I am the Most Spammed Person in the World 478
jefp writes "In November 2004, Microsoft's second-in-command Steve Ballmer made some headlines by mentioning that Chairman Bill Gates was getting four million spams per day. At the time, I was dealing with a little spam problem of my own - I was getting around a million spams per day. I found it a little comforting that my problem wasn't quite as bad as Bill's. However, a couple of weeks later Ballmer corrected himself, saying he mis-remembered the stat and Gates actually gets four million per year.
This means I was getting one hundred times as much spam as Bill Gates.
I've written a tutorial explaining why I get so much crapmail and how I deal with it."
This will help his spam problem for sure!! (Score:5, Funny)
I know how to deal with spam. (Score:5, Funny)
I figure if its important I'll get a phone call.
Re:I know how to deal with spam. (Score:5, Funny)
Re:I know how to deal with spam. (Score:5, Funny)
Re:I know how to deal with spam. (Score:5, Funny)
I couldn't resist, I'm sorry. *hangs head in shame*
Re:I know how to deal with spam. (Score:5, Funny)
Re:I know how to deal with spam. (Score:5, Funny)
Re:I know how to deal with spam. (Score:5, Funny)
As a result, since no one receives email, calls, visitors, IMs, telegrams, or Soviet secret police, we are sending messenger (African) pigeons to deliver these messages to you, in an entirely different style at great expense and at the last minute.
Re:I know how to deal with spam. (Score:4, Funny)
I need to know so that I can anticipate their arrival and delete them as soon as they get here.
I figure if it's important, they'll send a messenger swallow.
Re:I know how to deal with spam. (Score:5, Funny)
Re:I know how to deal with spam. (Score:5, Funny)
Close second. (Score:5, Funny)
Re:Close second. (Score:5, Funny)
That's not all. (Score:3, Interesting)
I replied, saying "Did you actually get modded up to +4 for pimp-slapping yourself?". He had.
--grendel drago
Re:MOD PARENT UP! (Score:4, Funny)
Full text - it's Slashdoted (minus img and tables) (Score:5, Informative)
Mail Filtering
Or, how to block a few million spams per day without breaking a sweat.
© 2005 by Jef Poskanzer.
Introduction
In November 2004, Microsoft's second-in-command Steve Ballmer made some headlines [slashdot.org] by mentioning that Chairman Bill Gates was getting four million spams per day. At the time, I was dealing with a little spam problem of my own - I was getting around a million spams per day. I found it a little comforting that my problem wasn't quite as bad as Bill's. However, a couple of weeks later Ballmer corrected himself [slashdot.org], saying he mis-remembered the stat and Gates actually gets four million per year.
This means I was getting one hundred times as much spam as Bill Gates.
Nevertheless, after filtering we both get about the same amount: around ten spams per day in our inboxes. Ballmer says that Microsoft has an entire department dedicated to protecting their mailboxes from spam. At ACME Labs there's just one guy, one server, and a T1 line. And yet my filters are a hundred times as effective as Microsoft's. How do I do it?
These pages will show you how, and help you deploy similar filters on your own system.
Goals
What am I trying to do here?
Results
For those who like to read the end of a novel first, here are some overall stats showing how the filters are performing.
Environment
This is all based on a Unix system running sendmail. If you're not using Unix, or you're using a different Unix-based mail system, most of the specific advice here will not help you. You may still find some value in the general ideas.
Sendmail Config
The first layer of spam defense is sendmail itself, because that's the first piece of software to touch each message. Sendmail has a number of different config options that can help you block spam and keep your machine stable.
greet_pause
As of version 8.13, sendmail added an anti-spam feature called "greet_pause". It is both simple and clever.
In a normal SMTP transaction [slashdot.org], first the client connects, then the server sends back a "220" greeting message, then the client sends its HELO command. Some spam programs, however, don't wait for the greeting message. They just send their commands immediately without listening.
The greet_pause feature detects this misbehavior by pausing briefly before sending out the "220" greeting message. If any commands arrive during that pause, then the connection is marked bad and anything coming over it is ignored.
This one is interesting because it actually cuts down on the number of spam attempts, not just the spam deliveries. I figure when the spammers hit the pause they are somehow getting stuck. I'll have a graph of this later - before I enabled greet_pause, I was getting a couple million spam attempts per day; after, only 600,000.
To enable the feature, you need to make two changes. First, in your sendmail.mc file:
You probably already have access_db defined; it just needs to appear somewhere prior to greet_pause. The number is how many milliseconds to pause; 5000 = five seconds. Then in your access file you should add this:
The second change prevents the pause from applying
Re:Full text - it's Slashdoted (minus img and tabl (Score:3, Funny)
The guy that gets 1000000 items of spam per day is slashdotted?
