The Measured Effectiveness of Blocking Asian Spam

fadden writes: "I recently started blocking IP addresses in China and Korea that were sending me spam. Instead of a blanket ban, I only blocked the subnets from which spam was being sent. After my first week of scanning and banning, I wrote up a report on the effectiveness of the blocks." In related news, SSKennel adds that: "The U.S. Federal Trade Commission has discovered (prepare to be amazed!) that revealing your email address in chat rooms can get you spammed. It claims to have taken action against spammers who harvest email addresses and use them to send fraudulent spam." Shocker!

Epiphany

[Masami+Eiri]

You mean, I shouldn't spam up those Yahoo chat rooms with my email address? Wow... who would have guessed... /sarcasm

A resounding DUH arrises from the competent computer users of the world.

Re:Epiphany

[RatBastard]

Quite a few people don't know this simple fact. And it's not because they're stupid, either.

One person's "common sense" is another person's "mystery of the unknown."

Re:Epiphany

[Moonshadow]

The thing is, most average uses don't know this. To their knowledge, the only way a spammer could get your address is for you to put it into a webform somewhere.

Most casual users probably don't even consider the possibility of their address being harvested from other places, such as chat rooms.

Re:Epiphany

[Psx29]

You should have seen what happened when I put a throw-away email address in my away message on irc. Suddenly I was getting 1000 messages a day...scary

Re:Epiphany

[zurab]

Most casual users probably don't even consider the possibility of their address being harvested from other places, such as chat rooms.

I don't believe this. They have to know. Common sense should tell anyone that if you give someone else your information, they will be able to record that information; doesn't matter if it's credit card number, e-mail address, social security number, or mother's maiden name. If they do know enough not to give out their mailing address, SSN, and mother's maiden name to complete strangers online, then they should treat their e-mail addresses no differently.

Now, you may say that giving out SSN is more dangerous than giving out e-mail, but mere knowledge of this fact by any user proves their awareness of their actions.

Re:Epiphany

[Moonshadow]

Perhaps deep down they know this, but they aren't consciously aware of it like geeks are. The mentality they approach a chatroom with is "I type, and once it scrolls off the screen, it's gone forever" whereas with a webform, they KNOW it's going into some database somewhere. The perceived threat is much lower in a chatroom, although the actual threat may be as high or higher than a webform.

Also, people tend to be a lot more paranoid about protecting their SSN, mailing address, etc than they are about their email. An email is a fairly disposable thing, and there is little threat perceived with it being public knowledge. A SSN or brick-and-mortar address is quite another thing.

Government will announce next..

[Metallic+Matty]

that Canada is indeed just above us on a map.

Re:Government will announce next..

[Cyno01]

Really? When i was younger i had a puzzle map of the United States, it was a blue frame and you put the 50 state pieces into it. But it was just a blue frame, so i assumed it was water and the US was its own big island (alaska just sat there in the corner not connected to anything). Untill i got a globe when i was 8, i didn't know where canada or mexico was.

Re:Government will announce next..

[rodgerd]

You're way ahead of many of your countrymen having worked it out at 8.

Re:Government will announce next..

[Flakeloaf]

That is, if they can spend 5 million dollars on the task they will confirm that it is indeed true that Canada is directly north of the USA. Next, Canada will spend 100 million on exactly the same task, only in reverse.

Um, more like 200 million. Don't forget the study has to be done in both official languages.

Re:Government will announce next..

[kmahan]

Better do it quick before the poles reverse

I'd say something

[Apreche]

about you know how shocking it is that revealing your e-mail address in a chat room will get you spammed. But I think the poster already kinda did that. /me ponders getting a job at the FTC telling them all sorts of things they don't know. Like how signing guest books with your real e-mail address will get you spammed, using AOL will get you spammed, using hotmail....

Re:I'd say something

[mudder]

Using Hotmail alone doesn't get you spammed. I've had a hotmail account for over a year now and haven't received more than 20 pieces of "unrequested" spam in total. I'm moderately careful with my email address, but it does get out there every so often. Also my email adress isn't terribly hard to guess (matt_allen_g....), and I don't have the Hotmail spam filter turned on. Maybe I'm lucky, but my experience does disprove the hypothesis that ALL hotmail accounts get spammed, simply due to the fact that they are hotmail accounts.

Re:I'd say something

[Yo+Grark]

Wrongly Created hotmail address....free

Auto-checked by Trillian to keep it alive...free

Never Given it out.....free

# of Spam Received to date: 654

Finding out over 1/4 was from MSN...priceless.

Yo Grark

- Canadian Bred with American Buttering.

Re:I'd say something

[Latent+IT]

Number of Slashdotters who realise that SPAMMERs are not stupid and randomly try combinations of words and numbers (bob1@hotmail.com, bob2, bob3...)...Priceless

Do you really think that if I register afsradoij294@hotmail.com that I won't get any spam? I'd bet you a large sum of money I'd get some in the first few days.

I guess I'll find out.

Blocking subnets? Use SPEWS.

[smnolde]

Subject says it all. I block so much spam by using spews.

How I block Korean spam

[Jim+the+Bad]

I just have KMail redirect all HTML formatted mail into the spam bucket. I check it once a day for the odd false positive - this is easy, as message titles in English stand out amoung all the Hangul ones. Only takes me a few seconds.

On the other hand, 15 or so spams a day (in a language I don't even understand) every day is a major waste of bandwidth, and as irritating as hell.

What can we do about this nusiance?

Re:How I block Korean spam

[Moonshadow]

The problem with this approach is that a lot of people on Windows platforms using Outlook/OE send HTML mail by default, even for a simple text message.

A much more reliable appriach is the "pattern matching/scoring" technique a few pieces of software out there use. I've been using Spam Asassin for a while now, though (too lazy for a link :) ) and I have yet to see it a) tag a legit email as spam, or b) miss a spam message. If that sort of thing were installed on mail servers by default, then it may be possible to cut down spam drastically. Right now, my config just puts [SPAM] in the subject line - makes it easy enough to filter. Why can't ISPs do the same thing? I know that Spam Assassin is a bit resource hungry, and isn't practical for large scale operations, but surely something similar could be written that would accomplish the same thing with minimal resource drain.

Re:How I block Korean spam

The most effective way I've seen is to have your own domain and have all email sent to any alias under that domain to a single mailbox. Then, whenever you need to have something emailed to you, just use a different alias (preferably a descriptive one; for example, if you order something from amazon.com, you can use you-amazon@yourdomain.com). That way you can not only see where your email address was picked up, but also block all email coming to that particular alias. You'll also know who to bitch out.

Re:How I block Korean spam

[Iguanaphobic]

You'll also know who to bitch out.

I use addresses like amazon_spam@yourdomain.com

That way I can tell for SURE where it came from. Plus I filter based on _spam in the To: field.

Re:How I block Korean spam

[Binestar]

While it is true that just dropping HTML can cause issues, you can still capture alot of spam by filtering on HTML e-mail without a CHARSET.

:0 f
* ^Content-type: text/html
* ! html; charset=
* ! from hotmail
| ${FORMAIL} -A"X-Spammers: text/html only message"

The above has *NEVER* given me a false positive in over 9 months of use.

Also, I use 3 rules that block Fake Netscape/Hotmail/Yahoo e-mails. Basically, if the e-mail has a from address from either of those but isn't really from thier servers they get tossed as well.

# hotmail-specific
:0
* ^(From|Return-Path):.+@hotmail\.com
{
&nbs p; :0
* ^From: ".+" <[a-z0-9_.-]+@hotmail\.com>
* ^X-OriginalArrivalTime:
* ^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]
* ^Received: from hotmail.com \(\/...
* $ ^Message-ID: <${MATCH}.+@hotmail\.com>
{ }

:0 Efhw
| formail -A "X-Spammers: fake hotmail"
}

# yahoo-specific
:0
* ^(From|Return-Path):.+@yahoo\.[a-z]+
{
&nb sp; :0
* ^Message-ID: <([0-9.]+\.qmail|[0-9]+\.[0-9A-Z]+)@\/[a-z0-9-]+\. yahoo\.[a-z.]+
* $ ^Received: from .+by $MATCH
{ }

