Interview With The SpamAssassin

comforteagle writes "Howard Wen has conducted an interview with Daniel Quinlan of SpamAssassin. In it he explores what keeps Daniel motivated in the face of the unrelenting torrent of spam and new spamming techniques, as well as, what is working - what is not, and what he predicts spammers have up their sleeves next for defeating spam detection." From the interview: "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

gmail has good spam protection

[erick99]

When I got to over 300 spam a day was just about the time I tried gmail (google mail). So far this is the best spam protection I have come across. My spam folder is getting about 400 a day now but I can't remember the last time a "good" message went in there. I still get about five spam a day that I need to manually deal with.

Re:gmail has good spam protection

[winkydink]

I agree that Google has good protection, Even with slutting my email address by publishing it on /., the amount of spam that makes it into my gmail box is surprisingly small.

Re:gmail has good spam protection

[Neil+Blender]

I second that. I have all my mail from all my accounts forwarded to my gmail account. The spam filters are amazing. By the way, I have about 150 invites to give out if anyone wants one (they are getting harder and harder to get rid of.)

Re:gmail has good spam protection

[int2str]

I disagree completely.

I'm subscribed to the Linux kernel mailing list with a GMail account and it constantly marks legitimate messages as Spam. Since the emails have such a common format and subject matter, that's really surprising.

On the flip side, many Spam messages and phishing attempts make it through GMails filter.

My small business mail server running Spamassasin and some blacklists is much more efficient compared to Gmail.

Cheers,
Andre

Re:gmail has good spam protection

[snorklewacker]

gmail's spam filtering annoys the hell out of me: No whitelists. I'm subscribed to a spam discussion list, so it trips spam filters all the time, and I'm constantly having to fish messages out. I don't care that it classifies it as spam, I'm just annoyed at the fact that I cannot ever override its judgement.

Re:gmail has good spam protection

[jgclark123]

I agree; although I still have my Hotmail account on /., I have received no spam in my Gmail account. Hotmail is like a spam magnet, I suggest using Yahoo! or Netscape mail instead of Hotmail. Also, Gmail invites are difficult to give away... but if you need any check out my sig.

Re:gmail has good spam protection

That's correct. I had an extra gmail invite so I set it up and signed up for about 100 high volume mailing lists and a bunch of news alerts from cnn and google. I have received about 25,000 emails from these groups and have about 500 messages in the spam folder. 99% of the messages in the spam folder are mailing list messages.

Not that I care or anything, I just want to see what happens when I reach the gigabyte limit. I'm at 40% right now.

Re:gmail has good spam protection

[Threni]

> gmail has good spam protection

yeah, but you can't turn it off, and gmail doesn't forward mail it's erroneously decided is spam, so you still have to log in sometimes to read the false positives.

Re:gmail has good spam protection

[Afrosheen]

Come on, say it with me:

T-H-U-N-D-E-R-B-I-R-D

That's right, a decent mail client from the geniuses at Mozilla that filters spam. It's pretty damn accurate once it learns a little...and it includes white and blacklisting.

Re:gmail has good spam protection

[sirTifiable]

I agree, we are a small buisness with around 20 staff and we were getting around 300-400 spam a day through our exchange server. I put in a Linux box running sendmail and SA and it is down to around 3 a day. Well worth the effort and considering what we are paying for Exchange server, a damn good solution.

Re:gmail has good spam protection

[Murphy+Murph]

I also agree.
If anything I would say that most phishing attempts seem to make it through Gmail's filters.

The only type of spam that seems to consistantly get tagged correctly is all the non-english spam I get.

Re:gmail has good spam protection

Come on, say it with me:
T-H-U-N-D-E-R-B-I-R-D
That's right, a decent mail client from the geniuses at Mozilla that filters spam. It's pretty damn accurate once it learns a little...and it includes white and blacklisting.

Thunderbird is fine if you have only one machine you read e-mail from. But Thunderbird alone does not help someone who needs to access their mail from anywhere.

For me, I use a combination of Courier IMAP + fetchmail + procmail + Spambayes. I use Thunderbird currently (with spam filtering turned off), but thanks to IMAP its completely irrelevant want client I use and I can switch between them or even use different ones simultaneously. My e-mail comes to me with the spam filtered out, and the best thing is I have had no false positives (thanks to Spambayes), which I can't say the same about Thunderbird. False positives are much worse than the occasional spam coming through.

Only problem is contacts. I haven't had a chance to play with LDAP, so I don't have a synchronized set of contacts across all my machines. So what I do for now is store all my contacts in an e-mail that's saved in an IMAP folder.

I can also setup a web interface, but have not gotten around to that, mainly because I don't need it.

Re:gmail has good spam protection

[Murphy+Murph]

If a discussion list you are subscribed to is constantly tripping Gmail's spam filter - there is a solution.

You simply need to go to settings - and create a filter. I have my filters set up to apply a label to matching email. Labels in Gmail work very much like folders in other email clients.

Re:gmail has good spam protection

[exhilaration]

No, Gmail filters do NOT whitelist messages.

I've seen several of my filtered messages end up labeled as spam. Since they *were* spam, I was quite happy to see this.

Re:gmail has good spam protection

I just ran some tests - you are correct.
For the record - the messages received both labels, but ended up in the spam "folder".

Huh.

Re:gmail has good spam protection

[Rahga]

The reason for this is obvious. Tons of people rely on gmail to get messages from lkml, gnome lists, and other known and trusted sources. When the mailing lists let the spammer messages go through, gmail would probably think it's unwise to filter messages from an source that so many others trust and rely on. Autowhitelisting en masse.

Re:gmail has good spam protection

Even with slutting my email address by publishing it on /., the amount of spam that makes it into my gmail box is surprisingly small.

is that a challenge?

Re:gmail has good spam protection

[adeydas]

This is quite natural. Gmail uses the Bayesian Spam Technique to check spam. As you must be aware, it considers mails of high freqency with the same email address and headers as spam. Since a mailing list has the same header and email address, it is considered as spam by the filter.

Re:gmail has good spam protection

[SillyNickName4me]

Gmail seems to have relatively decent spam protection indeed, but it is not as good by far as my private sendmail/procmail/sa/clamav setup. First of all, gmail has too many false positives and second its spam learning doesn't seem to work very well and last but not least, it lets an amazing amount of phishing mails through.

It may have helped for sa that I have an account with thousands of spam messages, and no normal mail whatsoever, so initial 'teaching' of the Bayesian filter it has was soemwhat easy :)

I mostly use openwebmail as client, which has nice integration with sa and a nice set of learn spam/ham buttons.

It doesn't catch all spam, but no false positives so far, and about 1 in every 500-800 spam messages gets through.

The biggest advantage I see for the setup that I have is that you can tune it ourself, but if you don't know how, then that is not such a relevant argument. ALso, many people depend on their ISP for this, and in that case gmail may well do a better job at it.

Cloudmark SpamNet

[Zendar]

Been using Cloudmark's SpamNet for over a year and haven't looked back since. Nothing gets by.

Disclaimer: No interest in the company. Just a satisfied customer.

Re:Cloudmark SpamNet

[brj]

I tried Cloudmark once, but found their false positive rate to be atrocious. They were tagging legitimate marketing emails from companies like REI that I had actively signed up for as spam. Their network of lusers are too lazy to unsubscribe from legit emails and they just report them as spam. Argh! (This was several years ago, so I don't know if things have improved since then.)

Re:Cloudmark SpamNet

[Jherek+Carnelian]

Personally I would find that useful. Way too many companies automatically sign me up for their spam-lists just because I've made a purchase with them. I consider those messages to be spam, "pre-existing business relationship" or not, I didn't ask for them - I gave them an email address for order status updates, period.

I've never even been to cloudmark's web page, but seems to me that if you actively want specific marketing email they ought to have a whitelist option.

Re:Cloudmark SpamNet

[mollymoo]

Way too many companies automatically sign me up for their spam-lists just because I've made a purchase with them.

How many of these businesses have failed to remove you from their mailing lists on request? You have actually tried asking them, right?

Re:Cloudmark SpamNet

[Pete]

You've missed the point. If a company sends you commercial propaganda email that you didn't specifically request - and you didn't give them permission to send (to you) - then they're spamming you.

You shouldn't ever ask a spammer to "remove" you from their list.... even if they did remove you (and some do) who would want to be in debt to a spammer? Alternatively, if enough people report them, they'll (sooner or later) get added to mainstream RBLs - then they can just sit there and wail "No no, you've got us all wrong, spamming is what other people do!" :-)

Re:Cloudmark SpamNet

[SillyNickName4me]

The solution for this seems rather simple...

Do not ever buy from companies that are not very explicitly clear about what they will use your email addy for. Often they have this checkbox saying 'inform me of future products' or similar that you have to uuncheck, do so if provided, if not, and f they are not absolutely clear that they will not mail commercial junk, do not do business with them.

Re:Cloudmark SpamNet

[mollymoo]

You already have a relationship with this company. There is no problem with contacting them. You know where they live, they are not faceless spammers using hacked boxes to spam everyone and their dogs. I actually *like* some of the emails I get from companies I do business with. Your solution would in effect criminalise them and deprive me of product updates, special offers and the like because you are too lazy to even attempt to unsubscribe.

Any decent site has a privacy policy and if you don't even look at it before agreeing to buy that's your problem, not mine. If you don't like it then shop elsewhere.

