De-spamming Your Inbox The Hard Way

ajain writes "Even after using precautions like dummy email address in public forums, I have been plagued by the spam mails for long time now. Accidentally, I hit upon a not-so-elegant but effective solution recently: Ever thought of shutting down the mail server temporarily to stop spam to your inbox permanently? Well, it seems to work. In my case, a two-day shutdown resulted in 97.5% decrease in spam traffic! Here are the details and a step-by-step guide to this desperate-method of spam reduction. I think I'll model, simulate and then optimize the amount of shut-down time required for spam levels to drop to zero!"

Another approach...

[beh]

You might entertain another method - if you have an internet domain of your own. Make use of mail-subdomains that you cycle through regularly.
And only trusted friends give permanent (or ermanent sub-domain) email addresses.

And as for mailing lists, if you use procmail to filter inbound messages on mailing lists, scan for specific things in it, e.g. don't just scan for the recipient, but also for specific mailing list headers. Anything that falls through this sieve you throw away (or, at least, quarantine it in a separate location).

Re:Another approach...

[whoever57]

Speaking of attacking in every way possible, I'm surprised some group of "white hat hackers" hasn't come up with a DDOS spammer attack bot, kind of like the Lycos screensaver.

You have not looked at artists against 419, have you? It's not a bot, just a few web pages that continuously reload images from spammers' sites, but it seems to be effective.

Re:Another approach...

[arget]

This doesn't actually work. Much of the spam the mail server I maintain sees goes to the abuse@ address, because for about a two or three month period, that address was the only one "scrapable" from the website, on the privacy policy. As that was the only place the abuse address was published, and because the abuse address had been active forever, but only started seeing spam traffic after it was published in the policy page, I can assure you that spambots just don't care enough to filter out abuse@.

Re:Another approach...

[Carnildo]

A cracker/black hat hacker is someone who breaks into networks with a malevolent intent, or anyone accused of cyber crime.

Conversely, a white hat hacker is someone who breaks security for altruistic purposes.

I think DDOSing spammers is altruistic, but there's an argument for malevolent intent, so there needs to be a third category: Vigilante Crackers.

The term for this I've seen is "grey hat hacker".

That only works for smart spammers

[fireboy1919]

Don't be fooled: there are plenty of stupid ones.

I shut down my e-mail server for a year and a half when I was getting the strange Spanish spams.

When I brought it back online again, I started seeing them again.

Re:That only works for smart spammers

[Throtex]

I had an e-mail address I used primarily for signing up to services that I needed to get an e-mail back from (with an autogenerated password). This was hosted on a domain that I took offline for nearly two years. When I brought it up again and created an account for the old e-mail address, lo and behold, spam kept coming.

There's little to no incentive in purging spam mail lists.

This simply doesn't work.

[barcodez]

I've got domains that I have left inactive for year then re-added them to dns and set up mail accounts for them and the spam comes in immediately.

Spammers simply aren't diligent when it comes to maintaining their list, they don't remove bounced emails (as they have spoofed all the headers anyway so they don't receive the bounces) they don't remove the address from domains without MX records or no reponding hosts(as they send all the spam from botnets that don't report failures back anyway).

I don't know what this guy did but he is thoroughly mistaken.

Re:This simply doesn't work.

[Mastoid]

Yeah, I call bullshit too. I mean, think about this. SMTP was designed to deal with unreachable hosts, which is why most relays will keep trying for five days unless they receive a permanent failure notice (such as a rejection) from further along the chain.

A two day outage might send users into a frenzy, but as far as SMTP is concerned, it's nothing. Spammers wouldn't even notice the server was offline. That's even assuming they're sending directly, not relaying through some schmuck who doesn't know how to secure his mail server.

Seriously, how did this story get approved? It shows a level of uninformed misunderstanding right up there with confusing the Web for the Internet.

you mean greylisting?

[ntr0py]

That sounds to be like a really inefficient form of greylisting.

By the way, I started greylisting on my mail server a couple of days ago, and my spam has gone down to virtually zero.

Greylisting?

[Doomie]

Isn't this just a variant of greylisting? (the link is the first hit on google for 'greylisting')

In case of our university mailserver it worked like magic. I was getting 100 spams per day and now I get 4-5 and these are mostly from 'professional' "spamming houses" (the ones with proper mailing lists and proper mailservers, but which don't like poeople who try to unsubscribe).

Re:Sure, that's fine...

[Mr.+Slippery]

What kind of important emails will you be getting from someone you haven't corresponded with in 30 days?

Most of my friends are not heavy e-mailers, and often more than a month goes by between e-mail messages from them.

Didn't work for me. Bots are stubborn.

