Slashdot Mirror


De-spamming Your Inbox The Hard Way

ajain writes "Even after using precautions like dummy email addresses in public forums, I have been plagued by spam mails for a long time now. Accidentally, I hit upon a not-so-elegant but effective solution recently: Ever thought of shutting down the mail server temporarily to stop spam to your inbox permanently? Well, it seems to work. In my case, a two-day shutdown resulted in a 97.5% decrease in spam traffic! Here are the details and a step-by-step guide to this desperate method of spam reduction. I think I'll model, simulate and then optimize the amount of shut-down time required for spam levels to drop to zero!"

12 of 631 comments

  1. Another approach... by beh · Score: 3, Informative

    You might entertain another method - if you have an internet domain of your own. Make use of mail sub-domains that you cycle through regularly.
    And only trusted friends get permanent (or permanent sub-domain) email addresses.

    And as for mailing lists, if you use procmail to filter inbound messages on mailing lists, scan for specific things in it, e.g. don't just scan for the recipient, but also for specific mailing list headers. Anything that falls through this sieve you throw away (or, at least, quarantine it in a separate location).

    1. Re:Another approach... by whoever57 · Score: 4, Informative
      Speaking of attacking in every way possible, I'm surprised some group of "white hat hackers" hasn't come up with a DDOS spammer attack bot, kind of like the Lycos screensaver.

      You have not looked at artists against 419, have you? It's not a bot, just a few web pages that continuously reload images from spammers' sites, but it seems to be effective.

      --
      The real "Libtards" are the Libertarians!
  2. That only works for smart spammers by fireboy1919 · Score: 4, Informative

    Don't be fooled: there are plenty of stupid ones.

    I shut down my e-mail server for a year and a half when I was getting the strange Spanish spams.

    When I brought it back online again, I started seeing them again.

    --
    Mod me down and I will become more powerful than you can possibly imagine!
  3. This simply doesn't work. by barcodez · Score: 5, Informative

    I've got domains that I have left inactive for a year, then re-added them to DNS and set up mail accounts for them, and the spam comes in immediately.

    Spammers simply aren't diligent when it comes to maintaining their list: they don't remove bounced emails (as they have spoofed all the headers anyway, so they don't receive the bounces); they don't remove addresses from domains without MX records or with no responding hosts (as they send all the spam from botnets that don't report failures back anyway).

    I don't know what this guy did but he is thoroughly mistaken.

  4. Greylisting? by Doomie · Score: 5, Informative

    Isn't this just a variant of greylisting? (the link is the first hit on google for 'greylisting')

    In the case of our university mail server it worked like magic. I was getting 100 spams per day and now I get 4-5, and these are mostly from 'professional' "spamming houses" (the ones with proper mailing lists and proper mail servers, but which don't like people who try to unsubscribe).

    --
    Doomie
  5. Re:Sure, that's fine... by fafaforza · Score: 5, Informative

    Most spammers use joe-job attacks so you'll likely get a double bounce back on your server, or someone innocent will get your bounce.

  6. NO, don't bounce, reject at MTA level ONLY by gnuman99 · Score: 5, Informative
    I just did a quick test on my mail server (~2500 users) to bounce only the spam that our filtering system identifies as 90% probability or higher. That's about 45-50% of the spam we get. Here are the results

    No no no. DO NOT bounce mail that doesn't pass through the spam filter after you accepted it for delivery. You are only spamming someone else.

    What you need to do is to reject the email BEFORE you accept it into the queue. That is, after DATA is complete, scan the email and if it fails the test, then reject it at the MTA level. If you accept the email in the MTA (i.e. after DATA is complete), then DO NOT bounce it, because the headers do not have the real FROM: anyway (in the case of spam).

    Also, if you are bouncing mail after DATA, then your servers will try connecting to some other MTA raising your load. Bad idea.

    1. Re:NO, don't bounce, reject at MTA level ONLY by Tripster · Score: 4, Informative

      This works great actually. There are a couple of methods to do it. I do it with SimScan (www.inter7.com) with my ISP's incoming MTA system. It checks incoming SMTP bodies with ClamAV and SpamAssassin and drops the viruses at the gate, and if the message scores 10+ in SA it drops those at SMTP with a 5xx error.

      Our previous method was with qmail-scanner which would then quarantine viruses and mark spam and pass it on to the end-user MTA. That method caused many pages due to high CPU usage when spammers hit hard.

      The new SimScan system is C-based so it is a tad easier on load; I hardly see any red events anymore.

      An alternative is available with Exim's exiscan patches for those using Exim.

      After applying this system at my ISP the incoming spam levels have been reduced dramatically. We can still pass through to those not wanting the filtering, but the rest of the customers are very happy to not have nearly as much junk in the inbox.

      Some have actually called wondering why they are only really getting their legitimate email now :)

    2. Re:NO, don't bounce, reject at MTA level ONLY by MagicMike · Score: 3, Informative

      I recognize you were talking postfix, but sendmail has a plugin interface for this, where the modules are called "mail filters", or "milters" for short.

      So what you want then is spamass-milter and clamav-milter (both available from the dag RPM repository for modern Red Hat/Fedora systems - so you can update them automatically for errata packages).

      There must be something similar for postfix - it's more advanced than sendmail, right? No sarcasm there either - I'm sure there's a way.

      The only thing to watch out for is that both spamassassin and clamav will lock up sometimes while processing mail.

      I finally took a second computer and scripted up a nagios filter check that sends mail to the mail server on a specific userid, then attempts to scp the mailbox over to make sure it got filtered. If the mail doesn't show up in 5 seconds, something is wrong, and it stops/starts all the mail server components.

      That sounds bad, but it really isn't. Happens about once a day, but no mail ever drops, the sending server just queues.

      Finally, spammers and virus writers learn, so your system needs to learn too, right? Set up "RulesDuJour" to update rules from the SpamAssassin Rules Emporium (SARE - http://www.rulesemporium.com/) so SA learns as the spammers learn, and be sure to update the ClamAV definitions regularly in an automated way, and you've got a robust system that updates itself and is monitored while being a good netizen by rejecting stuff at the MTA level.

      The next thing you know, inboxes are squeaky clean, and the admin is relaxed.

      Cheers.

    3. Re:NO, don't bounce, reject at MTA level ONLY by CritterNYC · Score: 4, Informative

      Maybe I'm not following you, but even if you reject at the MTA level won't the exploited mail relay bounce the message to the forged originator anyway? The only difference is who is doing the bouncing. Either way, the rejected message is bounced, assuming that a 3rd party relay (and not custom spam software) is doing the sending.

      Most spam is coming from an exploited box directly. If it gets a 5xx Denied message, it just fails to send that message and generates no bounce. Legit mail from a real mail server will drop a bounce message in the sender's mailbox.

  7. Blocklists, Teergrubes, Bandwidth Suckers by billstewart · Score: 4, Informative
    Active cracker DDOSing is mean and nasty and you shouldn't do it. But there are better-behaved ways to use group efforts to stop spammers.
    • Blocklists are of course a critical tool - identify the spammers or the relays/proxies/zombies they exploit, publish their addresses so that people can reject mail from them.
    • Sugarplums and other spam poisoners generate web pages full of bogus trap addresses for spammer address harvesters, so that they can DDOS themselves. Infinite-loop web pages, bogus email addresses, email addresses of other spammers, email addresses of teergrubes, spambait addresses on your machines that tell you to block anything from that IP address. Imagine if everybody set your 404-not-found page to include a few bogus addresses for spammers to email to...
    • Teergruben are modified tarpit mail servers that answer SMTP v...errrrryyyyyyyy... sssssssllllloooooooowwwwwwwlllllllly, and can keep SMTP senders that talk to them tied up for minutes or hours. If you're running real SMTP on the same machine, you can configure the tarpit function to only happen for recognized spammer IP addresses, or else you can run a dedicated server (e.g. if you're not running your own SMTP on your DSL or cable modem.) One of these doesn't make much difference. Lots of teergrubes can tie up lots of spammers.
    • Bandwidth Suckers like Artists Against 419 repeatedly download images from spammer websites to tie up their bandwidth. Because many web sites and ISPs charge for bandwidth on a 95th percentile basis, two days of heavy downloads can totally jack their bandwidth bill for a month, and small sites (e.g. free web pages) that have quotas can be taken out for the month by aggressive downloads (1GB is about 6 hours at 384kbps, so you can blow out a small quota overnight.)
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  8. Bah by SCHecklerX · Score: 3, Informative
    What works well for me is mimedefang with spamassassin. My "It's Spam for sure" threshold is now about 3 points after a year or so of Bayesian training. Most stuff I really want to look at comes in at -3 or less.

    In mimedefang:

    1. 554 reject spamhaus sbl/xbl in filter_sender. This list is easy for people to get off of if they aren't spammers. Just tell them that is why they are rejected. Spammers, of course, won't even pay attention to the 554 and continue to hammer on your server *sigh*
    2. have spamassassin continue to do the RBL checks anyway, as those other lists will add to the score (but we don't want to just reject on anything but spamhaus)
    3. configure sendmail to use greet_pause (1000ms on my server)
    4. reject helos that claim to be your own server in filter_sender
    5. reject helos that are not a fqdn or ip address in filter_sender (just make sure that the helo has a dot in between something...spammers and zombies LOVE using single-word helos)
    6. have mimedefang just discard anything that is above a certain spamassassin threshold in filter_end

    You wouldn't believe how much stuff gets outright rejected just by checking the helo, greet_pause, and spamhaus. Spamassassin gets the rest.

    I really don't know how I managed to run sendmail without mimedefang before.
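As an added example (not code from this thread, mimedefang or SimScan), here is the staged policy that comments 6 and 8 recommend, in Python: DNSBL and HELO checks that refuse a sender before any body is read, and a scan at the end of DATA that answers 5xx instead of accepting the message and bouncing it later. The hostnames, the score threshold and the DNSBL zone are assumed values.

```python
"""Added example (not mimedefang/SimScan code): the staged reject policy the
thread recommends, refusing during SMTP and never bouncing accepted mail.
Hostnames, the score threshold and the DNSBL zone are assumed/constructed."""
import ipaddress
import re

OUR_HOSTNAMES = {"mail.example.org", "example.org"}  # constructed names
REJECT_SCORE = 10.0  # assumed SpamAssassin score that is refused after DATA


def dnsbl_query_name(ip, zone="sbl-xbl.spamhaus.org"):
    """Name a filter_sender-style check would resolve: reversed octets plus
    the zone (zone assumed). The DNS lookup itself is left to the caller."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_helo(helo, our_hostnames=OUR_HOSTNAMES):
    """Return None if the HELO is acceptable, else the 5xx reply to send."""
    h = helo.strip().lower()
    if h in {n.lower() for n in our_hostnames}:
        return "554 5.7.1 HELO impersonates this server"
    try:
        ipaddress.IPv4Address(h.strip("[]"))  # [192.0.2.1] style literal
        return None
    except ValueError:
        pass
    # The thread's rule of thumb: a real FQDN has a dot between labels.
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", h):
        return "554 5.7.1 HELO must be an FQDN or address literal"
    return None


def smtp_session(client_ip, helo, score, listed=False):
    """Replies we would send for one inbound message. `listed` stands in
    for a positive DNSBL answer and `score` for the scan done after DATA."""
    if listed:
        return ["554 5.7.1 %s listed at DNSBL" % client_ip]  # before HELO
    bad = check_helo(helo)
    if bad:
        return [bad]  # refused at HELO: no body read, nothing to bounce
    replies = ["250 ok", "250 2.1.0 sender ok", "354 end data with ."]
    if score >= REJECT_SCORE:
        # Reject at end of DATA: a real MTA tells its own user, a zombie
        # just moves on, and no bounce to a forged sender is ever created.
        replies.append("550 5.7.1 message rejected as spam")
    else:
        replies.append("250 2.0.0 accepted")  # now ours: never bounce later
    return replies
```

Once `smtp_session` has answered `250 2.0.0 accepted`, any later decision has to be delivery, quarantine or discard, never a bounce, which is the point the thread keeps returning to.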