Re:Cloudmark SpamNet

[Jherek+Carnelian]

Often they have this checkbox saying 'inform me of future products' or similar that you have to uuncheck, do so if provided, if not, and f they are not absolutely clear that they will not mail commercial junk, do not do business with them.

Such checkboxes, privacy policies and whatnot are meaningless.

They may with absolute good faith say that they won't spam me today. But tomorrow, when they get a new director of marketing, or when their revenues take a surprise dip, or whatever flavor of excuse pops into their heads, there is nothing preventing them from changing the policy.

you'ved been spammed!

[dmf415]

v1agr@ r0g@1n3

Who has noticed a decrease in the effectiveness of Spam Assasin. I have! Anyone else?

Re:you'ved been spammed!

[Kainaw]

Who has noticed a decrease in the effectiveness of Spam Assasin. I have! Anyone else?

I still have SpamAssassin running, but I wrote my own spam filter to run before it because SpamAssassin was letting through so much spam. I found that my own filter is far more effective. Perhaps it is only because I can customize it easily (as I wrote the code) to handle what I receive. SpamAssassin has to be generalized for everyone else. Also, SpamAssassin didn't do an IP Address lookup on all links the emails, which is what I wanted and has continued to be the most effective blocking tool I have.

Re:you'ved been spammed!

Then how about making those enhancments into additional modules/tests for SpamAssassin? Then everyone can benefit or they can disable that feature if they dont want it.

Re:you'ved been spammed!

[QuasiEvil]

For me it comes and goes, but yes, in the last couple weeks I've noticed a dramatic increase in false negatives. I feed them back into the bayesian filter for training, but it doesn't seem to help much. The worst part is that there's no real pattern to the stuff that gets through, other than the fact it tends to be very minimalist - a few words, often about a stock to invest in, etc.

That said, SA has been a saviour of unimaginable proportions. I get 400-600 pieces of spam a day, and normally it's very good about getting all but 1-2 of them each day with hardly any false positives. Lately it's been letting 10-20 slip through, though.

Re:you'ved been spammed!

[Christopher_G_Lewis]

It's just an arms race. SpamAssassin gets better, then the spammers adjust.

Part of the problem with open source spam filters, the Bad Guys can reverse engineer what's currently being tested.

I kinda wish that the SpamAssassin group would separate their tests from their product development, so we could get more frequent update of the "offical" spam assassin filters. However, I remember reading somewhere that testing and evalutating any new rules against their current corpus takes quite a long time.

Also, make sure you check out http://www.rulesemporium.com/ for more frequently updated rules.

Re:you'ved been spammed!

[Werrismys]

No, I have not noticed a decrease. I constantly train the bugger.

Re:you'ved been spammed!

[ch-chuck]

I've noticed an increase in stock tip spam getting through (spamassassin at my FreeBSD based ISP, so I don't control it) - but they capatalize O's a lot so they're pretty easy to weed out 5 or 10 a day.

hOt stOck tip!

Re:you'ved been spammed!

The servers I administer gets over 600,000++ pieces of spam daily. Since we host web based e-mail for over 300,000+ users.. Spam and Virii are a major issue.

Thank god for milter-greylist, ClamAV, and SpamAssassin. Our servers and users are alot happier.

Re:you'ved been spammed!

[RockClimb]

Who has noticed a decrease in the effectiveness of Spam Assasin. I have! Anyone else?

I have been running Spamassassin for over a year now and have not noticed any real change. 1 or 2 spams get through (out of about 500) every 1 to 2 days. I should add that I also use spamcop, razor, bays, server blocks, and in the begining I wrote many of my own rules. If anything, Spamassassin is getting better because the inbound spam level goes up, but the amount in my inbox stays the same. These results will vary from person to person based on the spam lists you are on. If you need to take viagra, need breast/penis enlargment, can't find your Rolex, need meds or a loan, need to loose weight, want to gamble online, want to see women do everything under the sun, etc., etc., your results might be different :)

Re:you'ved been spammed!

[Kainaw]

Then how about making those enhancments into additional modules/tests for SpamAssassin?

I never claimed to have written modules/tests for SpamAssassin. I wrote a completely separate filtering program. Also, it is available for anyone to use if they really want to. I put it in the 'projects' section of my website shaunwagner.com

Re:you'ved been spammed!

What is that "Virii" thing you guys keep talking about?

Re:you'ved been spammed!

[SillyNickName4me]

> SpamAssassin has to be generalized for everyone else. Also, SpamAssassin didn't do an IP Address lookup on all links the emails, which is what I wanted and has continued to be the most effective blocking tool I have.

Spamassassin is rather tunable and extendable. Generalized? yes, as in providing a generalized framework for this. It is the actual tests that determine the score, it is you who determines how tose scores work out and what is considered spam.

THere are obviously some checks that you may want to do that SA wont have, but imho it is way more effective to add a plugin to spamassassin then writing one that sits in front of it.

Re:you'ved been spammed!

[SillyNickName4me]

By default, the 'weight' of the bayesian test is not very high (1.6 or thereabout). After having used SA for a while and having fed enough mails to its learning feature, it may be wise to increase the weight of the bayesian filter (see spamd.conf)

Complain as much as you can!

[iolaus]

"If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

How the hell do you think the national do-not-call list came about? Because people bitched and complained! I agree there are spam solutions out there but I still think there should be an easier, more fool-proof, and legally backed way of opting out of spam.

Re:Complain as much as you can!

[dotslasher_sri]

and legally backed way of opting out of spam.

This might be a little difficult to do. Spamming is already is illegal in US. But anyone can spam from other countries. And making the US laws apply over there would be difficult.

in my opinion a fix to spam has to come from the software side, not from the government side.

Re:Complain as much as you can!

And just how effective is it? I get double as much political phone calls now (which are exempted from the do-not-call list), and still get tons of auto-dialer phone spam which is impossible to block because there aren't any human beings on the other end.

Re:Complain as much as you can!

[winkydink]

The US and other countries could put pressure on China to get them to clean up their ISPs. If you reduce the number of safe-spamming havens, you should reduce the smount of spam.

Re:Complain as much as you can!

[hawkbug]

Keep dreaming. Most spammers are not in U.S., or if they are, they are untraceable unless your the FBI who has bigger fish to fry. No legal tactic on the planet is going to solve this problem. A technical solution is all you can hope for - which when you think about it, should be very possible and is getting closer all the time.

Re:Complain as much as you can!

[zangdesign]

in my opinion a fix to spam has to come from the software side, not from the government side

Well, the government could help by making it legal to mutilate spammers on the first offense ...

On a more serious note, just make it legal to go after the companies that hire spammers.

Wait, I like the first idea better. Yeah. Mutilate spammers. And their families.

Re:Complain as much as you can!

I'm beginning to wonder what people would pay, as a group, for the heads of spammers on a pike. I mean literally. Hunt down a few of the really bad ones, place their heads on pikes, and put the pikes in public places. They may not last long there, at least only until the police arrive, but that would probably send a pretty powerful message.

Re:Complain as much as you can!

[kwerle]

I guess there are a few. Various states make it illegal to send spam. I don't know offhand if there is a federal law (in whatever country you're in), but none of that matters.

American laws are not enforceable in

Given that trademark, copyright, etc, laws are not universally accepted/enforced, I'm thinking this is something that can not be outlawed.

A smallish part of the problem is that the SMTP protocol is broken in how naiive it is, but people are working on that (see http://spf.pobox.com/ etc).

How the hell do you think the national do-not-call list came about? Because people bitched and complained! I agree there are spam solutions out there but I still think there should be an easier, more fool-proof, and legally backed way of opting out of spam.

If phonecalls were free internationally (and just wait), the do-not-call list wouldn't mean squat.

Re:Complain as much as you can!

We should hand spammers over to pissed off chimps.

Re:Complain as much as you can!

[dotslasher_sri]

The US and other countries could put pressure on China to get them to clean up their ISPs. If you reduce the number of safe-spamming havens, you should reduce the smount of spam. Well spammers will choose a different country then. It would just be a cat and mouse game, and on top of that its not really a fix to stop spam using the email protocol. i think something must be done in the email protocol.

Re:Complain as much as you can!

[winkydink]

You start running out of countries with cufficient bandwidth pretty quick.

Re:Complain as much as you can!

[bbuR_bbuB]

Most spam these days isn't coming from China and the far east. Instead, they are coming from zombie PC's haxored by spammers, most likely right in your own backyard. Well, maybe not your backyard, but a lot of it is definately coming from the US again. So much for blocking .cn emails....

Re:Complain as much as you can!

[winkydink]

Not .cn emails. A lot of US-based spam is coming via Chinese ISPs.

Re:Complain as much as you can!

[frankie]

Most spammers are not in U.S.

This is false. The SpamHaus list shows the USA hosts more spammers than the other countries put together.

the FBI who has bigger fish to fry

This is somewhat true. We won't put a dent in spam from a legal perspective until a federal agency devotes some serious infrastructure to the job.

That's mainly due to lack of willpower and expertise rather than funding, however. A competent "Spam Czar" armed with the authority to seize spammer's personal assets could easily achieve self-funded operation within a year.

Re:Complain as much as you can!

[syousef]

"If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

This fool needs to realize that not everyone is or wants to be a computer expert, or an email specialist just so they can use their email. If every day a barrel of paper junk mail got delivered to your door you'd sure as hell complain, not just arrange to have a paper recycling company sort and collect the rubbish, or learn about the intricacies of the US postal system.

