From: Michael Orlitzky on
On 06/23/2010 11:21 AM, Tom Hendrikx wrote:
>
> Actually, when using a visual browser, people still can use their own
> colouring (again, the visually impaired). What you are suggesting is
> generating browser-specific output. This practice has been tried,
> tested, and discarded in webdesign country for some years now (we're
> getting OT here) as it does not work for all audiences, and in general
> creates an unmaintainable mess.
>
> If you want spam traps advertised, there are numerous better ways.
> Adding a clear ("The following e-mail address is solely targeted at
> catching mail abuse, do not use it for mail interaction:
> foobar(a)example.com") or more cryptic message ("The trapper recommends
> today: foobar(a)example.com") to the e-mail address will stop humans from
> using it, but harvesters will still pick it up.

This is exactly what I do. It fails gracefully even when somebody
overwrites your stylesheet with the version from five years ago that he
has on his laptop.

From: mouss on
Tom Hendrikx wrote:
> On 23/06/10 16:28, Phil Howard wrote:
>> On Tue, Jun 22, 2010 at 16:46, Michael Orlitzky <michael(a)orlitzky.com> wrote:
>>
>>> A word of caution: don't assume that everyone browses the web using a
>>> graphical web browser. People still browse from the command line, and more
>>> importantly, screen readers for the disabled. If you're going to hide an
>>> address, make sure that there is some indication (for humans) that the
>>> address should not be contacted under any circumstances.
>> Good point. I was thinking that for these, the dummy addresses would
>> just not be sent out. No harm if spammers are doing scans using these
>> methods, too. So I'm thinking just output those addresses when the
>> conditions are such that it appears to be graphical browsing, under
>> the theory that spammers would likely be attempting to look like that,
>> too.
>>
>
> Actually, when using a visual browser, people still can use their own
> colouring (again, the visually impaired). What you are suggesting is
> generating browser-specific output. This practice has been tried,
> tested, and discarded in webdesign country for some years now (we're
> getting OT here) as it does not work for all audiences, and in general
> creates an unmaintainable mess.
>
> If you want spam traps advertised, there are numerous better ways.
> Adding a clear ("The following e-mail address is solely targeted at
> catching mail abuse, do not use it for mail interaction:
> foobar(a)example.com") or more cryptic message ("The trapper recommends
> today: foobar(a)example.com") to the e-mail address will stop humans from
> using it, but harvesters will still pick it up.
>

Even that is "risky":
- people don't always read what you think they should read.
- people may use robots.
- miscreants may "force" people to send mail to an address.

Spam traps are a hard thing. Here, any /\d+@$domain/ would be a trap,
because "nobody should send mail to such addresses". But heh, such
addresses did receive mail from "legitimate" places.



> Keep in mind: automated harvesters can impersonate regular people (or
> browsers), but they cannot think like one.
>

From: Peter Evans on
On Tue, Jun 22, 2010 at 02:30:40PM -0400, Phil Howard wrote:
> I saw fail2ban discussed in another thread. I was wondering if anyone
> here has used it to block based on spamtraps. I want to set up a
> number of dummy users and splatter their email addresses where
> spammers would get at them (e.g. white on white text on web pages,
> etc). Then ban the IPs that try to send to N or more of those
> addresses, where N is relatively low, like 2.

There are better things to do than seed your spamtrap to billions of spammers.
It really isn't worth the effort as the spam brigade out there will quite happily
make up addresses on their own if you just have a domain.


If you are bored, you can turn on a catchall, pipe that to a bit
bucket and see how many you get.
In fact, here are some results for you. (no spam filters on the work box due to
manglement fiat "IT COULD BE A SALE!!!!!!", using spamhaus zen would ruin all the
fun.)


Spammers sent spam, usually Canadian pharmacy (glavmed whatever it is)
to 298 addresses on a domain I control. This is so far this morning, so
about 6 hours or so since the logs rolled.

Of those 298 addresses, an incredible 25 belonged to REAL PEOPLE. Even accounting
for people that have quit or died, that does not bode well for anyone buying lists
of addresses.

Each of the 298 has received about 10 spam, almost exclusively Canadian pharmacy.
(a few fake diplomas, warez ...)



Instead of using fail2ban, you should be able to do something like:

monitor catchall via the mail log, count mails/ip for some sliding window.
At your trigger threshold, plonk the IP in your postfix access table with the
traditional "550 #2.5.0. Goats ate your spam."

Or you can teach postgrey/postscreen about it.

If you are feeling nice, when you stop seeing attempts, you can remove them
magically after a random period of time.


P
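
The log-watching approach described in the message above, as an added Python example (not code from the thread): it joins each smtpd `client=` line to the later delivery line by queue ID, counts catchall deliveries per client IP in a sliding window, and renders access-table entries. The log lines, the `catchall@example.com` mailbox, the threshold of 2 and the 10-minute window are assumptions; expiring old entries is not covered.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Postfix log lines (not from the thread). Addresses use
# documentation ranges; "catchall@example.com" is an assumed catchall mailbox.
SAMPLE_LOG = """\
Jun 24 09:00:01 mx postfix/smtpd[811]: A1B2C3: client=unknown[192.0.2.10]
Jun 24 09:00:02 mx postfix/local[815]: A1B2C3: to=<catchall@example.com>, orig_to=<12345@example.com>, relay=local, status=sent (delivered to mailbox)
Jun 24 09:01:10 mx postfix/smtpd[811]: D4E5F6: client=mail.example.net[198.51.100.7]
Jun 24 09:01:11 mx postfix/local[815]: D4E5F6: to=<hr@example.com>, relay=local, status=sent (delivered to mailbox)
Jun 24 09:03:30 mx postfix/smtpd[812]: 0A1B2C: client=unknown[192.0.2.10]
Jun 24 09:03:31 mx postfix/local[815]: 0A1B2C: to=<catchall@example.com>, orig_to=<jsmith99@example.com>, relay=local, status=sent (delivered to mailbox)
Jun 24 11:30:00 mx postfix/smtpd[812]: 3D4E5F: client=unknown[203.0.113.5]
Jun 24 11:30:01 mx postfix/local[815]: 3D4E5F: to=<catchall@example.com>, orig_to=<sales1@example.com>, relay=local, status=sent (delivered to mailbox)
"""

CLIENT = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: (\w+): client=\S*\[([^\]]+)\]")
DELIVERY = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/\w+\[\d+\]: (\w+): to=<([^>]*)>, orig_to=<[^>]*>")

def catchall_offenders(log, catchall="catchall@example.com", threshold=2,
                       window=timedelta(minutes=10), year=2010):
    """Return IPs that delivered >= threshold mails to the catchall within window."""
    client_of = {}                      # queue ID -> client IP
    hits = defaultdict(deque)           # client IP -> timestamps of catchall hits
    offenders = []
    for line in log.splitlines():
        if m := CLIENT.match(line):
            client_of[m.group(2)] = m.group(3)
        elif (m := DELIVERY.match(line)) and m.group(3) == catchall:
            ip = client_of.get(m.group(2))
            if ip is None:
                continue                # delivery without a logged SMTP client
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            q = hits[ip]
            q.append(when)
            while when - q[0] > window: # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in offenders:
                offenders.append(ip)
    return offenders

def access_table(ips, action="550 #2.5.0. Goats ate your spam."):
    """Render entries for a Postfix access(5) table, one client IP per line."""
    return "".join(f"{ip}\t{action}\n" for ip in ips)

if __name__ == "__main__":
    print(access_table(catchall_offenders(SAMPLE_LOG)), end="")
```

Mail delivered to a real mailbox such as `hr@example.com` has no `orig_to=` rewrite to the catchall in these sample lines, so it is never counted against the sending IP.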

From: Phil Howard on
On Thu, Jun 24, 2010 at 22:18, Peter Evans <peter(a)ixp.jp> wrote:

>        If you are bored, you can turn on a catchall, pipe that to a bit
>        bucket and see how many you get.
>        In fact, here are some results for you. (no spam filters on the work box due to
>        manglement fiat "IT COULD BE A SALE!!!!!!", using spamhaus zen would ruin all the
>        fun.)

I don't think I'd want to do a catchall. That would first require
making sure every common role account is set up so as not to be in the
catchall. But that would then make even more spam for the people
reading the role accounts. We only have a few right now (abuse,
contact, hr, info, postmaster, and resumes) and would rather keep it
that way.