De-spamming Your Inbox The Hard Way

ajain writes "Even after using precautions like dummy email address in public forums, I have been plagued by the spam mails for long time now. Accidentally, I hit upon a not-so-elegant but effective solution recently: Ever thought of shutting down the mail server temporarily to stop spam to your inbox permanently? Well, it seems to work. In my case, a two-day shutdown resulted in 97.5% decrease in spam traffic! Here are the details and a step-by-step guide to this desperate-method of spam reduction. I think I'll model, simulate and then optimize the amount of shut-down time required for spam levels to drop to zero!"

Shutdown

In my case, a two-day shutdown resulted in 97.5% decrease in spam traffic!

Rumour has it that shutting down your server permanently will result in a 100% reduction in spam traffic.

That only works for smart spammers

[fireboy1919]

Don't be fooled: there are plenty of stupid ones.

I shut down my e-mail server for a year and a half when I was getting the strange Spanish spams.

When I brought it back online again, I started seeing them again.

consequence:

[Progman3K]

A few hundred random people received
"The message you sent X was undeliverable"
spam instead.

Nice.

Re:consequence:

[Mr.+Bad+Example]

> A few hundred random people received
> "The message you sent X was undeliverable"
> spam instead.

That's the worst haiku I've ever seen.

This simply doesn't work.

[barcodez]

I've got domains that I have left inactive for year then re-added them to dns and set up mail accounts for them and the spam comes in immediately.

Spammers simply aren't diligent when it comes to maintaining their list, they don't remove bounced emails (as they have spoofed all the headers anyway so they don't receive the bounces) they don't remove the address from domains without MX records or no reponding hosts(as they send all the spam from botnets that don't report failures back anyway).

I don't know what this guy did but he is thoroughly mistaken.

Re:This simply doesn't work.

[SoTuA]

I don't know what this guy did but he is thoroughly mistaken.

I'd bet a beer that the new mail server installed at his institute includes some form of spam protection. My university's mail system has gone down for two days, and I still get one or two hundred spam mails a day. (of course, only one or two make it through the spam filters :)

Sounds like fun

[hobo2k]

Anybody want to help me shutdown hotmail for a couple days?

Maybe they added spam filtering?

[sterno]

The article says that the school upgraded to a new version of Exchange during that two day period. IS it possible that during the course of the upgrade they also added some anti-spam features that aren't visible to the end user?

I know that personally I've had my mail server go down for more than two days without a backup relay and had no notable drop in spam traffic.

Re:KDEMail?

[rf600r]

Bounce != no SMTP session at all

Spammers care little if at all about bounces. Ponder, for a moment, how many bounce messages his server sent when it was off if this is still confusing you.

Greylisting?

[Doomie]

Isn't this just a variant of greylisting? (the link is the first hit on google for 'greylisting')

In case of our university mailserver it worked like magic. I was getting 100 spams per day and now I get 4-5 and these are mostly from 'professional' "spamming houses" (the ones with proper mailing lists and proper mailservers, but which don't like poeople who try to unsubscribe).

Unacceptable

[DanteBlack]

This is a totaly unacceptable solution in a real-world business environment. Two days worth of bounced emails and even a moderate size company could miss over a $100K worth of online orders. Worse yet they could lose a current customer or, almost certainly, a potential customer. Customers as a rule don't take kindly to bounced orders and then they go to a competitor.

There are drop in solutions out there. Use them if it's a real issue.

Re:KDEMail?

[Erik+Hensema]

No. Bounces never reach the spammer. Ever. Spammers always use fake sender addresses, so the bounces will go to an innocent bystander.

So, while totally ineffective, you also burden the innocent bystander with yet another bounce.

The only way to combat spam is to reject it on the SMTP level.

Note that the guy in the article was wrong. When a mailserver is offline for two days, no bounces are sent. Sending mailservers will usually retry for 5 days before bouncing the message.

However, spammers don't use mailservers to send their spam, they deliver the spam direcly to the receiving mailserver. They've got instant feedback on wether the spam is accepted by the mailserver or not.

When a mailserver is offline, spammers will know immediately. However I doubt they'd remove your name from the list because of this simple fact. Mailservers are regulary offline for multiple days.

In this case I rather think they installed a very good spamfilter on that brand new Exchange Server.

Re:Sure, that's fine...

[fafaforza]

Most spammers use joe-job attacks so you'll likely get a double bounce back on your server, or someone innocent will get your bounce.

Yes, like greylisting. (ie, Postgrey for Postfix)

[kriegsman]

Our Postfix mail server uses Postgrey (click link for graph showing effectiveness), and it's as close to 'magic' as I've seen yet in the antispam category.

