Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Spam

Interview With The SpamAssassin 202

comforteagle writes "Howard Wen has conducted an interview with Daniel Quinlan of SpamAssassin. In it he explores what keeps Daniel motivated in the face of the unrelenting torrent of spam and new spamming techniques, as well as, what is working - what is not, and what he predicts spammers have up their sleeves next for defeating spam detection." From the interview: "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."
This discussion has been archived. No new comments can be posted.

Interview With The SpamAssassin

Comments Filter:
  • by erick99 ( 743982 ) <homerun@gmail.com> on Friday March 04, 2005 @03:51PM (#11847714)
    When I got to over 300 spam a day was just about the time I tried gmail (google mail). So far this is the best spam protection I have come across. My spam folder is getting about 400 a day now but I can't remember the last time a "good" message went in there. I still get about five spam a day that I need to manually deal with.
    • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Friday March 04, 2005 @03:55PM (#11847772) Homepage Journal
      I agree that Google has good protection, Even with slutting my email address by publishing it on /., the amount of spam that makes it into my gmail box is surprisingly small.
    • by int2str ( 619733 ) on Friday March 04, 2005 @04:14PM (#11847988)
      I disagree completely.

      I'm subscribed to the Linux kernel mailing list with a GMail account and it constantly marks legitimate messages as Spam. Since the emails have such a common format and subject matter, that's really surprising.

      On the flip side, many Spam messages and phishing attempts make it through GMails filter.

      My small business mail server running Spamassasin and some blacklists is much more efficient compared to Gmail.

      Cheers,
      Andre
      • The reason for this is obvious. Tons of people rely on gmail to get messages from lkml, gnome lists, and other known and trusted sources. When the mailing lists let the spammer messages go through, gmail would probably think it's unwise to filter messages from an source that so many others trust and rely on. Autowhitelisting en masse.
    • by snorklewacker ( 836663 ) on Friday March 04, 2005 @04:19PM (#11848045)
      gmail's spam filtering annoys the hell out of me: No whitelists. I'm subscribed to a spam discussion list, so it trips spam filters all the time, and I'm constantly having to fish messages out. I don't care that it classifies it as spam, I'm just annoyed at the fact that I cannot ever override its judgement.
      • Sort of. See that button above an e-mail that says 'not spam'? Yes, that's the one. If a message appears in your spam box, click that button, and it will be moved from the spam box to the inbox and taken off the 'spam' list, effectively adding it to a whitelist.
        • "Not spam" does not whitelist senders. It moves messages. Maybe I'm missing something.

          I really should have just posted AC, having gotten three replies that went:

          1) google radiates golden benefince, you suck for criticizing them

          2) see that "not spam" button? the shiny one? don't lick it, click it! good boy!

          3) Use another email client, you're not firewalled or anything, and you configure this client everywhere you go, right? Aren't I clever for knowing about its existence?

          My blood pressure really c
          • I think it actually takes it off the blacklist, basically whitelisting it, though not technically. This is how it seems to work, though I could be wrong.

            Didn't I say this already?
      • Come on, say it with me:

        T-H-U-N-D-E-R-B-I-R-D

        That's right, a decent mail client from the geniuses at Mozilla that filters spam. It's pretty damn accurate once it learns a little...and it includes white and blacklisting.
  • Cloudmark SpamNet (Score:5, Informative)

    by Zendar ( 578450 ) on Friday March 04, 2005 @03:52PM (#11847736)
    Been using Cloudmark's [cloudmark.com] SpamNet for over a year and haven't looked back since. Nothing gets by.

    Disclaimer: No interest in the company. Just a satisfied customer.

    • Re:Cloudmark SpamNet (Score:2, Informative)

      by brj ( 665333 )
      I tried Cloudmark once, but found their false positive rate to be atrocious. They were tagging legitimate marketing emails from companies like REI that I had actively signed up for as spam. Their network of lusers are too lazy to unsubscribe from legit emails and they just report them as spam. Argh! (This was several years ago, so I don't know if things have improved since then.)
  • v1agr@ r0g@1n3

    Who has noticed a decrease in the effectiveness of Spam Assasin. I have! Anyone else?
    • Who has noticed a decrease in the effectiveness of Spam Assasin. I have! Anyone else?