Beware geeks bearing .GIFs
Re:DNS-RBLs (Score:5, Funny)
Maybe someone should create a blacklist blacklist?
Give him a Tony (Score:3, Funny)
And that's why.... (Score:5, Funny)
Re:And that's why.... (Score:5, Funny)
Oh, sure, and I'm sitting behind a monitored corporate firewall wondering just what might be on the end of such an URL.
Bastards!
Re:And that's why.... (Score:5, Funny)
Well, apparently they don't have a problem with your slashdot habit!
Re:And that's why.... (Score:3)
Dude, this is Slashdot. Any URL containing the word farm in it, is not to be opened at work.
It's just not done.
You can cope with 1M spam emails... (Score:5, Funny)
slashdotted... (Score:5, Funny)
What's happening here is: (Score:5, Funny)
nowhere (Score:4, Interesting)
Re:nowhere (Score:5, Informative)
Re:nowhere (Score:2, Funny)
Re:nowhere (Score:4, Informative)
Not so clever (Score:5, Funny)
You try to do this by submiting a story to
Good test for thttpd. (Score:3, Interesting)
Hi Pokey!
-jim
Re:Good test for thttpd. (Score:2, Funny)
Re:Good test for thttpd. (Score:3, Interesting)
Before it was Slashdotted.. (Score:3, Informative)
I guess 1,000,000 spams a day isn't as bad as 1000 people simultaneously trying to access your Web server!
Re:Before it was Slashdotted.. (Score:4, Informative)
Very reliable tech I guess.
Greylisting (Score:5, Informative)
It's easy to set up and works with your existing mail server. OUr mail server is qmail on red hat, but openbsd just ahppily redirects the legit (what it suspects might be legit rather) to the mail server. The load has dramatically decreaed on the mail server.
Re:Greylisting (Score:2)
Also I just checked and technically no spams were received today they came in yesterday. So I've gotten 6 spams SINCE enabling greylisting yesterday morning.
Re:Greylisting (Score:3, Interesting)
I'd really like to see everyone adopt SPF so I can start refusing domains that don't have SPF records published for them.
Re:Greylisting (Score:3, Insightful)
Re:Greylisting (Score:3, Interesting)
Re:Greylisting (Score:3, Informative)
On the other hand, a spammer wants to deliver 10,000,000 messages to random users on your system. Depending on whether your greylist takes place before recipient verification, he has to delay 100% of his messages to you before even having the privilege of knowing which ones are potentially going to real users. Additionally, there's a fighiting chance of the spammer being added to a DNSBL between the time they initially begin their transmission and when your server finally stops ignoring their requests.
Even if all spammers upgrade their bots to full SMTP compliance, the result of greylisting is a huge spike in the resources required to transmit a given amount of UCE. The goal isn't to make it impossible for them to transmit their junk, but to make it more expensive than it's worth.
Re:Greylisting (Score:3, Interesting)
The downside of grey-listing is that the easiest way for spammers to circumvent it is to simply use their bots to flood a recipient mailbox with the same message again and again until the greylisting timeout expires and the message(s) is accepted. To the recipient MTA there is very little difference between a proper message being retried and a spambot crapflooding the hell out of a mailbox - especially since some MTAs make a really poor job of being standards compliant and seem to take a 4xx temporary error as an invitation for an all out DOS to try and get their message delivered.
This has the unfortunate side effect of spam zombies sending 100s of copies of the same message for hours at a time. And on systems without greylisting it means a huge increase in duplicate spams being received.
Re:Greylisting (Score:3, Informative)
There can be some misconfigured or ancient SMTP servers, but you can always whitelist it if you really need to get email from such servers.
Preventing False Positives is a critical feature (Score:3, Informative)
Without downloading and unzipping your code, I can't tell how your blacklisting features work, but an obvious extension to a greylisting system is to give RBLed sites a much longer greylist time than mail from unknown sites (e.g. 4-hour retries vs. 5-minute.) It's particularly useful because you can even use some of the more aggressive lists in spite of their enjoyment of collateral damage, and you can use whole-country blocklists for places you don't expect to get mail from, such as Korea and China, without actually rejecting much mail from real people.
Don't need to RTFA... (Score:2, Funny)
A quick suggestion... (Score:5, Insightful)
Your name in the posting is a link that resolves directly to your email address.
Don't know what you're doing right now to reduce the spam, but maybe putting your email address on the front page of Slashdot is a step in the wrong direction.
Re:A quick suggestion... (Score:3, Insightful)
If you're standing in the surf, a little rain ain't gonna matter much...