:0 Efhw
| formail -A "X-Spammers: fake yahoo"
}

# netscape-specific
:0
* ^(From|Return-Path):.+@netscape\.
{
:0
* ^X-Mailer: Atlas
* ^Received: from +netscape.*MAILIN
* ^Return-Path: <\/[a-z0-9_.-]+@netscape\.[a-z.]+
* $ ^From:.*$MATCH
* $ ^Received: from $MATCH.*by [a-z0-9.-]+\.aol\.com
* ^Message-ID: <[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+@netscape\.[a-z.]+

:0 Efhw
| formail -A "X-Spammers: fake netscape"
}

Those 4 rules save me a big headache.

Re:How I block Korean spam

[Qrlx]

If you're in a corporate setting, then you should be installing Office from an Administrative Installation Point and have configured your install to override Outlook's default to send HTML, and changed it to Rich Text or Plain Text.

They can always go up to the menu bar and change it if they suddenly decide they need to send HTML emails.

By the way, I really, seriously, very strongly doubt that HTML mail format is necessary for your marketing group or whatever. I find it excpetionally unlikely that they are WRITING EMAIL IN HTML and that this is as core competency of your sales dogma. Most likely they are attaching files to email, which works fine with plain text.

HTML email actually IS evil. There's completely no point to it. And in fact it's part of the spam problem: Let's say a HTML email contains a ref to some JPG somewhere. You read the (spam) HTML email, your 'puter dowloads the JPG. Congratulations, now the spammer can check his web logs and determinie how many people got the message! If s/he's really crafty, you could even tell which recipients got it by cross-indexing the HTTP GET request with the virtual file name you've set up like 01010012001012712.jpg -> sucker1001@hotmail.com. Now you put that name on your "known good accounts" list and sell it.

Asian Spam???????

[ksplatter]

I prefer Group Spam and Teen Spam with the occasional Anal Spam. To Be honest, I am kinda sick of the Asian Spam.

And AS for effectiveness! That stuff works all the TIME.

Do they have a response email address?

[djkitsch]

I'd just like to know if it's still safe to post your email address on Usenet?

blocking ip's isn't enough

[martums]

We've had to block a number of Korean & China-based IP's in recent months (especially during the Summer). In addition to blocking a number of temporary (PPPOE and such) IP's by domestic service providers, (read: Comcast), the foreign IP's seem to be more static, but also offer a higher quantity of spam. (Are a number of these just open relays?) Though, in our case, it's usually short-lived. Except for Klez, which is the devil.

Good point about the pig singing. While Comcast is extremely unhelpful (bordering on incompetent), foreign ISP's don't face any accountability. There's no decent legal recourse. So blocking the IP is the simplest route.

Has anyone else seen a significant amount of spam from Brazil? Where is the onslaught of OSS Bayesian filters?

Re:blocking ip's isn't enough

[jensend]

Where is the onslaught of OSS Bayesian filters?

At Sourceforge. (Where else would you expect it to be?) That includes Bogofilter, POPFile, and a whole bunch of less-active programs. Searching for 'bayes spam' (Sourceforge uses OR searching by default) ought to get you more projects than you really want to look at. Mozilla is also looking at getting a similar filter- see bug 163188 at bugzilla.mozilla.org.

Re:blocking ip's isn't enough

[spongman]

Spambayes is simply the best spam filter I've ever seen. It's not a 'release' quality product but it's filtering is the best I've seen. There's an excellent plugin for Outlook which monitors your inbox and places spam in a 'spam' folder or an 'unsure' folder depending on your settings and its classification of incoming messages. It also notices when you move messages into/out of these folders and re-trains its database accordingly.

I believe they also have a POP3 proxy and an SMTP proxy is on its way. The automation for these is not quite so refined, however.

Asian Pacific network

[TheFlu]

I started blocking off all Asian Pacific networks about 6 months ago. I wrote a quick Sendmail tutorial about it right here.