-Mark

Re:Another [failed] approach...

[rjamestaylor]

From: Sammy Spammy
To: undisclosed-receipient
Subject: Don't buy this: Get it free!

For a limited time you can get the Wally Whizbanger FREE!!!!
...

Re:Another approach...

[ReverendLoki]

. And there's no such thing as a white hat cracker.

... at least not after Labor Day...

NO, don't bounce, reject at MTA level ONLY

[gnuman99]

I just did a quick test on my mail server (~2500 users) to bounce only the spam that our filtering system identifies as 90% probability or higher. That's about 45-50% of the spam we get. Here are the results

No no no. DO NOT bounce mail that doesn't pass though spam filter after you accepted it for delivery. You are only spamming someone else.

What you need to do is to reject the email BEFORE you accept it in the queue. That is, after DATA is complete, scan the email and if it fails the test, then reject it at the MTA level. If you accept the email in MTA (ie. after DATA is complete), then DO NOT bounce it because the headers do not have the real FROM: anyway (in case of spam)

Also, if you are bouncing mail after DATA, then your servers will try connecting to some other MTA raising your load. Bad idea.

Re:NO, don't bounce, reject at MTA level ONLY

[Tripster]

This works great actually. There are a couple of methods to do it. I do it with SimScan (www.inter7.com) with my ISPs incoming MTA system. It checks incoming SMTP bodies with ClamAV and SpamAssassin and drops the viruses at the gate and if the message scores 10+ in SA it drops those at SMTP with a 5xx error.

Our previous method was with qmail-scanner which would then quarantine viruses and mark spam and pass it on to the end-user MTA. That method caused many pages due to high CPU usage when spammers hit hard.

The new SimScan system is C based so it is a tad easier on load, hardly see any red events anymore.

An alternative is available with Exim's exiscan patches for those using Exim.

After applying this system at my ISP the incoming spam levels have been reduced dramatically, we can still pass thru to those not wanting the filtering but for the rest of the customers they are very happy to not have nearly as much junk in the inbox.

Some have actually called wondering why they are only really getting their legitimate email now :)

Re:NO, don't bounce, reject at MTA level ONLY

[CritterNYC]

Maybe I'm not following you, but even if you reject at the MTA level won't the exploited mail relay bounce the message to the forged originator anyway? The only difference is who is doing the bouncing. Either way, the rejected message is bounced, assuming that a 3rd party relay (and not custom spam software) is doing the sending.

Most spam is coming from an exploited box directly. If it gets a 5xx Denied message, it just fails to send that message and generates no bounce. Legit mail from a real mail server will drop a bounce message in the sender's mailbox.

Re:Another approach...

[whoever57]

Speaking of attacking in every way possible, I'm surprised some group of "white hat hackers" hasn't come up with a DDOS spammer attack bot, kind of like the Lycos screensaver.

You have not looked at artists against 419, have you? It's not a bot, just a few web pages that continuously reload images from spammers' sites, but it seems to be effective.

Or delay delivery, and check again ...

[theblackdeer]

Our ISP has set up a slightly more elegant way to fliter out lots and lots of spam. They call it DoubleVerify.

From the FAQ (http://www.olympus.net/doubleVerifyNL):

DoubleVerify gets two chances to automatically identify mail. When mail arrives at our mail server the first time our server requests the sending mail server to send it a second time. Spammers rarely comply. Legitimate mail servers typically resend the mail about fifteen minutes later. Once OlympusNet receives mail the second time, it immediately delivers that mail and continues to immediately deliver mail from that sender. The DoubleVerify process works invisibly and is handled automatically by the mail servers.

You can whitelist entire domains (like your company, for example), too. It's worked pretty well for us.

Re:Another approach...

Actually if you own a domain. Simply use abuse@yourdomainhere.com as your e-mail address. You will never receive any spam. I know this is not practical for most people but it works flawlessly.

Those who don't understand technology are ...

[Obfuscant]

doomed to repeat it. From the article:

During that time, all the mails sent to my mail account were of course bouncing.

Of course they were NOT. During that time, emails sent to your account were being held at the sending server, or, in the case of spammers who aren't using open relays, there was a timeout during the connection to port 25 on your server. Neither results in a bounce. Most intelligent email systems are set up with a 5 day queue.

In other words, it will take 5 days for bounces to start being sent. That's for real email. For the spam, the bounces will be sent to fake addresses and the spammers will never see them.

I've had systems in place on many of my accounts for YEARS that bounce (reject with "unknown user" errors) spam and the same spammers keep sending the same shit over and over again. I've waatched the mail logs on my domain's servers where 99% of the incoming email is undeliverable spam (it ALL bounces) and the same spammers keep sending the same shit over and over again. Spammers simply either DO NOT CARE if they get a bounce, or do not see the bounces anyway.

