Interview With The SpamAssassin
comforteagle writes "Howard Wen has conducted an interview with Daniel Quinlan of SpamAssassin. In it he explores what keeps Daniel motivated in the face of the unrelenting torrent of spam and new spamming techniques, as well as, what is working - what is not, and what he predicts spammers have up their sleeves next for defeating spam detection." From the interview: "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."
gmail has good spam protection (Score:5, Informative)
Re:gmail has good spam protection (Score:4, Interesting)
Re:gmail has good spam protection (Score:5, Interesting)
I'm subscribed to the Linux kernel mailing list with a GMail account and it constantly marks legitimate messages as Spam. Since the emails have such a common format and subject matter, that's really surprising.
On the flip side, many Spam messages and phishing attempts make it through GMail's filter.
My small business mail server running SpamAssassin and some blacklists is much more efficient compared to Gmail.
Cheers,
Andre
Re:gmail has good spam protection (Score:2)
Re:gmail has good spam protection (Score:5, Interesting)
There is a whitelist (Score:2)
Re:There is a whitelist (Score:3, Funny)
I really should have just posted AC, having gotten three replies that went:
1) google radiates golden beneficence, you suck for criticizing them
2) see that "not spam" button? the shiny one? don't lick it, click it! good boy!
3) Use another email client, you're not firewalled or anything, and you configure this client everywhere you go, right? Aren't I clever for knowing about its existence?
My blood pressure really c
Re:There is a whitelist (Score:2)
Didn't I say this already?
Re:There is a whitelist (Score:2)
I suppose they're busier with the interface -- I see they added a fallback "plain HTML" mode for nonsupported browsers. Still, those tags they rave about aren't seeing much usefulness if I can't base other actions like whitelisting off of them.
Re:There is a whitelist (Score:2)
While we're talking about gmail...the fallback "plain HTML" thing annoys me. I use opera 8 beta which understands the javascript gmail has (earlier versions of opera didn't). Suddenly I don't get the neat-o features that would normally work (the only problem I've noticed is that opera doesn't size the sidebar
Re:gmail has good spam protection (Score:2)
T-H-U-N-D-E-R-B-I-R-D
That's right, a decent mail client from the geniuses at Mozilla that filters spam. It's pretty damn accurate once it learns a little...and it includes white and blacklisting.
Re:Why is it... (Score:2)
I use gmail as my primary email. Good enough for you?
Re:gmail has good spam protection (Score:3, Informative)
I've seen several of my filtered messages end up labeled as spam. Since they *were* spam, I was quite happy to see this.
Cloudmark SpamNet (Score:5, Informative)
Disclaimer: No interest in the company. Just a satisfied customer.
Re:Cloudmark SpamNet (Score:2, Informative)
Re:Cloudmark SpamNet (Score:2)
How many of these businesses have failed to remove you from their mailing lists on request? You have actually tried asking them, right?
you'ved been spammed! (Score:2, Funny)
Who has noticed a decrease in the effectiveness of SpamAssassin? I have! Anyone else?
Re:you'ved been spammed! (Score:2)
I still have SpamAssassin running, but I wrote my own spam filter to run before it because SpamAssassin was letting through so much spam. I found that my own filter is far more effective. Perhaps it is only because I can customize it easily (as I wrote the code) to handle what I receive. SpamAssassin has to be generalized for everyone else. Also, SpamAssassin didn't do an IP address lookup on all links in the emails, whi
Re:you'ved been spammed! (Score:3, Informative)
That said, SA has been a saviour of unimaginable proportions. I get 400-600 pieces of spam a day, and normally it's very g
Re:you'ved been spammed! (Score:4, Informative)
Part of the problem with open source spam filters, the Bad Guys can reverse engineer what's currently being tested.
I kinda wish that the SpamAssassin group would separate their tests from their product development, so we could get more frequent updates of the "official" SpamAssassin filters. However, I remember reading somewhere that testing and evaluating any new rules against their current corpus takes quite a long time.
Also, make sure you check out http://www.rulesemporium.com/ for more frequently updated rules.
MOD DOWN PARENT (Score:3, Informative)
From the article:
Re:you'ved been spammed! (Score:2)
I never claimed to have written modules/tests for SpamAssassin. I wrote a completely separate filtering program. Also, it is available for anyone to use if they really want to. I put it in the 'projects' section of my website shaunwagner.com
Re:you'ved been spammed! (Score:2, Funny)
I have been running SpamAssassin for over a year now and have not noticed any real change. 1 or 2 spams get through (out of about 500) every 1 to 2 days. I should add that I also use spamcop, razor, Bayes, server blocks, and in the beginning I wrote many of my own rules. If anything, SpamAssassin is getting better because the inbound spam level goes up, but the amount in my inbox stays the same. These results will vary fro
Complain as much as you can! (Score:5, Interesting)
How the hell do you think the national do-not-call list came about? Because people bitched and complained! I agree there are spam solutions out there but I still think there should be an easier, more fool-proof, and legally backed way of opting out of spam.
Re:Complain as much as you can! (Score:3, Insightful)
This might be a little difficult to do. Spamming is already illegal in the US. But anyone can spam from other countries. And making the US laws apply over there would be difficult.
In my opinion a fix to spam has to come from the software side, not from the government side.
Re:Complain as much as you can! (Score:4, Insightful)
Re:Complain as much as you can! (Score:2, Informative)
Re:Complain as much as you can! (Score:2)
Re: (Score:2)
Re:Complain as much as you can! (Score:2)
It's all China's fault is it? Let me guess, if this was 1980 it would all be the USSR's fault, 1991 Iraq's fault, 1945 Japan's fault, 1955 Communism's fault...
Re:Complain as much as you can! (Score:2)
Re:Complain as much as you can! (Score:2)
Well, the government could help by making it legal to mutilate spammers on the first offense
On a more serious note, just make it legal to go after the companies that hire spammers.
Wait, I like the first idea better. Yeah. Mutilate spammers. And their families.
Re:Complain as much as you can! (Score:3, Insightful)
You're kidding yourself if you think that's the explanation. I reckon 80% of the spam I get is US based. No, I don't know that it's sent from mail servers in the US, probably zombies, but it definitely advertises US products to a US audience. Rx??? Didn't even know what that meant til I got 50 spam a day about it. What the hell is it with you guys and prescription medicine anyway? Approved for a new low rate? Is it reall
Re:Complain as much as you can! (Score:2)
Not sure about the UK, but in Canada and mainland Europe, much of the population is on at least one prescription medication, often anti-depressants. I've seen estimates suggesting that within the next decade or so, nearly half of the population of the industrialized nations will be on various prescription meds to deal with stress, weight, cholesterol, diabetes, and/or cancer, among other things. I've not had a prescription for anything in probably seven years, and not for anythi
Re:Complain as much as you can! (Score:3, Insightful)
Re:Complain as much as you can! (Score:5, Informative)
This is false. The SpamHaus list [spamhaus.org] shows the USA hosts more spammers than the other countries put together.
the FBI who has bigger fish to fry
This is somewhat true. We won't put a dent in spam from a legal perspective until a federal agency devotes some serious infrastructure to the job.
That's mainly due to lack of willpower and expertise rather than funding, however. A competent "Spam Czar" armed with the authority to seize spammers' personal assets could easily achieve self-funded operation within a year.
Corruption! (Score:2)
It's hard to picture a shorter route to corruption. When law enforcement officers fund themselves by taking stuff, the main incentive isn't to serve justice any more, it's to ... take stuff. This is exactly the problem faced by a lot of the former Soviet Union and Latin America: When the government can't (or won't) pay police enough to have a decent standard of living, they go into business for
Re:Complain as much as you can! (Score:2)
American laws are not enforceable in
Given that trademark, copyright, etc, laws are not universally accepted/enforced, I'm thinking this is something that can not be outlawed.
A smallish part of the problem is that the SMTP protocol is broken in how naive it is, but people are working on that (see http://spf.pobox.com/ etc).
How
Re:Complain as much as you can! (Score:3, Insightful)
This fool needs to realize that not everyone is or wants to be a computer expert, or an email specialist just so they can use their email. If every day a barrel of paper junk mail got delivered to your door you'd sure as hell complain, not just arrange to have a paper
My view (Score:3, Informative)
Quinlan: That would probably be advance fee fraud, also known as "Nigerian" or "419" scams. These messages are often literally sent individually to each recipient, mutating each time, by scammers typically located somewhere in West Africa. Because they often are sent in low volume, and almost every one is somewhat different, they are a bit tricky to catch.
An easy solution for home users who don't happen to know anyone from West Africa is to just block all e-mail from there. But even without that, I have had decent success in the past with a combination of SpamAssassin tagging e-mails and Thunderbird filtering. Stay away from OE. Far, far away.
Re:My view (Score:2)
Much of this email comes from free webmail providers. So I don't see how it would help.
Re:My view (Score:2)
And yes, stay way away from OE. The full blown outlook isn't too bad, though it has sever
Re:My view (Score:2, Informative)
The "trick," such as it is, is to maintain three separate Bayes databases - a "good" one, a "spam" one, and a "419" one. Filter with good vs. spam first, and then with good vs. 419. This seems to work better than just lumping 419 mail in with other spam, since as Quinlan notes, the 419 scam mail tends to have little content in common with ot
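The two-stage filtering described in the comment above, as an added example that is not the poster's code: three per-class token databases and a cascade that runs good vs. spam first and good vs. 419 second. The smoothing, the zero threshold and the tiny constructed corpora are assumptions made for illustration.

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9']+")


def tokens(text):
    """Distinct lower-cased words; presence per message is what gets counted."""
    return set(WORD.findall(text.lower()))


class BayesDB:
    """One database: in how many training messages of a class each token appeared."""

    def __init__(self, messages):
        self.seen = Counter()
        self.total = 0
        for text in messages:
            self.seen.update(tokens(text))
            self.total += 1

    def prob(self, token):
        # Laplace smoothing so an unseen token never gives probability 0.
        return (self.seen[token] + 1) / (self.total + 2)


def log_odds(text, good, bad):
    """Sum of log P(token|bad)/P(token|good); positive means 'looks like bad'."""
    return sum(math.log(bad.prob(t) / good.prob(t)) for t in tokens(text))


def classify(text, good, spam, scam419, threshold=0.0):
    """Stage 1: good vs. spam. Stage 2, only if stage 1 passes: good vs. 419."""
    if log_odds(text, good, spam) > threshold:
        return "spam"
    if log_odds(text, good, scam419) > threshold:
        return "419"
    return "good"


# Constructed training corpora, three messages per class.
GOOD = BayesDB([
    "patch for the kernel scheduler attached please review",
    "lunch meeting moved to friday see agenda attached",
    "your invoice for the server hosting is attached",
])
SPAM = BayesDB([
    "cheap pills online no prescription order now",
    "replica watches cheap order now free shipping",
    "lowest mortgage rate approved apply online now",
])
SCAM419 = BayesDB([
    "dear friend i am the son of the late minister and need your assistance to transfer funds",
    "urgent confidential business proposal transfer of funds to your account dear sir",
    "i am a bank manager seeking your assistance to claim the funds of a late customer",
])

# Constructed test messages.
SCAM_SAMPLE = "dear sir i need your urgent assistance to transfer the funds of my late father"
SPAM_SAMPLE = "order cheap pills now"
GOOD_SAMPLE = "please review the attached agenda for friday"

if __name__ == "__main__":
    for sample in (SCAM_SAMPLE, SPAM_SAMPLE, GOOD_SAMPLE):
        print(classify(sample, GOOD, SPAM, SCAM419), "<-", sample)
```

The scam sample shares no vocabulary with the spam corpus, so it scores as non-spam in stage 1 and is only caught by the dedicated 419 database in stage 2.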
SURBL (Score:5, Interesting)
The SURBL can be found here: http://www.surbl.org. It's a very good thing, so much so that spammers are starting to try to get around it by doing stuff like this: John.
Re:SURBL (Score:2)
I cannot agree with this enough. I wrote my own SURBL-like spam filter before SURBL was available. I mentioned it twice on Slashdot before SURBL and everyone said it wouldn't work, but it was great. The only way you can get a false-positive is if someone sends you a link to a spammer's website in an email that you actually want. Really, how often does that happen?
I have since expanded my own filter to handle the "copy the fo
Re:SURBL (Score:2)
Re:SURBL (Score:2)
Re:SURBL (Score:3, Funny)
ow. My brain is starting to hurt.
Re:SURBL (Score:2)
We use a Brightmail tool on Ironport appliances (Score:3, Informative)
Charles
Re:We use a Brightmail tool on Ironport appliances (Score:2)
Once again.. (Score:4, Informative)
When they start spamming "Linux IPF Apache LOOK! Vi@GR@ makes your peNi$ PHP Bug CSS" I will be concerned.
Re:Once again.. (Score:2)
John.
popfile (Score:2)
John Sauter (J_Sauter@Empire.Net)
& for Windoze users... (Score:3, Informative)
Am I alone? (Score:4, Informative)
Re:Am I alone? (Score:2, Insightful)
Re:Am I alone? (Score:3, Insightful)
Some of us think that's a really sad state of affairs when you can't have a public email address. I mean yes, there's cranks who might send you flames or whatever, but one shouldn't have to be utterly inundated with crap just for letting everyone know their address.
Sadder still is that this sort of secrecy
Re:Am I alone? (Score:2)
There was a time though that I wasn't as careful and even with the same email address for over 5 years I'm only getting 2-3 a day at most.
Re:Am I alone? (Score:3, Informative)
A spam "bubble"? (Score:5, Interesting)
The greater challenge is that the new techniques never stop coming. It's possible spammers will eventually run out of tricks, but it definitely hasn't happened yet. Most techniques backfire fairly in the long run, and make it more obvious that a message is spam.
You gotta wonder if there is a spam "bubble" that will burst pretty much like every other bubble. It started the same way, a few scammers got the idea of sending out scams via email and were quite successful, and everyone else started to jump on board. But soon enough (hopefully) people will learn their lesson and spam will slow... maybe I'm putting too much faith in people.
But it is interesting to see how many "me too" trends there are in spam. Up until about 2 years ago, I never received a 419 scam, but now I get at least one a week. Up until about a year ago, I never received a Rolex email (typically the domain of brick and mortar (ok, urine soaked streetcorner) drifters), but now I get a few a day.
Re:A spam "bubble"? (Score:2, Insightful)
This all means that spammers can be far less successful than any other business, yet still remain in business.
Re:A spam "bubble"? (Score:2)
Not to sound too cynical, but:
1) Stupid people are also resistant to education.
2) There's a sucker born every minute.
Sure, education is great, but I really am not holding my breat
How to stop spam (Score:3, Insightful)
Business cards (Score:5, Funny)
Daniel Quinlan - Spam Assassin
He can tell people his job is to kill spammers. Which reminds me, I wonder if anyone at the IRS actually checks what job title you put on your tax forms?
Re:Business cards (Score:3, Funny)
This is the federal government. It's probably someone's exclusive job to not only read it, but hand copy it in blue ink into large 3 ring binders which are then manually typed in by someone else employed full-time to do such an activity.
Re:Business cards (Score:3, Funny)
Re:Business cards (Score:2)
So long as it is honest. You are required by law to report your occupation. You are required by law to report all the income you have. The law does not allow as evidence anything you are forced to reveal (This is known as the fifth amendment). Thus if you put "tax evader" on the forms, and this is your primary occupation they cannot get you on this. They might investigate you, but if you are good at hiding your tracks they can do nothing about it.
This comes up most often for drug dealers. If you re
Re:Business cards (Score:3, Funny)
The last time this came up with an officer I personally know (I wasn't directly involved with the case) the drug dealer under indictment for distribution decided to stave off the tax charges by filing a John Doe return. His attorney showed up at the office with a completed tax return and, I kid you not, a briefcase full
Re:Business cards (Score:3, Interesting)
Re:Business cards (Score:2)
I used to put down Taxpayer. When I was working in the states, just over one half of what I earned went to the government, so it was accurate.
the AC
All I can say is... (Score:5, Interesting)
...God bless Daniel Quinlan and people like him. I have had a hell of a time with my daughter's email. A LOT of Web sites for kids have a "mail a friend" option. At one point my daughter wanted to use that option on a few sites. These are kid-oriented sites with privacy statements, so the sites felt trustworthy.
Fast forward to two weeks later, and one of those #@!&^ing sites has sold her email address to every spammer in the nation. My little kid got 196 spams yesterday -- for Viagra, lesbian cheerleader porn, you name it. So I have become heavily interested in every anti-spam product known to man. I've got 'em on the server, and got 'em on the client. Right now, with redundancy, this is 99% accurate, and my daughter gets only messages from friends and family. My biggest problem is not that spam gets through, but that false-positives block a legit message every now & then. That is the area I hope improves the most.
Re:All I can say is... (Score:3, Insightful)
If you ain't on the list, you ain't gettin through.
While I despise whitelist-only systems in the business world, in this specific situation, it is the only way to ensure that only people the kids know can email them.
We don't drop non-whitelisted mail. It sits in a file for a while, and we go through it periodically if someone says "hey, I sent you mail" and they were not whitelisted.
Re:All I can say is... (Score:2)
Or maybe a combination of solutions: spamassassin + quarantine of non-whitelisted sources.
GPG (Score:2)
Just set up a rule so that your kid cannot open any email that isn't signed with pgp/gpg, with a key in your web of trust. I'm tempted to impose that rule on myself and force my friends to install gpg. (Sadly I'm lazy - I haven't gotten around to making myself a key yet)
Re:All I can say is... (Score:2)
Other analogies (Score:5, Insightful)
It seems pretty simple to me: complaining leads to awareness, which leads to action. Maybe a bunch of people on Slashdot griping about spam won't amount to jack, but let Oprah or someone else with a grappling hook or two on the office/church/bar water cooler complain about it and they can make a difference in social attitudes.
SpamAssassin is a good step but the real problem is the social system which makes spamming possible. How else can you explain a 60-year-old grandmother 1) using her computer as a spam relay, 2) acknowledging it on television, and 3) not seeing it as a problem because it's "legal" and she's getting regular cheques to do so?
How is it that a social/legal system can be designed to bankrupt and scare the shit out of people who share a few movies or songs but barely put a dent in the people sending out millions of useless, offensive, and content-bordering-on-the-illegal emails? Is there nothing wrong with this?
Re:Other analogies (Score:2)
If you can't run your own mailserver... (Score:4, Informative)
A pop3 proxy works great. I recommend SpamBayes
http://spambayes.sourceforge.net/
Meridius Spam Appliance (Score:2, Offtopic)
personalized training (Score:3, Informative)
What's wrong with personalized training? I get more spam than almost anyone I know, and SpamBayes does a fantastic job for me.
Re:personalized training (Score:2)
(Any technique that tries to identify "good" mail without authentication backing it up,) OR some form of personalized training.
But I think the intention was:
Any technique that tries to identify "good" mail without (authentication backing it up, OR some form of personalized training.)
It's that comma that's confusing.
Re:personalized training (Score:5, Insightful)
Someone (the author or some editor) added that comma to my sentence. My original email had no comma there. A clearer phrasing that would not tempt someone into adding punctuation would be:
They also removed the name of the company where I work (IronPort [ironport.com]), which struck me as a bit odd considering how my job allows me to do open source was part of the article. I think my employer deserves some kudos for that. Not to mention implying that I'm more than just one of the developers. There are eight committers, six of them on the Project Management Committee and two of them (Justin Mason and Theo Van Dinter) write at least as much code as me.
I don't use it (Score:2)
I admin a handful of domains and I don't use anything except blocklisting by IP address. I get a handful of spam emails per week that regularly get reported to Spamcop. Since I am in regular contact with many of the people that email me, I can be sure to know if I am falsely blocking innocent domains - hasn't happened yet. For some reason it makes many people crazy that my method works for me - so many people think they have the absolute right to contact me if it suits them. I feel that if you do business w
The next frontier in spam fighting (Score:5, Insightful)
This has both good and bad aspects. First, the good news: responsible ISPs will be able to block a good portion of spam at their routers and mailservers; it's not hard to detect and blacklist a PC which is spewing the same email to 20,000 different recipients. Unfortunately, it only takes a few poorly-configured ISPs to provide a great deal of bandwidth to spammers. Couple this with Windows' known security holes, and home users' typical apathy regarding patches and security updates, and you have a large pool of potential spam-hosts which cannot be as easily targeted as open relays or specialized spam-spewing servers. After all, if spammers are using a legitimate ISP's mail server to send spam, a remote admin can't block that mail server without also condemning large amounts of legitimate email to deletion, which may well be unacceptable.
The upshot of all this? The onus of spam filtering is going to be, more and more, on ISPs rather than on recipients. While this has its good side - spam filtered at the source doesn't take up as much precious bandwidth - it also means that filtering will be more difficult for those not close to the source.
Re:The next frontier in spam fighting (Score:4, Insightful)
Might as well p1mp my fave too... (Score:2)
remember the economics (Score:2, Insightful)
But I think that one would lead to the other. If relatively few people are seeing spam, then suddenly spamming is no longer making money for the spammers, and they would eventually stop actually sending it.
Of course that's an optimistic sce
spamass + mimedefang milter == peace (Score:3, Interesting)
Anything that gets through all of that is then analyzed by spamassassin. With Bayesian training, my current threshold is 3.0. Anything legit is normally -2.0 or less. I totally DROP through mimedefang anything greater than 7.0. Anything from 3-7 is dumped in a special folder on my local account via procmail. I analyze that stuff every now and then to see if it is time to once again lower the thresholds.
Also, continue to do the RBL checks in spamassassin (although it's a little redundant since I check spamhaus in mimedefang). That way you also get scoring based on SURBL..good stuff.
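The three tiers from the comment above (below 3.0 delivered, 3.0 to 7.0 filed in a folder, above 7.0 dropped), as an added example that is not the poster's MIMEDefang or procmail configuration. It reads the score from SpamAssassin's X-Spam-Status header; the "review" outcome for a missing or duplicated header and the sample messages are assumptions of this sketch.

```python
import re
from email import message_from_string

TAG_AT = 3.0      # from the post: required score of 3.0
DROP_ABOVE = 7.0  # from the post: anything greater than 7.0 is dropped outright

# SpamAssassin 3.x writes "score=", 2.x wrote "hits="; scores may be negative.
SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")


def spam_score(raw_message):
    """Score from the X-Spam-Status header, or None if missing or ambiguous."""
    headers = message_from_string(raw_message).get_all("X-Spam-Status", [])
    if len(headers) != 1:   # none, or an extra copy that may be sender-supplied
        return None
    match = SCORE_RE.search(headers[0])
    return float(match.group(1)) if match else None


def disposition(raw_message):
    """deliver / folder / drop per the post's tiers; 'review' if no usable score."""
    score = spam_score(raw_message)
    if score is None:
        return "review"     # an unscored message is neither dropped nor trusted
    if score > DROP_ABOVE:
        return "drop"
    if score >= TAG_AT:
        return "folder"
    return "deliver"


def make_message(*status_values):
    """Constructed test message carrying the given X-Spam-Status values."""
    head = "".join(f"X-Spam-Status: {v}\n" for v in status_values)
    return head + "Subject: sample\n\nbody\n"


# Constructed samples, including both boundaries and a folded header.
SAMPLES = {
    "ham": make_message("No, score=-2.3 required=3.0 tests=BAYES_00"),
    "edge_low": make_message("Yes, score=3.0 required=3.0 tests=BAYES_50"),
    "edge_high": make_message("Yes, score=7.0 required=3.0\n\ttests=BAYES_99"),
    "bulk": make_message("Yes, hits=12.4 required=3.0 tests=BAYES_99"),
    "forged": make_message("No, score=-9.9 required=3.0", "Yes, score=8.1 required=3.0"),
    "unscanned": make_message(),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {disposition(raw)}")
```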
Two words: Spam Bayes (Score:2, Informative)
Spamassassin much better with personal training (Score:4, Informative)
In fact I've found it works great as a personal filter, if you configure it somewhat differently from the way the documentation suggests. That is, increase the weight of the Bayes filter, and have it train itself on every message it classifies. Then correct it on any mistakes it makes - which rapidly become few and far between.
Here's a paper [uwaterloo.ca] showing that SpamAssassin can achieve as good results as others touted for personal use.
Unfortunately SpamAssassin is a bit hard to install and set up. But if you have RedHat or Debian Linux, it is available by rpm/apt and you can install a few scripts to make it work.
I wish I had a better shrink-wrapped version, but I don't. So I'm supplying the raw files for one user in the hopes that (a) somewhat technical people can reproduce the setup and be happy, (b) somebody will make a shrink-wrapped version, perhaps with plugins or extensions or macros for more mail clients.
Here is the Linux Personal Spamassassin setup [uwaterloo.ca].
Easy manual sorting.. (Score:4, Informative)
With a full screen terminal window, I can mark spam based on the name and the subject header. I can recognize spam at a rate of about 10 per second this way. With the names spammers pick, and the mis-spelled subject headers, it is pretty easy to pick them out.
Using pine, I never give a spammer info by opening web bugs. I can look at the raw email by typing "h" to show the headers, so all those phishing emails are immediately obvious.
Keeping the email on the isp's server means that when I rebuild a machine, I don't have to worry about backing up my email.
How I beat spam (Score:5, Informative)
Since I implemented the above as a Postfix ruleset, I don't get spam anymore, and it's not exactly like I've actually kept my primary address secret. No, I'm not kidding or exaggerating - basically, my mailbox is my own once again. Viva Postfix! Viva greylisting!
Re:How I beat spam (Score:2)
How I do it ... (Score:3, Informative)
First Qmail setup to use RBLs
cbl.abuseat.org sbl-xbl.spamhaus.org relays.ordb.org dynablock.njabl.org list.dsbl.org dul.dnsbl.sorbs.net
That bunch will block a whole lotta spam before it ever gets to discuss sending mail with the SMTP server.
Next, SimScan from Inter7.com, this little C app runs at the front end of the SMTP process, it will scan incoming mail at SMTP level with ClamAV and SpamAssassin, anything scoring over 10 in SA is dropped at SMTP level with a 5xx error.
SimScan allows you to fine tune settings on a per domain and per user level if you so desire, so it is easy to turn SA off entirely for a user who wants all the spam they can get, ditto for those who'd rather not be protected from viruses.
Using these features you stop a LOT of spam, likely in the 80% or higher range. Most domains we've applied this to have gone from hundreds per day to less than 10 per day.
It is imperative you also use the SURBL features in SA to stop more spam than ever; you should also use Razor2, DCC and Pyzor. I suggest upping the Razor2 scores a bit as well; the defaults are quite low.
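How the two kinds of lookup mentioned in this post and in the SURBL comments earlier in the thread are formed, as an added example that is not code from any poster or from SpamAssassin: the connecting IP is reversed and queried under each RBL zone, and the domain of every link in the body is queried under a URI zone. The zone `multi.surbl.org`, the two-label domain shortcut and the stub resolver data are assumptions; whether the listed zones still operate is not assumed.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# IP zones exactly as listed in the post; whether each still operates is not assumed.
IP_ZONES = ("cbl.abuseat.org", "sbl-xbl.spamhaus.org", "relays.ordb.org",
            "dynablock.njabl.org", "list.dsbl.org", "dul.dnsbl.sorbs.net")
URI_ZONE = "multi.surbl.org"  # assumption: SURBL's combined zone, not named on the page

LISTED = ipaddress.ip_network("127.0.0.0/8")       # listings are answered from here
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error codes, not listings
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def reversed_ip(ip):
    """'192.0.2.99' -> '99.2.0.192'; IPv6 becomes reversed nibbles."""
    return ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]


def system_resolver(name):
    """A records for name via the system resolver; [] on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listing(answers):
    """Only 127.0.0.0/8 answers count, so a parked or hijacked zone lists nothing."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    return any(a in LISTED and a not in ERRORS for a in addrs)


def uri_key(host):
    """Reversed IP for literals, else the last two labels (simplification:
    real clients consult a list of two-level TLDs such as co.uk)."""
    try:
        return reversed_ip(host)
    except ValueError:
        return ".".join(host.lower().rstrip(".").split(".")[-2:])


def uri_keys(body):
    """Distinct lookup keys for every http(s) link in the body, in order."""
    keys = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue
        if host and uri_key(host) not in keys:
            keys.append(uri_key(host))
    return keys


def check_message(client_ip, body, resolve=system_resolver):
    """Names that came back listed, for the connecting IP and for every link."""
    names = [f"{reversed_ip(client_ip)}.{zone}" for zone in IP_ZONES]
    names += [f"{key}.{URI_ZONE}" for key in uri_keys(body)]
    return [name for name in names if is_listing(resolve(name))]


# Constructed sample data: a stub resolver so the example runs offline.
FAKE_DNS = {
    "99.2.0.192.cbl.abuseat.org": ["127.0.0.2"],             # listed
    "99.2.0.192.relays.ordb.org": ["203.0.113.10"],          # non-127 answer: ignored
    "99.2.0.192.sbl-xbl.spamhaus.org": ["127.255.255.254"],  # error code: ignored
    "pills.example.multi.surbl.org": ["127.0.0.4"],          # listed link domain
}
SAMPLE_BODY = ("Buy now: http://www.pills.example/buy?id=1 (or "
               "http://WWW.PILLS.EXAMPLE/again), docs at http://intranet.example.org/")


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(check_message("192.0.2.99", SAMPLE_BODY, fake_resolver))
```

Accepting only 127.0.0.0/8 answers matters for zone lists copied from old posts: a zone that now resolves to a parking address would otherwise appear to list every sender.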
Don't complain! (Score:2)
Don't complain? Don't complain about dealing with spam? Don't complain about paying money (ISP mail servers cost money, and you pay for them) so that some fucktard breaking the law (spamming is illegal in many places) can waste the time of millions of people every day?
I'm complaining about you Daniel Quinlan. Go write a filter for me, you're good at it. I'll complain exactly as much as I like. I'll write to
Re:Your best choice (Score:2)
Bollocks (Score:2)
Re:Your best choice (Score:3, Insightful)
If you can't use your own address then your spam filters suck. I will not let spammers decide where and with whom I share my address. It is mine, and I'll do what it takes to defend it.
Re:DSPAM (Score:2)