Rich Kulawiec on 21 Oct 2016 13:26:16 -0700
Re: [PLUG] spamassassin help: create a rule to score by sender TLD
On Fri, Oct 21, 2016 at 08:33:49PM +0200, ac wrote:
> Where in truth, you do not even consider for a second that you may
> actually be wrong.

Apparently you missed the lengthy explanation of why it's important to make (the inevitable) mistakes in a way that facilitates their correction, and the notes about performing due diligence with log files.

> On the Internet and as far as abuse, ddos and bots go, we use all
> network layers, sometimes null routing /8 for a period - long before
> they even hit any border or puny email server

I'm aware. I've been advocating defense-in-depth tactics, starting at the network perimeter, for a very long time. I've lost count of the number of times I've told folks to use the Spamhaus DROP (and now, EDROP) lists at the perimeter, or advised null-routing hijacked networks, or pointed folks at BCP 38, or or or. And part of that is not accepting any traffic that you don't have to, because every possible outcome of that is bad for you and good for abusers and attackers.

Go look at today's discussion on NANOG about the DDoS. Really. Go read it. It's quite instructive. And then realize that it's possible because way too many people have way too many systems running way too many services in default-permit mode, and that allows them to be weaponized against third parties. Yeah, some of that would still happen even if they had the professional diligence to lock everything down as tightly as possible, but it might cut things down to a dull roar. It might give the targets a fighting chance. It would certainly be an improvement.

But unfortunately, that hasn't happened yet. Too many people are running systems like it's still 1986. I wish it were (in the sense of mutual cooperation) but it's not, and we're not going back. Everyone should be doing detailed analysis of their operational requirements and permitting only the minimum necessary. That applies not just to SMTP but to SSH, HTTP, and every other service/protocol in play.
---rsk
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug