Collateral Damage in the Spam War
MarkedMan writes "The link points to a well-researched article on Spam lists and those innocently appended to them. I have seen this myself with MailWasher. A posting will come through as potential spam, with the bounce already red-flagged, but it is actually from a legitimate source. Only happens once or twice a month but still cause for worry."
I've found that Spam Assassin has made life easier, but I still have to ban domains like yahoo.com, hotmail.com, mail.com - and *.ru and *.cn. I sort through the spam periodically, but the collateral damage is still there.
A number of spam filters and spam blocking agents will mark a message as SPAM if it is only Bcc'd or CC'd. If you're going to Bcc -- at least make sure you have 1 To recipient else you may end up in the SPAM Folder.
I've been using spambouncer for quite a long time and I've found that it catches more spam than Spam Assassin does.
As with any anti-spam measure you have to keep an eye on it when you set it up, to check that everything is working and you aren't blocking legitimate mail. Any anti-spam software you use will either let some spam through, or catch legitimate mail. Add some procmail scripts to sort any mailing list mail you are on into their own folders, block To: Friend@Public.com and the like, and you have a pretty robust system.
I've also found that blocking messages with malformed headers helps a lot on spam... For example, the following Procmail recipe blocks all messages that are HTML only without a charset, which is common on spam mailings, and has never caught a legitimate mail for me:
:0 fhw
* ^Content-type: text/html
* ! html; charset=
* ! from hotmail
| ${FORMAIL} -A"X-Spammers: text/html only message"
:0:
* ^X-Spammers:
spam
Your Mileage May Vary
Do you Gentoo!?
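The three header checks suggested in the posts above (a text/html body with no charset, excused for hotmail senders; no To: header at all, which is what a Bcc-only or Cc-only message looks like; and a fixed To: Friend@Public.com), as an added example in Python. This is not code from any of the posts: the heuristic names, the X-Spammers: header and the sample messages are all constructed for the demonstration.

```python
"""Added example, not code from the posts above: the header checks they
describe, applied to constructed sample messages.

  - text/html body with no charset parameter, excused when From: mentions
    hotmail (the procmail recipe)
  - no To: header at all (the Bcc-only / Cc-only case)
  - To: Friend@Public.com (the procmail-script suggestion)

The heuristic names and the X-Spammers: header are this example's own."""
from email import message_from_string
from email.message import Message


def html_without_charset(msg: Message) -> bool:
    """Top-level Content-Type is text/html and declares no charset."""
    if msg.get_content_type() != "text/html":
        return False
    if msg.get_param("charset") is not None:
        return False
    # The recipe excuses hotmail senders, who sent such mail at the time.
    return "hotmail" not in (msg.get("From") or "").lower()


def no_to_header(msg: Message) -> bool:
    """Message reached us only via Cc: or Bcc:, so there is no To: line."""
    return msg.get("To") is None


def bogus_to(msg: Message) -> bool:
    """A fixed placeholder recipient used by bulk mailers."""
    return (msg.get("To") or "").strip().lower() == "friend@public.com"


HEURISTICS = [
    ("html-no-charset", html_without_charset),
    ("no-to-header", no_to_header),
    ("bogus-to", bogus_to),
]


def classify(raw: str) -> list:
    """Names of every heuristic that fires on the raw message text."""
    msg = message_from_string(raw)
    return [name for name, check in HEURISTICS if check(msg)]


def tag(raw: str) -> str:
    """Like `formail -A`: prepend an X-Spammers: header listing the hits,
    leaving the message untouched when nothing fired."""
    hits = classify(raw)
    if not hits:
        return raw
    return "X-Spammers: " + ", ".join(hits) + "\n" + raw


# Constructed sample messages for the demo (not captured mail).
HTML_NO_CHARSET = (
    "From: promo@example.net\n"
    "To: victim@example.com\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body>Buy now</body></html>\n"
)
HTML_WITH_CHARSET = (
    "From: friend@example.org\n"
    "To: victim@example.com\n"
    "Content-Type: text/html; charset=\"iso-8859-1\"\n"
    "\n"
    "<html><body>hi</body></html>\n"
)
HOTMAIL_NO_CHARSET = (
    "From: someone@hotmail.com\n"
    "To: victim@example.com\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body>hi</body></html>\n"
)
BCC_ONLY = (
    "From: promo@example.net\n"
    "Subject: special offer\n"
    "\n"
    "plain text\n"
)
FRIEND = (
    "From: promo@example.net\n"
    "To: Friend@Public.com\n"
    "\n"
    "plain text\n"
)

if __name__ == "__main__":
    for label, raw in [("html", HTML_NO_CHARSET), ("html+charset", HTML_WITH_CHARSET),
                       ("hotmail", HOTMAIL_NO_CHARSET), ("bcc", BCC_ONLY), ("friend", FRIEND)]:
        print(label, classify(raw))
```

The checks only read headers, so they are cheap and can run before any body scan; the cost, as the thread keeps pointing out, is that each one is a guess about how legitimate mail looks, so the tagged messages should land in a folder you review rather than be discarded.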
I think the "peer pressure" idea is becoming a bit of a "dinosaur" from the days of the mom-and-pop ISP. In the past, except for AOL, you didn't really have many large ISPs that kept on large numbers of spamming users.
The small ISPs would be pretty responsive to complaints, or if they weren't - they'd feel the pain of getting blacklisted, and would usually give in and kick off their problem users.
Nowadays, with most customers on one of a handful of giant ISPs, it's no longer effective or realistic to ban the whole ISP. (E.g. with the number of customers Earthlink has, can you really expect them to always keep *every* user with an open relay off of their network? Even if they hired whole teams of people just to perform that one task, new people with open relays would subscribe faster than they could discover them. Hence, Earthlink would almost always be on a blacklist.)
This is essential if you want to report spam to the sender's ISP. Otherwise, you report addresses being abused by spammers. It's also a useful filtering tool; an e-mail with inconsistent headers is probably spam.
My e-mail address was recently harvested by a spammer. I started getting SPAM from the listed domains but the only problem was the mail didn't show up as from yahoo, hotmail or mail in my mail log. Turns out the spammer was forging the return address and sending through an open relay. So I learned about how to set up sendmail to filter incoming mail through the Open Relay Database (ORDB). That particular spam problem has now disappeared. It helps when you run your own mail server but if I can figure this out in less than a day then a paid sysadmin at an ISP, company or school should also be able to do it.
You can find out more about the ORDB here and this site has very simple instructions for setting up sendmail to use the ORDB filter. Sendmail.org has quite a bit of additional stuff you can do to filter SPAM and still let legitimate e-mail through. ORDB also has solutions for people who don't run their own mail server and just connect someplace with a mail client to get their mail.
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
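How the ORDB-style check in the post above actually works inside an MTA, as an added example (not the poster's sendmail setup and not ORDB's code). A DNS-based blocklist is queried by reversing the connecting relay's IPv4 octets and appending the list's zone; a 127.0.0.x A record means "listed", NXDOMAIN means "not listed". ORDB itself closed in 2006, so the zone name here is a placeholder, and the resolver is injectable so the demo runs offline against a constructed fake zone.

```python
"""Added example, not the original post's setup and not ORDB's code: how an
MTA consults a DNS-based blocklist for the connecting relay's address.  The
zone name is a placeholder and the resolver is injectable so the demo runs
offline against a constructed fake zone."""
import ipaddress
import socket


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # rejects junk before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip: str, zone: str, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer code if the address is listed, else None.

    NXDOMAIN means not listed.  An answer outside 127.0.0.0/8 is also treated
    as not listed: a lapsed or hijacked zone that wildcards every name would
    otherwise turn the filter into a reject-all rule."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None
    try:
        code = ipaddress.IPv4Address(answer)
    except ValueError:
        return None
    if code not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return str(code)


# Constructed fake zone for the demo: one listed open relay.
FAKE_ZONE = {"4.3.2.1.relays.dnsbl.example": "127.0.0.2"}


def fake_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname backed by FAKE_ZONE."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror(-2, "Name or service not known")


def smtp_reject_reason(client_ip: str, zone: str = "relays.dnsbl.example",
                       resolve=fake_resolve):
    """What an MTA would answer at connection time, or None to accept."""
    code = check_dnsbl(client_ip, zone, resolve)
    if code is None:
        return None
    return f"550 Mail from {client_ip} refused; listed in {zone} ({code})"


if __name__ == "__main__":
    for ip in ("1.2.3.4", "10.0.0.1"):
        print(ip, smtp_reject_reason(ip))
```

Sendmail's m4 `FEATURE(`dnsbl', `<zone>')` does the same lookup in the MTA. The 127.0.0.0/8 check is the caveat worth keeping: blocklist zones come and go, and a zone that starts answering every query will silently reject all of your mail unless the answer is sanity-checked.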
Before the earthlink "merger of equals", Mindspring had Harry. Harry absolutely rocked the abuse department. He worked together with the other admins (it helped that he was a Senior Admin in skill level) and they'd think up all kinds of interesting ways to "abuse" spammers. We'd catch them pretty fast if they were spamming from our network. One of my favorites was sending +++ATH0 in a formatted ping packet to their modem to disconnect them, or sending thousands of spam messages back to their email client depending on what they used. Their port would be disconnected quickly. I think we had a 3 strikes and you are an ex-customer rule. Jan also rocked the news servers. I'm not sure how earthlink is handling things now post merger. I didn't hang around. :) At the time, we were number 2 in the world, and fighting spam very well. The "SPAMINATOR" product was very much loved by customers. I heard through the grapevine that it's basically a joke now, and doesn't work.
The most important thing any republican needs to know.
When I was in university and making web pages and stuff, I used to get tonnes of spam. When I posted to newsgroups I got tonnes of spam. However, these days, I just have two addresses... one for personal email, and the other for work email, and I rarely ever get spammed.
My personal email address is a yahoo account, and work email is provided from the company I work for. I give out my email addresses to friends and lots of contacts from work (and it's printed on my business cards).
I NEVER do these things:
-post to newsgroups with a real address,
-put my personal address on a website,
-give a real address when filling out surveys, etc. online
-sign up for newsletters
-give my email to anyone who asks over the phone ("Sorry, I don't have a computer, but yes, I'd like to order that CD-ROM drive")
-give my email address to Radio Shack
-enter my personal info into my browser
Basically, I just refuse to allow my email address to proliferate. If I do happen to get spammed, I just don't reply, and it tends to go away, but it's really rare anyway.
Of course, if I ran a website, I'd create a unique email address just for that purpose, and I'd expect to have the sh!t spammed out of it, but at least it would be separate from my real addresses.
"I have never let my schooling interfere with my education." - Mark Twain
Randomly? Yes, that's wrong. However, you can cut that 3X10^12 down to around 3X10^6 merely by running a dictionary file filled with common last names and appending one or two letters after. How do I know this? My personal email address is mccallclAThotmailDOTcom, and many of the spams I receive are also addressed to mccallca, mccallcb, mccallcc and so on.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
TMDA takes advantage of this sort of thing. So it does what you're talking about, but it also adds a cryptographic hash onto the extension to verify that you in fact were the person who generated the extension. So my equivalent of what you're doing would be:
mark-keyword-slashdot.abc123@hornclan.com
mark-keyword-msn.a1b2c3@hornclan.com
The generation of the hash depends on a secret 140bit key that only I know. Thus I can create these things whenever I want and use them without modification to my mailsetup and be confident that no one else can generate these things that will get into my mailbox.
Other types of addresses that tmda generates:
Anyway, I'm pretty pleased with TMDA, although, as I say in another post, it can impact one's ego.
Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
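The keyword-plus-hash addresses described in the post above, as an added example in Python. This is not TMDA's code: it uses HMAC-SHA256 truncated to a 6-hex-digit tag, the layout user-keyword-<kw>.<tag>@domain, and a placeholder secret and domain. The point it shows is the one the post makes: anyone can read the keyword off an address, but only the holder of the secret can mint a tag that verifies.

```python
"""Added example of the keyword-plus-hash address scheme described above.
Not TMDA's own code: HMAC-SHA256 with a 6-hex-digit tag, the address layout
user-keyword-<kw>.<tag>@domain, and a placeholder secret and domain."""
import hashlib
import hmac
import re

SECRET = b"replace-with-a-random-secret-kept-in-a-0600-file"  # placeholder
DOMAIN = "hornclan.example"  # placeholder domain
TAG_HEX = 6  # 24-bit tag: enough to stop guessing, not a long-lived signature

ADDR_RE = re.compile(
    r"^(?P<user>[^-@]+)-keyword-(?P<kw>[^.@]+)\.(?P<tag>[0-9a-f]+)@(?P<domain>[^@]+)$",
    re.IGNORECASE,
)


def make_tag(user: str, keyword: str, secret: bytes = SECRET) -> str:
    """Keyed hash over the local-part prefix.  Local parts are lowercased
    first so Mark-Keyword-Slashdot and mark-keyword-slashdot agree."""
    msg = f"{user}-keyword-{keyword}".lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TAG_HEX]


def keyword_address(user: str, keyword: str, secret: bytes = SECRET,
                    domain: str = DOMAIN) -> str:
    """Mint a disposable address for one correspondent or web site."""
    return f"{user}-keyword-{keyword}.{make_tag(user, keyword, secret)}@{domain}"


def verify_address(addr: str, secret: bytes = SECRET, domain: str = DOMAIN):
    """Return the keyword if addr carries a tag made with our secret,
    else None.  A bad tag is treated exactly like an unknown address."""
    m = ADDR_RE.match(addr)
    if m is None or m["domain"].lower() != domain.lower():
        return None
    expected = make_tag(m["user"], m["kw"], secret)
    # Constant-time compare, so a guesser learns nothing from timing.
    if not hmac.compare_digest(expected, m["tag"].lower()):
        return None
    return m["kw"].lower()


if __name__ == "__main__":
    for site in ("slashdot", "msn"):
        addr = keyword_address("mark", site)
        print(addr, "->", verify_address(addr))
```

A 24-bit tag makes blind guessing of a valid extension impractical for a dictionary run like the one described a few posts up, but it does nothing once a minted address has leaked: the remedy there is the one the post implies, which is to stop accepting that keyword.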
Something I've started using more is simple mail aliases. Since I run many MTAs, I've taken one of my own domains and create an alias for a mail recipient for when I need to sign up for something. Let's say I order some X10 stuff. I'll create a quick mail alias called "x10" and point it at my usual mail account. I'll add a comment with a date, maybe a URL, etc. to it and rebuild my aliases.db. There are 2 upsides to this. 1 is that I can easily make that a real account someday and spamtrap all that junk if needed. It's also guaranteed to be accepted on every web form I come across. Occasionally I'll come across a web form that only accepts alphanumeric characters (and the @) in the email address. Some webmaster thought he was being security-wise and didn't follow the RFCs. Whoops. No biggie. This method gets you around that little problem. The only real downside is that it takes a couple extra seconds to create that alias and add some comments about it. Oh wait, there's another plus. Some mass mailers strip out the plus notation from email addresses. Giving your address to, say, Citibank or Capital One as joeblow+citibank@domain.tld might confuse the person or raise suspicion if you're entering your address in a spamtrap. With the email alias, you can use an acronym, gibberish, or whatever you want for your particular situation.
And to do that they have to use a valid return address, thus ending their SPAM operation quickly (see other threads about this).