Re:A quick suggestion... (Score:3, Interesting)
I always wondered this. OK, Bill Gates gets a lot of email just because of who he is. But why do "everyday" people get hundereds of SPAM messages a day? I don't get it. Are you just handing out your email to everyone? Are these unfiltered messages on your own mail server? I just don't get how you can possibly get that many SPAMs in a day. I have 5 email accounts at various providers, and I get maybe 5-10 a day TOTAL. Are my providers just much better at filtering? Am I just more careful about who gets my email address?
I have to think that if you get that many SPAMs a day, it is because you are loose and easy with the address, or have a high-profile address.
I have a high-profile address... (Score:4, Interesting)
In 2000, the last time I added it all up, I was getting 300M a month *after* applying blacklists. At this point my mailserver is blocking several countries and ISPs, using multiple blacklists, and running some custom greylist software I wrote myself (for qmail... sorry, Jef), and my local mail client's only seeing 20-30 spams a day out of the hundreds of thousands (maybe as many as a million, it's too depressing to keep track) of delivery attempts that show up in my logs.
If you don't mind changing your email address now and then, more power to you, but I'm damned if I'll give the bastards the satisfaction.
A billion MIPS for defence, but not a byte for tribute!
Re:I have a high-profile address... (Score:3, Interesting)
Or if you don't have a choice. I used to use my work email for all my usenet stuff back in the late 90s. Then I left that job, and started using my own email address. That provider changed domain names, then I dropped them altogether when they took away all shell accounts. Then I had Earthlink for several years. I then moved across the country, and now have a new provider. So I have changed my email address, but only about every 3 or 4 years or so. But I have had a Yahoo account for about 5 or 6 years now, and I don't get much spam at all on it.
I think it all comes down to not giving out your email account. But even then, you don't have much control. At my last job, I ONLY used my work email account for work, I never sent email to anyone that wasn't work related. Then some dope at work got their laptop infected, and all of a sudden I was getting spam (my address was in their address book). Or if you get people who use that "send this news story to a friend" link to send you news stories and crappy little animated doo-dads that they find funny. ARGHHH!
Re:I have a high-profile address... (Score:3, Interesting)
I wrote an article [freesoftwaremagazine.com] about my Postfix + Amavisd + SpamAssassin + ClamAV + Greylisting setup; I'm down from many-thousand spams per day to one or two. We've reached the point where technology can do an excellent job of separating the wheat from the chaff, but people seem slow to adopt it. I'd go as far as to say that if you or your company still get significant amounts of spam, then it's a voluntary decision.
My only wish is that SPF were more widespread. One of my domains, honeypot.net, seems to be a favorite for spoofing, and it wouldn't hurt my feelings to never receive another whiny email from someone who just decided that they've had enough and wants to start fighting back.
The anatomy of successful spam filtering (Score:3, Informative)
(In fact the ISP it's hosted with currently hosts ONLY that email address and a tiny hunk of web space for me; I get my actual connection and everything from Cox).
My address has been plastered all over the Internet from since before there was a spam problem. Even if I were to take it off of all the sites I've made, or ask it to be taken down from all the other sites, there's still hundreds of UseNet posts from before there was need to spam-proof my address, all cached on the various web-based UseNet caches.
At one point a few years back I was getting many hundred spam messages a day. Now, I get about two. And I've not had any problems with false positives that I'm aware of, at least not for quite a while.
I don't run my own mail server and I don't know how West.net (my mail provider) runs theirs, but I do know they run a nice spam filtering service called Postini, which catches a large majority of the spam. When it gets to my end, I've got extensive whitelists for all the discussion lists I'm on, as well as everyone in my address book (everyone I've sent mail to, basically). A lot of spam I'd get has my own address forged onto it, so any mail from me that doesn't contain my passphrase in the subject is blacklisted. I've also got a blacklist for serious repeat spammers (same exact spam every day). Past that, Mail's Bayesian filtering quarantines most of the remaining messages, and all the ends up in my In box are legit messages from people I don't know, and maybe one or two spam messages.
I think the common thread between the article's successful spam filtering and my successful spam filtering is using multiple layers of whitelists, blacklists, and greylists. Keep the people you know on whitelists so you never need to worry about them not getting through; people doing evil things get blacklisted, preferably temporarily as he's done it; and everyone else takes the risk of being filtered (either because their mail server is dysfunctional, as some of his filters would risk, or because the message "looks like spam" as a Bayesian filter would risk). Implement this type of scheme on both the mail server (his way) and the client program (my way) for extra protection.
I think that's about as successful as anyone can hope for a spam filter.
Mirror (Score:5, Informative)
GPF (Score:2)
Damn. I could have submitted a story about it and used that same box as the web server.
I wonder.. (Score:4, Funny)
Of All things I've ever heard someone brag over, (Score:2)
Weird article, someone ASKING to have themselves put under Slashdot's thumb.