How well does this work? Extremely well. I've gone from receiving 20 pieces of SPAM a day to only 1 or 2 (which Spamassassin typically catches. I realize that this method won't work for everyone, but it has worked out quite well for me.

Re:Asian Pacific network

[1u3hr]

I started blocking off all Asian Pacific networks about 6 months ago

So that's why American ISPs ignore me when I complain about the spam they send to me in Hong Kong.

Speaking of exposed email...

[Anonvmous+Coward]

"The U.S. Federal Trade Commission has discovered (prepare to be amazed!) that revealing your email address in chat rooms can get you spammed. It claims to have taken action against spammers who harvest email addresses and use them to send fraudulent spam." Shocker! "

Revealing your email address on Slashdot can get you spammed. You may have noticed my sig says "Sig: I'm performing an experiment on the origination of SPAM, don't email me.". What I did was I set up a junkmail box and pointed my Slashdot email address at it. The only place this address has ever been made available is in my user address that is displayed whenever I comment. When this address is e-mailed, it automatically responds with "thanks for the unsolicited mail!" I don't read the messages unless somebody responds to it.

What prompted me to do this was the 'armor plate your email address' feature in my user settings here on Slashdot. It made me curious if having my e-mail address viewable in the comments I make would mean I'd recieve lots of Spam. My curiosity is satisfied: You can get a good deal of SPAM if you don't use the 'armor plating'.

You know what? They don't just look for e-mail addresses to send mail to. They also use the e-mail addresses as reply-to addresses. I found this out when I got an email from a guy who was puzzled by my auto-responder emailing him. It turns out that somebody sent a message to me and used his address as a reply-to address. Weird, Iddn't it? Fortunately he was very nice and we got that all settled, but it is a little disconcerting that the addresses are used in ways like that.

When I first started this experiment, I responded to the messages I got. I accused one guy of harvesting my address without really reading what the message said. Turns out, the guy ran a mailing list for local (to him) volunteer firefighters announcing a meeting. This wasn't the type of event that somebody would 'direct market'. Heh. Evidentally, somebody volunteered my user address only displayed on Slashdot to his list. How weird is that?

I am extremely curious if anybody has any insight into the motivations of people who'd use email addresses in these ways. I can understand somebody using my email addie as a reply to address, but I have no explanation for why somebody'd volunteer me for a volunteer firefighter's list.

Re:Speaking of exposed email...

[Jucius+Maximus]

"What prompted me to do this was the 'armor plate your email address' feature in my user settings here on Slashdot. It made me curious if having my e-mail address viewable in the comments I make would mean I'd recieve lots of Spam. My curiosity is satisfied: You can get a good deal of SPAM if you don't use the 'armor plating'."

Agreed. This e-mail address attached to this article is my 'spam account' so I clean it out once a week, but I do actually read legitimate messages.

"When I first started this experiment, I responded to the messages I got. I accused one guy of harvesting my address without really reading what the message said."

Hehe, I make a point of responding to those Nigerian scammers. I tell them my name is James Kirk, phone number is 202-406-5850 and fax number is 202-406-5031. (Yes, the name was inspired by the haxial.org thing.) The zinger here is that those phone and fax numbers correspond to the US Secret Service Electronic Crimes branch!

I actually got a few of those scammers to phone the number. One guy was furious and demanded an apology. Another e-mailed me back and told me that the woman said there was no "James Kirk" there. I got at least 2 of them to fax their financial documents over there. Heh.

Cloudmark - Outlook 2k/XP users

[exhilaration]

If you're running Outlook 2000 or XP - Cloudmark is a nearly PERFECT solution to Spam - and IT'S FREE (for now, at least).

Re:Cloudmark - Outlook 2k/XP users

[spongman]

I have noticed that many spammers are adding random crap to the end of their messages. This tactic is specifically designed to circumvent products like cloudmark. If you're running Outlook, try spambayes, it uses some pretty complicated statistics to determine whether or not an incoming message is spam, and it works surprisingly well. It requires a certain amount ofo technical knowledge to set up, though.

Re:Blocking subnets? Use SPEWS.