When are we in the IT industry going to stop telling users that they need to be computer experts to run a computer. The RTFM attitude just does not cut it!

Re:Complain as much as you can!

[soliptic]

Spamming is already is illegal in US. But anyone can spam from other countries.

You're kidding yourself if you think that's the explanation. I reckon 80% of the spam I get is US based. No, I don't know that it's sent from mail servers in the US, probably zombies, but it definitely advertises US products to a US audience. Rx??? Didn't even know what that meant til I got 50 spam a day about it. What the hell is it with you guys and prescription medicine anyway? Approved for a new low rate? Is it really so difficult to find a mortgage via legitimate means?

Anyway, the point is it seems to me that if I WANTED to buy from the vast majority of spammers, then as a non-US citizen they wouldn't be interested in my custom.

From where I'm standing, at least, spam is mostly an American problem. Spanish-language second coming in a fairly distant second. China? Never seen any spam whatsoever advertising Chinese products to a Chinese audience.

And, imho, where the spam is technically sent from is utterly irrelevant. Follow the money!!

Re:Complain as much as you can!

This is a very small PART of the problem. The main problem are these clueless John Q's out there getting suckered into buying WinBlows machines and not patching them or doing stupid things like getting suckered into opening attachments or actually believing that Ebay is asking for "account information".

And of course there are the clueless ISP's not taking ANY action to repond to spam complaints which point out which machines are infected.

Spammers then use these infected machines to sent theit smut.
Of course it's not just US machines getting infected, it's world wide - MicroCraps world domination.

=c

Re:Complain as much as you can!

[houghi]

The US and other countries could put pressure on China to get them to clean up their ISPs.

You mean something like this? Remember that politics is a slow process.

Re:Complain as much as you can!

Don't we all laught at attempts at a technical solution to the copyright problem, because we all know that they will be obsolete before they are even fully implemented? There are enough people without ethics who are smart enough to bypass any simple technical solution, and the complex technical solutions never work well enough for something ubiquitous like email.

I'm with the side that goes for punishment. Harsh punishment. Make people afraid to spam. These guys get paid like drug dealers, but they don't risk getting shot. Change that. As long as it pays well, people will do it.

Re:Complain as much as you can!

[legirons]

China and other countries should put pressure on Florida to get them to clean up their ISPs. If you reduce the number of safe-spamming havens, you should reduce the amount of spam.

Re:Complain as much as you can!

[mollymoo]

The US and other countries could put pressure on China to get them to clean up their ISPs.

It's all China's fault is it? Let me guess, if this was 1980 it would all be the USSR's fault, 1991 Iraq's fault, 1945 Japan's fault, 1955 Communism's fault...

Re:Complain as much as you can!

[Martin+Blank]

Re: Prescription medicine:

Not sure about the UK, but in Canada and mainland Europe, much of the population is on at least one prescription medication, often anti-depressants. I've seen estimates suggesting that within the next decade or so, nearly half of the population of the industrialized nations will be on various prescription meds to deal with stress, weight, cholesterol, diabetes, and/or cancer, among other things. I've not had a prescription for anything in probably seven years, and not for anything more than antibiotics in... well, I'm not sure I've ever had anything other than antibiotics prescribed. I've even been lucky enough to avoid even painkillers, except for the occasional local anaesthetic at the dentist and once when I broke my arm as a child.

However, what is an issue is the cost here, since that's not regulated. While some drug manufacturers are correct in saying that the research costs justify the final prices, some others aren't, and huge advertising budgets don't help. (I would like to go back to the days when the drug manufacturers weren't advertising everything everywhere. It at least seemed much quieter then.) Many people will go looking for medications at a lesser cost, not realizing that they may be getting lower-quality illegal imports, sugar pills, or even unknowns. Some people will do this because they want to try Viagra or Cialis but are too embarrassed to talk to their own doctor about it because they suspect that they'll get turned down.

Re:Complain as much as you can!

[Rich0]

This is somewhat true. We won't put a dent in spam from a legal perspective until a federal agency devotes some serious infrastructure to the job.

I don't think that is true.

Sure, from the standpoint that there are 10,000 people sending mail, if you only bust 2 per year it would take 5000 years.

However, you can look at it another way. Make the sending of a spam message a serious crime. Then, all the FBI agent needs to do is check his home email account, pick one email, and start back-tracing logs to figure out where it came from. Once you track that single email back to a source you send the originator to Levenworth for 10 years. If he was being paid to do it you use RICO and work your way right up the food chain.

Suddenly there are FAR fewer than 10,000 people in the spam business, and they all have to live underground lives.

Right now you can be a mass-spammer and just live in a nice huge house and freely talk about what you do for a living. It is hard to deter people from going into that kind of a lifestyle.

I agree with the other reply, however, that law enforcement should be funded by society for the purpose of protecting it. It should not be a source of revenue...

My view

[elid]

OSDir.com: What's the craziest/toughest spamming scheme that the SpamAssassin team has encountered and dealt with?

Quinlan: That would probably be advance fee fraud, also known as "Nigerian" or "419" scams. These messages are often literally sent individually to each recipient, mutating each time, by scammers typically located somewhere in West Africa. Because they often are sent in low volume, and almost every one is somewhat different, they are a bit tricky to catch.

An easy solution for home users who don't happen to know anyone from West Africa is to just block all e-mail from there. But even without that, I have had decent success in the past with a combination of SpamAssassin tagging e-mails and Thunderbird filtering. Stay away from OE. Far, far away.

Re:My view

[ornil]

An easy solution for home users who don't happen to know anyone from West Africa is to just block all e-mail from there.

Much of this email comes from free webmail providers. So I don't see how it would help.

Re:My view

[snorklewacker]

Most 419's are sent from UK and Dutch ISP's. I'm not going to block all of .uk and .nl, thankyou. 419's may be hard to catch, but they represent pretty low volume. Not really considered a priority. Phishing is getting to be really bad news. Even if you're not dumb enough to fall for it, I bet you'll look real hard at any real correspondence from your bank. That cloud of suspicion is what the banks hate the most.

And yes, stay way away from OE. The full blown outlook isn't too bad, though it has severe problems all its own, but OE is a non-stop disaster.

Re:My view

[daremonai]

I have found that Bayesian filtering is essentially 100% effective on 419 scam mail. As is obvious when reading any of them, they have a very distinctive vocabulary...

The "trick," such as it is, is to maintain three separate Bayes databases - a "good" one, a "spam" one, and a "419" one. Filter with good vs. spam first, and then with good vs. 419. This seems to work better than just lumping 419 mail in with other spam, since as Quinlan notes, the 419 scam mail tends to have little content in common with other spam. But with a separate filter, it can be identified with essentially 100% accuracy.

Re:My view

[silvwolf]

Even if you're not dumb enough to fall for it, I bet you'll look real hard at any real correspondence from your bank. That cloud of suspicion is what the banks hate the most.

Yup. Take Paypal for example. Unless I know I generated the email by sending money, I ignore anything from them. If they do send legitimate emails I wouldn't know it. They can figure out a way to send me a message when I login to the website if they want to get a message to me.

SURBL

[JohnGrahamCumming]

OSDir.com: What's the most effective anti-spam technology that SpamAssassin uses right now?

Quinlan: I think network rules are the most effective single technology, in particular, the URI rules that use SURBL, looking for spammer domains in Web links.

The SURBL can be found here: http://www.surbl.org. It's a very good thing, so much so that spammers are starting to try to get around it by doing stuff like this:

Copy the following URL removing the space into your browser:

www. spammer-site.com

John.

Re:SURBL

[Kainaw]

The SURBL can be found here: http://www.surbl.org. It's a very good thing,

I cannot agree with this enough. I wrote my own SURBL-like spam filter before SURBL was available. I mentioned it twice on Slashdot before SURBL and everyone said it wouldn't work, but it was great. The only way you can get a false-positive is if someone sends you a link to a spammer's website in an email that you actually want. Really, how often does that happen?

I have since expanded my own filter to handle the "copy the following link" craze, as well as all the forms of encoding emails. I also used the same technology to block phone numbers because I get a hell of a lot of "call us for refinancing" spams. Like SURBL, it works great.

Re:SURBL

[silentbozo]

Is it a Spamassassin rule or a Procmail recipie? If so, can you share? I'm still stuck using SA 2.63 (too much of a pain to migrate right now, since so much was changed between SA 2.63 and SA 3) and I'm sticking with doing some incremental rule upgrades.

Re:SURBL

[JohnGrahamCumming]

http://chris.kainaw.com/projects/ferriera/

Re:SURBL

[Rocketship+Underpant]

The SURBL can be found here: http://www.surbl.org. It's a very good thing, so much so that spammers are starting to try to get around it by doing stuff like this:

Copy the following URL removing the space into your browser:

www. spammer-site.com

The nice thing is that with each new work-around, spamming gets more difficult and less profitable for the spammer. Since they don't know who has spam filtering and who doesn't, they have to make every email convoluted.

Most of the spam messages that make it through my filter are unreadable because of all the misspellings, bizarre wording, and so on. And I doubt that most of the gullible fools who would actually click a spammer's link know how to copy an address from Outlook and paste it into their web browsers. I'm sure my parents would have trouble doing it (not that I'm saying they're gullible fools, though my mom did try buying airline tickets from a phishing site once).

