What's in Your Spam-Fighting Arsenal?
Spamhunter asks: "Everyone has their favorite tools to stop spam at the inbox, whether it's using a scoring tool like SpamAssassin, bayesian filters, or something as extreme as challenge/response whitelists (which creates a few problems itself). What I'd like to know is, what are your tools for actively investigating and shutting down spammers? I've found information sites like SPEWS and Spamhaus to be invaluable in tracking down spam gangs and spam-friendly ISPs in order to put pressure where it belongs. Sometimes just chasing the chain of ownership in WHOIS is helpful. What tools, approaches, and resources do you find helpful?"
I generally stick with the basics, whois and traceroute getting the most use. I rarely whois the spamvertised domain itself, unless I'm trying to determine the registrar or its DNS provider... But whois gets a lot of masked use, thanks to the following aliases (bash2, freebsd):

So, suppose I get spam with an originating IP of 1.2.3.4, I just grab a shell and type

If ARIN refers me to RIPE or APNIC, I use the `arin` or `apnic` commands, respectively. Within a couple of seconds, I know which ISP was abused to send the spam, as well as (usually) some administrative contact for that provider. A few more seconds and I have the same information about whichever ISP is hosting the spamvertarget. If you find yourself constantly typing out...

...or the appropriate flags to your flavor of whois, setting aliases to point to ARIN/RIPE/APNIC's servers can be a huge timesaver.
A script I wrote some time ago, called ANAL - get your mind outta the gutter, it stands for Auto NANAS and Lart - takes care of the rest. I paste in the spam, headers and all; then if I'm bothering to report it, I'll also enter in some abuse contacts for the origin/target ISPs. I post the form, the script posts a copy of the spam to the Usenet newsgroup news.admin.net-abuse.sightings, and also sends abuse reports to any email addresses I specified.
Not necessarily trying to plug myself, but if you've got PHP installed, check out ANAL. You can report spam to the ISP, and also archive a copy in Google Groups (which can help in future spam cases against the same spammer or spam-friendly ISP) at the same time.
Yes, I actually named one of my machines candletruq.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
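An added example in the spirit of the aliases described above (the poster's own aliases are not reproduced on the page, and this is not their code): shell wrappers that point whois at each registry's public server, plus a helper that pulls the abuse-contact fields out of a returned record so a report goes to the ISP that was abused rather than to the spammer. It assumes a whois(1) client that accepts `-h <server>` (the stock BSD and Debian clients do), the three registry hostnames whois.arin.net, whois.ripe.net and whois.apnic.net, and that ARIN marks space delegated to another registry with a `ReferralServer:` line; the sample records at the bottom are constructed, not real lookups.

```shell
#!/bin/sh
# Added example, not the poster's aliases. Assumes whois(1) accepts "-h <server>".

# One wrapper per regional registry, matching the arin/ripe/apnic commands
# mentioned in the post.
arin()  { whois -h whois.arin.net  "$@"; }
ripe()  { whois -h whois.ripe.net  "$@"; }
apnic() { whois -h whois.apnic.net "$@"; }

# abuse_contacts: read a whois record on stdin, print the addresses from the
# fields the registries use for abuse reports (ARIN: OrgAbuseEmail,
# RIPE/APNIC: abuse-mailbox), each address once.
abuse_contacts() {
    awk '
        tolower($1) == "orgabuseemail:" || tolower($1) == "abuse-mailbox:" {
            if (!seen[$2]++) print $2
        }
    '
}

# referred_registry: read an ARIN record on stdin; if it carries a
# ReferralServer line naming RIPE or APNIC, print "ripe" or "apnic", else
# print nothing. (Assumption: ARIN uses this field for delegated space.)
referred_registry() {
    awk '
        tolower($1) == "referralserver:" {
            if ($2 ~ /ripe/)       print "ripe"
            else if ($2 ~ /apnic/) print "apnic"
            exit
        }
    '
}

# lookup_abuse IP: query ARIN, follow a referral to RIPE/APNIC if present,
# and print the abuse contacts found. Performs live network queries.
lookup_abuse() {
    rec=$(arin "$1")
    case "$(printf '%s\n' "$rec" | referred_registry)" in
        ripe)  rec=$(ripe "$1") ;;
        apnic) rec=$(apnic "$1") ;;
    esac
    printf '%s\n' "$rec" | abuse_contacts
}

# Offline demonstration on constructed records (no network needed).
SAMPLE_ARIN='NetRange:       198.51.100.0 - 198.51.100.255
OrgName:        Example Hosting (constructed)
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net'

SAMPLE_RIPE='inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET (constructed)
abuse-mailbox:  abuse@example.org
abuse-mailbox:  abuse@example.org'

echo "ARIN-style record ->"; printf '%s\n' "$SAMPLE_ARIN" | abuse_contacts
echo "RIPE-style record ->"; printf '%s\n' "$SAMPLE_RIPE" | abuse_contacts
```

Use `lookup_abuse 1.2.3.4` for a live chain of lookups; the address printed is the one a report about the originating host should go to, and the same helper run over the record for the spamvertised site's IP gives the hosting ISP's contact.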
I use SpamAssassin to sort and tag the spam server-side, with my threshold set at 5. Or rather I should say the ISP hosting my domain uses SpamAssassin, I don't have full control over the mail server.
Then I use Mailwasher mainly to preview the messages on the server before downloading them. Mailwasher has its own filters to tag and bag spam, and they're pretty good. Do NOT use Mailwasher's fake bounce feature, it only contributes to the problem. I get the full source of the messages before downloading and report them to SpamCop.
I then use Mozilla Mail for the actual downloading and reading, which of course has its own Bayesian filtering, but messages have already gone through two other filters before they reach it. The funny thing is that even though I preview the messages with Mailwasher, I don't delete them on the server, I want them for training purposes.
I use throw-away accounts on SpamGourmet if I need to sign up for anything online.
I only get maybe three spams a week to my real email address, so all of this may be a tad extreme. But perhaps this paranoia (I'm also very protective of my email address to begin with) is *why* I get so little spam.
My Hotmail account, OTOH, was getting about 20-30 per day, five or six of those were making it past the filters into my inbox. Since I don't use the account for much serious correspondence, I finally set myself to "Exclusive" and whitelisted those few domains that I actually want to get mail from.