      I still have SpamAssassin running, but I wrote my own spam filter to run before it because SpamAssassin was letting through so much spam. I found that my own filter is far more effective. Perhaps it is only because I can customize it easily (as I wrote the code) to handle what I receive. SpamAssassin has to be generalized for everyone else. Also, SpamAssassin didn't do an IP Address lookup on all links the emails, whi
      • For me it comes and goes, but yes, in the last couple weeks I've noticed a dramatic increase in false negatives. I feed them back into the bayesian filter for training, but it doesn't seem to help much. The worst part is that there's no real pattern to the stuff that gets through, other than the fact it tends to be very minimalist - a few words, often about a stock to invest in, etc.

        That said, SA has been a saviour of unimaginable proportions. I get 400-600 pieces of spam a day, and normally it's very g
      • by Christopher_G_Lewis ( 260977 ) on Friday March 04, 2005 @04:33PM (#11848195) Homepage
        It's just an arms race. SpamAssassin gets better, then the spammers adjust.

        Part of the problem with open source spam filters, the Bad Guys can reverse engineer what's currently being tested.

        I kinda wish that the SpamAssassin group would separate their tests from their product development, so we could get more frequent update of the "offical" spam assassin filters. However, I remember reading somewhere that testing and evalutating any new rules against their current corpus takes quite a long time.

        Also, make sure you check out http://www.rulesemporium.com/ [rulesemporium.com] for more frequently updated rules.
        • MOD DOWN PARENT (Score:3, Informative)

          Dude, did you even RTFA???

          From the article:

          Quinlan: I'm sure some spammers look at our code, but the end effect is about the same as with closed source. To beat closed-source spam filters, all you need to do is install the filter somewhere or get an account at the ISP, then you just keep an eye on whether your spam is getting through.

          Also, much of our filtering relies on stuff not in the source code: user training via Bayes, network rules like SURBL for URI blocking, various DNS blocklists, and messag

    • Who has noticed a decrease in the effectiveness of Spam Assasin. I have! Anyone else?

      I have been running Spamassassin for over a year now and have not noticed any real change. 1 or 2 spams get through (out of about 500) every 1 to 2 days. I should add that I also use spamcop, razor, bays, server blocks, and in the begining I wrote many of my own rules. If anything, Spamassassin is getting better because the inbound spam level goes up, but the amount in my inbox stays the same. These results will vary fro
  • by iolaus ( 704845 ) on Friday March 04, 2005 @03:54PM (#11847751) Homepage
    "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

    How the hell do you think the national do-not-call list came about? Because people bitched and complained! I agree there are spam solutions out there but I still think there should be an easier, more fool-proof, and legally backed way of opting out of spam.
    • and legally backed way of opting out of spam.

      This might be a little difficult to do. Spamming is already is illegal in US. But anyone can spam from other countries. And making the US laws apply over there would be difficult.

      in my opinion a fix to spam has to come from the software side, not from the government side.
      • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Friday March 04, 2005 @04:03PM (#11847864) Homepage Journal
        The US and other countries could put pressure on China to get them to clean up their ISPs. If you reduce the number of safe-spamming havens, you should reduce the smount of spam.
      • in my opinion a fix to spam has to come from the software side, not from the government side

        Well, the government could help by making it legal to mutilate spammers on the first offense ...

        On a more serious note, just make it legal to go after the companies that hire spammers.

        Wait, I like the first idea better. Yeah. Mutilate spammers. And their families.
      • Spamming is already is illegal in US. But anyone can spam from other countries.

        You're kidding yourself if you think that's the explanation. I reckon 80% of the spam I get is US based. No, I don't know that it's sent from mail servers in the US, probably zombies, but it definitely advertises US products to a US audience. Rx??? Didn't even know what that meant til I got 50 spam a day about it. What the hell is it with you guys and prescription medicine anyway? Approved for a new low rate? Is it reall

        • Re: Prescription medicine:

          Not sure about the UK, but in Canada and mainland Europe, much of the population is on at least one prescription medication, often anti-depressants. I've seen estimates suggesting that within the next decade or so, nearly half of the population of the industrialized nations will be on various prescription meds to deal with stress, weight, cholesterol, diabetes, and/or cancer, among other things. I've not had a prescription for anything in probably seven years, and not for anythi
    • Keep dreaming. Most spammers are not in U.S., or if they are, they are untraceable unless your the FBI who has bigger fish to fry. No legal tactic on the planet is going to solve this problem. A technical solution is all you can hope for - which when you think about it, should be very possible and is getting closer all the time.
      • by frankie ( 91710 ) on Friday March 04, 2005 @04:29PM (#11848148) Journal
        Most spammers are not in U.S.