Re:SURBL

[joranbelar]

Interesting - the whole "copy and remove space" idea is something you see all over the place as an anti-harvesting technique for email addresses (like slashdot employs). Now spammers themselves are using anti-spam measures from within their spam to combat spam filters....

ow. My brain is starting to hurt.

Re:SURBL

[mpath]

I'm not sure this (SURBL) is very well implemented, though. I get a few false positives b/c my DNS flakes out or something and then non-BL'd sites are reported. Bug report here.

Re:SURBL

[agrippa_cash]

I believe that there is a javascript program which takes your email address from a long string (created earlier) and translates it back to text. This is done to foil spambots, but a very slight variation could be used to foil suburl. Of course people would have to have JS enabled in their mail client to read the spam. But the only people dumb enough to do that are the same ones who w4NT CH3@p C1ali5!

Re:SURBL

[jeffcsu]

Yes there is an apparent SA bug that occasionally causes the SURBL lookups to FP. Strictly speaking that's almost certainly not the fault of SURBLs which are the data source in RBL form. If you are using Windows, you may want to upgrade to the latest version of ActiveState PERL, which apparently fixes a possibly related Net::DNS buffer overflow bug. I don't have a reference for the PERL bug, but here's a SpamAssassin bug mentioning the fix.

We use a Brightmail tool on Ironport appliances

[csoto]

IT IS THE BOMB. Spam loads to my work account dropped by orders of magnitude. Now, Mail.app identifies maybe 2 per day, instead of 200+.

Charles

Re:We use a Brightmail tool on Ironport appliances

[superpulpsicle]

Wait the sec, my comcast mail filters out 70 a day, 2 sneaks by. I don't consider that a success. It's good, but not 100% success.

Once again..

[daeg]

I've said it before, but I have to promote PopFile (http://popfile.sourceforge.net/) again. Since doing a bit of training, it now correctly sorts about 99% of my e-mail. I get about 600 messages a day not including mailing lists, and my accuracy is 99.65%. It is generally not susceptible to new spam techniques unless they can match the subject matter that my e-mail typically covers.

When they start spamming "Linux IPF Apache LOOK! Vi@GR@ makes your peNi$ PHP Bug CSS" I will be concerned.

Re:Once again..

[JohnGrahamCumming]

I wouldn't worry too much. I receive spam with "POPFile" as a word in the spam and it still catches it as spam.

John.

Re:Once again..

[eclectro]

When they start spamming "Linux IPF Apache LOOK! Vi@GR@ makes your peNi$ PHP Bug CSS" I will be concerned

Thanks for telling the world that.

Re:Once again..

From my experience, Bayesian Filtering (as POPFile uses) is the best way to filter spam. There is a little pain at first but if allows you to have a much more accurate filter for the specific types of email you get. Some spam is not spam for everyone.

I don't understand why everyone doesn't use it. Just lets users say "hey, this is spam to me" and that is that.

Re:Once again..

[ajs]

Heh, I always get a kick out of this message. It's not the same person, but someone always says, "I use spam filter X, and it's great because it gets 99.mumble% of spam." It sounds good at first, because percentages are the wrong metric to use here.

99% of correctly identified spam is considered the entry point. If you can't at LEAST get that much, then you're worthless. If you can get that much, then you are in a position to improve and start getting a respectable amount of spam.

SpamAssassin uses several techniques to improve past this basic level of accuracy.

To give you a sense, yesterday I got 14,028 messages that moved through (or at least attempted to move through) my personal MTA (just two users). 153 of those were delivered as legitimate mail in theory (one was actually spam, unidentified).

Do the math. 99.65% would allow 49 spams through per day on my site! No thanks, I don't need Viagra that bad.

Re:Once again..

[Sq]

They already HAVE started doing it. There is a spam part, and a bigger part with some excerpt from the book or something.

Am I alone?

[The+Eagle+Maint]

Maybe I'm the lucky minority here, or my mail host has some crazy filters I don't know about, but I very, very rarely recieve any type of spam. Now, I don't go handing out my email address either. If I'm signing up for something shady, I use another address at a web-based email account, which does get a lot of spam... but otherwise I use the mail host that comes with my website http://www.surpasshosting.com/ and Thunderbird as a client, and never see any type of spam.

Re:Am I alone?

[Neil+Blender]

Some people have had the same email address for 10-15 or more years and used them in public when spam wasn't really a problem. Also, if you have your own personal domain name and have default catch set to your email address, you can get spammed even if you never give out your email address. I get spam sent to some.common.firstname@mydomain.com all the time and it ends up in my inbox.

Re:Am I alone?

It's possible it's being very strict about who it receives mail from. I had my mail going through one host just for mail, who then bounced it to my home machine. I'd get perhaps 10 spam emails a day from that.

When I switched the mx record directly to my home box, the exact same email address receives over 200 a day.

I figure it's all in the rejection of IP addresses known to have spammed or who are more likely spammers.

Re:Am I alone?

[bfline]

I'm with you. I hardly ever get spam. I just don't ever enter a real email address when it asks for one in forms. You know who you are people, who sign up for every contest. This is where you are essentially signing up for spam. I just put a fake address in when I have to fill out a form. I have two addresses, the real one that is just for friends and family and another that I use in cases where I have to use a real address on the web. But I rarely ever use that account.

Re:Am I alone?

[snorklewacker]

> Maybe I'm the lucky minority here, or my mail host has some crazy filters I don't know about, but I very, very rarely recieve any type of spam. Now, I don't go handing out my email address either.

Some of us think that's a really sad state of affairs when you can't have a public email address. I mean yes, there's cranks who might send you flames or whatever, but one shouldn't have to be utterly innundated with crap just for letting everyone know their address.

Sadder still is that this sort of secrecy just becoming the norm now.

(no, I don't put my email on my slashdot account, but I like being pseudonymous for other reasons)

Re:Am I alone?

[Saeed+al-Sahaf]

Which is why, when you run your own personal mail server (qmail with vpopmail, anyone?), you should not have a default catch. If it does not go to a real account, dev/null it.

Re:Am I alone?

[pixelpusher220]

you aren't alone. but I also make heavy use of yahoo free accts until I'm comfortable the account isn't being spammed too.

There was a time though that I wasn't as careful and even with the same email address for over 5 years I'm only getting 2-3 a day at most.

Re:Am I alone?

I use a hotmail account, and only get one or two spams a week, including my junk folder. Guess I'm just lucky ^_^.

A spam "bubble"?

[antifoidulus]

From TFA:
The greater challenge is that the new techniques never stop coming. It's possible spammers will eventually run out of tricks, but it definitely hasn't happened yet. Most techniques backfire fairly in the long run, and make it more obvious that a message is spam.
You gotta wonder if there is a spam "bubble" that will burst pretty much like every other bubble. It started the same way, a few scammers got the idea of sending out scams via email and were quite successful, and everyone else started to jump on board. But soon enough(hopefully) people will learn their lesson and spam will slow....maybe I'm putting too much faith in people.
But it is interesting to see how many "me too" trends there are in spam. Up until about 2 years ago, I never received a 419 scam, but now I get at least one a week. Up until about a year ago, I never received a rolex email(typically the domain of brick and mortar(ok, urine soaked streetcorner) drifters), but now I get a few a day.

Re:A spam "bubble"?

[BackInIraq]

But it is interesting to see how many "me too" trends there are in spam. Up until about 2 years ago, I never received a 419 scam, but now I get at least one a week. Up until about a year ago, I never received a rolex email(typically the domain of brick and mortar(ok, urine soaked streetcorner) drifters), but now I get a few a day.

Strangely, I was getting the occasional 419 a couple years ago or more, but they were always adapted...never actually mentioned Nigeria. Now almost every one I see (and I see at least one a day because they are the one thing that seems to get through the filtering on my server) is ripped right from the "classic" Nigerian template.

Maybe they're just getting too lazy to come up with shit.

I think the best way to fight spam is through education. Start getting the word out somehow that this guy really isn't from nigeria, that that supplement won't make your penis bigger, etc. Maybe if people stop falling for this shit (and people do, or it would have stopped long ago) lowlifes will stop sending it out. Perhaps if AOL, MSN, and the like replaced their "Hey, welcome to our mail service...aren't we great?" with something more like "Welcome to MSN...in case you're new to the internet, here are some things you should know." Might seem redundant and silly, but so are the ones they really send, so what's the difference.

Hell, I'm almost tempted to start spamming with informative emails telling all these people that the OTHER spam they're getting is bullshit. Maybe that would work.

Then again, even if you got the word to everybody on the internet, the next minute another sucker would be born...and a million Nigerians would be out there trying to find him.

Re:A spam "bubble"?

> You gotta wonder if there is a spam "bubble" that will burst pretty much like every other bubble

Absolutely -- it's showing signs that it already has burst, sort of like the dotcom bubble had a few burps before the big bloodletting on wall street. Spam in general appears to be plateauing, though morphing enough that it always defeats the simpler filters.

phishing and viruses are sure to go on the upsurge however.

Re:A spam "bubble"?

[snorklewacker]

> I think the best way to fight spam is through education. Start getting the word out somehow that this guy really isn't from nigeria, that that supplement won't make your penis bigger, etc. Maybe if people stop falling for this shit (and people do, or it would have stopped long ago) lowlifes will stop sending it out.

Not to sound too cynical, but:

1) Stupid people are also resistant to education.
2) There's a sucker born every minute.

Sure, education is great, but I really am not holding my breath.

Re:A spam "bubble"?

