De-spamming Your Inbox The Hard Way

ajain writes "Even after using precautions like dummy email addresses in public forums, I have been plagued by spam mails for a long time now. Accidentally, I hit upon a not-so-elegant but effective solution recently: Ever thought of shutting down the mail server temporarily to stop spam to your inbox permanently? Well, it seems to work. In my case, a two-day shutdown resulted in a 97.5% decrease in spam traffic! Here are the details and a step-by-step guide to this desperate method of spam reduction. I think I'll model, simulate and then optimize the amount of shut-down time required for spam levels to drop to zero!"
  • by Steepe ( 114037 ) on Thursday December 09, 2004 @03:39PM (#11045049) Homepage
    I personally use alternate email aliases on my mail server that forward to my real account. Then, once every couple of months, I delete those aliases and create new ones to post to websites, or use when I sign up for something. Only close personal friends get my real address, and if spam ever does show up directly at that address, I attack the spammer in every way possible. (SpamCop, the FCC spam email address, etc.)

    Seems to work fine for me, and I can keep my mail server up 24/7.
  • by jxyama ( 821091 ) on Thursday December 09, 2004 @03:40PM (#11045076)
    >...if you don't mind missing potentially important emails.

    Exactly. If this method is an option for you and you don't want to get pissed off at spam, simply don't check your email for a few days... you'll forget all about spam after a while.

    Of course, when you check the email after a few days, you'll have a greater number of spam to go through and get even more pissed.

    I'd like to call it the "serenity now!" method. :P

  • Other option.. (Score:3, Interesting)

    by Coleco ( 41062 ) on Thursday December 09, 2004 @03:42PM (#11045107)
    ..perhaps won't slow the flow of spam but will let you know who the bastards are that are selling your email in the first place. Buy a domain name, then use a different email address for every site that asks for an email.. for example 'amazon_email@yourdomain.com' if you fill in a form at amazon.com.

    You'd be surprised at the sites that promise to protect privacy and don't.
  • by spuke4000 ( 587845 ) on Thursday December 09, 2004 @03:43PM (#11045125)
    How about modifying your mailserver, such that when an email message is marked as spam it sends a message to the sender saying it bounced. That way you don't drop any valid emails, and at best you get dropped from the spammer's list, at worst you make it so spammers have to keep long lists of invalid email addresses in case they are implementing this filter.

    Just a thought.

  • by finnw ( 415539 ) on Thursday December 09, 2004 @03:46PM (#11045166) Homepage
    A method that works well for addresses posted to newsgroups: Require the subject line to start with "Don't buy this: "
    Spammers aren't going to put that in their subject lines.
  • by gcaseye6677 ( 694805 ) on Thursday December 09, 2004 @03:49PM (#11045207)
    Speaking of attacking in every way possible, I'm surprised some group of "white hat hackers" hasn't come up with a DDOS spammer attack bot, kind of like the Lycos screensaver. This is something that couldn't be done by a corporation for liability reasons, but I doubt the FBI or other law enforcement groups are going to care if people are DDOSing known spamming networks. Even better, the spammers can't sue anyone unless they want a class action countersuit on behalf of those spammed.
  • by kriegsman ( 55737 ) on Thursday December 09, 2004 @03:49PM (#11045213) Homepage
    Our Postfix mail server uses Postgrey [ee.ethz.ch] (click link for graph showing effectiveness), and it's as close to 'magic' as I've seen yet in the antispam category.

    -Mark
  • "Bounce"ing Mail (Score:2, Interesting)

    by Salvo ( 8037 ) on Thursday December 09, 2004 @03:52PM (#11045238)
    Mac OS X Mail has a feature which lets you "Bounce" Mail, which essentially mimics the Server Response to an invalid Email Address.
    I was recently shocked to find that neither Outlook Express nor Outlook has this feature.

    Very useful for Spammers and Annoying Ex-Girlfriends.
  • by Anonymous Coward on Thursday December 09, 2004 @03:56PM (#11045304)
    I got about a 65% reduction by turning off HTML in my email. Spammers include images about 4 pixels square that are loaded from their servers. That lets them know that the email address is active. If you turn off HTML, your email client stops reporting to the spammers that it is active. Big reduction in 4 - 6 weeks.

    --Alma
  • by friedmud ( 512466 ) on Thursday December 09, 2004 @04:08PM (#11045442)
    I would have to agree with the Gmail spam filter.... it really does kick some major ass.

    I have had a couple of "personal spam" (messages that are from legitimate people - but are SPAM to me - on college campuses this happens all the time) get through - but after Reporting those as spam it hasn't messed up since. On average it has been eating about 30 spam emails a day.

    I used Mozilla Mail's spam filter for the last year or so - and just completely switched to Gmail last week - and have found it to be superior in all regards (Filters and Labels are AWESOME!).

    Ok - enough Gmail love...

    Friedmud
  • by telemonster ( 605238 ) on Thursday December 09, 2004 @04:09PM (#11045445) Homepage
    Come up with a white list of good addresses, and then reject all others. This way you lose a good amount of mail for the 2 days you're shut down, but some important stuff would still get through. Allow whitelist on border router or host firewall, deny everyone else.
  • mxlogic.com (Score:3, Interesting)

    by dj42 ( 765300 ) on Thursday December 09, 2004 @04:16PM (#11045526) Journal
    I use www.mxlogic.com to deny all medium-high risk spam completely. It intercepts it before it even hits my mail server. I like it.
  • by theblackdeer ( 453464 ) on Thursday December 09, 2004 @04:20PM (#11045587) Homepage
    Our ISP has set up a slightly more elegant way to filter out lots and lots of spam. They call it DoubleVerify.

    From the FAQ (http://www.olympus.net/doubleVerifyNL):

    DoubleVerify gets two chances to automatically identify mail. When mail arrives at our mail server the first time our server requests the sending mail server to send it a second time. Spammers rarely comply. Legitimate mail servers typically resend the mail about fifteen minutes later. Once OlympusNet receives mail the second time, it immediately delivers that mail and continues to immediately deliver mail from that sender. The DoubleVerify process works invisibly and is handled automatically by the mail servers.

    You can whitelist entire domains (like your company, for example), too. It's worked pretty well for us.
  • by m50d ( 797211 ) on Thursday December 09, 2004 @04:26PM (#11045654) Homepage Journal
    Then use a better email service. Really. Just because you have to be invited or because it's google doesn't make it the best.
  • by Anonymous Coward on Thursday December 09, 2004 @04:26PM (#11045660)
    Actually, if you own a domain, simply use abuse@yourdomainhere.com as your e-mail address. You will never receive any spam. I know this is not practical for most people but it works flawlessly.
  • by beacher ( 82033 ) on Thursday December 09, 2004 @04:27PM (#11045665) Homepage
    So far I've had my setup email address (based on our account name) and I created one just for me. My email address is in the format blahblah_nospam@mindspring.com - Note: There actually is _nospam in my email address.

    Account based email box ~ 25 spams/week over the past year.
    My email account : 0!

    Reasoning: spammers do s/nospam//ig; on their email addresses.

    I really feel for that blahblah_@mindspring.com - They're getting my spam ;)

    (For the pedantic yes I know mindspring whitelists - mindspring.com is used as an example)

    -B

  • by Anonymous Coward on Thursday December 09, 2004 @04:36PM (#11045781)
    I've found that 90% of spam can be gotten rid of by their use alone. When an email is received for the first time it is put onto a grey list and a request for it to be resent is made. Most spam software is of the fire and forget type, so it doesn't resend when requested.
  • by Obfuscant ( 592200 ) on Thursday December 09, 2004 @04:40PM (#11045813)
    doomed to repeat it. From the article:

    During that time, all the mails sent to my mail account were of course bouncing.

    Of course they were NOT. During that time, emails sent to your account were being held at the sending server, or, in the case of spammers who aren't using open relays, there was a timeout during the connection to port 25 on your server. Neither results in a bounce. Most intelligent email systems are set up with a 5 day queue.

    In other words, it will take 5 days for bounces to start being sent. That's for real email. For the spam, the bounces will be sent to fake addresses and the spammers will never see them.

    I've had systems in place on many of my accounts for YEARS that bounce (reject with "unknown user" errors) spam and the same spammers keep sending the same shit over and over again. I've watched the mail logs on my domain's servers where 99% of the incoming email is undeliverable spam (it ALL bounces) and the same spammers keep sending the same shit over and over again. Spammers simply either DO NOT CARE if they get a bounce, or do not see the bounces anyway.

    There must be a different explanation for the reduction in spam. A new spam filter on the server, for example. Spammers seeing bounces and stopping is patently ridiculous.

  • by MalaclypseTheYounger ( 726934 ) on Thursday December 09, 2004 @05:12PM (#11046136) Journal
    Spammers don't want to send their outgoing emails to 'abuse' @ anything.com. They should know that abuse@whatever would be monitored by an IT Admin of some sort, and would use their spam to block them.

    Nice little trick, I like it.

  • by kasperd ( 592156 ) on Thursday December 09, 2004 @05:13PM (#11046142) Homepage Journal
    That sounds to me like a really inefficient form of greylisting.

    It sure does. Greylisting is a better approach. And with greylisting you lose no legitimate emails (unless the sender uses a seriously broken mail server). Before greylisting was introduced on our mail server approximately 90% of all incoming mail was removed by spamassassin. And that is even with a very high threshold, so a lot of spam still made it past the filter.

    Once greylisting was introduced the amount of incoming mail dropped by a factor of about ten. And those are still filtered by spamassassin, though only 40% are filtered and 60% let through. In total that means 90% stopped by greylisting, 4% blocked by spamassassin, and 6% let through. And in my experience about half of those let through both filters are spam. I don't want to think about what my Inbox would look like without spam filtering.
  • Dumb article (Score:3, Interesting)

    by fimbulvetr ( 598306 ) on Thursday December 09, 2004 @05:21PM (#11046220)
    This guy has no clue what's going on. His knee jerk reaction is that it must have been because they shut the system off.

    Never, not once, did he consider the fact that his admins *upgraded* the exchange server. They probably went from 5.5/2000 to 2003.
    By no means am I an M$ guru, but I know for a fact that 2003 comes with a large amount of internal things to help control and minimize spam.
    In fact, anyone upgrading to 2003 sees dramatically better spam controls.

    Someone revoke this guy's geek license, as he just failed the critical thinking test.
  • by muixA ( 179615 ) on Thursday December 09, 2004 @05:30PM (#11046292) Journal
    Oftentimes a bounced message is useless in dealing with spam, since they often do not have valid return paths. Or worse, they return not to the originator, but to a hijacked address.

    If you've ever gotten a virus warning for a message you didn't send, you'll know what I mean.

    You need to stop them at the IP/SMTP level if you really want to make sure they get the point. It's also a lot more satisfying to think of a poor spambot getting a reject code.

  • by soliptic ( 665417 ) on Thursday December 09, 2004 @05:32PM (#11046305) Journal
    Too true. I had an initials.surname@uni.ac.uk email address when I was a student. It died when I graduated. Almost 18 months later I got a job at the same uni, my account was created with the same mailname, and voila - 2 or 3 Spanish language spams every hour. (And as a student I don't remember getting very much spam at all!)
  • by hyc ( 241590 ) on Thursday December 09, 2004 @06:10PM (#11046641) Homepage Journal
    Yes. My badDNS milter for sendmail does exactly this. Handling the spam after your mail server has already accepted it is too late, my milter sends a reject code after receiving the envelope headers.

    It also does a 20 second delay before sending the reject code, to slow down the spammer from moving on to their next target.

    Read about it and download the source code on my web page.
    http://highlandsun.com/hyc/

    I've been using it for over a year and my spam-to-mail ratio dropped from 95% spam to 5% spam.
  • by prell ( 584580 ) on Thursday December 09, 2004 @06:13PM (#11046664) Homepage
    Apple's Mail program has a "Bounce" feature which I have used, but I don't think it has ever worked to this effect. I think what supposedly worked in this case is that the spammers were not even able to connect to the mail server; being able to connect and receiving a bounce message doesn't seem to "cut the cord" as it were.
  • by eric76 ( 679787 ) on Thursday December 09, 2004 @06:59PM (#11047037)
    What I've thought about doing is selectively refusing to accept e-mails for those users who wish to participate in an experiment.

    The logic is that if a spam zombie is the source, they would just react to a problem by going to the next victim. A legitimate server will store the e-mail and try again.

    Very few ISPs are so clueless that they don't queue and retry when they get a 4xx response (indicating a temporary failure). There are a few, but not many.

    So you would refuse all incoming e-mails on the first attempt (or the first two attempts) with a mailbox full type message and then accept the e-mail on the next retry. You'd also want some minimum retry period, say 30 minutes. That way a spammer couldn't just try the same address two or three times in a row and reach it.

    I'd bet that you could cut the number of spams you receive and the bandwidth eaten by it by 90% or more.

    Of course, if everyone did this, the spammers would adapt. But then they'd at least have to store all the information so they could retry.

    My suggestion is to match on the IP address of the sending host, the host name in the helo/ehlo, the mail from e-mail address, and the rcpt to e-mail address. If the spam zombie tries again but with a different ehlo or a different mail from, it would count as a first attempt. And entries would need to be deleted when reaching some maximum age.

    It could also be coupled with a white-list approach. Keep a white-list of the various helo/ehlo, mail from, and rcpt to items to determine which e-mail the user has indicated to pass through without refusing the first time or two.

    Even if you just randomly refused an e-mail with a temporary problem, you'd cut down on the problem some. For example, 2/3 of the time, you might refuse to accept an e-mail with a mailbox full message. That way, you wouldn't have to keep track of anything. But spammers would be able to get through by just trying several times in a row when they got a 4xx message.
  • by Feanturi ( 99866 ) on Thursday December 09, 2004 @07:13PM (#11047157)
    That's a variation of the usual joke I hear when I tell of my plight, however, that's entirely not the case. Real geeks don't use the web for pr0n or warez anyhow. The spams aren't porn-related most of the time, just the usual fare, but not in English. I suspect it somehow has something to do with my username, which I have used consistently through the years on the net, and have often been mistaken for someone else as a result. Feanturi, the way I came upon it, is an Elvish word, meaning spirit masters, although I have since learned that it is also a common first name in Finland. So some people think I'm Finnish, but I'm not.

    For the Spanish connection, I don't know but something really really weird happened to me one day on ICQ years ago. I was using the same username, and somebody approached me in random chat, and asked me some question in Spanish. I replied that I didn't speak Spanish and so, didn't understand them. The person wrote back, something long, with lots of exclamation points in it. I continued to protest that I didn't understand. 'No habla espanol' is about all I know. They switched to a larger font, restated their little rant, I protested again, so they switched to using all caps, and a still-larger font. They seemed to be getting very angry, and once they ran out of font sizes (for this continued for several more lines) they finally broke off the chat. And I was like, WTF??? Maybe Feanturi in Spanish means something like baby-raper or somesuch, I have no idea.
  • by aws910 ( 671068 ) on Thursday December 09, 2004 @07:22PM (#11047215)
    The program should recognize which server it came from ("received" in full headers), and blackhole that server because it's obviously an open relay, at the very least.

    On a related note, I find it amazing that various antivirus/antispam vendors are still using the "From" line to report abuses. Do viruses or spam ever come from real email addresses? Not usually. I'm pretty much the victim of a "joe-job" on a regular basis because of this.
  • by GimmeFuel ( 589906 ) on Thursday December 09, 2004 @08:23PM (#11047652) Homepage
    Now that Thunderbird 1.0 [mozilla.org] is out, who wants to volunteer to turn that functionality into a TB extension?
  • Occum'on (Score:3, Interesting)

    by PeterHammer ( 612517 ) on Thursday December 09, 2004 @08:25PM (#11047662)
    All technical considerations aside (3 day retry periods, no central spam DB, etc.) let's just read up on Exchange 2003 marketing literature (not that we should normally trust Microsoft marketing literature, but it suffices that they cannot outright lie about it). They claim to have all sort of *new* spam block features. Perhaps the author may have considered the hypothesis that his IT dept made the switch with these features in mind. At the very least it would be nice if he did a little due diligence (or if he did do some, that he would note that fact) to rule out simpler explanations? Why on earth would spammers care about keeping lists clean anyway? It's not like they all of a sudden grew a conscience?

    Didn't that Occum guy have something to say about crazy theories like this author's rant?
  • Re:Not a good idea (Score:3, Interesting)

    by paz5 ( 542669 ) on Thursday December 09, 2004 @08:31PM (#11047697)
    I have experienced first hand the repercussions of forged from fields. For a while (and probably still) I was getting many message undeliverable emails and people asking to be taken off my list when a random user at my domain was being used as the from address in spam. The hundreds of emails I got a day forced me to turn off the catch all address, and recently I got notified of a complaint about my domain by my school. Has anyone else had this happen, and how can you deal with this?
  • by jaseuk ( 217780 ) on Thursday December 09, 2004 @08:50PM (#11047806) Homepage
    Yeah, it's called greylisting and it works very well.

    You store the connecting IP, sender and recipient address in a database and temporarily reject the first time you see that combination for a configurable time (1 second is currently good enough).

    A good greylisting engine will strip the last byte of the subnet in case mail is retried from different hosts in a mail cluster; for this reason it's not a good idea to use the HELO address.

    Greylisting stops almost all SPAM and pretty much all virus traffic, as viruses also have weak SMTP engines that can't deal with temporary failures. In practice the only viruses I've found that make it through greylisting are either bounced messages or from some ISPs that transparently proxy outgoing e-mail.

    The SPAM that remains is easily handled by blacklists or SPAM Assassin, as these SPAMs are sent through properly configured mail servers, so they are likely to be in domain or IP blacklists.

    Given that a good proportion of SPAM is sent through zombied Windows machines, even if a SPAM is re-sent 30 minutes later it'll take a lot more work for a spammer to ensure that the same message is sent out twice by the same zombie.

    It's baffling me why greylisting isn't the first line of protection for a lot more people; it's simple to set up (use postgrey with postfix) and is less prone to error, unobtrusive and higher in performance than virtually any other SPAM detection technique. Setting up and accepting three lines of text and checking against a database is certainly a lot less performance overhead than invoking a virus scanner and spam assassin.

    Of course spammers will always evolve; repeatedly sending the message from the same host would be enough to get the message through, and those not using greylisting would now get twice as much SPAM, but that also means that a spammer's throughput has been halved.

    If greylisting is combined with a few select blacklists (including the excellent rhs.mailpolice.com URL list), plus SPAM assassin, you're closer to 100% and there are a great deal fewer false positives.

    Another interesting approach I've used is to use rhs.mailpolice.com on our web cache, so that any URLs requested are checked against the SPAM blocklist. This blocks any inline images which might either offend or be used as a call back for address verification; it also means that even if a phishing SPAM makes it through, by the time the user reads it they are unable to view the page as it's in the blocklist.

    Jason.
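    The greylisting scheme eric76 and jaseuk describe above (a temporary 4xx the first time an IP/sender/recipient triplet is seen, accept once it retries after a minimum delay, forget triplets that never retry), written out as an added Python example; this is not code from the thread or from postgrey. The /24 keying follows jaseuk's advice to ignore the HELO name, and the 30-minute minimum retry and 5-day maximum age are assumed tunables, not values from any real deployment.

```python
# Greylisting decision logic for an SMTP front end (constructed example).
# Policy values are assumptions: the thread mentions 30 minutes (eric76),
# 1 second (jaseuk) and 5-day retry queues (Obfuscant) as typical numbers.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

MIN_RETRY_SECONDS = 30 * 60           # a retry sooner than this still gets a 4xx
MAX_AGE_SECONDS = 5 * 24 * 3600       # unverified triplets are forgotten after this
TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 Ok"

Key = Tuple[str, str, str]


def triplet_key(client_ip: str, sender: str, rcpt: str) -> Key:
    """Build the lookup key from the connecting network, envelope sender and recipient.

    The IP is reduced to its /24 (or /64 for IPv6) so a retry from another host
    in the same mail cluster still matches; the HELO name is deliberately not used.
    """
    prefix = 24 if ip_address(client_ip).version == 4 else 64
    net = ip_network(f"{client_ip}/{prefix}", strict=False)
    return (str(net), sender.lower(), rcpt.lower())


@dataclass
class Greylist:
    min_retry: int = MIN_RETRY_SECONDS
    max_age: int = MAX_AGE_SECONDS
    # key -> (first_seen timestamp, verified flag)
    seen: Dict[Key, Tuple[float, bool]] = field(default_factory=dict)

    def expire(self, now: float) -> None:
        """Forget unverified triplets that never retried within max_age."""
        stale = [k for k, (first, ok) in self.seen.items()
                 if not ok and now - first > self.max_age]
        for k in stale:
            del self.seen[k]

    def decide(self, now: float, client_ip: str, sender: str, rcpt: str) -> str:
        """Return the SMTP reply to give after RCPT TO for this envelope."""
        self.expire(now)
        key = triplet_key(client_ip, sender, rcpt)
        entry = self.seen.get(key)
        if entry is None:
            # First sight: temporary failure. A real MTA queues and retries;
            # fire-and-forget spamware and most mass-mailing worms do not.
            self.seen[key] = (now, False)
            return TEMPFAIL
        first_seen, verified = entry
        if verified:
            return ACCEPT                 # known-good triplet: deliver immediately
        if now - first_seen < self.min_retry:
            return TEMPFAIL               # hammering the same address in a row does not help
        self.seen[key] = (first_seen, True)
        return ACCEPT


def simulate() -> Dict[str, object]:
    """Replay constructed envelope attempts against one greylist and collect the replies."""
    gl = Greylist()
    t0 = 1_000_000.0
    legit = ("alice@example.org", "bob@example.net")
    out: Dict[str, object] = {}
    # A legitimate MTA: tempfailed, retries at 15 min (too soon), then from a
    # sibling host in the same /24 at 45 min, then sends again later.
    out["legit_first"] = gl.decide(t0, "198.51.100.10", *legit)
    out["legit_15min"] = gl.decide(t0 + 15 * 60, "198.51.100.10", *legit)
    out["legit_45min_sibling"] = gl.decide(t0 + 45 * 60, "198.51.100.12", *legit)
    out["legit_later"] = gl.decide(t0 + 2 * 3600, "198.51.100.10", *legit)
    # A zombie trying the same address three times within seconds, then switching
    # to a new forged sender, which counts as a fresh first attempt.
    out["zombie_burst"] = [gl.decide(t0 + i, "203.0.113.77", "x@forged.example", "bob@example.net")
                           for i in range(3)]
    out["zombie_new_sender"] = gl.decide(t0 + 3, "203.0.113.77", "y@forged.example", "bob@example.net")
    return out
```

    Note that the legitimate sender pays one extra retry delay once per triplet; after that the verified entry is delivered immediately, which is the behaviour the DoubleVerify FAQ quoted earlier also describes.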
  • by Anonymous Coward on Thursday December 09, 2004 @08:58PM (#11047855)
    - "bandwidth suckers" - this is just the kind of anarchistic vigilante justice that SHOULD SIMPLY NOT occur! even if it were not for the "collateral damage" to the network infrastructure and "innocent" pages being accidentally hit, this is no better than stoning criminal suspects to death without proper trial...

    In my experience this, combined with other attacks such as form bombing, are the only proven ways to knock out a spammer.

    I guarantee you would see a lot more spam, both from small-timers driven straight, to the loss of business incurred by hardcore spammers who implement countermeasures against us (complex javascript tests, etc) that also drive away legit customers, if this wasn't being done.

    Please knock off the sanctimony about "damaging the network infrastructure." Idiot pornsite webmasters using .wmv to deliver video which the average joe cannot save and thus has to continually reload to enjoy, wastes a lot more bandwidth than a couple net cops with spam vampire.

    As for innocent sites being hit, the chances are extremely improbable; your bringing up that idea only shows your unfamiliarity with the process.

    If idle routers are your goal, I would suggest campaigning against email windows worms, I know I have to delete half a meg of those every day.

  • by MadAhab ( 40080 ) <slasher@@@ahab...com> on Thursday December 09, 2004 @11:36PM (#11048577) Homepage Journal
    You gotta be kidding. First of all, if it gets "bounced" back to some non-existent e-mail address, spammers don't get no word 'bout nothin'. Second even if it gets bounced back to spammers, they don't care. Many (most) of them are getting email lists from some spam-address distributor, so they don't see themselves as custodians of the list; they just blast away like drunks with diarrhea.

    How do I know this? I've owned my domain since 1996, and I've been administrating the email since 1998. I get spam nearly every single day for beth@ahab.com (no point in cloaking it, really), and it has NEVER been a valid address. It often bounces back to the postmaster (me) after not bouncing back to their forged yahoo address and after NOT getting the word out to a single baby-eating spammer (you do know they eat babies, right?), and I see it when I bother scanning my postmaster folder for anything interesting.

    Sure, it's worth my hassle if it bounces back to them, but it's probably not worth it to the poor sucker whose yahoo address they forged.

    Get a clue: SPAMMERS DON'T CARE. You're kinda hoping that the guy who lets his dog shit on the sidewalk in front of your house is going to be annoyed by the smell.