Well duh! (Score:2, Funny)
and i thought... (Score:2)
I can't even imagine getting that much, i'm already spamfiltering on at least 3 levels (bay server, bay client, manual client).
Spammers should die. If i had to pay for line charges, id just kill my accounts.
"mis-remembered" (Score:3, Funny)
Why so much mail? (from the article) (Score:2)
Heh (Score:5, Funny)
Re:Heh (Score:5, Funny)
Re:Heh (Score:5, Funny)
It is testicular enhancement that is called for in the case of most Senators.
if the goal is to make sure you get less spam (Score:2)
Problem solved!
Re:if the goal is to make sure you get less spam (Score:2)
What I Use (Score:3, Funny)
Outlook Spam Filter (Score:2, Informative)
I started to email you, but then.. (Score:2)
Coral cache (Score:2)
Seems a trifle slow..
Coral cache [nyud.net]What hardware is your site running on, Jef? (Score:2, Informative)
Re:What hardware is your site running on, Jef? (Score:5, Informative)
Thunderbird? (Score:2)
I'll point them to the corner liquor store instead, as they just wouldn't understand, anyway.
Coral cache (Score:3, Informative)
His new address... (Score:2)
wyle_e_coyote@acme.com
Hall of Shame (Score:2)
qmail (Score:4, Interesting)
Re:qmail (Score:5, Informative)
Long Answer: The concern is the misdirected bounce. By default and in accordance with the RFC, qmail bounces messages it accepts then later decides it can't deliver back to the sender. Spammers use false return addresses, so you end up bouncing spam back to innocent third parties. When used with naive spam-filtering techniques, this can be a problem i.e. qmail accepts the message, but a spam filter rejects it, and it is bounced. Here's what SpamCop.net [spamcop.net] has to say about it:
Everything anti-spam is done by people other than djb. I love qmail, but it really isn't the easiest server to set up for spam control. One needs about a dozen patches to get it working right.Sue the spammers into bankruptcy. (Score:2)
Having over a million spams a day should make easy to find some spammers that can be tracked and sued. With that volume, it may be easy to find an attorney that can do it on contigency.
A Million Spam Email Per Day... (Score:2)
I suspect most if it is from Wiley the Coyote (Score:2)
No more spam. (Score:2)
ACME? (Score:2)
What to do... (Score:5, Interesting)
This guy's SMTP server: Pipelining is turned on for untrusted hosts. Nice.
Either way, a good portion of the spam hitting my system never even makes it to EHLO/HELO time because if there's any sort of resolution problems with the dns/rdns or if the hostname contains the IP address in it (RFC violation) I delay the connection 20 seonds before the greeting. RFC states clients WILL NOT send data unless asked to do so, except for pipelining which is not advertised for untrusted hosts. When the MTA sees a bunch of incoming crap, it drops the connection because they violated the RFC rules for handshaking (clients MUST wait for the greeting). This does not affect legit MTAs with temporary problems.
I go through a whole bunch of other checks even before DATA time, delaying at each step if there's a problem. 90% of the spam/viruses never even make it to scanning for spam/viruses because they violate something before that and the connection get drops (or they drop it from waiting). Once again, delaying 20 seconds does NOT affect legit MTAs.
Big writeup on SPAM filtering [linux.com]
My MTA [exim.org]
Re:What to do... (Score:3, Informative)
Author is a liar. (Score:3, Insightful)
Give me a break... 1/4 as popular as Bill Gates? Doubt it.
Annoying Spammers with pf/spamd (Score:3, Interesting)
http://www.benzedrine.cx/relaydb.html [benzedrine.cx]
Re:Tip #1 (Score:2)
Re:Tip #1 (Score:5, Interesting)
in the world... (Score:4, Funny)
Hmmm...
* "World's biggest hacker" [slashdot.org]
* "World's Fastest Inkjet Printer" [slashdot.org]
And what we have here? The "most spammed person in the world" becomes "the most slashdotted person in the world" who used "the most over-used headline cliché in the world".
Ladies and Gentlemen, we have a winner!
Re:in the world... (Score:5, Funny)
The funny thing is, I don't have any kids....
Re:in the world... (Score:2)
Re:in the world... (Score:2)
Re:Stop endorsing plagiarism, editors!!! (Score:3, Insightful)
Re:Stop endorsing plagiarism, editors!!! (Score:5, Funny)
I think the line
kinda gave that away already.
Re:Stop endorsing plagiarism, editors!!! (Score:2)
Duh (Score:2)
I'm not sure if you're trying (and failing) to be funny or just not very observant. The submission was cut and pasted from a website BY THE ORIGINAL AUTHOR. Doh!
Comment removed (Score:2)
Re:Stop endorsing plagiarism, editors!!! (Score:2)
Re:First? (Score:2)