[verbatim_verbose]

The problem with the idea of the spam bubble bursting is that spammers don't have the same economic situation that most companies do. Sending out spam to a million people doesn't cost much more than it does to send it to 10,000 - you can increase the number of customers you get without having to increase your "advertising" fees much at all, or having to hire more employees, etc.

This all means that spammers can be far less successful than any other business, yet still remain in business.

How to stop spam

[Merdalors]

Two words: Spam Arrest. Zero spam, no filters to nurse, no lost mail.

Re:How to stop spam

[Sassan+Sanei]

Uh, I don't think so. Wasn't Spam Arrest the one who spammed everyone who ever sent email to any of their subscribers - to advertise their anti-spam service? http://www.google.ca/search?q=spam+arrest+spammed+ customers Cheers, Sassan Sanei

Re:How to stop spam

Oh yes, challenge-response. Stop spam by spamming everyone else, and making everyone so annoyed with you that they don't bother.

Not to mention that Spam Arrest are themselves spammers.

Re:How to stop spam

Three words: No email address! :)

SpamAssassin has SURBL support

SpamAssassin got 'native' SURBL support in 3.0

Business cards

[nizo]

I bet he has cool business cards:
Daniel Quinlan - Spam Assassin
He can tell people his job is to kill spammers. Which reminds me, I wonder if anyone at the IRS actually checks what job title you put on your tax forms?

Re:Business cards

[inject_hotmail.com]

He can tell people his job is to kill spammers. Which reminds me, I wonder if anyone at the IRS actually checks what job title you put on your tax forms?

"Yeah, my job is to slaughter the product of another man's...and people love me for it."

Yep...that'd be worth a few tax credits in my book. We need more guys like him! My client's are forever begging me for spam filtering s/w...

Inject.

Re:Business cards

[LetterJ]

"I wonder if anyone at the IRS actually checks what job title you put on your tax forms? "

This is the federal government. It's probably someone's exclusive job to not only read it, but hand copy it in blue ink into large 3 ring binders which are then manually typed in by someone else employed full-time to do such an activity.

Re:Business cards

So I guess putting "Senior Tax Evader" as my occupation probably wasn't such a good idea?

Re:Business cards

[anticypher]

I wonder if anyone at the IRS actually checks what job title you put on your tax forms?

I used to put down Taxpayer. When I was working in the states, just over one half of what I earned went to the government, so it was accurate.

the AC

Re:Business cards

[bluGill]

So long as it is honest. You are required by law to report your occupation. You are required by law to report all the income you have. The law does not allow as evidence anything you are forced to reveal (This is known as the fifth amendment). Thus if you put "tax evader" on the forms, and this is your primary occupation they cannot get you on this. They might investigate you, but if you are good at hiding your tracks they can do nothing about it.

This comes up most often for drug dealers. If you report a lot of self employment income and list your job is drug dealer, they cannot get you on the easier charge to prove: tax evasion. Remember, Al Capone was got on Tax evasion, he managed to hide all evidence of his drug (alcohol) operations, but the court was able to find he had far more income than he was reporting. If he had reported that income they couldn't have got him.

Re:Business cards

Which reminds me, I wonder if anyone at the IRS actually checks what job title you put on your tax forms? I've been entering "All around good guy" for the last few years. No contact from the IRS yet.

Re:Business cards

[bsdbigot]

Although he would disagree that he is a "tax evader," you should check out this guy Larken Rose, recently under endictment, who qualifies for that title about as much as anyone possibly can. Much interesting reading, there, if you want to know about the inner workings of the IRS and tax laws.

Re:Business cards

[BenEnglishAtHome]

This comes up most often for drug dealers. If you report a lot of self employment income and list your job is drug dealer, they cannot get you on the easier charge to prove: tax evasion.

The last time this came up with an officer I personally know (I wasn't directly involved with the case) the drug dealer under indictment for distribution decided to stave off the tax charges by filing a John Doe return. His attorney showed up at the office with a completed tax return and, I kid you not, a briefcase full of money.

It was only a partially successful ploy. The tax charges were avoided, but the drug-sniffing dogs went bonkers on the briefcase. Man, was that lawyer pissed that his client had given him such a contaminated pile of bills.

Re:Business cards

[bluGill]

Yeah, the downside is that the police will be looking at you. So you have to be even more careful to keep everything hidden.

Re:Business cards

[dysjunct]

Which reminds me, I wonder if anyone at the IRS actually checks what job title you put on your tax forms?

As someone who used to work for the IRS, I can say yes, but it doesn't really matter. It's only when there is a large discongruity between your stated occupation and your actual income that it would raise a red flag.

I've seen people put "Bum" and "Domestic Goddess", in addition to a whole host of other things. In general, anyone worth the agency's resources to pursue for tax fraud is going to use a tax attorney anyway, who would therefore prima facie lack any sense of humor anyway. =^)

Your best choice

[evil-osm]

Don't publish your e-mail address in a public forum, only idots do crap like that and they get what they deserve.

Re:Your best choice

[winkydink]

As I said to an earlier poster, Google is doing an amazing job keeping things out of my gmail box even though my address is posted on /.

Re:Your best choice

[evil-osm]

Yeah I think I remember that, "do your worst" IIRC...anyway it was an attempt at a poor joke (note my signature).

Re:Your best choice

[bbuR_bbuB]

-- E. evil-osm@hotmail.com

You have obviously missed the joke.

Re:Your best choice

[Just+Some+Guy]

My email address is kirk@strauser.com, and I approve this message.

If you can't use your own address then your spam filters suck. I will not let spammers decide where and with whom I share my address. It is mine, and I'll do what it takes to defend it.

Re:Your best choice

[evil-osm]

You moderators are morons, did you not see that I had my e-mail address in the stupid signature... ITS A JOKE... so eager to mod people down.

popfile

[John_Sauter]

I can second that. I have been using popfile for months, and it is currently doing an excellent job of putting my spam in a separate folder from my other correspondence.
John Sauter (J_Sauter@Empire.Net)

All I can say is...

[Anthony+Boyd]

...God bless Daniel Quinlan and people like him. I have had a hell of a time with my daughter's email. A LOT of Web sites for kids have a "mail a friend" option. At one point my daughter wanted to use that option on a few sites. These are kid-oriented sites with privacy statements, so the sites felt trustworthy.

Fast forward to two weeks later, and one of those #@!&^ing sites has sold her email address to every spammer in the nation. My little kid got 196 spams yesterday -- for Viagra, lesbian cheerleader porn, you name it. So I have become heavily interested in every anti-spam product known to man. I've got 'em on the server, and got 'em on the client. Right now, with redundancy, this is 99% accurate, and my daughter gets only messages from friends and family. My biggest problem is not that spam gets through, but that false-positives block a legit message every now & then. That is the area I hope improves the most.

Re:All I can say is...

[disposable60]

Give the girl a new email address - they're free after all. And point out to her that all the scary crud that's been arriving has also been hitting her friends' boxes because of the 'mail-a-friend' thing.

Re:All I can say is...

[wolf-]

For my kids, I use a whitelist only system.
If you aint on the list, you aint gettin through.

While I despise whitelist only systems in the business world, in this specific situation, it is the only way to ensure that only people the kids know, can email them.

We dont drop non whitelisted mail. It sits in a file for a while, and we go through it periodically if someone says "hey, I sent you mail" and they were not whitelisted.

Re:All I can say is...

[secolactico]

I've been wondering what'll do when my kid is old enough to have an email address, and so far, the only solution I fully trust involves quarantining messages for parental approval.

Or maybe a combination of solutions: spamassassin + quarantine of non-whitelisted sources.

Re:All I can say is...

[Doctor+O]

Why don't you just allow whitelisted mail only (depending on her age)? I know for sure when my kids are old enough for e-mail, they'll start with whitelist-only.

I don't know what the problem is.

[defore]

When I get spam I don't want I just unsubscribe from it. "WHAT DO YOU MEAN IT WILL TAKE 72 HOURS TO REMOVE MY ADDRESS?"

Other analogies

[LordOfYourPants]

"If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

It seems pretty simple to me: complaining leads to awareness, which leads to action. Maybe a bunch of people on Slashdot griping about spam won't amount to jack, but let Oprah or someone else with a grappling hook or two on the office/church/bar water cooler complain about it and they can make a difference in social attitudes.

SpamAssassin is a good step but the real problem is the social system which makes spamming possible. How else can you explain a 60-year-old grandmother 1) using her computer as a spam relay, 2) acknowledging it on television, and 3) not seeing it as a problem because it's "legal" and she's getting regular cheques to do so?

How is it that a social/legal system can be designed to bankrupt and scare the shit out of people who share a few movies or songs but barely put a dent in the people sending out millions of useless, offensive, and content-bordering-on-the-illegal emails? Is there nothing wrong with this?

Re:Other analogies

[LordOfYourPants]

Quick correction (I missed this when previewing). Replace "social system" with "social attitudes."

Re:Other analogies

[Tom]

How is it that a social/legal system can be designed to bankrupt and scare the shit out of people who share a few movies or songs but barely put a dent in the people sending out millions of useless, offensive, and content-bordering-on-the-illegal emails? Is there nothing wrong with this?

The problem is that spam is causing damage to the commons, and the commons have nobody to defend them. Everyone is affected, but everyone cares just so far.
The movie companies, however, care deeply and focus on their legal offensive. There's no focus when it comes to common problems.

If you can't run your own mailserver...

