[conspire] Mailing list servers and the spam problem

Scott DuBois rhcom.linux at gmail.com
Wed Feb 25 09:54:29 PST 2015 

On Tue, Feb 24, 2015 at 02:45:39PM -0800, Rick Moen wrote:
> Quoting Scott DuBois (rhcom.linux at gmail.com):
> 
> > The reality being I don't have a place that is donating server time so I'm
> > paying $5/mo out of my _own_ pocket just to have the VPS at DigitalOcean which
> > also serves my uses as a SOCKS5. So outside of personal accomplishment and port
> > forwarding anonymity, there isn't a lot of motivation to press on with building
> > a mailing list that will only produce a level of "spam recepticle" headache I
> > _don't_ need. This isn't to say "no" mailing list, just not on a VPS.
> 
> My home server in Menlo Park, the SVLUG mailing list server in the
> Via.net colo in Palo Alto, and the BALUG mailing list server at
> Dreamhost all _receive_ lots of spam delivery attempts (as shown in the
> MTA logs), but of course a massive percentage of that gets refused as
> being obviously spammy or not addresed to a valid local user.  So, that
> much of it is essentially network noise that you never even notice
> unless you go plowing through logfiles.

I understand. When set up correctly, I'm not expecting to have to spend a
couple of hours _every_ day filtering through what's spam and what's not. I do
realize that _some_ level of maintenance is going to be required and _I_ alone
am going to have to be the one to do it.

So I have to ask myself, is this something I'm really willing to commit to?

Knowing "full well" that the odds of someone _ever_ coming forward to offer
their time to take over the responsibility being "slim and none". As well as the
consideration that even once it _is_ set up and running, it really needs to be
moved to a location more affordable (free). Donating my time is one thing,
footing a financial obligation on a recurring bill is another.

Like other LUGs, EBLUG has _no_ treasury and _no_ coffers. Therefore, if I need
to discontinue financial support to the operation, it dies. Unless we deploy a
free service such as Mailchimp or something similar.

> if your project with Postfix hasn't gotten very far, maybe you should 
> consider scrapping that approach and starting over with the following
> MTA-related Debian packages:
> 
> exim4-daemon-heavy
> spamassasin
> sa-exim
> spf-tools-perl
> libmail-spf-perl 
> 
> Those are the ones listed in the requirement of J.P. Boggis's page,
> http://www.jcdigita.com/eximconfig/ (with the last three being optional
> and used for vetting arriving mail's envelope headers against SPF DNS
> records).

I've been listening to everything you've been saying and I can tell that you are
strongly suggesting we go this route instead of forging something out of
Postfix on our own. 

With the amount of listadmin work you've done over the years, I'm confident
you're right and if you believe our (my) life will be much easier handling a
mailing list by deploying such a configuration, I'm not arguing.

This will also help me, help you, in getting the SVLUG mailing list moved as
well so it will serve two benefits in my learning from this technique.

> The advantage of J.P. Boggis's approach is that he provides a canned
> tarball of well-thought-out configuration files for Exim4, that
> implement many antispam ideas without you needing to do any work.
> You just follow the README's instructions, and it Just Works[tm] to
> give you not just a Linux MTA but one that does smart antispam right out
> of the gate.

Sounds promising and worth traveling a well paved road. =)

> > As I understand it, that $5/mo doesn't include traffic rates which
> > will add to the cost should the thing go "live" and start receiving
> > spam that would have to be dealt with.
> 
> Here's the thing:  Every IP that's live on the Internet has _attempted_
> SMTP delivery of spam attempted against it.  Every.  IP.  That's because
> the spammers are all about volume, volume, volume.  There's very little
> intelligence ever applied to anything.  They don't need to be smart:
> They have stolen firepower (mostly, virus-compromised Windows desktop
> boxes around the world).  They can just blast spam at every findable
> public IP, all the time.

Hmmm.....good point. We'll see. I'd like to simply finish the project then save
the config files and notes then decide from there whether it "lives" or "dies".
This has pretty much been my thought process since starting the project.

> > Well, I deployed that as it was "quick and dirty" which I figured was
> > better than nothing.
> 
> No question.  In fact, I think I suggested it, too.

Yes, you did in fact. My apologies for forgetting that detail.

-- 
Scott DuBois           "If you can't explain it simply, you
BSIT/SE	                don't understand it well enough."
EFF ID: 1731778                                 -- Einstein



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://linuxmafia.com/pipermail/conspire/attachments/20150225/95d51151/attachment.pgp>

More information about the conspire mailing list