Jim,
You're getting solid advice - wish I had such insights (and wish such tools existed) way back when I got started running my own servers a bit over 25 years ago...
A SMALL bit more:
On Sat, 16 Dec 2023, Dmitri Maziuk wrote:
...snip...
I don't think centos existed back iptables didn't. ;)
It didn't exist before iptables.
Firewalld is an attempt to add a "windows defender"-type UI to iptables, it's a wrong tool for this job.
FWIW, when firewalld first came out it was claimed it was going to replace IP Tables. But it was abysmal and it's still clunky with inconsistent command syntax that's absolutely confusing to a native English speaker and you just have to memorize the quirks or look up the syntax. ... However it's telling that I STILL have iptables on my systems AND firewalld - as default installation packages! ...I think the firewalld people gave up trying to replace iptables. But I'd never before heard that it was an attempt to add a "windows defender" UI to Linux... Hmmm...
More substantively, I use Fail2Ban and have long done. I also use a set of firewall systems (that we here call "servers") that are separate from my servers that run mailing lists and our mail server (Postfix). There are quite a few advantages to this. I hope they're fairly obvious.
I agree that dropping the packets is the best bet. It's simple and painless. Beyond that, consider the following:
Another simple technique is to install and configure Spam Assassin and have it catch your inbound messages before they go to any mailing list. You can have a listing of questionable accounts - because they're new - and it can bump their potential spam score because they're on that list.
How to configure this is a little beyond the time I have available right now but it's not that hard, Spam Assassin has a list like this one, the docs are good and the people friendly.
And let's not forget list moderation for newbies, too, though that takes human time to deal with it, so maybe you're not liking that option.
I have concluded that captcha type systems are no longer viable as they once were, based both on my experience as a user of these where they can be infuriating (for example, I was once tasked with picking out the motorcycles and when it showed me mopeds, I didn't pick those and the experience was infuriating because there were genuine motorcycles in the images, too). So, that was an example of mistaken labeling, and who knows how Captcha got that one wrong (perhaps in India or southeast Asia they call mopeds motorcycles?! IDK. Not anywhere I've lived!). But anyway, I've also had issues as someone who has used Captcha on my systems (I no longer do). And it's only going to get worse.
Let us recall that there's a built-in propaganda - "good advertising" - built in to the very name "Artificial intelligence." It gets you thinking there's a genuine intelligence there even if it is artificial. It's pertinent to point out that, well, that's wrong; there's no genuine intelligence present! "Smart" as those bots are, there's no genuine intelligence at work - not yet anyway - and they can be trained but don't learn; unless someone trains an AI engine specifically for this task, it's unlikely we'll see really good bots for this purpose.
So, a simple way to deal with these attacks is to provide a simple problem a human can, first, recognize is something they need to address to be successful, and secondly do instantly. Make it something that a very simple web-served script can automate for you. For example, it could post a simple math problem that's given in words and require a correct answer. Perhaps you state, "five times three is the simple key, just tell it to me!" A human will get it, a bot won't. (I have seen quite a handful of variants of this including a message made up of a few images, each of which has a part of it - whatever works!)
If they're going to spend personal time cracking your system, at least it's costing them something one would presume is valuable to them - their personal time.
One final thought; put 'em on a fake list first! Observe posting behavior! Analyze, let pass through the non-spam. Think of it as ... uh... purgatory I guess. Quarantine. You can perhaps automate then moving them to a real list. ...If I had your problem I'd be thinking of things like this.
Best of luck, Richard.
Richard writes:
I have concluded that captcha type systems are no longer viable as they once were,
If the bot operator wanted it bad enough, within months "better than human" ability has been available for every captcha version for a decade now. I think Google's recaptcha held on for quite a while, though.
Pragmatically this isn't true. No, I don't think anybody is going to train an LLM to detect spam (all the companies with the money to do this want to kill mailing lists and Usenet anyway!) However, the OG AI, machine learning or ML, can be retrained "on the fly" if the site operator is willing to make the effort (spambayes is pretty successful).
I have used variants of "speak friend and enter" with some success. That does require a Tolkien-adjacent readership, but fools bots. :-)
One final thought; put em on a fake list first! Observe posting behavior!
The problem here is more deep-rooted than that. The simplest and guaranteed valid way to determine if an entity has read access to a mailbox is to send them a secret by email, and ask them to send it back to you. This is really the only sane way for a public mailing list to validate mailbox ownership. What the miscreants in question are doing is DoS-ing mailboxes by trying to sign them up to thousands of such mailing lists, which then send thousands of confirmation request emails to the unfortunate target.
This is *really* hard to block if the felon is sufficiently determined to abuse your list.
We regularly get people who are clearly asshats themselves very aggressively writing to our security list demanding that we stop sending them the confirmation emails. It's pretty clear how they got themselves on the wrong side of a confirmation bomb! But even they don't deserve it.
Steve
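Steve's confirmation-bomb point lends itself to a concrete mitigation. The following is an added example, not Mailman's code or anything posted by the thread's participants: a confirmation secret bound by HMAC to the mailbox and list, plus a per-mailbox cap on how many confirmation mails the list will send per day, so a flood of forged subscribe requests cannot turn the list into a DoS source against the target. The server key, list names, limits and timestamps are constructed values.

```python
import hmac
import hashlib
from collections import defaultdict, deque

# Constructed settings (not from any real list server); load the key from a secret store.
SERVER_KEY = b"placeholder-server-key"
CONFIRM_TTL = 3 * 24 * 3600   # a confirmation secret is valid for 3 days
WINDOW = 24 * 3600            # throttle window per target mailbox
MAX_PER_WINDOW = 3            # confirmations one mailbox may receive per window

# mailbox -> timestamps of confirmation mails already sent to it
_sent = defaultdict(deque)


def make_token(mailbox, listname, issued):
    """Secret to mail out: issue time plus an HMAC over mailbox, list and time."""
    msg = f"{mailbox.lower()}|{listname}|{issued}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]
    return f"{issued}.{mac}"


def verify_token(mailbox, listname, token, now):
    """True only if the returned secret matches this mailbox and list and is unexpired."""
    try:
        issued_s, _mac = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if issued > now or now - issued > CONFIRM_TTL:
        return False
    expected = make_token(mailbox, listname, issued)
    return hmac.compare_digest(expected, token)


def request_confirmation(mailbox, listname, now):
    """Return the secret to mail, or None when this mailbox is already being flooded."""
    q = _sent[mailbox.lower()]
    while q and now - q[0] > WINDOW:   # forget sends outside the window
        q.popleft()
    if len(q) >= MAX_PER_WINDOW:
        return None                    # drop silently; the requester is not the victim
    q.append(now)
    return make_token(mailbox, listname, now)
```

A real deployment would persist `_sent` across processes and key the throttle on the requesting IP as well, but the per-target cap is what protects the bombed mailbox.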