[vasqzr]

A pop3 proxy works great. I recommened SpamBayes

http://spambayes.sourceforge.net/

Re:If you can't run your own mailserver...

[maird]

A SMTP proxy may be as good: http://sourceforge.net/projects/assp/ I use this configured to give an error response on delivery of messages it rejects. It receives the whole message first and all spam goes into a dump mailbox. So I get to monitor it's filtering and cause failures on incoming spam. FWIW, I've noticed my daily spam message counts decreasing since I enabled error on spam behaviour.

Re:If you can't run your own mailserver...

I use SpamBayes on the server side and it works well. I have had no false positives, not even in my "maybe" results.

How does SpamBayes compare to the bayesian filtering in SpamAssasin?

Meridius Spam Appliance

[Morgahastu]

My company uses a spam appliance called Meridius. It's based on some proprietary technology and uses spam assassin as a second layer. It has a very slick interface and stops about 97% of spam. Oh and it's made by a Canadian company called BlueCat Networks.

Re:Meridius Spam Appliance

And, just because I work for BlueCat should not put you off.

Re:Meridius Spam Appliance

Geez, 97% is quite rotten. 99.7% should be your target.

personalized training

[the+quick+brown+fox]

Quinlan: Any technique that tries to identify "good" mail without authentication backing it up, or some form of personalized training. It worked well for a while, but it's definitely not an effective technique today.

What's wrong with personalized training? I get more spam than almost anyone I know, and SpamBayes does a fantastic job for me.

Re:personalized training

[bperkins]

I think you are reading this as:

(Any technique that tries to identify "good" mail without authentication backing it up,) OR some form of personalized training.

But I think the intention was:

Any technique that tries to identify "good" mail without (authentication backing it up, OR some form of personalized training.)


It's that comma that's confusing.

Re:personalized training

[Daniel+Quinlan]

(groan)

Someone (the author or some editor) added that comma to my sentence. My original email had no comma there. A clearer phrasing that would not tempt someone into adding punctuation would be:

[The least effective technique is] Any technique that tries to identify "good" mail with neither authentication backing it up nor some form of personalized training.

They also removed the name of the company where I work (IronPort), which struck me as a bit odd considering how my job allows me to do open source was part of the article. I think my employer deserves some kudos for that. Not to mention implying that I'm more than just one of the developers. There are eight commiters, six of them on the Project Management Committee and two of them (Justin Mason and Theo Van Dinter) write at least as much code as me.

Re:personalized training

[the+quick+brown+fox]

Thanks, that makes a lot more sense. Damn ambiguous English language :)

yahoo has good spam protection too

[krunk4ever]

i've been using yahoo for years and i get about 3000 spams per month which averages to about 100 spams a day. not quite as much as you, but i get about 1 spam a week that falls into my regular inbox. however, some of my newsletters which i subscribed to did get marked as spam and after marking them as not spam a couple of times, yahoo spam filter was smart enough not to do it again.

I don't use it

[sfjoe]

I admin a handful of domains and I don't use anything except blocklisting by IP address. I get a handful of spam emails per week that regularly get reported to Spamcop. Since I am in regular contact with many of the people that email me, I can be sure to know if I am falsely blocking innocent domains - hasn't happened yet. For some reason it makes many people crazy that my method works for me - so many people think they have the absolute right to contact me if it suits them. I feel that if you do business with a spam-supporting ISP, you have nothing to say that I need to hear.

Re:Fr0st P1st!

I bet the third post will be by a Google-employee bragging about how great Gmail's spam protection is (of course omitting the fact that every mail read with gmail conjures 20 AdNonSense-ads by Google's online-pharmacy and casino-spam friends.

Disgusting.

DSPAM

[wumpus188]

DSPAM is what worked best for me. It is not easy to set up but definitely worth the trouble.
As of today, 99.985% spam filtering rate.

Re:DSPAM

[gvc]

What exactly do you mean by "99.985% spam filtering rate" and how did you measure it?

Bollocks

[Tim+Ward]

Some of us have to earn a living. If potential clients can't contact us as easily as possible they'll just try someone else.

Re:Bollocks

[kendbluze]

I found many potential new clients are intrigued by experiencing the potential of a challenge/response permission-based email setup

The next frontier in spam fighting

[PurpleFloyd]

As alluded to in the article, the next chapter in the war against spammers is not going to be in blocking open relays or known spammers. Rather, more and more spammers are using hordes of broadband-connected and spyware/virus-infested zombie hosts to do their dirty business.

This has both good and bad aspects. First, the good news: responsible ISPs will be able to block a good portion of spam at their routers and mailservers; it's not hard to detect and blacklist a PC which is spewing the same email to 20,000 different recipients. Unfortunately, it only takes a few poorly-configured ISPs to provide a great deal of bandwidth to spammers. Couple this with Windows' known security holes, and home users' typical apathy regarding patches and security updates, and you have a large pool of potential spam-hosts which cannot be as easily targeted as open relays or specialized spam-spewing servers. After all, if spammers are using a legitimate ISP's mail server to send spam, a remote admin can't block that mail server without also condemning large amounts of legitimate email to deletion, which may well be unacceptable.

The upshot of all this? The onus of spam filtering is going to be, more and more, on ISPs rather than on recipients. While this has its good side - spam filtered at the source doesn't take up as much precious bandwidth - it also means that filtering will be more difficult for those not close to the source.

Re:The next frontier in spam fighting

[Linux_ho]

As alluded to in the article, the next chapter in the war against spammers is not going to be in blocking open relays or known spammers. Rather, more and more spammers are using hordes of broadband-connected and spyware/virus-infested zombie hosts to do their dirty business.

Uh, where have you been? Non-malware open relays haven't even been on the radar for the last two years. Practically all spam comes from either virus zombies or known spammers hiring offshore ISPs to provide them with 'legit' relays. This isn't a "new trend." It's changed very little over the past couple years, the only trend I've seen lately is that MORE spam is coming from spam-friendly offshore ISPs, who seem to have a nearly endless supply of unblacklisted IP addresses to cycle through. Hello, APNIC?

Might as well p1mp my fave too...

[ErikTheRed]

We run a cluster of Barracuda Networks spam firewalls. They use mainly open-source software (spam-assassin on Linux, plus lots of other stuff), are super-easy to install, and they advertise on Slashdot. What more do you want?

remember the economics

[LuxFX]

It depends on how you define "spam-free." If you mean that nobody is sending spam, posting blog spam, sending spam over chat networks, etc. then I think the chances are rather slim. If you mean that most people will rarely see [email] spam, then I think it's possible.

But I think that one would lead to the other. If relatively few people are seeing spam, then suddenly spamming is no longer making money for the spammers, and they would eventually stop actually sending it.

Of course that's an optimistic scenario. It would probably lie somewhere in the middle. Fewer and fewer people see the spam, so spamming itself is less and less cost effective. Fewer and fewer spammers participate, while the remaining ones will have to reduce their fees since there will be fewer views. Fewer spammers and less money mean less innovation. Eventually (hopefully), the entire movement will slow down until spamming is only done by a few recluses targetting only the most oblivious users.

It takes only one

[VIIseven7]

Trying to keep your email address private is the modern equivalent of tilting at windmills. All it takes is one friend sending you an "e-card" or something similar, and your email address is spreading through spammers' lists faster than.. uh.. something that spreads really quickly.

Also, people don't deserve to get spammed to hell because they post their email addresses in public forums. Slashdotters take things like "don't publish your email address" for granted, but it's only common sense to us because we know how all this works. The average user has likely never heard of an email harvester.

spamass + mimedefang milter == peace

[SCHecklerX]

I drop more stuff these days before it even GETS to spam assassin to be analyzed.

• Reject if on the spamhaus list
• Reject if claiming to be your mail server in the helo
• Reject if claiming to be RFC1918 space in the helo
• Reject if there isn't a '.' somewhere in the middle of the helo (simple way of checking for FQDN)

In addition, configure sendmail to do rcpt flood rejects, and even better, enable greet_pause. I've rejected quite a few with those.

Anything that gets through all of that is then analyzed by spamassassin. WIth Bayesian training, my current threshold is 3.0. Anything legit is normally -2.0 or less. I Totally DROP through mimedefang anything greater than 7.0. Anything from 3-7 is dumped in a special folder on my local account via procmail. I analyze that stuff every now and then to see if it is time to once again lower the thresholds.

Also, continue to do the RBL checks in spamassassin (although it's a little redundant since I check spamhaus in mimedefang). That way you also get scoring based on SURBL..good stuff.

Two words: Spam Bayes

[laxiepoo]

Spam Bayes with Outlook correctly handles over 95% of my spam.

Spamassassin much better with personal training

[gvc]

The article and the SpamAssassin documentation seem to imply that SpamAssassin is best used as a server-side filter.

In fact I've found it works great as a personal filter, if you configure it somewhat differently from the way the documentation suggests. That is, increase the weight of the Bayes filter, and have it train itself on every message it classifies. Then correct it on any mistakes it makes - which rapidly become few and far between.

Here's a paper showing that SpamAssassin can achieve as good results as others touted for personal use.

Unfortunately SpamAssassin is a bit hard to install and set up. But if you have RedHat or Debian Linux, it is available by rpm/apt and you can install a few scripts to make it work.

I wish I had a better shrink-wrapped version, but I don't. So I'm supplying the raw files for one user in the hopes that (a) somewhat technical people can reproduce the setup and be happy, (b) somebody will make a shrink-wrapped version, perhaps with plugins or extensions or macros for more mail clients.