[jakedata]

I decomissioned a mail server recently. The IP address is empty. The MX record is flat out gone.

Despite this, my packet sniffer still sees ~20 connection attempts per hour to that old address, nearly three months later. They are all bot-infected PCs according to sbl-xbl.spamhaus.org

That address was being mercilessly spammed and under constant dictionary attack.

Ultimately, I was able to use my log files to reconstruct the dictionary they were hitting me with. I put the whole thing under blacklist_to and saw a big drop in junk getting past my filters.

-j

Re:Sure, that's fine...

[fafaforza]

Most spammers use joe-job attacks so you'll likely get a double bounce back on your server, or someone innocent will get your bounce.

Greylisting

[mpeppler]

I added greylisting to my mail server, and that cut down on both spam and virus messages by a tremendous amount. See http://greylisting.org/ for more info.

NO, don't bounce, reject at MTA level ONLY

[gnuman99]

I just did a quick test on my mail server (~2500 users) to bounce only the spam that our filtering system identifies as 90% probability or higher. That's about 45-50% of the spam we get. Here are the results

No no no. DO NOT bounce mail that doesn't pass though spam filter after you accepted it for delivery. You are only spamming someone else.

What you need to do is to reject the email BEFORE you accept it in the queue. That is, after DATA is complete, scan the email and if it fails the test, then reject it at the MTA level. If you accept the email in MTA (ie. after DATA is complete), then DO NOT bounce it because the headers do not have the real FROM: anyway (in case of spam)

Also, if you are bouncing mail after DATA, then your servers will try connecting to some other MTA raising your load. Bad idea.

Re:NO, don't bounce, reject at MTA level ONLY

[Tripster]

This works great actually. There are a couple of methods to do it. I do it with SimScan (www.inter7.com) with my ISPs incoming MTA system. It checks incoming SMTP bodies with ClamAV and SpamAssassin and drops the viruses at the gate and if the message scores 10+ in SA it drops those at SMTP with a 5xx error.

Our previous method was with qmail-scanner which would then quarantine viruses and mark spam and pass it on to the end-user MTA. That method caused many pages due to high CPU usage when spammers hit hard.

The new SimScan system is C based so it is a tad easier on load, hardly see any red events anymore.

An alternative is available with Exim's exiscan patches for those using Exim.

After applying this system at my ISP the incoming spam levels have been reduced dramatically, we can still pass thru to those not wanting the filtering but for the rest of the customers they are very happy to not have nearly as much junk in the inbox.

Some have actually called wondering why they are only really getting their legitimate email now :)

Re:NO, don't bounce, reject at MTA level ONLY

[MagicMike]

I recognize you were talking postfix, but sendmail has a plugin interface for this, where the modules are called "mail filters", or "milters" for short.

So you what you want then is spamass-milter and clamav-milter (both available from the dag RPM repository for modern redhat/fedore systems - so you can update them automatically for errata packages).

There must be something similar for postfix - its more advanced than sendmail, right? No sarcasm there either - I'm sure there's a way.

The only thing to watch out for is that both spamassassin and clamav will lock up sometimes while processing mail.

I finally took a second computer and scripted up a nagios filter check that sends mail to the mail server on a specific userid, then attempts to scp the mailbox over to make sure it got filtered. If the mail doesn't show up in 5 seconds, something is wrong, and it service stop/starts all the mail server components.

That sounds bad, but it really isn't. Happens about once a day, but no mail ever drops, the sending server just queues.

Finally, spammers and virus writers learn, so you're system needs to learn too, right? Set up "RulesDuJour" to update rules from the SpamAssassin Rules Emporium (SARE - http://www.rulesemporium.com/) so SA learns as the spammers learn, and be sure to update the ClamAV definitions regularly in an automated way, and you've got a robust system that updates itself and is monitored while being a good netizen by rejecting stuff at the MTA level.

The next thing you know, inboxes are squeeky clean, and the admin is relaxed.

Cheers.

Re:NO, don't bounce, reject at MTA level ONLY

[Voivod]

No no no. DO NOT bounce mail that doesn't pass though spam filter after you accepted it for delivery. You are only spamming someone else.

Maybe I'm not following you, but even if you reject at the MTA level won't the exploited mail relay bounce the message to the forged originator anyway? The only difference is who is doing the bouncing. Either way, the rejected message is bounced, assuming that a 3rd party relay (and not custom spam software) is doing the sending.

I agree that rejecting at the MTA level is great, but I don't think the reason for this is that bounces will not result. The benefit is that your server is not having to do this wasteful work, and the exploited relay is, possibly leading it its eventual discovery. Either way the owner of the forged From address loses.

