[Maia-users] I know how it works, but...

Robert LeBlanc rjl at renaissoft.com
Wed Apr 18 22:27:46 PDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt Buff wrote:

>> It's probably also worth noting that even if one of your users does
>> release some quarantined spam and decides to forward it along to a
>> co-worker, the mail will more than likely just end up in the receivers'
>> spam quarantines, so the problem your bosses are trying to solve may not
>> really exist after all.
> 
> How would this work? The MM machine is a gateway to our Exchange server -
> once MM has passed judgement on the email, and it's been released from
> quarantine, it'll never see the MM box again.

Ah, in that case you're right--unless the mail is getting processed
through Maia again it won't get quarantined again.  Many sites have Maia
installed on the organization's mail server itself, in which case
internal mail gets routed through Maia as usual, but in your case (where
Maia is run on a separate gateway server, with an internal mail server
handling internal-only email) that benefit won't be available.


> Unless you mean that there are
> rules in Outlook that pay attention to the headers, and pass emails with
> spam markup from MM to a folder, and that such markup isn't stripped when an
> email is released from quarantine.

That's another possibility, of course, though it would require you to
configure some rules on the Exchange Server to look for indications in
the mail headers of internally-circulated email.  Not really advisable
as a solution, though--you don't want to be asking Exchange Server to do
its own quarantining in addition to Maia's upstream quarantining.


> I just had a thought, and wondered how much merit it has. I haven't trolled
> through my current spam quarantine (on an older system using amavisd-new and
> spamassassin), but it seems to me that the most offensive porn spam doesn't
> actually contain the images as gifs/jpegs, but that instead they are using
> urls that load offsite images.
> 
> Is this the case?

In many cases, yes.  Doing so has a couple of benefits for the spammer:

(1) It reduces the size of the mailing, so he can pump out more copies
of the spam in less time, and

(2) It provides a tracking mechanism (so-called "web bugs") that allows
the spammer to tell whether a given recipient opened the email, by
correlating the URL with the hits in his web server logs when the
recipient's mail client sends the request to load those images.  This
tells him not only what percentage of the recipients actually saw the ad
images, it also tells him which email addresses those were.  These
"eager prospects" then become more valuable addresses for repeat
targeting, demographic profiling, and eventual resale to other spammers.


> Would it be possible in such a case to simply rewrite mails that score high
> on the porn scores so that those urls are defanged (and the emails are still
> quarantined as spam?)

Well, there are some issues with respect to defanging that make me
hesitant to do anything like this.  The main concern is a technical
one--defanging implies modifying the mail contents, and that breaks
signature and encryption schemes that are designed specifically to
/prevent/ tampering with the contents.  This mailing list posting, for
instance, bears my digital signature as an assurance that the mail was
written by me, and that no one along the way between here and there did
anything to edit my words.  With my public key, you--the recipient--can
verify that the contents of this mail are just the same as they were
when I sent it.

Altering the mail contents--whether to remove/neuter offensive URLs, add
policy/disclaimer footers, or censor profanity--is necessarily a messy
business, and one that invites criticism on a number of levels.  The
least-offensive policy for dealing with offensive content is to flag
and/or quarantine it in its entirety--which is precisely what Maia does.
Mail viewed through Maia's web-based mail viewer /is/ defanged in its
"decoded" view, and the "raw" view doesn't follow any URLs anyway (it
just displays the raw message source).  If you choose to release the
item from the quarantine, though, what you receive will be the original
email with all of its offensiveness intact.

- --
Robert LeBlanc <rjl at renaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGJv3RGmqOER2NHewRArMxAJ0W+SVhVE5N3xkO/P7JzJm+pqqSmACfYsiL
eAFgW+JnL873QIebL2LhW90=
=oQ8D
-----END PGP SIGNATURE-----
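
The trade-off described in the message above, as an added example that is not part of the original post and is not Maia's code: it lists the off-site image URLs ("web bugs") in an HTML mail, builds a defanged copy for display only, and shows that the defanged text no longer hashes to the same value as the original, which is why a signature over the body would stop verifying if the stored mail were rewritten. The sample message, the "blocked:" prefix and all function names are assumptions made for the illustration.

```python
import hashlib
import re
from email import message_from_string

# Constructed sample message (not from the thread); all addresses are placeholders.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p>
<img src="http://images.example.net/ad.gif?id=user%40example.org" width="1" height="1">
<img src="cid:logo@local">
</body></html>
"""

# <img> whose src is an absolute or protocol-relative http(s) URL, i.e. one
# that makes the mail client contact an outside web server when rendered.
IMG_SRC = re.compile(r'(?i)(<img\b[^>]*?\bsrc\s*=\s*["\']?)((?:https?:)?//[^"\'\s>]+)')

def html_body(raw):
    """Return the decoded text/html part of a raw message, or ''."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "ascii"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""

def remote_images(raw):
    """List image URLs that would be fetched off-site on display."""
    return [m.group(2) for m in IMG_SRC.finditer(html_body(raw))]

def defanged_view(raw):
    """Build display-only HTML; the stored message is never modified."""
    return IMG_SRC.sub(lambda m: m.group(1) + "blocked:" + m.group(2), html_body(raw))

def digest(text):
    """SHA-256 standing in for the hash a signature would cover."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def view_matches_original(raw):
    """True only if defanging left the body byte-for-byte unchanged."""
    return digest(defanged_view(raw)) == digest(html_body(raw))

if __name__ == "__main__":
    print(remote_images(SAMPLE))
    print(view_matches_original(SAMPLE))
```

Embedded "cid:" images are left alone because they load from the message itself and give the sender no server-side hit to correlate.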