        This is false. The SpamHaus list [spamhaus.org] shows the USA hosts more spammers than the other countries put together.

        the FBI who has bigger fish to fry

        This is somewhat true. We won't put a dent in spam from a legal perspective until a federal agency devotes some serious infrastructure to the job.

        That's mainly due to lack of willpower and expertise rather than funding, however. A competent "Spam Czar" armed with the authority to seize spammer's personal assets could easily achieve self-funded operation within a year.
        • "...armed with the authority to seize spammer's personal assets could easily achieve self-funded operation..."

          It's hard to picture a shorter route to corruption. When law enforcement officers fund themselves by taking stuff, the main incentive isn't to serve justice any more, it's to ... take stuff. This is exactly the problem faced by a lot of the former Soviet Union and Latin America: When the government can't (or won't) pay police enough to have a decent standard of living, they go into business for

    • I guess there are a few. Various states make it illegal to send spam. I don't know offhand if there is a federal law (in whatever country you're in), but none of that matters.

      American laws are not enforceable in

      Given that trademark, copyright, etc, laws are not universally accepted/enforced, I'm thinking this is something that can not be outlawed.

      A smallish part of the problem is that the SMTP protocol is broken in how naiive it is, but people are working on that (see http://spf.pobox.com/ etc).

      How
    • "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

      This fool needs to realize that not everyone is or wants to be a computer expert, or an email specialist just so they can use their email. If every day a barrel of paper junk mail got delivered to your door you'd sure as hell complain, not just arrange to have a paper
  • My view (Score:3, Informative)

    by elid ( 672471 ) <eli DOT ipod AT gmail DOT com> on Friday March 04, 2005 @03:54PM (#11847760)
    OSDir.com: What's the craziest/toughest spamming scheme that the SpamAssassin team has encountered and dealt with?

    Quinlan: That would probably be advance fee fraud, also known as "Nigerian" or "419" scams. These messages are often literally sent individually to each recipient, mutating each time, by scammers typically located somewhere in West Africa. Because they often are sent in low volume, and almost every one is somewhat different, they are a bit tricky to catch.

    An easy solution for home users who don't happen to know anyone from West Africa is to just block all e-mail from there. But even without that, I have had decent success in the past with a combination of SpamAssassin tagging e-mails and Thunderbird filtering. Stay away from OE. Far, far away.

    • An easy solution for home users who don't happen to know anyone from West Africa is to just block all e-mail from there.

      Much of this email comes from free webmail providers. So I don't see how it would help.
    • Most 419's are sent from UK and Dutch ISP's. I'm not going to block all of .uk and .nl, thankyou. 419's may be hard to catch, but they represent pretty low volume. Not really considered a priority. Phishing is getting to be really bad news. Even if you're not dumb enough to fall for it, I bet you'll look real hard at any real correspondence from your bank. That cloud of suspicion is what the banks hate the most.

      And yes, stay way away from OE. The full blown outlook isn't too bad, though it has sever
    • Re:My view (Score:2, Informative)

      by daremonai ( 859175 )
      I have found that Bayesian filtering is essentially 100% effective on 419 scam mail. As is obvious when reading any of them, they have a very distinctive vocabulary...

      The "trick," such as it is, is to maintain three separate Bayes databases - a "good" one, a "spam" one, and a "419" one. Filter with good vs. spam first, and then with good vs. 419. This seems to work better than just lumping 419 mail in with other spam, since as Quinlan notes, the 419 scam mail tends to have little content in common with ot

  • SURBL (Score:5, Interesting)

    by JohnGrahamCumming ( 684871 ) * <slashdotNO@SPAMjgc.org> on Friday March 04, 2005 @03:54PM (#11847763) Homepage Journal

    OSDir.com: What's the most effective anti-spam technology that SpamAssassin uses right now?

    Quinlan: I think network rules are the most effective single technology, in particular, the URI rules that use SURBL, looking for spammer domains in Web links.

    The SURBL can be found here: http://www.surbl.org. It's a very good thing, so much so that spammers are starting to try to get around it by doing stuff like this:
    Copy the following URL removing the space into your browser:

    www. spammer-site.com
    John.

