De-spamming Your Inbox The Hard Way
ajain writes "Even after using precautions like dummy email addresses in public forums, I have been plagued by spam mails for a long time now. Accidentally, I hit upon a not-so-elegant but effective solution recently: Ever thought of shutting down the mail server temporarily to stop spam to your inbox permanently? Well, it seems to work. In my case, a two-day shutdown resulted in a 97.5% decrease in spam traffic! Here are the details and a step-by-step guide to this desperate method of spam reduction. I think I'll model, simulate and then optimize the amount of shut-down time required for spam levels to drop to zero!"
Re:Another approach... (Score:3, Interesting)
Seems to work fine for me, and I can keep my mail server up 24/7.
Re:Sure, that's fine... (Score:3, Interesting)
Exactly. If this method is an option for you and you don't want to get pissed off at spam, simply don't check your email for a few days... you'll forget all about spam after a while.
Of course, when you check the email after a few days, you'll have a greater number of spam to go through and get even more pissed.
i'd like to call it the "serenity now!" method. :P
Other option.. (Score:3, Interesting)
You'd be surprised at the sites that promise to protect privacy and don't.
Re:Sure, that's fine... (Score:3, Interesting)
Just a thought.
Re:Another approach... (Score:1, Interesting)
Spammers aren't going to put that in their subject lines.
Re:Another approach... (Score:4, Interesting)
Yes, like greylisting. (ie, Postgrey for Postfix) (Score:5, Interesting)
-Mark
"Bounce"ing Mail (Score:2, Interesting)
I was recently shocked to find that neither Outlook Express nor Outlook has this feature.
Very useful for Spammers and Annoying Ex-Girlfriends.
Check your mail client (Score:1, Interesting)
--Alma
Re:Reinstall Windows for E-mail (Score:3, Interesting)
I have had a couple of "personal spam" (messages that are from legitimate people - but are SPAM to me - on college campuses this happens all the time) get through - but after Reporting those as spam it hasn't messed up since. On average it has been eating about 30 spam emails a day.
I used Mozilla Mail's spam filter for the last year or so - and just completely switched to Gmail last week - and have found it to be superior in all regards (Filters and Labels are AWESOME!).
Ok - enough Gmail love...
Friedmud
Logically shut it down! (Score:3, Interesting)
mxlogic.com (Score:3, Interesting)
Or delay delivery, and check again ... (Score:5, Interesting)
From the FAQ (http://www.olympus.net/doubleVerifyNL):
DoubleVerify gets two chances to automatically identify mail. When mail arrives at our mail server the first time our server requests the sending mail server to send it a second time. Spammers rarely comply. Legitimate mail servers typically resend the mail about fifteen minutes later. Once OlympusNet receives mail the second time, it immediately delivers that mail and continues to immediately deliver mail from that sender. The DoubleVerify process works invisibly and is handled automatically by the mail servers.
You can whitelist entire domains (like your company, for example), too. It's worked pretty well for us.
Re:Another approach... (Score:3, Interesting)
Re:Another approach... (Score:5, Interesting)
Here's MY answer and it works 100% (Score:3, Interesting)
Account based email box ~ 25 spams/week over the past year.
My email account : 0!
Reasoning : spammers do s/nospam//ig; on their email addresses.
I really feel for that blahblah_@mindspring.com - They're getting my spam
(For the pedantic yes I know mindspring whitelists - mindspring.com is used as an example)
-B
What about grey lists? (Score:1, Interesting)
Those who don't understand technology are ... (Score:5, Interesting)
During that time, all the mails sent to my mail account were of course bouncing.
Of course they were NOT. During that time, emails sent to your account were being held at the sending server, or, in the case of spammers who aren't using open relays, there was a timeout during the connection to port 25 on your server. Neither results in a bounce. Most intelligent email systems are set up with a 5 day queue.
In other words, it will take 5 days for bounces to start being sent. That's for real email. For the spam, the bounces will be sent to fake addresses and the spammers will never see them.
I've had systems in place on many of my accounts for YEARS that bounce (reject with "unknown user" errors) spam and the same spammers keep sending the same shit over and over again. I've watched the mail logs on my domain's servers where 99% of the incoming email is undeliverable spam (it ALL bounces) and the same spammers keep sending the same shit over and over again. Spammers simply either DO NOT CARE if they get a bounce, or do not see the bounces anyway.
There must be a different explanation for the reduction in spam. A new spam filter on the server, for example. Spammers seeing bounces and stopping is patently ridiculous.
Re:Another approach... (Score:2, Interesting)
Nice little trick, I like it.
Re:you mean greylisting? (Score:3, Interesting)
It sure does. Greylisting is a better approach. And with greylisting you lose no legitimate emails (unless the sender uses a seriously broken mail server). Before greylisting was introduced on our mail server approximately 90% of all incoming mail was removed by spamassassin. And that is even with a very high threshold, so a lot of spam still made it past the filter.
Once greylisting was introduced the amount of incoming mail dropped by a factor of about ten. And those are still filtered by spamassassin, though only 40% are filtered and 60% let through. In total that means 90% stopped by greylisting, 4% blocked by spamassassin, and 6% let through. And in my experience about half of those let through both filters are spam. I don't want to think about what my Inbox would look like without spam filtering.
Dumb article (Score:3, Interesting)
Never, not once, did he consider the fact that his admins *upgraded* the Exchange server. They probably went from 5.5/2000 to 2003.
By no means am I an M$ guru, but I know for a fact that 2003 comes with a large amount of internal things to help control and minimize spam.
In fact, anyone upgrading to 2003 sees dramatically better spam controls.
Someone revoke this guy's geek license, as he just failed the critical thinking test.
Re:Another approach... (Score:2, Interesting)
If you've ever gotten a virus warning for a message you didn't send, you'll know what I mean.
You need to stop them at the IP/SMTP level if you really want to make sure they get the point. It's also a lot more satisfying to think of a poor spambot getting a reject code.
Re:That only works for smart spammers (Score:2, Interesting)
Re:NO, don't bounce, reject at MTA level ONLY (Score:3, Interesting)
It also does a 20 second delay before sending the reject code, to slow down the spammer from moving on to their next target.
Read about it and download the source code on my web page.
http://highlandsun.com/hyc/
I've been using it for over a year and my spam-to-mail ratio dropped from 95% spam to 5% spam.
Re:Another approach... (Score:3, Interesting)
Re:Another approach... (Score:3, Interesting)
The logic is that a if a spam zombie is the source, they would just react to a problem by going to the next victim. A legitimate server will store the e-mail and try again.
Very few ISPs are so clueless that they don't queue and retry when they get a 4xx response (indicating a temporary failure). There are a few, but not many.
So if you refused all incoming e-mails the first attempt (or the first two attempts) with a mailbox full type message and then accept the e-mail on the next retry. You'd also want some minimum retry period, say 30 minutes. That way a spammer couldn't just try the same address two or three times in a row and reach it.
I'd bet that you could cut the number of spams you receive and the bandwidth eaten by it by 90% or more.
Of course, if everyone did this, the spammers would adapt. But then they'd at least have to store all the information so they could retry.
My suggestion is to match on the ip address of the sending host, the host name in the helo/ehlo, the mail from e-mail address, and the rcpt to e-mail address. If the spam zombie tries again but with a different ehlo or a different mail from, it would count as a first attempt. And entries would need to be deleted when reaching some maximum age.
It could also be coupled with a white-list approach. Keep a white-list of the various helo/ehlo, mail from, and rcpt to items to determine which e-mail the user has indicated to pass through without refusing the first time or two.
Even if you just randomly refused an e-mail with a temporary problem, you'd cut down on the problem some. For example, 2/3 of the time, you might refuse to accept an e-mail with a mailbox full message. That way, you wouldn't have to keep track of anything. But spammers would be able to get through by just trying several times in a row when they got a 4xx message.
Re:That only works for smart spammers (Score:3, Interesting)
For the spanish connection, I don't know but something really really weird happened to me one day on ICQ years ago. I was using the same username, and somebody approached me in random chat, and asked me some question in spanish. I replied that I didn't speak spanish and so, didn't understand them. The person wrote back, something long, with lots of exclamation points in it. I continued to protest that I didn't understand. 'No habla espanol' is about all I know. They switched to a larger font, restated their little rant, I protested again, so they switched to using all caps, and a still-larger font. They seemed to be getting very angry, and once they ran out of font sizes (for this continued for several more lines) they finally broke off the chat. And I was like, WTF??? Maybe Feanturi in spanish means something like baby-raper or somesuch, I have no idea.
Don't use the FROM, just ban open relays (Score:2, Interesting)
On a related note, I find it amazing that various antivirus/antispam vendors are still using the "From" line to report abuses. Do viruses or spam ever come from real email addresses? Not usually. I'm pretty much the victim of a "joe-job" on a regular basis because of this.
Re:Another approach... (Score:3, Interesting)
Occum'on (Score:3, Interesting)
Didn't that Occum guy have something to say about crazy theories like this author's rant?
Re:Not a good idea (Score:3, Interesting)
Re:Another approach... (Score:2, Interesting)
You store the connecting IP, sender and recipient address in a database and temporarily reject the first time you see that combination for a configurable time (1 second is currently good enough)
A good greylisting engine will strip the last byte of the subnet in case mail is retried from different hosts in a mail cluster; for this reason it's not a good idea to use the HELO address.
Greylisting stops almost all SPAM and pretty much all virus traffic as viruses also have weak SMTP engines that can't deal with temporary failures. In practice the only viruses I've found that make it through greylisting either bounced messages or from some ISPs that transparent proxy outgoing e-mail.
The SPAM that remains is easily handled by blacklists or SPAM Assassin as these SPAMs are sent through properly configured mail servers, so they are likely to be in domain or IP blacklists.
Given that a good proportion of SPAM is sent through zombied windows machines even if a SPAM is re-sent 30 minutes later it'll take a lot more work for a spammer to ensure that the same message is sent out twice by the same zombie.
It's baffling me why greylisting isn't the first line of protection for a lot more people; it's simple to set up (use postgrey with postfix) and is less prone to error, unobtrusive and higher in performance than virtually any other SPAM detection technique. Setting up and accepting three lines of text and checking against a database is certainly a lot less performance overhead than invoking a virus scanner and spam assassin.
Of course spammers will always evolve, repeatedly sending the message from the same host would be enough to get the message through and those not using greylisting would now get twice as much SPAM, but that also means that a spammers throughput has been halved.
If grey listing is combined with a few select blacklists (including the excellent rhs.mailpolice.com URL list), plus SPAM assassin, you're closer to 100% and there are a great deal fewer false positives.
Another interesting approach I've used is to use rhs.mailpolice.com on our web cache, so that any URLs requested are checked against the SPAM blocklist. This blocks any inline images which might either offend or used as a call back for address verification, it also means that even if a phishing SPAM makes it through by the time the user reads it they are unable to view the page as its in the blocklist.
Jason.
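The triplet scheme that the two comments above describe (temporary-reject the first sight of a client-network/sender/recipient triplet, accept it once a real MTA retries after a minimum delay, mask the client IP so a sibling host in the sender's cluster still matches, expire old entries, and bypass the whole thing for whitelisted relays), written out as a Postfix-style SMTPD policy decision. This is an added example, not postgrey's or Postfix's own code; the `name=value` request format and the `DUNNO` / `DEFER_IF_PERMIT` actions are what Postfix's policy protocol uses, while the 5-minute delay, 35-day expiry, /24 masking and the sample addresses are assumptions chosen for the illustration.

```python
"""Greylisting as a Postfix-style SMTPD policy decision.

Added illustration, not postgrey's or Postfix's own code. The request format
(name=value lines ended by a blank line) and the DUNNO / DEFER_IF_PERMIT
actions follow Postfix's smtpd policy protocol; the delay, expiry and
address-masking values are assumptions picked for the example.
"""
from dataclasses import dataclass, field
import ipaddress

GREYLIST_DELAY = 300               # assumed: a retry sooner than 5 minutes is still deferred
TRIPLET_MAX_AGE = 35 * 24 * 3600   # assumed: forget a triplet not seen for 35 days


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def greylist_key(client_address: str, sender: str, recipient: str) -> tuple:
    """The triplet. The client IP is masked (/24 for IPv4, /64 for IPv6) so a retry
    from a sibling host in the sender's outbound cluster still matches."""
    prefix = 64 if ":" in client_address else 24
    net = ipaddress.ip_network(f"{client_address}/{prefix}", strict=False)
    return (str(net), sender.lower(), recipient.lower())


@dataclass
class Greylist:
    delay: int = GREYLIST_DELAY
    max_age: int = TRIPLET_MAX_AGE
    whitelist: list = field(default_factory=list)  # ip_network objects that bypass greylisting
    seen: dict = field(default_factory=dict)       # triplet -> [first_seen, last_seen, passed]

    def decide(self, attrs: dict, now: float) -> str:
        """Return the Postfix action for one delivery attempt at time `now` (epoch seconds)."""
        client = attrs["client_address"]
        sender = attrs.get("sender", "")
        recipient = attrs["recipient"]
        self._expire(now)
        # Whitelist by client network, not by sender domain: the envelope sender is
        # forged in most spam, the connecting IP is not.
        if any(ipaddress.ip_address(client) in net for net in self.whitelist):
            return "action=DUNNO"
        key = greylist_key(client, sender, recipient)
        entry = self.seen.get(key)
        if entry is None:
            # First sight of this triplet: temporary failure. A real MTA queues and
            # retries; a spam zombie usually moves on to the next victim.
            self.seen[key] = [now, now, False]
            return f"action=DEFER_IF_PERMIT Greylisted, try again in {self.delay} seconds"
        first_seen, _, passed = entry
        entry[1] = now
        if passed or now - first_seen >= self.delay:
            entry[2] = True   # triplet has proven it retries; let it through from now on
            return "action=DUNNO"
        # Retried too soon (the "try the same address two or three times in a row" case).
        remaining = int(self.delay - (now - first_seen))
        return f"action=DEFER_IF_PERMIT Greylisted, try again in {remaining} seconds"

    def _expire(self, now: float) -> None:
        stale = [k for k, (_, last, _) in self.seen.items() if now - last > self.max_age]
        for k in stale:
            del self.seen[k]


def simulate() -> dict:
    """Replay a constructed sequence of delivery attempts; returns the action per scenario."""
    gl = Greylist(whitelist=[ipaddress.ip_network("203.0.113.0/24")])  # assumed: our own relay
    t0 = 1_700_000_000.0

    def req(client, sender, rcpt):
        raw = f"request=smtpd_access_policy\nclient_address={client}\nsender={sender}\nrecipient={rcpt}\n\n"
        return parse_policy_request(raw)

    r = {}
    # Legitimate MTA: deferred, retries 15 minutes later from a sibling host in the same /24, accepted.
    r["legit_first"] = gl.decide(req("192.0.2.10", "alice@legit.example", "me@mydomain.example"), t0)
    r["legit_retry"] = gl.decide(req("192.0.2.11", "alice@legit.example", "me@mydomain.example"), t0 + 900)
    # Same triplet again: already passed, accepted at once.
    r["legit_again"] = gl.decide(req("192.0.2.10", "alice@legit.example", "me@mydomain.example"), t0 + 901)
    # Zombie hammering the same triplet three times within seconds never waits out the delay.
    r["zombie"] = [gl.decide(req("198.51.100.7", "x@forged.example", "me@mydomain.example"), t0 + i)
                   for i in range(3)][-1]
    # Zombie switching the forged sender starts a fresh triplet and is deferred again.
    r["zombie_new_sender"] = gl.decide(req("198.51.100.7", "y@forged.example", "me@mydomain.example"), t0 + 1000)
    # Whitelisted relay is never greylisted.
    r["whitelisted"] = gl.decide(req("203.0.113.5", "boss@example.com", "me@mydomain.example"), t0)
    return r


if __name__ == "__main__":
    for name, action in simulate().items():
        print(f"{name:18} {action}")
```

Two choices differ from the comments above on purpose. The whitelist is keyed on the connecting network rather than on the sender domain or HELO name, because both of those are trivially forged while the client IP is not. And a triplet that has passed is kept "passed" only while it keeps being seen; once it goes quiet for `max_age` it is dropped and the sender is greylisted again, which is the "entries would need to be deleted when reaching some maximum age" point. Postgrey's delay is also a few minutes rather than the 1 second mentioned above; a very short delay only stops zombies that never retry at all, whereas a delay of minutes also stops the "retry the same address three times in a row" trick.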
Re:Blocklists, Teergrubes, Bandwidth Suckers (Score:1, Interesting)
In my experience this, combined with other attacks such as form bombing, are the only proven ways to knock out a spammer.
I guarantee you would see a lot more spam, both from small-timers driven straight, to the loss of business incurred by hardcore spammers who implement countermeasures against us (complex javascript tests, etc) that also drive away legit customers, if this wasn't being done.
Please knock off the sanctimony about "damaging the network infrastructure." Idiot pornsite webmasters using
As for innocent sites being hit, the chances are extremely improbable; your bringing up that idea only shows your unfamiliarity with the process.
If idle routers are your goal, I would suggest campaigning against email windows worms, I know I have to delete half a meg of those every day.
Re:Not a good idea ??? (Score:4, Interesting)
How do I know this? I've owned my domain since 1996, and I've been administrating the email since 1998. I get spam nearly every single day for beth@ahab.com (no point in cloaking it, really), and it has NEVER been a valid address. It often bounces back to the postmaster (me) after not bouncing back to their forged yahoo address and after NOT getting the word out to a single baby-eating spammer (you do know they eat babies, right?), and I see it when I bother scanning my postmaster folder for anything interesting.
Sure, it's worth my hassle if it bounces back to them, but it's probably not worth it to the poor sucker whose yahoo address they forged.
Get a clue: SPAMMERS DON'T CARE. You're kinda hoping that the guy who lets his dog shit on the sidewalk in front of your house is going to be annoyed by the smell.