Here is the Linux Personal Spamassassin setup.

There is a whitelist

[Laebshade]

Sort of. See that button above an e-mail that says 'not spam'? Yes, that's the one. If a message appears in your spam box, click that button, and it will be moved from the spam box to the inbox and taken off the 'spam' list, effectively adding it to a whitelist.

Re:There is a whitelist

[snorklewacker]

"Not spam" does not whitelist senders. It moves messages. Maybe I'm missing something.

I really should have just posted AC, having gotten three replies that went:

1) google radiates golden benefince, you suck for criticizing them

2) see that "not spam" button? the shiny one? don't lick it, click it! good boy!

3) Use another email client, you're not firewalled or anything, and you configure this client everywhere you go, right? Aren't I clever for knowing about its existence?

My blood pressure really cannot stand slashdot these days.

Re:There is a whitelist

[Laebshade]

I think it actually takes it off the blacklist, basically whitelisting it, though not technically. This is how it seems to work, though I could be wrong.

Didn't I say this already?

Re:There is a whitelist

There _is_ a button (well, a link actually), but not _that_ one. It's under "More options", called (surprisingly) "Add sender to Contacts list".

Gmail never classifies something from someone in your Contacts as spam.

HTH.

Re:There is a whitelist

[snorklewacker]

Yeah, but for that to work, I'd have to add every member of the list as a contact. I want to whitelist a label, and that label is based on the To: line, not a From: line.

I suppose they're busier with the interface -- I see they added a fallback "plain HTML" mode for nonsupported browsers. Still, those tags they rave about aren't seeing much usefulness if I can't base other actions like whitelisting off of them.

Re:There is a whitelist

[endx7]

I see they added a fallback "plain HTML" mode for nonsupported browsers. Still, those tags they rave about aren't seeing much usefulness if I can't base other actions like whitelisting off of them.

While we're talking about gmail...the fallback "plain HTML" thing annoys me. I use opera 8 beta which understands the javascript gmail has (earlier versions of opera didn't). Suddenly I don't get the neat-o features that would normally work (the only problem I've noticed is that opera doesn't size the sidebar correctly).

But then again, I suppose it's good that they finally allow non-javascript capable browsers to work now.

Although...most of the time this doesn't even matter. I use the POP3 access they provide.

Easy manual sorting..

[deacon]

For those of us who prefer to sort manually, using Pine over SSH and leaving all email on the ISP's server works pretty well.

With a full screen terminal window, I can mark spam based on the name and the subject header. I can recognize spam at a rate of about 10 per second this way. With the names spammer pick, and the mis-spelled subject headers, it is pretty easy to pick them out.

Using pine, I never give a spammer info by opening web bugs. I can look at the raw email by typing "h" to show the headers, so all those phishing emails are immediately obvious.

Keeping the email on the isp's server means that when I rebuild a machine, I don't have to worry about about backing up my email.

Re:Easy manual sorting..

[TheMysteriousFuture]

My god man, you're still using Pine? PINE!. You seriously need to check out mutt...

Interview with SpamAssassin

[Valdukas]

But the real question is: does the interview pass SpamAssassin's filters?

Huh?

(Posting as AC so no karma whoring here...)
I'd have to strongly disagree with people here saying that SpamAssassin doesn't work, etc. I run four different SA installations for different types of companies. After an initial training period, we've never looked back. Granted, I spend some time writing custom rules to be able to train it for their specific environment. But regular expression aren't that difficult, people. Our accuracy for each site runs in the 96-98% range, and we've also implemented some stricter sendmail access lists to keep crap from getting in to begin with. I've got very happy customers. So sit down over the weekend, read all the faq's, and get your SA installation tuned properly so you can stop bitching about such a great piece of software!

Re:Why is it...

[snorklewacker]

... and some oh-so-insightful shithead that comes on and waggles his finger and clucks at someone making a complaint, adding nothing but their righteous prattle to the conversation.

I use gmail as my primary email. Good enough for you?

How I beat spam

[Just+Some+Guy]

I just wrote an article for this month's issue of Free Software Magazine on building spam filters. The long and short of it is that Spam Assassin is a very, very good last line of defense. However, there's a lot you can do to limit the amount of junk that even makes it that far into your system:

1. Filter the HELO messages. If the sender says "HELO yourownname.example.com", then it's lying and you can safely reject the connection.
2. Don't be overly picky about reverse DNS lookups, but do check that the domain of the From: address is resolvable. After all, what's the point of getting mail from "spew@nonexistentdomain.com" if you can't reply to them?
3. Selective DNS blacklists. Do your homework and find a couple that are picky about what they add. Remember: false negatives are much better than false positives!
4. SPF. It's not a cure all, but it works and it's available today.
5. Greylisting. Oh, how I love thee!
6. Finally, Spam Assassin, ClamAV, and other "expensive" defenses.

Since I implemented the above as a Postfix ruleset, I don't get spam anymore, and it's not exactly like I've actually kept my primary address secret. No, I'm not kidding or exaggerating - basically, my mailbox is my own once again. Viva Postfix! Viva greylisting!

Re:How I beat spam

[Just+Some+Guy]

Open letter to the person who was looking for information on my wiki: it's at http://subwiki.honeypot.net/cgi-bin/view/Freebsd/F ilterMailWithPostFix, but the article I linked in the parent post is more recent and more closely proofread.

How I do it ...

[Tripster]

I manage a couple ISP incoming MTAs, they come looking for a anti-spam and anti-virus solution which is easy to provide them in OSS land.

First Qmail setup to use RBLs ...

cbl.abuseat.org sbl-xbl.spamhaus.org relays.ordb.org dynablock.njabl.org list.dsbl.org dul.dnsbl.sorbs.net

That bunch will block a whole lotta spam before it ever gets to discuss sending mail with the SMTP server.

Next, SimScan from Inter7.com, this little c app runs at the front end of the SMTP process, it will scan incoming mail at SMTP level with ClamAV and SpamAssassin, anything scoring over 10 in SA is dropped at SMTP level with a 5xx error.

SimScan allows you to fine tune settings on a per domain and per user level if you so desire, so it is easy to turn SA off entirely for a user who wants all the spam they can get, ditto for those who'd rather not be protected from viruses.

Using these features you stop a LOT of spam, likely in the 80% or higher range. Most domains we've applied this to have gone from hundreds per day to less than 10 per day.

It is imperative you also use the SURBL features in SA to stop more spam than ever, you should also use Razor2, DCC and Pyzor. I suggest upping the Razor2 scores a bit as well the defaults are quite low.

Re:Why is it...

[t0ny747]

.. that for every FREE service or software available on the internet, there's ALWAYS somebody who whines about how it lacks this-or-that feature? :|

Gmail is not really a 'FREE' service you pay for it by viewing the ads. Just like broadcast tv.

Zombie Write Up

Unfortunately it seems that a lot of the zombies out there aren't so much spambots as they are proxybots. It may not seem like much of a difference, but it has a tendency to open up a whole new set of possibilities for a spammer looking for a new network to spam from. Plus, because most of the bots are on dynamic ip's they move around enough that the blocklist entries are outdated within a few days.
I released a small paper on such a network back in October.
http://lowkeysoft.com/proxy/
-steele out

& for Windoze users...

[robogun]

Use SpamPal. It comes with blacklists, but you can turn it off because the reg expressions that came with it are very effective. There are also modules to decode base64, filter on spammed URLs, clean up web bug crap, block by country etc. & it's free.

GPG

[bluGill]

Just set up a rule so that your kid cannot open any email that isn't signed with pgp/gpg, with a key in your web of trust. I'm tempted to impose that rule on myself and force my friends to install gpg. (Sadly I'm lazy - I haven't gotten around to making myself a key yet)

MOD DOWN PARENT

[exhilaration]

Dude, did you even RTFA???

From the article:

Quinlan: I'm sure some spammers look at our code, but the end effect is about the same as with closed source. To beat closed-source spam filters, all you need to do is install the filter somewhere or get an account at the ISP, then you just keep an eye on whether your spam is getting through.

Also, much of our filtering relies on stuff not in the source code: user training via Bayes, network rules like SURBL for URI blocking, various DNS blocklists, and message checksum systems like DCC.

To put it another way, closed source hasn't exactly protected closed-source programs from other types of security problems.

Re:MOD DOWN PARENT

[Christopher_G_Lewis]

Dude, do you even run the program?

Yes, Bayes helps.
Yes, SURBL helps.

But when you can see the spam slowly but surely get less and less hits (such has malformed HTML mail, blatent screw ups such as $SUBJECT) on some of the lesser scoring rules, you can deduce that the spammers (or the spam program writers) are getting smarter.

A great example are all those junk filler paragraphs that the spammers use to fight Bayes.

They are not giving up, but neither are we!

Don't complain!

[mollymoo]

If you don't mind deleting spam manually, that's your prerogative, but don't complain about it.

Don't complain? Don't complain about dealing with spam? Don't complain about paying money (ISP mail servers cost money, and you pay for them) so that some fucktard breaking the law (spamming is illegal in many places) can waste the time of millions of people every day?

I'm complaining about you Daniel Quinlan. Go write a filter for me, you're good at it. I'll complain exactly as much as I like. I'll write to my elected representatives. I'll campaign to change the law. I'll demand good service from enterprises I patronise. I'll advise my friends how to do the same.