    • The SURBL can be found here: http://www.surbl.org. It's a very good thing,

      I cannot agree with this enough. I wrote my own SURBL-like spam filter before SURBL was available. I mentioned it twice on Slashdot before SURBL and everyone said it wouldn't work, but it was great. The only way you can get a false-positive is if someone sends you a link to a spammer's website in an email that you actually want. Really, how often does that happen?

      I have since expanded my own filter to handle the "copy the fo
      • Is it a Spamassassin rule or a Procmail recipie? If so, can you share? I'm still stuck using SA 2.63 (too much of a pain to migrate right now, since so much was changed between SA 2.63 and SA 3) and I'm sticking with doing some incremental rule upgrades.
    • Re:SURBL (Score:3, Funny)

      by joranbelar ( 567325 )
      Interesting - the whole "copy and remove space" idea is something you see all over the place as an anti-harvesting technique for email addresses (like slashdot employs). Now spammers themselves are using anti-spam measures from within their spam to combat spam filters....

      ow. My brain is starting to hurt.

  • by csoto ( 220540 ) on Friday March 04, 2005 @03:55PM (#11847776)
    IT IS THE BOMB. Spam loads to my work account dropped by orders of magnitude. Now, Mail.app identifies maybe 2 per day, instead of 200+.

    Charles
  • Once again.. (Score:4, Informative)

    by daeg ( 828071 ) on Friday March 04, 2005 @03:58PM (#11847797)
    I've said it before, but I have to promote PopFile (http://popfile.sourceforge.net/ [sourceforge.net]) again. Since doing a bit of training, it now correctly sorts about 99% of my e-mail. I get about 600 messages a day not including mailing lists, and my accuracy is 99.65%. It is generally not susceptible to new spam techniques unless they can match the subject matter that my e-mail typically covers.

    When they start spamming "Linux IPF Apache LOOK! Vi@GR@ makes your peNi$ PHP Bug CSS" I will be concerned.
    • I wouldn't worry too much. I receive spam with "POPFile" as a word in the spam and it still catches it as spam.

      John.
    • I can second that. I have been using popfile for months, and it is currently doing an excellent job of putting my spam in a separate folder from my other correspondence.
      John Sauter (J_Sauter@Empire.Net)
    • by robogun ( 466062 )
      Use SpamPal [spampal.org]. It comes with blacklists, but you can turn it off because the reg expressions that came with it are very effective. There are also modules to decode base64, filter on spammed URLs, clean up web bug crap, block by country etc. & it's free.
  • Am I alone? (Score:4, Informative)

    by The Eagle Maint ( 862053 ) on Friday March 04, 2005 @04:00PM (#11847819)
    Maybe I'm the lucky minority here, or my mail host has some crazy filters I don't know about, but I very, very rarely recieve any type of spam. Now, I don't go handing out my email address either. If I'm signing up for something shady, I use another address at a web-based email account, which does get a lot of spam... but otherwise I use the mail host that comes with my website http://www.surpasshosting.com/ [surpasshosting.com] and Thunderbird as a client, and never see any type of spam.
    • Re:Am I alone? (Score:2, Insightful)

      by bfline ( 859619 )
      I'm with you. I hardly ever get spam. I just don't ever enter a real email address when it asks for one in forms. You know who you are people, who sign up for every contest. This is where you are essentially signing up for spam. I just put a fake address in when I have to fill out a form. I have two addresses, the real one that is just for friends and family and another that I use in cases where I have to use a real address on the web. But I rarely ever use that account.
    • Re:Am I alone? (Score:3, Insightful)

      > Maybe I'm the lucky minority here, or my mail host has some crazy filters I don't know about, but I very, very rarely recieve any type of spam. Now, I don't go handing out my email address either.

      Some of us think that's a really sad state of affairs when you can't have a public email address. I mean yes, there's cranks who might send you flames or whatever, but one shouldn't have to be utterly innundated with crap just for letting everyone know their address.

      Sadder still is that this sort of secrecy
    • you aren't alone. but I also make heavy use of yahoo free accts until I'm comfortable the account isn't being spammed too.

      There was a time though that I wasn't as careful and even with the same email address for over 5 years I'm only getting 2-3 a day at most.