[EvilAlien]

And probably lots of legit mail too, unless you have a tiny mail server. SPEWS is an awful choice for large commercial services, they subscribe to the "throw the baby our with the bathwater" theory. They are ever more clumsy and heavyhanded than ORBS was.

Suing SPAM companies?

[bertok]

I've invested significant money some years back in a domain name so that I could give my clients and friends an easy to remember, unique email address. I consider it a significant investment, because it looks good on a CV, business card, or letterhead, is easy to remember, and it cost me time and money to establish it.

However, a number of spam companies have picked up on my email addresses at that domain, and have distributed it on a number of those unpteen-million address CDs sold to other spammers. I recieve over 100 unsolicited emails a day. Now, I try to filter them with software filters, but due to the hit-and-miss nature of heuristic filters, legitimate mail is deleted on occasion.

The way I see it, my unique and expensive email address has been devalued by these spam companies, because the whole point of buying that domain name was so that I could use it publically. If I have to keep it a secret to avoid spammers, it is worthless! I can't even use it as an example while writing this article, because it would be picked up by yet more spammers.

I wonder why nobody has tried suing along these grounds. Think about it: If some company had invested time, money, and effort into setting up a toll-free hotline for their customers and/or clients, but had the service ruined by telemarketers jamming the system with 100x more junk calls than the real calls the company recieves, the next outgoing call would be to a lawyer!

How can I block American spam?

[error0x100]

The /. crowd always seems to be talking about how huge the Asian spam problem is. So as an experiment, I've been keeping my spam in a separate folder for a few months, and less than 3% of it is Asian in origin (counted by relay server used AND the spammer itself). Over 70% of it, originates in the USA, and are mostly USA cons/scams/pseudo-products etc (diplomas, anti-spam software, spam software, porn sites, "hot strock investment advice newsletters", "work at home", MLM etc, "lose weight", search engine 'promote your website' offers etc).

Why the discrepancy, am I just an outlier, or are slashdotters exaggerating the non-US-originating spam problem in relation to the US-originating spam problem?

Re:Dont you just love it when spammers get your na

[esobofh]

Worse - How in the hell did they find out about my childhood family orgies?!?

Re:Fraudulent Spam?

[doomdog]

Yes, there is a difference between regular spam and the fraudulent variety. Normal spam is sent by well known "bulk mailers" (as they call themselves, in a pitiful attempt to legitimize their business) on a contract-for-hire basis.

They send email directly from their own systems to your mailbox. They do not fake their headers, use open relays, hijacked proxies or root'ed boxes of other people to send out their messages. They generally have contracts with their ISPs to not cancel their connectivity as long as they have some type of proof, no matter how vague, that the mail *might* be considered opt-in (and as long as the complaints aren't too frequent. These people do listwash their own lists, if only to stop spamming people who actually complain about it, and also to show to their ISPs that they have an effective opt-out system. Their spam is annoying, but currently legal.

Fraudulent spam, on the other hand, is completely different. These are the people that hijack other people's machines to do the dirty work, rape open relays and consume all of their bandwidth during spam runs, actively probe for open relays and proxies, forge everything they can in the headers, study SpamAssassin and other filters in an attempt to craft messages that don't "look" like spam. These are the people that use their opt-out lists as a source of revenue (by selling the names to other spammers), and will frequently joe-job spam activists and others who complain too loudly and to the wrong people...

The first type of spammer sends out insurance offers, cell phones ads, inkjet ads and such. The second type sends out virus/trojan laden messages, porno by the bucketload, ads for illegal drugs, etc.

Both types of spam are annoying, but the "fraudulent" type is much more so because of its immoral content (and anyone who thinks that sending pornographic images to children isn't immoral should quietly remove themselves from the gene pool) and also because of the theft of services (bandwidth, hard drive space, etc.) from the relays and proxies that they abuse.

obSimpsons

[sharkey]

Oh Marge, anyone can miss Canada on a map, all tucked away down there.
--Homer

Just a note

[djupedal]

...does it help to suggest that the spam in question is perhaps not originating from Asia, and is more the result of lax relays?

The spammers are outside of Asia, and simply target open relays where ever they find them.

