help me with. I put a BoxTrapper on one of my boxes,
where SpamAssassin managed to keep the BoxTrapper's activity very low.
Recently, however, many messages have been getting through. At first I
thought it was because the "from" field contained my domain (deliberately
so). I looked at a small sample to reinforce this assumption. I then created
some filters, but it turns out that only about 20% of the messages can
penetrate owing to this particular trick. This means that the remainder have
got some automated mechanism that verifies the identity of the sender with
BoxTrapper... or perhaps it fools Apache's BoxTrapper somehow. What can I do
to handle this?

Last week I received an E-mail from a stranger who said that the ISP can
prevent (forged headers-saturated) messages from being sent with my domain
inserted. I'm not sure it can help in this circumstance. Have the spammers
just cracked SpamAssassin with their GIFs and beaten BoxTrapper with some new
trick that they increasingly get up and out of their sleeves? The volume is
increasing all the time and I'm getting worried...

Thanks for listening...

Roy
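
One way to express a filter for the own-domain "from" trick described in the post above, as an added example that is not part of the original message: it flags mail only when the From domain is the protected one and the connecting host recorded by the receiving server lies outside the networks allowed to send as that domain. `example.org`, the `192.0.2.0/24` range, the function names and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example.org"  # assumption: the domain being protected
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: hosts that legitimately send as it
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def from_domain(msg):
    """Lower-cased domain of the From: header ('' if there is none)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def connecting_ip(msg):
    """Peer IP in the topmost Received: header, the one our own server wrote."""
    received = msg.get_all("Received") or []
    match = BRACKETED_IP.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # e.g. [999.1.1.1]
        return None

def claims_own_domain_from_outside(raw):
    """True when From: uses OWN_DOMAIN but the mail came from a foreign host."""
    msg = message_from_string(raw)
    if from_domain(msg) != OWN_DOMAIN:
        return False
    ip = connecting_ip(msg)
    # A missing or unparsable Received line counts as outside (fail closed).
    return ip is None or not any(ip in net for net in OWN_NETS)

def sample(peer_ip, sender):
    """Constructed test message, not taken from the thread."""
    return (f"Received: from host.invalid (unknown [{peer_ip}])\n"
            "\tby mx.example.org; Sun, 26 Nov 2006 10:00:00 +0000\n"
            f"From: {sender}\nTo: me@example.org\nSubject: greeting card\n\nbody\n")

FORGED = sample("203.0.113.45", "Me <me@example.org>")
GENUINE = sample("192.0.2.10", "Me <me@example.org>")
STRANGER = sample("203.0.113.45", "someone@elsewhere.invalid")

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("genuine", GENUINE), ("stranger", STRANGER)]:
        print(name, claims_own_domain_from_outside(raw))
```

This covers only the own-domain trick, which the post puts at about 20% of the messages getting through.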