You think I should give up my power as a voter and consumer because there's a bit of software which helps? You think I should just sit here and take it in the ass from the spammers because 93.6174% of the time some code stops their dicks before they reach my butt-cheeks? Fuck you. I'm going to bitch, complain, campaign and whine till the day comes that I don't need your stinkin' software.

Re:Don't complain!

Time to switch to decaf...

Corruption!

[Squeamish+Ossifrage]

"...armed with the authority to seize spammer's personal assets could easily achieve self-funded operation..."

It's hard to picture a shorter route to corruption. When law enforcement officers fund themselves by taking stuff, the main incentive isn't to serve justice any more, it's to ... take stuff. This is exactly the problem faced by a lot of the former Soviet Union and Latin America: When the government can't (or won't) pay police enough to have a decent standard of living, they go into business for themselves. Not good.

Solutions for everyone else?

All these server-based solutions are great, but what about the average (ok, slashdot average) cable modem or dsl user? We get lots of spam, too, and the isp's filtering is pretty bad in my case. For me, something I can attach to Thunderbird or place between Thunderbird and my isp would be very helpful.

planet arium

[MillionthMonkey]

"Hi, I'm Dr. Adams, and welcome to the Planet Arium."
"I thought this was the planetarium."
"It is, I have a bone disease that prevents me from saying the 't' in Planet Arium."

Interesting - the whole "copy and remove space" idea is something you see all over the place as an anti-harvesting technique for email addresses (like slashdot employs). Now spammers themselves are using anti-spam measures from within their spam to combat spam filters....

This is an old technique. Haven't you ever gotten email about "V1a gra"?

I received the following chain letter recently:

> IT DOESN'T MATTER IF YOU ARE REPUBLICAN OR DEMOCRAT!
> KEEP IT GOING!!!!

> 200 8 Election Issue!!
>
> GET A BILL STARTED TO PLACE ALL POLITICIANS ON SOC. SEC.
> This must be an issue in "200 8 ". Please! Keep it going.
[remaining BS deleted. Snopes has an identical version with "2004" (no space) if you're really interested.]

So it looks like something somewhere is looking for the string "2008", because chain letters are adapting themselves to it.

Yahoo! Anyone?

[G1aucon]

I can't believe no one has mentioned Yahoo! yet. Automatic, accurate spam-filtering? Yes. White-listing? Yes. Black-listing? Yes. And if you want to stick with the free account, use Yahoo!POPs to download messages into Thunderbird.

Personally, I have the upgraded (2GB) account so I can take advantage of what I consider the best anti-spam feature available anywhere: disposable email addresses.

Not sure if you want to divulge your address to for a free iPod contest? Give them a disposable address where email is directed straight past your inbox and into a separate folder. When you lose that iPod contest and the spam starts pouring in, just delete the disposable address.

Sure, you can set up a free "junk mail" address with Hotmail, Yahoo!, but I've found that "checking in" on my spam is a waste of time.

Of course, the best solution is to not give out your email address.

Server-side anti-spam techniques

[King_TJ]

Not sure if this is already "common knowledge" or not, but my employer runs a small mail server for several of our customers - and he's started using a technique which seems to drastically reduce incoming spam.

He set things up so whenever a new piece of email arrives from an unknown source, it sends back a "try again later" request and trashes the message. Apparently, there's a function built into the specs for SMTP/POP servers so these "try again" requests normally get processed, and the mail is resent an hour or two later (sometimes longer if from a big ISP like AOL or something).

Since much of the spam coming in is just being blasted out by a "zombie" client, or some spam-sending software package, they generally ignore the "try later" request and simply move on down their list of addresses they're trying to shoot the spam out to.

When the mail does come through after a "try later" attempt, his mail server adds that address to a "white list" database, so future email from the same place won't get the "try later" treatment (and possibly irritate the owner of that mail server at some point!).

Whitelists/Permission based email

[kendbluze]

Permission-based email works great for me. While new correspondents need to respond to a challenge, I can have every response automatically accepted. This minimizes the delay in getting new messages, and insures that the message is being sent by person and not a bot. If it turns out I don't want to receive future mail from an approved new sender, I can black list them, with or without an explanation to them, with about two clicks. ChoiceMail http://www.digiportal.com/

Re:Whitelists/Permission based email

[cpghost]

TMDA works great for me too. But it's best to combine it with a content-based filter to reduce the number of challenges you send out.

Re:Whitelists/Permission based email

[kendbluze]

Help me out here. Aren't content based filters focused upon known patterns found in spam-type email? I don't care how many challenges I send back to bots. Have you found content based filters helpful in allowing email from real humans to get through without challenge?

Spambayes

[SlashDread]

Has single handedly raised my brownie points at the company I work for that must use Outlook.

Spamassassin. Mastery.

[donsaklad]

Where around the web would there be better information about Spamassassin that any novice can understand and use without having to research vocabulary and arcane references?...

Spamassassin has difficulties for people with little mastery of computers. The difficulty of instructive materials for Spamassassin is an overabundance of jargon and references unfamiliar to people with little mastery of computers.

Gmail uses SURBL :)

That all I have to say. Gmail uses SURBL as well ;)

Interesting......

I remember when SURBL was first announced on /. EVERYONE said they doubted it would work! Not a single post said ,"Oh I've had this idea for ages!", "Oh I invented this idea!", "I've been using this for a long time..." Blah blah blah....

Now that SURBL IS kicking butt, sudennly everyone had the idea first! Yeah, whatever!

Go ahead and dig up the article if you don't believe me.

Some of you guys just don't get it at all. Whoever posted the RANT to DQ about not complaining.... you have no reading comprehention. Go reread what he said.

I suggest more of you so called spam experts should actually spend some time at an antispam conference. Pretty much every antispam technique you can think of, has already been thought of.

Name me one other FREE antispam program that will work as well as spamassassin.

Also if your using an older version of SA, and not using rules from www.rulesemporium.com, then its your own fault.

AND, the DNS bug is in Net:Dns, not SURBL.

spam not that annoying

[burdalane]

Sure, spam is annoying, and it eats up lots of bandwidth, but I don't mind it that much. I used to give out my Yahoo email address everywhere, and I received tons of spam in that as well as some of my other accounts. But now it's not too bad, and Thunderbird's spam filters take care of most of it.

I have wasted lots of time on spam, especially as I used to read every one that wasn't porn and had fun tracing the servers. Most of my time is spent surfing the Internet anyway. My only regret is not figuring out how to get into the spam business back before the CAN-SPAM Act.

Eh

[lorcha]

Too much work. I only get about 1000 emails per day at my email server, so I just skip to step 6 (SA+ClamAV).

That's why we buy machines. To do our work for us. I mean, come on. Filtering HELOs? On what criteria? And why do I care? How do I even make qmail do that? Why would I care how? And then you go straight to DNS BLs? Which ones? And what do you do if there is a match? On one BL? On two BLs? When do you reject? Do you then let SA repeat the effort down in step 6?

spamd and clamd do not consume as many resources as people whine about. If you get under 100,000 emails per day at your server, I wouldn't even bother with anything else. A poorly tuned celeron would handle that load just fine.

Re:Eh

[Just+Some+Guy]

Too much work. I only get about 1000 emails per day at my email server, so I just skip to step 6 (SA+ClamAV).

Too bad. Those other filters catch huge amounts of spam with very few false positives. I love SA and ClamAV and recommend them whole-heartedly, but not as the first check on a server.

I have seen the light!

[lorcha]

Thank you for that insightful and well-substantiated message. I will spend the next 3 days figuring out how to bitchslap qmail into doing all those things for me before running clam and SA on incoming mail.

After I'm through with that, my server will go from humming along at a 0.00 load average to humming along at a 0.00 load average.

Thank you for helping me to see the light!

Re:I have seen the light!

[Just+Some+Guy]

Believe it or not, it's not my goal to convince you to adopt my all of my methodologies and mannerisms. I've developed a set of rules that a lot of people use to reduce their spam. If you want to use my rules, your rules, or nothing at all, then that's your choice and I won't talk you out of it.

Good luck with your qmail coercing. If you ever get tired of it, take a look at Postfix's configuration sometime. It was like a breath of fresh air after messing around with Sendmail's m4 system for years.

Hahahah

[lorcha]

If you think qmail can be made to do anything useful through mere coercing, then you know nothing about Dan J. Bernstein. Nothing short of a thorough bitchslapping will cause qmail to perform correctly.

Nice sig.

Re:Hahahah

[Just+Some+Guy]

Out of curiosity, why do you use it? There are other mailers out there that perform well, have good security records, and are easier to configure, so why stick with qmail? Does it have some good features that you don't want to give up?

Simple

[lorcha]

Current state: I have an email solution that meets my requirements.

I could:

1. Spend time learning how to instal a new MTA.
2. Spend more time learning how to configure a new MTA
3. Spend more time tweaking that configuration so that it meets my requirements (multiple domains/accounts, IMAP, spam and virus filtering with rejection during the SMTP session, SMTP AUTH)
4. Spend more time testing my new configuration
5. Realize a week later that something doesn't work the way I thought it did
6. GOTO 3.

The end result would be: I have an email solution that meets my requirements.

I am not in the email hosting business, and frankly I don't find email delivery to be that interesting. Qmail sucks balls--everything you want it to do requires the selection, application, and testing of a patch. If I had it to do over there is no way in hell I would have chosen it. But I have no time to dedicate to replacing it.