Spam filtering at the jeroen.se domain

By Jeroen van Nieuwenhuizen

The jeroen.se spam defense consists of three levels:

  • The firewall
  • The MTA Level
  • The User Level

The firewall

The first layer of defense against spam for the jeroen.se network is the passive OS fingerprinting capability of pf. It is used to make it impossible for Windows machines to connect to the primary MX of the jeroen.se network at all. On average this stops between 600 and 1200 spam and virus messages a day without losing any legitimate mail: every legitimate email sent from a Windows machine comes in via the secondary MX.

Below you can see a graph of the amount of spam that was blocked for one email address during a test in September 2004. The firewall blocking was turned off on the morning of the 12th and put back on in the afternoon of the 19th.

(graph: firewall blocking effect)
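The ruleset below is an added example of the firewall layer described above; it is not the jeroen.se ruleset. The interface name and the two MX addresses are assumptions. "Windows" is the OS class pf knows from its pf.os fingerprint file; pfctl -s osfp lists all of them.

```pf
# Added example, not the jeroen.se ruleset. Interface name and MX addresses
# are assumptions; "Windows" is the OS class from pf.os (pfctl -s osfp).
ext_if = "em0"
primary_mx = "192.0.2.25"
secondary_mx = "192.0.2.26"

# pf derives the fingerprint from the TCP SYN, so the os match is made on
# the packet that would create state. Windows hosts never get as far as
# the SMTP banner of the primary MX.
block in log quick on $ext_if proto tcp from any os "Windows" \
    to $primary_mx port smtp

# Everybody else may talk SMTP to the primary MX; everybody, Windows
# included, may talk to the secondary MX, which relays to the primary.
pass in on $ext_if proto tcp from any to $primary_mx port smtp \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to $secondary_mx port smtp \
    flags S/SA keep state
```

Two things to check when copying this. First, the os keyword only matches on SYN packets, so the block rule must sit in front of the stateful pass rule, as above; a SYN whose fingerprint is unknown matches neither os class and is passed. Second, the secondary MX receives exactly the traffic this rule keeps away from the primary, so it should apply the same MTA-level checks described in the next section, or spam that is aimed at the secondary MX simply bypasses this layer.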

The MTA level

At the MTA level several methods are applied to stop the incoming spam stream as early as possible.

Client restrictions
The first checks are on the IP address and hostname of the client, and on whether what the host claims to be is correct.

First, all messages from hosts that falsely claim in the HELO command to be a host in the jeroen.se domain are rejected.

Second, all messages from hosts that are explicitly blocked because they do not respond to abuse reports are rejected.

Mail to addresses that spammers have generated for the jeroen.se domain is also rejected. For example, spammers came up with the checken.devnull@jeroen.se address, so all mail to that address is rejected.

Finally, the client is checked against blacklist.jeroen.se, which lists known spam-sending hosts. If the host is listed, all messages from it are rejected. How this blacklist is filled is described below, under the user level.

Sender restrictions
After the client-based checks, the envelope sender address is checked. If the sender's domain has neither an A nor an MX record, the mail is rejected.

Recipient restrictions
Finally, the MTA checks whether mail may be sent to the recipient at all. When no mail is allowed to the given recipient, the mail is rejected. This feature is mainly used to stop companies that sold my address after I bought something from them.

Connection rate limits
At the MTA level there is also a connection rate limit of 10 connections per 5 minutes. This is mainly intended to stop the huge amounts of viruses sent by infected machines like this one.
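The fragment below is an added example of the four MTA-level checks above, in the order the page gives them; it is not the jeroen.se configuration. It assumes the MTA is Postfix, which the restriction terminology fits but which the page does not state, that blacklist.jeroen.se is served as a DNS blacklist (the way spamikaze publishes its data), and that the map paths and the local network are placeholders.

```postfix
# Added example, not the jeroen.se main.cf. Assumes Postfix; map paths and
# the local network are assumptions.
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_helo_required = yes

# Client restrictions, in the page's order: forged jeroen.se HELOs, hosts
# that ignore abuse reports, then the blacklist.jeroen.se lookup (last,
# because it costs a DNS query). Example map contents:
#   helo_access:    jeroen.se       REJECT forged HELO
#   client_access:  198.51.100.7    REJECT ignores abuse reports
smtpd_client_restrictions =
    permit_mynetworks,
    check_helo_access hash:/usr/local/etc/postfix/helo_access,
    check_client_access hash:/usr/local/etc/postfix/client_access,
    reject_rbl_client blacklist.jeroen.se

# Sender restrictions: the envelope sender domain must have an A or MX record.
smtpd_sender_restrictions =
    reject_unknown_sender_domain

# Recipient restrictions: generated addresses and addresses handed to a shop
# that resold them are rejected per address. reject_unauth_destination is
# what keeps the server from being an open relay; never drop it.
#   recipient_access: checken.devnull@jeroen.se   REJECT
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
    reject_unauth_destination

# Connection rate limit: at most 10 connections per client per 5 minutes,
# enforced by anvil(8). $mynetworks is exempt by default.
smtpd_client_connection_rate_limit = 10
anvil_rate_time_unit = 300s
```

Run postmap on each of the three map files after editing them, then postfix reload. With the default smtpd_delay_reject = yes all of these lists are evaluated at RCPT TO, so a rejection is logged together with the sender and recipient, which makes it easy to verify that a new map entry does what you intended before it rejects real mail.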

The User level

At the user level the mail is split into three separate streams with procmail:
  • Mail sent to a spamtrap
  • Mail containing a virus
  • The rest

Mail sent to a spamtrap
Mail sent to a spamtrap is handed over to the spamikaze instance behind blacklist.jeroen.se, so that the sending host is blocked as soon as possible from sending any more mail. A copy of this spam is also fed to bogofilter to train it automatically.

Mail containing a virus
Mail containing a virus is handed over to the same spamikaze instance behind blacklist.jeroen.se, so that the sending host is blocked as soon as possible from sending any more mail.

The rest
The rest of the incoming mail is handed over to bogofilter. If bogofilter marks a message as spam it is moved to the spam box; otherwise it is routed to the appropriate inbox.

Bogofilter training

Once a day bogofilter is retrained on the ham and spam archives to improve its classification accuracy.
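The recipe file below is an added example of the three user-level streams and of how the archives the daily retraining reads are filled; it is not the author's .procmailrc. It assumes spamtrap mail is addressed to spamtrap@jeroen.se, that a virus scanner earlier in the delivery path adds an "X-Virus-Status: Infected" header, and that spamikaze-submit is a hypothetical script that reports the message's sending IP to the blacklist.jeroen.se instance.

```procmail
# Added example, not the author's .procmailrc. Assumptions: the spamtrap
# address, the X-Virus-Status header set upstream, and spamikaze-submit,
# a hypothetical script that reports the sending IP to blacklist.jeroen.se.
PATH=/usr/local/bin:/usr/bin:/bin
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
LOGFILE=$HOME/.procmail.log
SPAMIKAZE=/usr/local/bin/spamikaze-submit

# Stream 1: spamtrap mail. Report the host, train bogofilter on a copy,
# and keep the message in the spam archive the daily retrain reads.
:0
* ^TO_spamtrap@jeroen\.se
{
  :0 c
  | $SPAMIKAZE

  :0 c
  | bogofilter -s

  :0
  $MAILDIR/.archive.spam/
}

# Stream 2: mail the virus scanner flagged. Report the host, quarantine it.
:0
* ^X-Virus-Status: Infected
{
  :0 c
  | $SPAMIKAZE

  :0
  $MAILDIR/.quarantine/
}

# Stream 3: everything else. bogofilter only classifies here (-u, which
# would learn from its own verdicts, is deliberately absent: training comes
# from the spamtrap copies and the daily retrain) and adds an X-Bogosity
# header. Spam goes to the spam box, the rest falls through to the inbox.
:0 fw
| bogofilter -e -p

:0
* ^X-Bogosity: Spam
$MAILDIR/.spam/
```

The daily retraining can then be a cron job over the two archive folders, using bogofilter's bulk mode, which reads file names from standard input: find $HOME/Maildir/.archive.spam/cur -type f | bogofilter -b -s, and the same with -n over the ham archive. Keep the archives honest: a legitimate message that lands in the spam box must be moved to the ham archive, not just the inbox, or the next retrain reinforces the mistake.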

Everything I say on these pages are opinions, they are not necessarily the truth.
Commercial use of the data on this site without permission is strictly prohibited.

Powered by FreeBSD. Generated by a bunch of M4 macros on Wed Oct 1 03:09:03 CEST 2008
$Id: spamfiltering_jeroen_se.m4 2194 2008-06-27 20:09:03Z jnieuwen $
© 2002 - 2008 Ir. Jeroen van Nieuwenhuizen