headers
Adrian 'Dagurashibanipal' von Bidder | 1 May 2003 08:53
Picon

Re: spam sent to debian.org addresses

On Wednesday 30 April 2003 22:50, Matt Zimmerman wrote:
> On Tue, Apr 29, 2003 at 08:50:43PM +0200, Marco d'Itri wrote:
> > What's wrong with our mail system? Why can't the debian admins blacklist
> > a well known spammer, or even better use a reputable DNSBL like SBL?
> > I asked the same questions to the debian admins but nobody ever replied,
> > I'm sick of receiving every few days the same spam from the same
> > professional spammer which could be trivially filtered.
>
> If it can be so trivially filtered, just filter it on your end and forget
> about it.

A big part of the spam can be trivially blocked at the point where it enters 
the Debian servers, using DNSRBLs and other sensible restrictions. When it 
enters my mailer, it can not be trivially blocked as it comes from 
murphy.debian.org which is a mail server I want to accept mail from.

Note that I have no problem with the spam coming through the Debian list, they 
get tagged by spamassassin and moved into my spam folder where they get 
spamcopped. But nevertheless, Debian and the pgp-keyserver-folk mailing lists 
produce the majority of the spam I get on my system. Spam delivered directly 
to me mostly does not come through these days.

Note also that I know that I can afford to block very aggressively because 
it's my personal mailserver with only few users while the Debian mailserver 
can't block that aggressively (like, blocking on the whole of China and Korea 
is probably not a good idea...).

cheers
-- vbi
(Continue reading)

Permalink | Reply | 8 comments |
headers
Matt Zimmerman | 1 May 2003 15:36
Picon
Favicon

Re: spam sent to debian.org addresses

On Thu, May 01, 2003 at 08:53:31AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:

> A big part of the spam can be trivially blocked at the point where it enters 
> the Debian servers, using DNSRBLs and other sensible restrictions. When it 
> enters my mailer, it can not be trivially blocked as it comes from 
> murphy.debian.org which is a mail server I want to accept mail from.

A lot of legitimate mail can be trivially blocked this way, as well, which
is why it doesn't make sense to drop it on the server side.

> Note also that I know that I can afford to block very aggressively because 
> it's my personal mailserver with only few users while the Debian mailserver 
> can't block that aggressively (like, blocking on the whole of China and Korea 
> is probably not a good idea...).

Agreed.

--

-- 
 - mdz
Permalink | Reply | 7 comments |
headers
Martin Schulze | 1 May 2003 17:59
Favicon

Re: spam sent to debian.org addresses

Matt Zimmerman wrote:
> On Thu, May 01, 2003 at 08:53:31AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> 
> > A big part of the spam can be trivially blocked at the point where it enters 
> > the Debian servers, using DNSRBLs and other sensible restrictions. When it 
> > enters my mailer, it can not be trivially blocked as it comes from 
> > murphy.debian.org which is a mail server I want to accept mail from.
> 
> A lot of legitimate mail can be trivially blocked this way, as well, which
> is why it doesn't make sense to drop it on the server side.

Which is also a reason dialup-rbl lists are not enabled by default.
Even if it would reduce the amount of spam, it would close Debian
for certain people, which is not acceptable for/by Debian.

Regards,

	Joey

--

-- 
Life is too short to run proprietary software.  -- Bdale Garbee
Permalink | Reply | 0 comments |
headers
Adrian 'Dagurashibanipal' von Bidder | 1 May 2003 18:29
Picon

Re: spam sent to debian.org addresses

On Thursday 01 May 2003 15:36, Matt Zimmerman wrote:
> On Thu, May 01, 2003 at 08:53:31AM +0200, Adrian 'Dagurashibanipal' von 
Bidder wrote:
> > A big part of the spam can be trivially blocked at the point where it
> > enters the Debian servers, using DNSRBLs and other sensible restrictions.
> > When it enters my mailer, it can not be trivially blocked as it comes
> > from murphy.debian.org which is a mail server I want to accept mail from.
>
> A lot of legitimate mail can be trivially blocked this way, as well, which
> is why it doesn't make sense to drop it on the server side.

For some arbitrary definition of 'a lot'. There is a wide range of dnsrbls 
available, with different goals. Blocking on the more conservative lists, 
like the spamhaus one, and on the open relay lists will hardly block any 
legitimate mail. Using lists like SPEWS or even spamcop will guarantee quite 
a bit of mail blocked (IIRC murphy has been in and out the spamcop list in 
the past, and I know that the AOL mailservers are in the spamcop list quite 
frequently). In the special case of an international project like Debian, 
blocking country level cannot be done for obvious reasons, whereas the same 
can easily be done even for a relatively large company with few foreign 
contacts.

Hmmm. Has anybody done statistcs about how many first-time/one-time posters 
there are on the Debian lists every week (particularly on *-users-*)? One 
thing that could be feasible is to use an automatic whitelist, with first 
time posters needing a much lower spamassassin score than regulars (those who 
are above the score would need to be approved - personally I'd think doing an 
email ping pong with those would not be a rude thing to do on a mailing list, 
as opposed to a private email address, but iirc I am in the minority with 
that opinion).
(Continue reading)

Permalink | Reply | 0 comments |
headers
Neil Schemenauer | 1 May 2003 18:49
Picon

Re: spam sent to debian.org addresses

Matt Zimmerman wrote:
> Adrian 'Dagurashibanipal' von Bidder wrote:
> 
> > A big part of the spam can be trivially blocked at the point where
> > it enters the Debian servers, using DNSRBLs and other sensible
> > restrictions. When it enters my mailer, it can not be trivially
> > blocked as it comes from murphy.debian.org which is a mail server I
> > want to accept mail from.
> 
> A lot of legitimate mail can be trivially blocked this way, as well,
> which is why it doesn't make sense to drop it on the server side.