  • A spam "bubble"? (Score:5, Interesting)

    by antifoidulus ( 807088 ) on Friday March 04, 2005 @04:00PM (#11847823) Homepage Journal
    From TFA:
    The greater challenge is that the new techniques never stop coming. It's possible spammers will eventually run out of tricks, but it definitely hasn't happened yet. Most techniques backfire fairly in the long run, and make it more obvious that a message is spam.
    You gotta wonder if there is a spam "bubble" that will burst pretty much like every other bubble. It started the same way, a few scammers got the idea of sending out scams via email and were quite successful, and everyone else started to jump on board. But soon enough(hopefully) people will learn their lesson and spam will slow....maybe I'm putting too much faith in people.
    But it is interesting to see how many "me too" trends there are in spam. Up until about 2 years ago, I never received a 419 scam, but now I get at least one a week. Up until about a year ago, I never received a rolex email(typically the domain of brick and mortar(ok, urine soaked streetcorner) drifters), but now I get a few a day.
    • The problem with the idea of the spam bubble bursting is that spammers don't have the same economic situation that most companies do. Sending out spam to a million people doesn't cost much more than it does to send it to 10,000 - you can increase the number of customers you get without having to increase your "advertising" fees much at all, or having to hire more employees, etc.

      This all means that spammers can be far less successful than any other business, yet still remain in business.
  • How to stop spam (Score:3, Insightful)

    by Merdalors ( 677723 ) on Friday March 04, 2005 @04:02PM (#11847846)
    Two words: Spam Arrest. Zero spam, no filters to nurse, no lost mail.
  • by nizo ( 81281 ) * on Friday March 04, 2005 @04:05PM (#11847883) Homepage Journal
    I bet he has cool business cards:
    Daniel Quinlan - Spam Assassin
    He can tell people his job is to kill spammers. Which reminds me, I wonder if anyone at the IRS actually checks what job title you put on your tax forms?
    • "I wonder if anyone at the IRS actually checks what job title you put on your tax forms? "

      This is the federal government. It's probably someone's exclusive job to not only read it, but hand copy it in blue ink into large 3 ring binders which are then manually typed in by someone else employed full-time to do such an activity.
      • by Anonymous Coward
        So I guess putting "Senior Tax Evader" as my occupation probably wasn't such a good idea?
        • So long as it is honest. You are required by law to report your occupation. You are required by law to report all the income you have. The law does not allow as evidence anything you are forced to reveal (This is known as the fifth amendment). Thus if you put "tax evader" on the forms, and this is your primary occupation they cannot get you on this. They might investigate you, but if you are good at hiding your tracks they can do nothing about it.

          This comes up most often for drug dealers. If you re

          • This comes up most often for drug dealers. If you report a lot of self employment income and list your job is drug dealer, they cannot get you on the easier charge to prove: tax evasion.

            The last time this came up with an officer I personally know (I wasn't directly involved with the case) the drug dealer under indictment for distribution decided to stave off the tax charges by filing a John Doe return. His attorney showed up at the office with a completed tax return and, I kid you not, a briefcase full

        • Re:Business cards (Score:3, Interesting)

          by bsdbigot ( 186157 )
          Although he would disagree that he is a "tax evader," you should check out this guy Larken Rose [3rdear.com], recently under endictment, who qualifies for that title about as much as anyone possibly can. Much interesting reading, there, if you want to know about the inner workings of the IRS and tax laws.
    • I wonder if anyone at the IRS actually checks what job title you put on your tax forms?

      I used to put down Taxpayer. When I was working in the states, just over one half of what I earned went to the government, so it was accurate.

      the AC

  • All I can say is... (Score:5, Interesting)

    by Anthony Boyd ( 242971 ) on Friday March 04, 2005 @04:10PM (#11847944) Homepage

    ...God bless Daniel Quinlan and people like him. I have had a hell of a time with my daughter's email. A LOT of Web sites for kids have a "mail a friend" option. At one point my daughter wanted to use that option on a few sites. These are kid-oriented sites with privacy statements, so the sites felt trustworthy.

    Fast forward to two weeks later, and one of those #@!&^ing sites has sold her email address to every spammer in the nation. My little kid got 196 spams yesterday -- for Viagra, lesbian cheerleader porn, you name it. So I have become heavily interested in every anti-spam product known to man. I've got 'em on the server, and got 'em on the client. Right now, with redundancy, this is 99% accurate, and my daughter gets only messages from friends and family. My biggest problem is not that spam gets through, but that false-positives block a legit message every now & then. That is the area I hope improves the most.