The stats by the submitter show that most of not all the mail is in English. That should tell something about the true origin of the spam.
If the open relays were closed, the spammers would move to other hotbeds. Let's work to educate the admins in Asia, and force the spammers to back off using open relays.

Re:Just a note

[djupedal]

I live, work and travel in Asia. I speak Japanese, Korean and Chinese (I'm a native English speaker, from Calif). I don't send mail...I talk to them in person. My situation is unique, I agree. And it's not viable for everyone that may consider helping.

I'm trying for a pragmatic approach, and I would never suggest that simply sending an email or making a phone call would be helpful. The admins I talk to want to fix things, but until a focused effort is made to help them (docs in their languages, etc.), things won't change, I agree. Certainly complaining isn't going to help...and ignoring it isn't going to make it go away.

I'm working on it the best I can...one admin at a time :)

Large-scale SpamAssassin installations

[dskoll]

I know that Spam Assassin is a bit resource hungry, and isn't practical for large scale operations

Au contraire, if you're clever about it, SpamAssassin works great in large-scale operations. In conjunction with MIMEDefang, people use SpamAssassin to scan a lot of mail -- over 1 million messages/day in two sites I know of.

Re:Blocking subnets? Use SPEWS.

I hate spews. spews is everything that is wrong with anti-spam work.

There is no way to get off of the SPEWS blacklist, and if they black your entire NSP for one of the NSP's customers... tough luck for you. You can post to a usenet group and beg, and they wont do anything other than tell you to break your legal contract and go elsewhere. 20 people will harass you, and you can't even know which one to listen to.

SPEWS can rot in hell. A properly configured SpamAssassin will block 98% of spam and have 0.01% false positives (I haven't gotten one false positive in a year, but I will someday).

SPEWS is NOT how one prevents spam. SPEWS is how one pisses off the people trying to mail them.

I can't stress enough how much I hate SPEWS and how much it should die.

Please, please don't support SPEWS. I beg you.

Or, to put it another way......

[Ride-My-Rocket]

One person's "Duh!" is another person's "Huh?"/

Ultimate Anti-SPAM plan

[infiniti99]

Since a few people are posting about anti-spam methods, I thought I'd go over my idea to counter spam. Currently I am not actually using this procedure, I have just been pondering it for awhile.

First off, the core of this system relies on whitelist-confirmation. This means that first time senders are given an auto-response email which must be "confirmed" in order for their message to deliver. Once they have done this, they are whitelisted, and all email from them passes through. TMDA is what I use for this job. I leave my email address "unarmored", because no spam can get through. When I check my mail in KMail, there is no spam.

However, all is not perfect. After many many months of using TMDA, I still find myself sifting through the "pending" folder on my mail server, which keeps hold of all the mails from unconfirmed senders. I generally do this every couple of weeks, and there are often at least one or two legitimate emails that were never confirmed. There are many possible reasons: 1) they thought the confirmation request was spam, so they deleted it (either manually or through an anti-spam filter). 2) they don't like the idea of having to do a stupid confirm (although no one has actually brought this up to me yet). 3) Maybe they use a reply-to or something weird that trips up TMDA (perhaps fixable or not..)

Anyway, the point is that legit emails aren't 100% getting through. The next consideration then, is to use a word-filter (and who knows, maybe TMDA does this too), to see if legit mails can be detected by their content. Maybe this could be done using a bayesian (sp?) filter, as recently discussed here, or perhaps SpamAssassin. Emails detected as legit would be delivered directly, and the sender would be auto-whitelisted. Ambiguous emails would go through the usual whitelist-confirmation procedure. This way, the word-filter never actually throws email away. It gives the sender a second chance, by sending it through the whitelist system.

This, I think, would solve the problem completely for me, as all of the legit mails that wind up unconfirmed would very much pass the legitimacy test (they mention a software project of mine, or something else very obvious). If this were in place, I could send my pending bin to /dev/null. Ahh, a life of no spam!

Asia regrets omission and will make best effort

[trentfoley]

You get only 3% of your product promotion emails from Asia? We are very sorry. Aparently, you are not listed in our database. We are proud of the many great products that we offer to the world. It is an unfortunate mistake that your email address is not listed in our systems. Please send email to add2list@spam.com and we will correct this error.

