What's in Your Spam-Fighting Arsenal?
Spamhunter asks: "Everyone has their favorite tools to stop spam at the inbox, whether it's using a scoring tool like SpamAssassin, bayesian filters, or something as extreme as challenge/response whitelists (which creates a few problems itself). What I'd like to know is, what are your tools for actively investigating and shutting down spammers? I've found information sites like SPEWS and Spamhaus to be invaluable in tracking down spam gangs and spam-friendly ISPs in order to put pressure where it belongs. Sometimes just chasing the chain of ownership in WHOIS is helpful. What tools, approaches, and resources do you find helpful?"
Mozilla mail's bayesian filtering are more than enough for the spam that comes my way. Of course, I have a fat connection - spam would probably still annoy me a lot if I had to download it at POTS speeds.
SpamAssassin is great because it does almost all of those things. My setup filters for regexes, checks some databases on the web for relays and for registered spam messages, manages an auto-whitelist, and does wonderful Bayesian filtering.
I've had the same setup for several months, and I only have about 1 to 2 mistakes a month. A mix of various techniques is really the only way to go.
The adaptive spam filtering works great for me. :)
Technically the Rules Wizard isn't a spam filter, but it does help me kill spam. I use it as a white list. I'll only see messages from peeps who I want to hear from.
Also, I have a few forwarders. If I register with Best Buy, for example, then I create a bestbuy@mydomain.com address for them and register with that. So if I get SPAM there, I just turn that forwarder off.
When somebody emails me and they're not on my list, they get a message back saying "Didn't get your message" with human-readable instructions on how to contact me.
No spam. No false positives.
"Derp de derp."
Seriously, I look forward to the latest bignaturals.com and christinamodel.com spam every week. I only lament when it's at work
My inbox, replete with bitmapped snatch, is become the PointCast push model, optimized to sublimity.
As the subject says... Spambayes (with procmail) does my filtering, so it gets stashed in the training/garbage bin. Works great, with excellent accuracy.
I subscribe to Spamcop (http://spamcop.net) too, which gives me a spam-filtered public email address, and they also do reporting. You send them your spam, they look up whatever complaint addresses they can for the source, relays, and even the URLs linked to in the spam; it just needs a few clicks to shotgun your complaints to all the ISP admins, keeping the jerks hopping.
I've been using the paid Yahoo mail service. I have my ISP forward all my mail to my Yahoo account. Their spam filters are great. Spam goes into the bulk folder and the rest goes into the inbox. I've been using this for a year and it's great. I can read different attachments without downloading them. What I download is scanned for viruses with Norton.
The only thing that will work or at least provide satisfaction is lots and lots of jail time.
Preferrably with a cell mate with a very very enlarged penis.
Oh yeah, and lots of Viagra.
Death Row would be too humane.
Of course that's a job for another virus. While that might be seen as worse than the problem, I don't run anything susceptible to viruses. Do you? The trick is to exploit holes before the spammers do, but be careful not to harm the ISPs in the process by overloading their pipes. Once all vulnerable hosts have been wiped (and, perhaps, reloaded with something secure, but that's the owners' job -- get it wrong and get wiped again!) the spammers will have nothing to work with. Better yet, most of their customers' customers will be off the net too, solving the other half of the problem.
(By the way, all answers about spam filtering should be moderated into the toilet, as "off-topic".)
MOD UP PLEASE
Okay, not quite 87 steps, but close...
1. SpamAssassin on the server. The highest rated spam gets immediately deleted.
2. Mozilla Thunderbird w/ bayesian filtering for email client. Most remaining spam is recognized easily.
3. Any spam that makes it through this far ends up reported to SpamCop.
I also create spamtrap email addresses on my websites which allows me to blacklist spam harvesters automatically.
I have a Hotmail account, and believe it or not, I get 0 spams a day. My email address is something like name number word and it's not very guessable. I use it for family, and as you can see, dextr0us @ s p l . a t is my e-mail address for spam. It works quite well.
"Martha Stewart can lick my Scrotum......do i have a scrotum?" -- Sharon Osbourne
Once spam has reached your inbox, you've lost.
I use a popular web mail service and a standard email client. I don't get spam because I'm careful about who and where I give my info out to, and I certainly never post my email address on a newsgroup or web page, and I never accept any of the email options if I must sign up for anything. Oh, and both of my email addresses are, I hope, non-guessable. Beyond that I use rules to sort what email I do get from NYTimes and the linux mailing list. I get about one spam a week from the web mail client provider, and another from excite.com which I was liking for my homepage. Acceptable I think.
I dont do meaning of life questions.
I generally stick with the basics, whois and traceroute getting the most use. I rarely whois the spamvertised domain itself, unless I'm trying to determine the registrar or its DNS provider... But whois gets a lot of masked use, thanks to the following aliases (bash2, freebsd): So, suppose I get spam with an originating IP of 1.2.3.4, I just grab a shell and type. If ARIN refers me to RIPE or APNIC, I use the `arin` or `apnic` commands, respectively. Within a couple of seconds, I know which ISP was abused to send the spam, as well as (usually) some administrative contact for that provider. A few more seconds and I have the same information about whichever ISP is hosting the spamvertarget. If you find yourself constantly typing out... or the appropriate flags to your flavor of whois, setting aliases to point to ARIN/RIPE/APNIC's servers can be a huge timesaver.
A script I wrote some time ago, called ANAL - get your mind outta the gutter, it stands for Auto NANAS and Lart - takes care of the rest. I paste in the spam, headers and all; then if I'm bothering to report it, I'll also enter in some abuse contacts for the origin/target ISPs. I post the form, the script posts a copy of the spam to the Usenet newsgroup news.admin.net-abuse.sightings, and also sends abuse reports to any email addresses I specified.
Not necessarily trying to plug myself, but if you've got PHP installed, check out ANAL. You can report spam to the ISP, and also archive a copy in Google Groups (which can help in future spam cases against the same spammer or spam-friendly ISP) at the same time.
Yes, I actually named one of my machines candletruq.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
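The whois workflow described in the post above, as an added example: these are not the poster's aliases (which are not reproduced on this page) but a stand-in written for this thread. It pulls the connecting IP out of the topmost Received: header, lists the hostnames advertised in the body, and wraps whois(1) for each RIR. The message, hostnames and addresses are constructed (RFC 5737 documentation ranges and .example names).

```shell
#!/bin/sh
# Added example, not the poster's own aliases. Requires only sh, awk, grep,
# sed and a whois client that accepts -h (BSD and GNU whois both do).

# Ask a specific RIR instead of letting whois(1) guess where to go.
arin()  { whois -h whois.arin.net  "$@"; }
ripe()  { whois -h whois.ripe.net  "$@"; }
apnic() { whois -h whois.apnic.net "$@"; }

# origin_ip FILE: print the bracketed IPv4 address from the *topmost*
# Received: header. That header was written by your own MX, so its [addr]
# is the host that actually connected to you. Every Received: line below it
# was supplied by the sender and can be forged, so it is ignored on purpose.
origin_ip() {
    awk '
        /^Received:/ && !found { found = 1; hdr = $0; next }
        found && /^[ \t]/      { hdr = hdr $0; next }   # folded continuation
        found                  { exit }                 # next header: stop
        END {
            if (match(hdr, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
                print substr(hdr, RSTART + 1, RLENGTH - 2)
        }' "$1"
}

# spamvertised_hosts FILE: unique hostnames from http(s) URLs in the
# message, i.e. the sites whose hosting ISP also deserves a complaint.
spamvertised_hosts() {
    grep -oE 'https?://[^/[:space:]>"]+' "$1" | sed 's#^https*://##' | sort -u
}

# A constructed spam, used only to exercise the functions above.
sample_spam() {
    cat <<'EOF'
Return-Path: <nobody@forged.example>
Received: from forged.example (unknown [203.0.113.45])
        by mx.mydomain.example (Postfix) with SMTP id 4F2B1
        for <me@mydomain.example>; Wed, 15 Oct 2003 03:12:44 +0000
Received: from localhost (localhost [198.51.100.9])
        by forged.example; Wed, 15 Oct 2003 03:10:00 +0000
From: "Lots Of Money" <nobody@forged.example>
Subject: You have won

Claim it at http://www.spamvertised.example/claim?id=42 or
https://click.tracker.example/x and again http://www.spamvertised.example/
EOF
}

# Typical session:
#   sample_spam > spam.txt
#   origin_ip spam.txt            # 203.0.113.45, then: arin 203.0.113.45
#   spamvertised_hosts spam.txt   # hosts to look up with arin/ripe/apnic
```

Only the header your own server added is trustworthy; the second Received: line in the sample (with the 198.51.100.9 address) is exactly the kind of forged hop that sends complaints to an innocent network if you pick it by mistake.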
...is a small-claims case filing form. 100% effective so far, with no false positives. ^_^
Procmail is your friend. Use it. In conjunction with SpamAssassin, you can filter it off to a folder to go send to SpamCop at your earliest convenience. While SpamCop officially discourages doing so, setting your mail server to reject based on the RBL bl.spamcop.net will save you some work (and money if you're a SpamCop member) by prohibiting mail from sites already reported by several people.
I use exim in conjunction with sa-exim to reject spam that scores high with Spamassassin, and to teergrube the luser. Since I'm the postmaster, I also have sa-exim give all the sa-exim rejected spam to my spam folder to report as well.
I have roughly 30 users. Almost all of them use my site for mail, since doing so is extremely spam hostile thanks to me, with very little inconvenience, if any, to legitimate mailers, which is the way it should be.
On an aside, I also use abuse.net's forwarding service to report hosts infected with viruses to their ISPs. I've been fairly successful, though it could be better. Roughly one third of the ISPs I contact suspend or terminate the user's account for it. I also maintain a net-searchable list of the last relay such infected messages go through before hitting my server. Feel free to use it for yourself, it's on my website.
Help us build a better map!
Translation: I am trying to bypass anti-spam measures and I want to know what my targets are.
- Sendmail - Claus Aßmann has some suggested rules for eliminating bogus AOL addresses, bad message IDs, etc. I just use those, plus some of my own "Subject:" filters
- DCC rejects spam based on how often myself and others have seen it, with a distributed database of hard and fuzzy checksums. It is part of Spam Assassin, and I plan to include that soon, too.
- Procmail is my third level of filtering.
- For the crap that gets through, I mark it as spam to levels 2 (automatically) and 3 (manually), so I don't see that again.
Regardless, I still get too damn much spam!
I use SpamAssassin to sort and tag the spam server-side, with my threshold set at 5. Or rather, I should say the ISP hosting my domain uses SpamAssassin; I don't have full control over the mail server.
Then I use Mailwasher mainly to preview the messages on the server before downloading them. Mailwasher has its own filters to tag and bag spam, and they're pretty good. Do NOT use Mailwasher's fake bounce feature, it only contributes to the problem. I get the full source of the messages before downloading and report them to SpamCop.
I then use Mozilla Mail for the actual downloading and reading, which of course has its own Bayesian filtering, but messages have already gone through two other filters before they reach it. The funny thing is that even though I preview the messages with Mailwasher, I don't delete them on the server, I want them for training purposes.
I use throw-away accounts on SpamGourmet if I need to sign up for anything online.
I only get maybe three spams a week to my real email address, so all of this may be a tad extreme. But perhaps this paranoia (I'm also very protective of my email address to begin with) is *why* I get so little spam.
My Hotmail account, OTOH, was getting about 20-30 per day, five or six of those were making it past the filters into my inbox. Since I don't use the account for much serious correspondence, I finally set myself to "Exclusive" and whitelisted those few domains that I actually want to get mail from.
3 months of tedious training (marking spam as Junk) has paid off quite well. Haven't had a single spam get through in 8 months. IIRC I think it uses some sort of Bayesian filtering. I highly recommend going through a few months of training at least, since at the beginning I would get a few false positives. Now, however, I don't know how I could ever live without it.
Just my 2 cents.
Eddy.WriteLinux.Com
I'm using my own tools. I've tied many computers together to launch a very subtle attack against the spammers. Unsolicited Commando
Spamassassin's Bayesian rules are much improved for version 2.60. Unfortunately their unsupervised learning method (that is applied globally) causes drift. It uses different rules when it classifies your mail from what it uses when it trains its database.
The solution is to write a script that applies spamassassin. If it classifies your mail as spam, have your script pipe it to "sa-learn --spam"; if it classifies your mail as ham, pipe it to "sa-learn --ham". You also have to make sure to correct it when it mis-classifies email, using the same sa-learn program.
With this setup, spamassassin almost never makes mistakes. In about 10,000 emails, it misclassified maybe a dozen as spam that weren't. In all cases, the email was 'weird' - generally the first message from an on-line service to which I had subscribed. In the other direction, about 1 spam in 100 slips through under the radar.
Spamassassin was very useful to me during the recent Swen outbreak. At this time I received over 1000 copies of the virus per hour. Spamassassin caught them all. A few "unable to deliver" messages got through, but I was able to train spamassassin to reject those, too.
One unfortunate side-effect of the Swen outbreak is that it flushed some of the memory of my bayesian filter. This is because it uses a window of about 8MB, and the entire window was filled with Swen artifacts. But now that Swen has abated (at least at my site) I've had to kill a few Nigerian send-me-your-bank-account-and-your-mother's-maiden-name scams, but it has quickly learned and I'm back to normal.
I have done side-by-side comparisons with Mozilla's bayesian filter. Overall, spamassassin (at least spamassassin 2.60 with personal training) is much more effective. On the other hand, Mozilla's filter is easier to use "out of the box." It would be nice to have an easy method to have Mozilla call spamassassin instead of its own training program.
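The "script that applies spamassassin and pipes to sa-learn" procedure from the post above, written out as an added example. This is not the poster's script; it is a procmail-callable filter that tags the message, trains on the classifier's own verdict so training and classification use the same rules, and exposes the manual correction step. The spamassassin and sa-learn commands are taken from the environment so the functions can be exercised with stand-ins where SpamAssassin is not installed; the ~/.procmailrc path in the comments is hypothetical.

```shell
#!/bin/sh
# Added example, not the poster's own script. Uses only documented
# SpamAssassin behaviour: spamassassin rewrites the message on stdout and
# prepends X-Spam-Status; sa-learn --spam/--ham reads one message on stdin
# when given no file, and relearning a message the other way makes it
# forget the earlier (wrong) lesson first.
: "${SPAMASSASSIN:=spamassassin}"
: "${SA_LEARN:=sa-learn}"

# verdict FILE: "spam" or "ham", read from the X-Spam-Status header that
# spamassassin prepends ("X-Spam-Status: Yes, score=..." or "No, ...").
verdict() {
    if grep -qi '^X-Spam-Status: Yes' "$1"; then
        echo spam
    else
        echo ham
    fi
}

# filter_and_learn: raw message on stdin, tagged message on stdout (for
# procmail to deliver), plus one sa-learn call that matches the verdict.
filter_and_learn() {
    tmp=$(mktemp) || return 1
    "$SPAMASSASSIN" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp"
    "$SA_LEARN" "--$(verdict "$tmp")" < "$tmp" > /dev/null
    rm -f "$tmp"
}

# correct spam|ham FILE...: the manual step the post insists on, for the
# messages the classifier got wrong.
correct() {
    case "$1" in
        spam|ham) mode=$1; shift ;;
        *) echo "usage: correct spam|ham FILE..." >&2; return 2 ;;
    esac
    "$SA_LEARN" "--$mode" "$@"
}

# ~/.procmailrc recipes that use this file (comments only, not executed;
# the path is hypothetical):
#
#   :0fw
#   | sh /home/me/bin/sa-filter.sh filter_and_learn
#
#   :0:
#   * ^X-Spam-Status: Yes
#   spam

# Dispatch when run as a script ("sh sa-filter.sh filter_and_learn" or
# "sh sa-filter.sh correct spam msg.eml"); sourcing the file just defines
# the functions.
case "${1:-}" in
    filter_and_learn|correct) "$@" ;;
esac
```

Because the verdict comes from the same X-Spam-Status line the rules produced, the Bayes database only ever learns what the classifier actually said about a message, which is the point the post makes about avoiding drift between training and classification.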
I have used blackhole/razor for quite some time but found it to be disappointing. I am totally in love with "ASSP" or Anti-Spam Server Proxy. The project page is at http://assp.sourceforge.net . As someone who gets 150-200 spams a DAY, this has cut it down to 3-4. It's a Bayesian filter with tons of cool features like auto-whitelist and web-based config. It can even run on the same server as your MTA, just change your SMTP service to use something other than port 25, then have ASSP run on port 25. I highly recommend this software.
I use a sendmail milter called MimeDefang, which works in conjunction with SpamAssassin. I have user info (whitelists, thresholds, etc.) stored in a MySQL backend. Seems to work great. Many thanks to the folks at MimeDefang and SpamAssassin for providing such great products.
On the server:
rblsmtpd (DNS-based block lists) in front of qmail
DSPAM filtering pre-delivery
SpamCop for the ones who make it through.
I'm planning to add SpamCop reporting for the messages that DSPAM catches and there is also ongoing development in the project that will log IP addresses of machines delivering SPAM for local RBL use.
I eat it! Yummy!
MailWasher (http://www.mailwasher.net/) to preview the spam, bounce it back, and copy it into Notepad; Spamhaus (http://www.spamhaus.org/) to see if it's spam friendly; Norton Internet Security to add the IP address range as restricted if it is. Add web sites referenced in the spam to the hosts file pointing to 127.0.0.1; Advanced Subnet Calculator (http://www.solarwinds.net/) to convert CIDR addressing to IP ranges for Norton to firewall.
jwhois (http://www.gnu.org/) to look up IP addresses and domains, it's configurable to look for ARIN, APNIC, JPNIC, LACNIC.
I welcome spam with open arms. After all, I'd hate to cut off my easiest revenue source. If you find any Nigerian millionaires, be sure to send them my way.
-- Stu
/. ID under 2,000. I feel old now.