    • by wolf- ( 54587 )
      For my kids, I use a whitelist only system.
      If you aint on the list, you aint gettin through.

      While I despise whitelist only systems in the business world, in this specific situation, it is the only way to ensure that only people the kids know, can email them.

      We dont drop non whitelisted mail. It sits in a file for a while, and we go through it periodically if someone says "hey, I sent you mail" and they were not whitelisted.

    • I've been wondering what'll do when my kid is old enough to have an email address, and so far, the only solution I fully trust involves quarantining messages for parental approval.

      Or maybe a combination of solutions: spamassassin + quarantine of non-whitelisted sources.
      • by bluGill ( 862 )

        Just set up a rule so that your kid cannot open any email that isn't signed with pgp/gpg, with a key in your web of trust. I'm tempted to impose that rule on myself and force my friends to install gpg. (Sadly I'm lazy - I haven't gotten around to making myself a key yet)

    • Why don't you just allow whitelisted mail only (depending on her age)? I know for sure when my kids are old enough for e-mail, they'll start with whitelist-only.
  • Other analogies (Score:5, Insightful)

    by LordOfYourPants ( 145342 ) on Friday March 04, 2005 @04:13PM (#11847973)
    "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

    It seems pretty simple to me: complaining leads to awareness, which leads to action. Maybe a bunch of people on Slashdot griping about spam won't amount to jack, but let Oprah or someone else with a grappling hook or two on the office/church/bar water cooler complain about it and they can make a difference in social attitudes.

    SpamAssassin is a good step but the real problem is the social system which makes spamming possible. How else can you explain a 60-year-old grandmother 1) using her computer as a spam relay, 2) acknowledging it on television, and 3) not seeing it as a problem because it's "legal" and she's getting regular cheques to do so?

    How is it that a social/legal system can be designed to bankrupt and scare the shit out of people who share a few movies or songs but barely put a dent in the people sending out millions of useless, offensive, and content-bordering-on-the-illegal emails? Is there nothing wrong with this?
  • by vasqzr ( 619165 ) <vasqzr@nosPAM.netscape.net> on Friday March 04, 2005 @04:14PM (#11847982)

    A pop3 proxy works great. I recommened SpamBayes

    http://spambayes.sourceforge.net/ [sourceforge.net]
  • My company uses a spam appliance called Meridius. It's based on some proprietary technology and uses spam assassin as a second layer. It has a very slick interface and stops about 97% of spam. Oh and it's made by a Canadian company called BlueCat Networks [bluecatnetworks.com].
  • by the quick brown fox ( 681969 ) on Friday March 04, 2005 @04:22PM (#11848074)
    Quinlan: Any technique that tries to identify "good" mail without authentication backing it up, or some form of personalized training. It worked well for a while, but it's definitely not an effective technique today.

    What's wrong with personalized training? I get more spam than almost anyone I know, and SpamBayes does a fantastic job for me.

    • I think you are reading this as:

      (Any technique that tries to identify "good" mail without authentication backing it up,) OR some form of personalized training.

      But I think the intention was:

      Any technique that tries to identify "good" mail without (authentication backing it up, OR some form of personalized training.)


      It's that comma that's confusing.
    • by Daniel Quinlan ( 153105 ) on Friday March 04, 2005 @04:53PM (#11848401) Homepage
      (groan)

      Someone (the author or some editor) added that comma to my sentence. My original email had no comma there. A clearer phrasing that would not tempt someone into adding punctuation would be:

      [The least effective technique is] Any technique that tries to identify "good" mail with neither authentication backing it up nor some form of personalized training.

      They also removed the name of the company where I work (IronPort [ironport.com]), which struck me as a bit odd considering how my job allows me to do open source was part of the article. I think my employer deserves some kudos for that. Not to mention implying that I'm more than just one of the developers. There are eight commiters, six of them on the Project Management Committee and two of them (Justin Mason and Theo Van Dinter) write at least as much code as me.


  • I admin a handful of domains and I don't use anything except blocklisting by IP address. I get a handful of spam emails per week that regularly get reported to Spamcop. Since I am in regular contact with many of the people that email me, I can be sure to know if I am falsely blocking innocent domains - hasn't happened yet. For some reason it makes many people crazy that my method works for me - so many people think they have the absolute right to contact me if it suits them. I feel that if you do business w
  • by PurpleFloyd ( 149812 ) <zeno20@@@attbi...com> on Friday March 04, 2005 @04:35PM (#11848221) Homepage
    As alluded to in the article, the next chapter in the war against spammers is not going to be in blocking open relays [ordb.org] or known spammers. Rather, more and more spammers are using hordes of broadband-connected and spyware/virus-infested zombie hosts to do their dirty business.