There must be a different explanation for the reduction in spam. A new spam filter on the server, for example. Spammers seeing bounces and stopping is patently ridiculous.

Re:Another approach...

[Kethinov]

I wonder if someone might write a program or plugins for existing mail programs to adapt on this approach? Every time you mark a mail as junk, it sends it back to your mail server to be treated as if it were bounced. This way anything you mark as junk gets bounced back to the spammer as if your mail server was down. Have the cake and eat it too?

Not a good idea

[Q2Serpent]

Many spam emails have forged 'from' addresses and/or envelope senders, so if you bounce the email, the bounce may end up at some unsuspecting person's email. This only adds to the problem.

Blocklists, Teergrubes, Bandwidth Suckers

[billstewart]

Active cracker DDOSing is mean and nasty and you shouldn't do it. But there are better-behaved ways to use group efforts to stop spammers.

• Blocklists are of course a critical tool - identify the spammers or the relays/proxies/zombies they exploit, publish their addresses so that people can reject mail from them.
• Sugarplums and other spam poisoners generate web pages full of bogus trap addresses for spammer address harvesters, so that they can DDOS themselves. Infinite-loop web pages, bogus email addresses, email addresses of other spammers, email addresses of teergrubes, spambait addresses on your machines that tell you to block anything from that IP address. Imagine if everybody set your 404-not-found page to include a few bogus addresses for spammers to email to...
• Teergruben are modified tarpit mail servers that answer SMTP v...errrrryyyyyyyy... sssssssllllloooooooowwwwwwwlllllllly, and can keep SMTP senders that talk to them tied up for minutes or hours. If you're running real SMTP on the same machine, you can configure the tarpit function to only happen for recognized spammer IP addresses, or else you can run a dedicated server (e.g. if you're not running your own SMTP on your DSL or cable modem.) One of these doesn't make much difference. Lots of teergrubes can tie up lots of spammers.
• Bandwidth Suckers like Artists Against 419 repeatedly download images from spammer websites to tie up their bandwidth. Because many web sites and ISPs charge for bandwidth on a 95th percentile basis, two days of heavy downloads can totally jack their bandwidth bill for a month, and small sites (e.g. free web pages) that have quotas can be taken out for the month by aggressive downloads (1GB is about 6 hours at 384kbps, so you can blow out a small quota overnight.)

Re:Blocklists, Teergrubes, Bandwidth Suckers

[jonastullus]

- "blocklists" are also questionable because the maintainers of these lists gain a lot of power and often ask for huge amounts of money for address-ranges which were accidentally added to be removed again!

- "teergruben" are a nice idea, but they would have to rely on source address filtering or only kick in after a few hundred messages. and if the spammer simple multithreads his sending "server" he might not be THAT bothered with slower delivery, as he can have thousands of concurrent deliveries, totally bogging down the receiving server!
and also, if teergruben should just be the exception it is trivial to add a timeout to the delivery routine to abort after 1 minute or so of trying to deliver!

- "bandwidth suckers" - this is just the kind of anarchistic vigilante justice that SHOULD SIMPLY NOT occur! even if it were not for the "collateral damage" to the network infrastructure and "innocent" pages being accidently hit, this is no better than stoning criminal suspects to death without proper trial...

- "sugarplums" - this idea is actually pretty good but looking at the small return that spammers are getting at the moment this won't really slow them down much. even at 1% reached mail addresses the spammers still have virtually no cost in sending millions of mails out and thus will be hindered but far from stopped by injecting wrong mail addresses! also you have to generate those fake addresses without the spammers getting behind your mechanism of randomizing the addresses and you MUST also take care NEVER to inject a valid mail address by chance!

there has actually been quite a discussion how to make mailing more "reliable" on a grand scale and i still find the idea of forcing mail servers to solve some computationally expensive computation rather nice. although this will cost legitimate service providers a little in hardware this will hit the mass mailers by far worse because they simply rely on cheaply mailing millions of mailings in a short time frame...

well, so much for "innocent" protocols used in a hostile, mercantilistic, hard-to-trace and more-or-less-anonymous environment...

jethr0

for love of logic...

[rich42]

my car started running poorly a few months ago - so I took it into the shop. when I came back to get my car - they charged me $400. it runs great now. not driving my car for two days fixed it! now I'm going to try not driving it for 3 days to see if it fixes the rips in my upholstry. Also - did anyone else hear that you can reformat your 120GB drive to 260GB with no ill effects? I read that on slashdot a while ago!