Regards,
joe

P.S. Add your friends to the list also! You don't want them missing out too, do you?

Re:Still no one has an answer, what do we do about

[quantum+bit]

I also have a catchall so anytime I order something or fill out any other online form I use "the domain I'm browsing"@mydomain.com, that way if they give it out I can tell.

I like to use the form me@"the domain I'm browsing".mydomain.com. That way if the address ever gets too inundated with spam, I can delete the DNS record for it and not even have to see the postmaster notifies for it. It also wastes a minumum of my bandwidth (1 DNS NACK packet vs. an entire SMTP conversation).

Re:we use a simple shotgun...

[binary+tr011]

t's our servers, we can block *.* if we want to.
I do this and I have found it to be extremely sucessful.
Since I did this I haven't got a single spam email.
It also stops annoying people who have my email address from contacting me.

A cure for HTML spam...

[aquarian]

A lof of spammers *do* use these HTML mail tricks. However, a lot of plain users send HTML mail, often without knowing it, because Microsoft mail programs send HTML by default. So if you want to read HTML mail safely, do this: block your network connection while opening it. You can unplug the cable, take the mail program "offline", hit the "stop" button on ZoneAlarm, whatever. This won't cause problems with legit HTML mail, because the HTML is usually just for fonts and stuff. But it keeps the spam messages from "phoning home" successfully to get their graphics.

How to get down to 0.0014%...

...even if you've naively left your e-mail address listed as the owner contact for your domain for years like I did. A three-pronged approach:

1) IP-level blackholing of certain large subnets, as I like many others virtually never get any legitimate email from China or Korea, and many of the craftiest fake headers ride on brand new Chinese and Korean open relays. In case of emergency, people there can always use Yahoo or the likes - and I suspect many Chinese and Koreans who communicate with people abroad are already used to doing just that, as blackholing is becoming more and more widespread.

2) RBL's. I personally use bl.spamcop.net and relays.osirusoft.com. These catch 99.2% of "quasi-legitimate" spam, and about 65% of the open-relay spam not caught above.

3) Heuristic tagging via Spam Assassin/procmail/filters/etc as a last line of defense. I personally use a filter file that I edit pretty much every time a POS (piece of spam ;-) manages to sneak through.

This is obviously more aggressive than many people can afford to be, but it's a viable solution for someone with a low signal-to-noise ratio and a high irritability ratio.

This works well for me

[laing]

A few months ago my spam level reached the point that made me do something about it. After looking carefully at all the headers, I concluded that about 80% of the junk (mostly from Asia) came from IP addresses with no reverse DNS database entry. (The IP did not resolve back into a hostname.) Just about all reputable mail exchangers have a reverse DNS entry. (The ones who don't are run by the clueless.)

I decided to use this to my advantage. You can too.

If your sendmail daemon uses the tcpwrappers library, you can create a /etc/hosts.deny
file with "sendmail: ALL" and a /etc/hosts.allow file with "sendmail: KNOWN". (Make sure "sendmail" equates to 25 in your /etc/services file.)

Doing the above will cause your mail exchanger to refuse incoming mail connections from any host with an unresolvable IP address. It will cut up to 80% of your spam.

For the clueless ISPs, you can add exceptions to your /etc/hosts.allow file. (e.g. "sendmail:66.187.232." will allow mail from RedHat.)

I wish more people would do this.

I'ts working!

[Tablizer]

I did some math on my spam before and after. Now the average promised penis enlargement is 326% instead of the usual 509%

What about management?

[Mustang+Matt]

So do you add another DNS record for every site you visit?

Seems like a big hassle on the management end.

Re:Blocking subnets? Use SPEWS.

[thrig]

If you run SpamAssassin after the MTA, sure, the cows are out. Better to run SpamAssassin integrated with your MTA if possible, which can be done with Exim, Sendmail, and possibly others. Doing spam checks at the MTA level also lets you look at the mail envelope data and similar that SA cannot check on.

Granted, you tend to have to run your own mail server to do this, but hey...