    This has both good and bad aspects. First, the good news: responsible ISPs will be able to block a good portion of spam at their routers and mailservers; it's not hard to detect and blacklist a PC which is spewing the same email to 20,000 different recipients. Unfortunately, it only takes a few poorly-configured ISPs to provide a great deal of bandwidth to spammers. Couple this with Windows' known security holes, and home users' typical apathy regarding patches and security updates, and you have a large pool of potential spam-hosts which cannot be as easily targeted as open relays or specialized spam-spewing servers. After all, if spammers are using a legitimate ISP's mail server to send spam, a remote admin can't block that mail server without also condemning large amounts of legitimate email to deletion, which may well be unacceptable.

    The upshot of all this? The onus of spam filtering is going to be, more and more, on ISPs rather than on recipients. While this has its good side - spam filtered at the source doesn't take up as much precious bandwidth - it also means that filtering will be more difficult for those not close to the source.

    • by Linux_ho ( 205887 ) on Friday March 04, 2005 @05:08PM (#11848511) Homepage
      As alluded to in the article, the next chapter in the war against spammers is not going to be in blocking open relays or known spammers. Rather, more and more spammers are using hordes of broadband-connected and spyware/virus-infested zombie hosts to do their dirty business.
      Uh, where have you been? Non-malware open relays haven't even been on the radar for the last two years. Practically all spam comes from either virus zombies or known spammers hiring offshore ISPs to provide them with 'legit' relays. This isn't a "new trend." It's changed very little over the past couple years, the only trend I've seen lately is that MORE spam is coming from spam-friendly offshore ISPs, who seem to have a nearly endless supply of unblacklisted IP addresses to cycle through. Hello, APNIC?
  • We run a cluster of Barracuda Networks [barracudanetworks.com] spam firewalls. They use mainly open-source software (spam-assassin on Linux, plus lots of other stuff), are super-easy to install, and they advertise on Slashdot. What more do you want?
  • by LuxFX ( 220822 )
    It depends on how you define "spam-free." If you mean that nobody is sending spam, posting blog spam, sending spam over chat networks, etc. then I think the chances are rather slim. If you mean that most people will rarely see [email] spam, then I think it's possible.

    But I think that one would lead to the other. If relatively few people are seeing spam, then suddenly spamming is no longer making money for the spammers, and they would eventually stop actually sending it.

    Of course that's an optimistic sce
  • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Friday March 04, 2005 @04:40PM (#11848276) Homepage
    I drop more stuff these days before it even GETS to spam assassin to be analyzed.
    • Reject if on the spamhaus list
    • Reject if claiming to be your mail server in the helo
    • Reject if claiming to be RFC1918 space in the helo
    • Reject if there isn't a '.' somewhere in the middle of the helo (simple way of checking for FQDN)
    In addition, configure sendmail to do rcpt flood rejects, and even better, enable greet_pause. I've rejected quite a few with those.

    Anything that gets through all of that is then analyzed by spamassassin. WIth Bayesian training, my current threshold is 3.0. Anything legit is normally -2.0 or less. I Totally DROP through mimedefang anything greater than 7.0. Anything from 3-7 is dumped in a special folder on my local account via procmail. I analyze that stuff every now and then to see if it is time to once again lower the thresholds.

    Also, continue to do the RBL checks in spamassassin (although it's a little redundant since I check spamhaus in mimedefang). That way you also get scoring based on SURBL..good stuff.

  • by laxiepoo ( 783224 )
    Spam Bayes with Outlook correctly handles over 95% of my spam.
  • by gvc ( 167165 ) on Friday March 04, 2005 @04:41PM (#11848297)
    The article and the SpamAssassin documentation seem to imply that SpamAssassin is best used as a server-side filter.

    In fact I've found it works great as a personal filter, if you configure it somewhat differently from the way the documentation suggests. That is, increase the weight of the Bayes filter, and have it train itself on every message it classifies. Then correct it on any mistakes it makes - which rapidly become few and far between.

    Here's a paper [uwaterloo.ca] showing that SpamAssassin can achieve as good results as others touted for personal use.