Re:NO, don't bounce, reject at MTA level ONLY

[CritterNYC]

Maybe I'm not following you, but even if you reject at the MTA level won't the exploited mail relay bounce the message to the forged originator anyway? The only difference is who is doing the bouncing. Either way, the rejected message is bounced, assuming that a 3rd party relay (and not custom spam software) is doing the sending.

Most spam is coming from an exploited box directly. If it gets a 5xx Denied message, it just fails to send that message and generates no bounce. Legit mail from a real mail server will drop a bounce message in the sender's mailbox.

Blocklists, Teergrubes, Bandwidth Suckers

[billstewart]

Active cracker DDOSing is mean and nasty and you shouldn't do it. But there are better-behaved ways to use group efforts to stop spammers.

• Blocklists are of course a critical tool - identify the spammers or the relays/proxies/zombies they exploit, publish their addresses so that people can reject mail from them.
• Sugarplums and other spam poisoners generate web pages full of bogus trap addresses for spammer address harvesters, so that they can DDOS themselves. Infinite-loop web pages, bogus email addresses, email addresses of other spammers, email addresses of teergrubes, spambait addresses on your machines that tell you to block anything from that IP address. Imagine if everybody set your 404-not-found page to include a few bogus addresses for spammers to email to...
• Teergruben are modified tarpit mail servers that answer SMTP v...errrrryyyyyyyy... sssssssllllloooooooowwwwwwwlllllllly, and can keep SMTP senders that talk to them tied up for minutes or hours. If you're running real SMTP on the same machine, you can configure the tarpit function to only happen for recognized spammer IP addresses, or else you can run a dedicated server (e.g. if you're not running your own SMTP on your DSL or cable modem.) One of these doesn't make much difference. Lots of teergrubes can tie up lots of spammers.
• Bandwidth Suckers like Artists Against 419 repeatedly download images from spammer websites to tie up their bandwidth. Because many web sites and ISPs charge for bandwidth on a 95th percentile basis, two days of heavy downloads can totally jack their bandwidth bill for a month, and small sites (e.g. free web pages) that have quotas can be taken out for the month by aggressive downloads (1GB is about 6 hours at 384kbps, so you can blow out a small quota overnight.)

Bah

[SCHecklerX]

What works well for me is mimedefang with spamassassin. My "It's Spam for sure" threshold is now about 3 points after a year or so of bayesian training. Most stuff I really want to look at comes in at -3 or less.

In mimedefang:

1. 554 reject spamhaus sbl/xbl in filter_sender. This list is easy for people to get off of if they aren't spammers. Just tell them that is why they are rejected. Spammers, of course, won't even pay attention to the 554 and continue to hammer on your server *sigh*
2. have spamassassin continue to do the RBL checks anyway, as those other lists will add to the score (but we don't want to just reject on anything but spamhaus)
3. configure sendmail to use greet_pause (1000ms on my server)
4. reject helos that claim to be your own server in filter_sender
5. reject helos that are not a fqdn or ip address in filter_sender(just make sure that the helo has a dot in between something...spammers and zombies LOVE using single-word helos)
6. have mimedefang just discard anything that is above a certain spamassassin threshold in filter_end

You wouldn't believe how much stuff gets outright rejected just by checking the helo, greet_pause, and spamhaus. Spamassassin gets the rest.

I really don't know how I managed to run sendmail without mimedefang before.

Re:KDEMail?

[ichimunki]

Believe me. The return address on penis enlargement stuff is fake (just like their product claims). The web links probably work, though. Anyone selling shady stuff via email is not going to put a real return address on it. They'll spend the whole day wading through angry messages from people fed up with spam, bounce messages, and hundreds of other non-revenue-generating emails. While not all spam headers are faked, the vast majority are.

Despamming The Easy Way

[NuttyBee]

I have a personal domain that I give out to friends. Then I have a domain I use for e-mail for everyone other than friends and assign everyone a different e-mail address.

For example: microsoft@mydomainz.com for Microsoft. If Microsoft sends my info to a spammer, I can easily shut down the microsoft@mydomainz.com with a simple filter..

I noticed that a lot of spam came through from domain registration.. register1@mydomainz.com.. Now banned. register2.. Now banned. I think I'm on 3 right now.. Those spammers never learn.

The end result is my spam level, although not zero, is so dramatically reduced that its very manageable.. Most of it gets deleted as I see the headers, so it never actually gets read.

no, no, no

[bogomipe]

This idea is as stupid as they get, the logic is flawed and experience has shown us otherwise. The most spam we get at our company is for accounts that have been bouncing for several years.

Surely no-one will act blindly on this poor fool's ramblings and kill their mail systems?

If you can't figure out what's wrong with it, don't try it.