My solution to this problem is to temporary reject the message but also
keep a cookie identifing it.  If the message is still being retried
after a certain amount of time (e.g. 24 hours) then it is allowed.

This technique has been very effective for me.  A lot of spam is sent
directly and is not retried.  Open relays are often fixed before the
time is reached.  Spammers that connect directly cannot keep retrying
for a long time.  They need to hit and run otherwise the IP address they
are using will be blackholed.

  Neil
Permalink | Reply | 0 comments |
headers
Remi Perrot | 1 May 2003 22:04
Picon
Favicon

Debian reliability growth


I want, with this mail, to start a campaign on improving Debian
reliability.

Policy on improving stable release are, in my humble opinion, too
restrictive and don't give the opportunity to improve Debian quality out
of security fix. I think that as release cycle is very long we have to
accept fix on all bugs in Stable.

I know of two reasons why we are not doing this:

The first one is that when we are working on Stable, we are not working
on Unstable/Testing and this way we make the release cycle longer.

Of course I don't agree, as unfortunately few of us do work on Release
Critical Bugs of other packages and even fewer can work on
debian-installer. As they are the most critical issues we need to solve
for a new release, improving stable will not slow so much Sarge release.

The second reason is that it may result more damage than improvement
from changing something in Stable. Saying it like this is right, as many
things may happen, but by using a good process we may reduce the risk.
In the other hand being to much restrictive on improving Stable means
that we don't trust ourselves and that there is no alternative between
no change at all and being out off control.

Can we continue to tell Debian users "thanks for reporting bug on Woody
but even if this bug is annoying and fixable it will never be fixed
before the next stable release" ?  Can we continue to say that the bug
is fix in Unstable/Testing but of course theses distribution are known
(Continue reading)

Permalink | Reply | 13 comments |
headers
Marco d'Itri | 1 May 2003 22:27

Re: spam sent to debian.org addresses

mdz <at> debian.org wrote:

>A lot of legitimate mail can be trivially blocked this way, as well, which
>is why it doesn't make sense to drop it on the server side.
No. Using SBL definitely does not block "a lot" of legitimate mail.

--

-- 
ciao,
Marco
Permalink | Reply | 3 comments |
headers
Martin Schulze | 2 May 2003 07:46
Favicon

Re: Debian reliability growth

Remi Perrot wrote:
> I want, with this mail, to start a campaign on improving Debian
> reliability.
> 
> Policy on improving stable release are, in my humble opinion, too
> restrictive and don't give the opportunity to improve Debian quality out
> of security fix. I think that as release cycle is very long we have to
> accept fix on all bugs in Stable.

If you install a Debian stable system, you are (more or less)
guaranteed the system doesn't change its behaviour during its
lifetime, except for security updates, corrections for severe problems
and license violations.

This is quite important if you want to use a system or base a project
on it, but don't want to check every month if the system, after an
update, still behaves as it should.  Even worse, if you have to expect
that the system changes, people may not install security updates since
this would retroactively creep in other changes that they would not
want, hence, leaving their system vulnerable to more problems than it
should.

>From a technical point, we don't have the infrastructure to build and
largely test updates for stable as we have for unstable.  Sometimes
this badly affects security as well, unfortunately.

(Quoted from <http://www.debian.org/security/faq#oldversion>)

Our users and developers are relying on the exact behaviour of a
release once it is made, so any change we make can possibly break
(Continue reading)

Permalink | Reply | 12 comments |
headers
Robert Lemmen | 2 May 2003 11:56

Re: spam sent to debian.org addresses

On Thu, May 01, 2003 at 08:27:42PM +0000, Marco d'Itri wrote:
> >A lot of legitimate mail can be trivially blocked this way, as well, which
> >is why it doesn't make sense to drop it on the server side.
> No. Using SBL definitely does not block "a lot" of legitimate mail.

in some cases it does. using SPEWS for example would lead to all of my
mails being dropped because there is an online casino somewhere in my
providers netblock... (btw, does anybody know whats the problem with an
online casino???)

cu  robertle
Permalink | Reply | 2 comments |
headers
Bob Hilliard | 2 May 2003 12:53
Picon
Favicon

Re: Debian reliability growth

Martin Schulze <joey <at> infodrom.org> writes:

               .         .         .

> If you install a Debian stable system, you are (more or less)
> guaranteed the system doesn't change its behaviour during its
> lifetime, except for security updates, corrections for severe problems
> and license violations.
>
> This is quite important if you want to use a system or base a project
> on it, but don't want to check every month if the system, after an
> update, still behaves as it should.  Even worse, if you have to expect
> that the system changes, people may not install security updates since
> this would retroactively creep in other changes that they would not
> want, hence, leaving their system vulnerable to more problems than it
> should.

               .         .         .

     Joey, this (the whole message, not just the bits I've quoted) 1s
the best explanation and justification of the Debian position on
upgrading stable that I have seen.  Thank you for taking the time to
compose it.

     Since this question comes up so frequently, I think it would be
useful to include this (with the bits that are specific to Remi's post
excluded) somewhere on the website or in a FAQ that people could be
referred to.

Regards,
(Continue reading)

Permalink | Reply | 0 comments |

Gmane