    Unfortunately SpamAssassin is a bit hard to install and set up. But if you have RedHat or Debian Linux, it is available by rpm/apt and you can install a few scripts to make it work.

    I wish I had a better shrink-wrapped version, but I don't. So I'm supplying the raw files for one user in the hopes that (a) somewhat technical people can reproduce the setup and be happy, (b) somebody will make a shrink-wrapped version, perhaps with plugins or extensions or macros for more mail clients.

    Here is the Linux Personal Spamassassin setup [uwaterloo.ca].

  • by deacon ( 40533 ) on Friday March 04, 2005 @04:51PM (#11848381) Journal
    For those of us who prefer to sort manually, using Pine over SSH and leaving all email on the ISP's server works pretty well.

    With a full screen terminal window, I can mark spam based on the name and the subject header. I can recognize spam at a rate of about 10 per second this way. With the names spammer pick, and the mis-spelled subject headers, it is pretty easy to pick them out.

    Using pine, I never give a spammer info by opening web bugs. I can look at the raw email by typing "h" to show the headers, so all those phishing emails are immediately obvious.

    Keeping the email on the isp's server means that when I rebuild a machine, I don't have to worry about about backing up my email.

  • How I beat spam (Score:5, Informative)

    by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Friday March 04, 2005 @05:00PM (#11848443) Homepage Journal
    I just wrote an article [freesoftwaremagazine.com] for this month's issue of Free Software Magazine [freesoftwaremagazine.com] on building spam filters. The long and short of it is that Spam Assassin is a very, very good last line of defense. However, there's a lot you can do to limit the amount of junk that even makes it that far into your system:
    1. Filter the HELO messages. If the sender says "HELO yourownname.example.com", then it's lying and you can safely reject the connection.
    2. Don't be overly picky about reverse DNS lookups, but do check that the domain of the From: address is resolvable. After all, what's the point of getting mail from "spew@nonexistentdomain.com" if you can't reply to them?
    3. Selective DNS blacklists. Do your homework and find a couple that are picky about what they add. Remember: false negatives are much better than false positives!
    4. SPF. It's not a cure all, but it works and it's available today.
    5. Greylisting. Oh, how I love thee!
    6. Finally, Spam Assassin, ClamAV, and other "expensive" defenses.

    Since I implemented the above as a Postfix ruleset, I don't get spam anymore, and it's not exactly like I've actually kept my primary address secret. No, I'm not kidding or exaggerating - basically, my mailbox is my own once again. Viva Postfix! Viva greylisting!

  • How I do it ... (Score:3, Informative)

    by Tripster ( 23407 ) on Friday March 04, 2005 @05:05PM (#11848486) Homepage
    I manage a couple ISP incoming MTAs, they come looking for a anti-spam and anti-virus solution which is easy to provide them in OSS land.

    First Qmail setup to use RBLs ...

    cbl.abuseat.org sbl-xbl.spamhaus.org relays.ordb.org dynablock.njabl.org list.dsbl.org dul.dnsbl.sorbs.net

    That bunch will block a whole lotta spam before it ever gets to discuss sending mail with the SMTP server.

    Next, SimScan from Inter7.com, this little c app runs at the front end of the SMTP process, it will scan incoming mail at SMTP level with ClamAV and SpamAssassin, anything scoring over 10 in SA is dropped at SMTP level with a 5xx error.

    SimScan allows you to fine tune settings on a per domain and per user level if you so desire, so it is easy to turn SA off entirely for a user who wants all the spam they can get, ditto for those who'd rather not be protected from viruses.

    Using these features you stop a LOT of spam, likely in the 80% or higher range. Most domains we've applied this to have gone from hundreds per day to less than 10 per day.

    It is imperative you also use the SURBL features in SA to stop more spam than ever, you should also use Razor2, DCC and Pyzor. I suggest upping the Razor2 scores a bit as well the defaults are quite low.
  • If you don't mind deleting spam manually, that's your prerogative, but don't complain about it.

    Don't complain? Don't complain about dealing with spam? Don't complain about paying money (ISP mail servers cost money, and you pay for them) so that some fucktard breaking the law (spamming is illegal in many places) can waste the time of millions of people every day?

    I'm complaining about you Daniel Quinlan. Go write a filter for me, you're good at it. I'll complain exactly as much as I like. I'll write to

Do you suffer painful illumination? -- Isaac Newton, "Optics"

Working...