Slashdot Mirror


Interview With The SpamAssassin

comforteagle writes "Howard Wen has conducted an interview with Daniel Quinlan of SpamAssassin. In it he explores what keeps Daniel motivated in the face of the unrelenting torrent of spam and new spamming techniques, as well as what is working, what is not, and what he predicts spammers have up their sleeves next for defeating spam detection." From the interview: "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

27 of 202 comments

  1. gmail has good spam protection by erick99 · · Score: 5, Informative

    When I got to over 300 spam a day was just about the time I tried gmail (google mail). So far this is the best spam protection I have come across. My spam folder is getting about 400 a day now but I can't remember the last time a "good" message went in there. I still get about five spam a day that I need to manually deal with.

    --
    http://www.busyweather.com/
    1. Re:gmail has good spam protection by winkydink · · Score: 3, Interesting

      I agree that Google has good protection. Even with slutting my email address by publishing it on /., the amount of spam that makes it into my gmail box is surprisingly small.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    2. Re:gmail has good spam protection by int2str · · Score: 4, Interesting

      I disagree completely.

      I'm subscribed to the Linux kernel mailing list with a GMail account and it constantly marks legitimate messages as Spam. Since the emails have such a common format and subject matter, that's really surprising.

      On the flip side, many Spam messages and phishing attempts make it through GMail's filter.

      My small business mail server running SpamAssassin and some blacklists is much more efficient compared to Gmail.

      Cheers,
      Andre

    3. Re:gmail has good spam protection by snorklewacker · · Score: 4, Interesting

      gmail's spam filtering annoys the hell out of me: No whitelists. I'm subscribed to a spam discussion list, so it trips spam filters all the time, and I'm constantly having to fish messages out. I don't care that it classifies it as spam, I'm just annoyed at the fact that I cannot ever override its judgement.

      --
      I am no longer wasting my time with slashdot
  2. Cloudmark SpamNet by Zendar · · Score: 5, Informative
    Been using Cloudmark's SpamNet for over a year and haven't looked back since. Nothing gets by.

    Disclaimer: No interest in the company. Just a satisfied customer.

  3. Complain as much as you can! by iolaus · · Score: 5, Interesting

    "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

    How the hell do you think the national do-not-call list came about? Because people bitched and complained! I agree there are spam solutions out there but I still think there should be an easier, more fool-proof, and legally backed way of opting out of spam.

    --
    I find laziness to be an excellent motivator.
    1. Re:Complain as much as you can! by dotslasher_sri · · Score: 3, Insightful

      and legally backed way of opting out of spam.

      This might be a little difficult to do. Spamming is already illegal in the US. But anyone can spam from other countries. And making the US laws apply over there would be difficult.

      In my opinion a fix to spam has to come from the software side, not from the government side.

    2. Re:Complain as much as you can! by winkydink · · Score: 3, Insightful

      The US and other countries could put pressure on China to get them to clean up their ISPs. If you reduce the number of safe-spamming havens, you should reduce the amount of spam.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    3. Re:Complain as much as you can! by frankie · · Score: 4, Informative

      Most spammers are not in U.S.

      This is false. The SpamHaus list shows the USA hosts more spammers than the other countries put together.

      the FBI who has bigger fish to fry

      This is somewhat true. We won't put a dent in spam from a legal perspective until a federal agency devotes some serious infrastructure to the job.

      That's mainly due to lack of willpower and expertise rather than funding, however. A competent "Spam Czar" armed with the authority to seize spammers' personal assets could easily achieve self-funded operation within a year.

  4. SURBL by JohnGrahamCumming · · Score: 5, Interesting

    OSDir.com: What's the most effective anti-spam technology that SpamAssassin uses right now?

    Quinlan: I think network rules are the most effective single technology, in particular, the URI rules that use SURBL, looking for spammer domains in Web links.

    The SURBL can be found here: http://www.surbl.org. It's a very good thing, so much so that spammers are starting to try to get around it by doing stuff like this:
    Copy the following URL removing the space into your browser:

    www. spammer-site.com
    John.
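
The URI lookup Quinlan describes, sketched as an added example (not SpamAssassin's code and not part of the comment above): each linked host is reduced to its registered domain and queried under the SURBL zone `multi.surbl.org`. The resolver is injected so the block runs offline; the sample text, the `.example` domains, the returned `127.0.0.2` answer and the three-entry suffix set are constructed assumptions.

```python
import re

SURBL_ZONE = "multi.surbl.org"  # SURBL's combined lookup zone
# Constructed stand-in for a real public-suffix list (assumption for this demo).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Captures only the host part of http/https links found in a message body.
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

def registered_domain(host):
    """Reduce www.shop.example.co.uk to example.co.uk, a.b.example to b.example."""
    labels = host.lower().strip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def uri_domains(body):
    """Return the sorted, de-duplicated registered domains linked in the body."""
    domains = set()
    for host in URL_HOST_RE.findall(body):
        # Skip dotless hosts and bare IPv4 literals; SURBL lists domains.
        if "." in host.strip(".") and not host.replace(".", "").isdigit():
            domains.add(registered_domain(host))
    return sorted(domains)

def surbl_hits(body, resolve):
    """resolve(name) returns an IPv4 string, or None for NXDOMAIN (not listed)."""
    hits = {}
    for domain in uri_domains(body):
        answer = resolve(f"{domain}.{SURBL_ZONE}")
        if answer and answer.startswith("127."):
            hits[domain] = answer
    return hits

# Constructed sample message and constructed DNS answers.
SAMPLE_BODY = (
    "Cheap watches: http://www.spammer-site.example/buy?id=1\n"
    "Mirror: HTTP://shop.spammer-site.example/\n"
    "Our supplier: http://docs.smallshop.co.uk/catalogue\n"
)
# The evasion quoted in the comment: no link, so nothing to look up.
OBFUSCATED = "Copy this removing the space: www. spammer-site.example"

def fake_resolve(name):
    listed = {"spammer-site.example.multi.surbl.org": "127.0.0.2"}
    return listed.get(name)

if __name__ == "__main__":
    print(surbl_hits(SAMPLE_BODY, fake_resolve))
    print(uri_domains(OBFUSCATED))
```

The second call returns an empty list: a hostname that is not written as a link gives a URI rule nothing to query, which is why filters pair URI rules with other signals.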

  5. Once again.. by daeg · · Score: 4, Informative

    I've said it before, but I have to promote PopFile (http://popfile.sourceforge.net/) again. Since doing a bit of training, it now correctly sorts about 99% of my e-mail. I get about 600 messages a day not including mailing lists, and my accuracy is 99.65%. It is generally not susceptible to new spam techniques unless they can match the subject matter that my e-mail typically covers.

    When they start spamming "Linux IPF Apache LOOK! Vi@GR@ makes your peNi$ PHP Bug CSS" I will be concerned.

  6. Am I alone? by The+Eagle+Maint · · Score: 4, Informative

    Maybe I'm the lucky minority here, or my mail host has some crazy filters I don't know about, but I very, very rarely receive any type of spam. Now, I don't go handing out my email address either. If I'm signing up for something shady, I use another address at a web-based email account, which does get a lot of spam... but otherwise I use the mail host that comes with my website http://www.surpasshosting.com/ and Thunderbird as a client, and never see any type of spam.

  7. A spam "bubble"? by antifoidulus · · Score: 4, Interesting

    From TFA:
    The greater challenge is that the new techniques never stop coming. It's possible spammers will eventually run out of tricks, but it definitely hasn't happened yet. Most techniques backfire fairly in the long run, and make it more obvious that a message is spam.
    You gotta wonder if there is a spam "bubble" that will burst pretty much like every other bubble. It started the same way, a few scammers got the idea of sending out scams via email and were quite successful, and everyone else started to jump on board. But soon enough (hopefully) people will learn their lesson and spam will slow... maybe I'm putting too much faith in people.
    But it is interesting to see how many "me too" trends there are in spam. Up until about 2 years ago, I never received a 419 scam, but now I get at least one a week. Up until about a year ago, I never received a Rolex email (typically the domain of brick and mortar (ok, urine soaked streetcorner) drifters), but now I get a few a day.

  8. How to stop spam by Merdalors · · Score: 3, Insightful

    Two words: Spam Arrest. Zero spam, no filters to nurse, no lost mail.

    --
    Slashdot entertains. Windows pays the mortgage.
  9. Business cards by nizo · · Score: 5, Funny

    I bet he has cool business cards:
    Daniel Quinlan - Spam Assassin
    He can tell people his job is to kill spammers. Which reminds me, I wonder if anyone at the IRS actually checks what job title you put on your tax forms?

    1. Re:Business cards by LetterJ · · Score: 3, Funny

      "I wonder if anyone at the IRS actually checks what job title you put on your tax forms? "

      This is the federal government. It's probably someone's exclusive job to not only read it, but hand copy it in blue ink into large 3 ring binders which are then manually typed in by someone else employed full-time to do such an activity.

    2. Re:Business cards by Anonymous Coward · · Score: 3, Funny

      So I guess putting "Senior Tax Evader" as my occupation probably wasn't such a good idea?

  10. All I can say is... by Anthony+Boyd · · Score: 4, Interesting

    ...God bless Daniel Quinlan and people like him. I have had a hell of a time with my daughter's email. A LOT of Web sites for kids have a "mail a friend" option. At one point my daughter wanted to use that option on a few sites. These are kid-oriented sites with privacy statements, so the sites felt trustworthy.

    Fast forward to two weeks later, and one of those #@!&^ing sites has sold her email address to every spammer in the nation. My little kid got 196 spams yesterday -- for Viagra, lesbian cheerleader porn, you name it. So I have become heavily interested in every anti-spam product known to man. I've got 'em on the server, and got 'em on the client. Right now, with redundancy, this is 99% accurate, and my daughter gets only messages from friends and family. My biggest problem is not that spam gets through, but that false-positives block a legit message every now & then. That is the area I hope improves the most.

  11. Other analogies by LordOfYourPants · · Score: 4, Insightful

    "If you don't mind deleting spam manually, that's your prerogative, but don't complain about it. If your ISP doesn't do a good job fighting spam, then switch ISPs or install your own anti-spam software. There are a lot of choices out there."

    It seems pretty simple to me: complaining leads to awareness, which leads to action. Maybe a bunch of people on Slashdot griping about spam won't amount to jack, but let Oprah or someone else with a grappling hook or two on the office/church/bar water cooler complain about it and they can make a difference in social attitudes.

    SpamAssassin is a good step but the real problem is the social system which makes spamming possible. How else can you explain a 60-year-old grandmother 1) using her computer as a spam relay, 2) acknowledging it on television, and 3) not seeing it as a problem because it's "legal" and she's getting regular cheques to do so?

    How is it that a social/legal system can be designed to bankrupt and scare the shit out of people who share a few movies or songs but barely put a dent in the people sending out millions of useless, offensive, and content-bordering-on-the-illegal emails? Is there nothing wrong with this?

  12. If you can't run your own mailserver... by vasqzr · · Score: 4, Informative


    A pop3 proxy works great. I recommend SpamBayes

    http://spambayes.sourceforge.net/

  13. Re:you'ved been spammed! by Christopher_G_Lewis · · Score: 3, Informative

    It's just an arms race. SpamAssassin gets better, then the spammers adjust.

    Part of the problem with open source spam filters, the Bad Guys can reverse engineer what's currently being tested.

    I kinda wish that the SpamAssassin group would separate their tests from their product development, so we could get more frequent updates of the "official" SpamAssassin filters. However, I remember reading somewhere that testing and evaluating any new rules against their current corpus takes quite a long time.

    Also, make sure you check out http://www.rulesemporium.com/ for more frequently updated rules.

  14. The next frontier in spam fighting by PurpleFloyd · · Score: 4, Insightful
    As alluded to in the article, the next chapter in the war against spammers is not going to be in blocking open relays or known spammers. Rather, more and more spammers are using hordes of broadband-connected and spyware/virus-infested zombie hosts to do their dirty business.

    This has both good and bad aspects. First, the good news: responsible ISPs will be able to block a good portion of spam at their routers and mailservers; it's not hard to detect and blacklist a PC which is spewing the same email to 20,000 different recipients. Unfortunately, it only takes a few poorly-configured ISPs to provide a great deal of bandwidth to spammers. Couple this with Windows' known security holes, and home users' typical apathy regarding patches and security updates, and you have a large pool of potential spam-hosts which cannot be as easily targeted as open relays or specialized spam-spewing servers. After all, if spammers are using a legitimate ISP's mail server to send spam, a remote admin can't block that mail server without also condemning large amounts of legitimate email to deletion, which may well be unacceptable.

    The upshot of all this? The onus of spam filtering is going to be, more and more, on ISPs rather than on recipients. While this has its good side - spam filtered at the source doesn't take up as much precious bandwidth - it also means that filtering will be more difficult for those not close to the source.

    --

    That's it. I'm no longer part of Team Sanity.
    1. Re:The next frontier in spam fighting by Linux_ho · · Score: 3, Insightful
      As alluded to in the article, the next chapter in the war against spammers is not going to be in blocking open relays or known spammers. Rather, more and more spammers are using hordes of broadband-connected and spyware/virus-infested zombie hosts to do their dirty business.
      Uh, where have you been? Non-malware open relays haven't even been on the radar for the last two years. Practically all spam comes from either virus zombies or known spammers hiring offshore ISPs to provide them with 'legit' relays. This isn't a "new trend." It's changed very little over the past couple years, the only trend I've seen lately is that MORE spam is coming from spam-friendly offshore ISPs, who seem to have a nearly endless supply of unblacklisted IP addresses to cycle through. Hello, APNIC?
      --
      include $sig;
      1;
  15. Spamassassin much better with personal training by gvc · · Score: 3, Informative
    The article and the SpamAssassin documentation seem to imply that SpamAssassin is best used as a server-side filter.

    In fact I've found it works great as a personal filter, if you configure it somewhat differently from the way the documentation suggests. That is, increase the weight of the Bayes filter, and have it train itself on every message it classifies. Then correct it on any mistakes it makes - which rapidly become few and far between.

    Here's a paper showing that SpamAssassin can achieve as good results as others touted for personal use.

    Unfortunately SpamAssassin is a bit hard to install and set up. But if you have RedHat or Debian Linux, it is available by rpm/apt and you can install a few scripts to make it work.

    I wish I had a better shrink-wrapped version, but I don't. So I'm supplying the raw files for one user in the hopes that (a) somewhat technical people can reproduce the setup and be happy, (b) somebody will make a shrink-wrapped version, perhaps with plugins or extensions or macros for more mail clients.

    Here is the Linux Personal Spamassassin setup.

  16. Easy manual sorting.. by deacon · · Score: 3, Informative
    For those of us who prefer to sort manually, using Pine over SSH and leaving all email on the ISP's server works pretty well.

    With a full screen terminal window, I can mark spam based on the name and the subject header. I can recognize spam at a rate of about 10 per second this way. With the names spammers pick, and the mis-spelled subject headers, it is pretty easy to pick them out.

    Using pine, I never give a spammer info by opening web bugs. I can look at the raw email by typing "h" to show the headers, so all those phishing emails are immediately obvious.

    Keeping the email on the ISP's server means that when I rebuild a machine, I don't have to worry about backing up my email.

  17. Re:personalized training by Daniel+Quinlan · · Score: 4, Insightful
    (groan)

    Someone (the author or some editor) added that comma to my sentence. My original email had no comma there. A clearer phrasing that would not tempt someone into adding punctuation would be:

    [The least effective technique is] Any technique that tries to identify "good" mail with neither authentication backing it up nor some form of personalized training.

    They also removed the name of the company where I work (IronPort), which struck me as a bit odd considering how my job allows me to do open source was part of the article. I think my employer deserves some kudos for that. Not to mention implying that I'm more than just one of the developers. There are eight committers, six of them on the Project Management Committee and two of them (Justin Mason and Theo Van Dinter) write at least as much code as me.

  18. How I beat spam by Just+Some+Guy · · Score: 5, Informative
    I just wrote an article for this month's issue of Free Software Magazine on building spam filters. The long and short of it is that Spam Assassin is a very, very good last line of defense. However, there's a lot you can do to limit the amount of junk that even makes it that far into your system:
    1. Filter the HELO messages. If the sender says "HELO yourownname.example.com", then it's lying and you can safely reject the connection.
    2. Don't be overly picky about reverse DNS lookups, but do check that the domain of the From: address is resolvable. After all, what's the point of getting mail from "spew@nonexistentdomain.com" if you can't reply to them?
    3. Selective DNS blacklists. Do your homework and find a couple that are picky about what they add. Remember: false negatives are much better than false positives!
    4. SPF. It's not a cure all, but it works and it's available today.
    5. Greylisting. Oh, how I love thee!
    6. Finally, Spam Assassin, ClamAV, and other "expensive" defenses.

    Since I implemented the above as a Postfix ruleset, I don't get spam anymore, and it's not exactly like I've actually kept my primary address secret. No, I'm not kidding or exaggerating - basically, my mailbox is my own once again. Viva Postfix! Viva greylisting!

    --
    Dewey, what part of this looks like authorities should be involved?
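
Steps 1 and 5 of the list above (the HELO check and greylisting), sketched as an added example that is not the commenter's Postfix ruleset: a policy function that rejects a client claiming the server's own name, then defers unknown (client network, sender, recipient) triplets until they retry after a delay. The hostnames, addresses, delay, expiry and /24 grouping of IPv4 clients are assumptions made for the demo.

```python
import ipaddress

GREYLIST_DELAY = 300          # seconds a new triplet must wait (assumed value)
TRIPLET_TTL = 35 * 24 * 3600  # forget triplets idle for 35 days (assumed value)
MY_NAMES = {"mail.example.com", "example.com"}  # hypothetical local hostnames

class Greylist:
    """Defers the first delivery attempt of every unknown triplet."""

    def __init__(self, delay=GREYLIST_DELAY, ttl=TRIPLET_TTL):
        self.delay, self.ttl = delay, ttl
        self.first_seen = {}  # triplet -> time of first attempt
        self.last_seen = {}   # triplet -> time of latest attempt

    def _key(self, client_ip, sender, rcpt):
        # Group IPv4 clients by /24 so a retry from a neighbouring host in
        # the same sending pool still matches the original attempt.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net.network_address), sender.lower(), rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        key = self._key(client_ip, sender, rcpt)
        last = self.last_seen.get(key)
        if last is None or now - last > self.ttl:
            self.first_seen[key] = now  # new or expired triplet: restart clock
        self.last_seen[key] = now
        if now - self.first_seen[key] < self.delay:
            return "450 4.7.1 Greylisted, try again later"
        return "250 OK"

def smtp_policy(helo, client_ip, sender, rcpt, now, greylist):
    """Cheap checks first; anything returning 250 goes on to content filters."""
    if helo.lower().rstrip(".") in MY_NAMES:
        # No remote host is legitimately named after this server.
        return "550 5.7.1 HELO uses this server's own name"
    return greylist.check(client_ip, sender, rcpt, now)

if __name__ == "__main__":
    g = Greylist()
    # Constructed SMTP sessions: (helo, client IP, sender, recipient, time).
    sessions = [
        ("mail.example.com", "192.0.2.10", "x@spam.example", "me@example.com", 0),
        ("mx.sender.example", "198.51.100.7", "alice@sender.example", "me@example.com", 1000),
        ("mx.sender.example", "198.51.100.9", "alice@sender.example", "me@example.com", 1400),
    ]
    for s in sessions:
        print(s[0], s[1], "->", smtp_policy(*s, g))
```

A mail server that queues and retries gets through on the second attempt; a sender that never retries is dropped before any expensive content scan runs.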