Slashdot Mirror
I am the Most Spammed Person in the World
jefp writes "In November 2004, Microsoft's second-in-command Steve Ballmer made some headlines by mentioning that Chairman Bill Gates was getting four million spams per day. At the time, I was dealing with a little spam problem of my own - I was getting around a million spams per day. I found it a little comforting that my problem wasn't quite as bad as Bill's. However, a couple of weeks later Ballmer corrected himself, saying he mis-remembered the stat and Gates actually gets four million per year.
This means I was getting one hundred times as much spam as Bill Gates.
I've written a tutorial explaining why I get so much crapmail and how I deal with it."
he just went from 1 million a day to about 1.3 million a day.
for Spamalot
you don't post your email address to farmgirls.com!
Give a man a fish and he'll eat for a day. Teach him to fish and he'll wipe out the species.
...but not with one slashdotting.
He's really just using Slashdot to break his server farm so he won't have to get spam anymore.
You can only be young once, but you can be immature forever.
I'm pretty sure whoever runs nowhere.com can give you a run for your money in the most spam inbound. Although a lot of those are probably from organizations thinking they're sending to legit opt-in requests.
Keep my web service running too, since it's on the same machine.
/. front page?
You try to do this by submiting a story to
Ubuntu is an African word meaning 'I can't configure Debian'
Hi Pokey!
-jim
I guess 1,000,000 spams a day isn't as bad as 1000 people simultaneously trying to access your Web server!
Just yesterday I enabled Greylisting in OpenBSD spamd, and today I got 6 spams, compared with my usual 150. (per day).
It's easy to set up and works with your existing mail server. OUr mail server is qmail on red hat, but openbsd just ahppily redirects the legit (what it suspects might be legit rather) to the mail server. The load has dramatically decreaed on the mail server.
/* oops I accidentally made a comment, sorry */
Your name in the posting is a link that resolves directly to your email address.
Don't know what you're doing right now to reduce the spam, but maybe putting your email address on the front page of Slashdot is a step in the wrong direction.
There are 2 kinds of people in this world. Those that can keep their train of thought,
Just to alleviate some of his bandwidth, I have mirrored the mail_filtering pages. Looks like it's all there. Let me know if you want me to take it down.
"To err is human, to forgive is simply not my policy." --root
I dont get nearly as much spam as that, but even a few hundred a day is pretty irritating. My solution is to delete all email as soon as I get it.
I figure if its important I'll get a phone call.
air and light and time and space
I wonder if Bill changes email addresses as much as I install security patches. Karma's a bitch.
They are ACME Labs! They have everything I ever need. I order my gear to get that nasty Road Runner from them all the time! Its great stuff!
Does Ballmer "mis-remember" his others stats too; he's been showering us with them lately.
but now he's the most slashdotted person in the world
:D
Hmmm...
* "World's biggest hacker"
* "World's Fastest Inkjet Printer"
And what we have here? The "most spammed person in the world" becomes "the most slashdotted person in the world" who used "the most over-used headline cliché in the world".
Ladies and Gentlemen, we have a winner!
That is impressive, but I imagine that any catch-all email addresses at foo.com or test.com might beat even that.
concrete5: a cms made for marketing, but strong enough for geeks.
For my fake email I have used john@holmes.com. I just thought it was funny to use. Then I realized there was a holmes.com. I would surely hate to some guy named john if I work there. I can imagine his email box is going nuts from 10 years worth of stuff.
If you work in a company like mine where Outlook is de rigueur and the Boss is too worried about missing an email to even allow for simple spam filtering at the head end. I can't recommend enough that you give SpamBayes Outlook plug-in a try. It operates nearly perfectly if you train it well (only about 600 spam messages needed).
Hmm... the article was submitted by jefp, and from the website: © 2005 by Jef Poskanzer. You don't suppose they could be the same person, hmm?
For those who do not know, Jef Poskanzer is the author of the thttpd webserver. I'm just wondering what sort of hardware you're running your site and email server on, Jef. I know that thttpd is extremely quick and efficient, so it wouldn't surprise me if you were running on an older 486 or early Pentium I machine.
Cyric Zndovzny at your service.
The site seems to be slowing down, but the coral cache is going strong.
I like his slam on qmail. Does djb ever address such concerns?
-mkb
thanks for the plug xtracto, I created and maintain dodgeit.com :-)
We were getting well over 1 million spams a day before we started using DNS blacklists. I'm stunned that the story author is weathering the storm with sendmail. I never could configure that beast. Dodgeit is a postfix shop.
slashsearch.org - slashdot search. powered by google.
I think the line
kinda gave that away already.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Mail Filtering
Or, how to block a few million spams per day without breaking a sweat.
© 2005 by Jef Poskanzer.
Introduction
In November 2004, Microsoft's second-in-command Steve Ballmer made some headlines by mentioning that Chairman Bill Gates was getting four million spams per day. At the time, I was dealing with a little spam problem of my own - I was getting around a million spams per day. I found it a little comforting that my problem wasn't quite as bad as Bill's. However, a couple of weeks later Ballmer corrected himself, saying he mis-remembered the stat and Gates actually gets four million per year.
This means I was getting one hundred times as much spam as Bill Gates.
Nevertheless, after filtering we both get about the same amount: around ten spams per day in our inboxes. Ballmer says that Microsoft has an entire department dedicated to protecting their mailboxes from spam. At ACME Labs there's just one guy, one server, and a T1 line. And yet my filters are a hundred times as effective as Microsoft's. How do I do it?
These pages will show you how, and help you deploy similar filters on your own system.
Goals
What am I trying to do here?
Results
For those who like to read the end of a novel first, here are some overall stats showing how the filters are performing.
Environment
This is all based on a Unix system running sendmail. If you're not using Unix, or you're using a different Unix-based mail system, most of the specific advice here will not help you. You may still find some value in the general ideas.
Sendmail Config
The first layer of spam defense is sendmail itself, because that's the first piece of software to touch each message. Sendmail has a number of different config options that can help you block spam and keep your machine stable.
greet_pause
As of version 8.13, sendmail added an anti-spam feature called "greet_pause". It is both simple and clever.
In a normal SMTP transaction, first the client connects, then the server sends back a "220" greeting message, then the client sends its HELO command. Some spam programs, however, don't wait for the greeting message. They just send their commands immediately without listening.
The greet_pause feature detects this misbehavior by pausing briefly before sending out the "220" greeting message. If any commands arrive during that pause, then the connection is marked bad and anything coming over it is ignored.
This one is interesting because it actually cuts down on the number of spam attempts, not just the spam deliveries. I figure when the spammers hit the pause they are somehow getting stuck. I'll have a graph of this later - before I enabled greet_pause, I was getting a couple million spam attempts per day; after, only 600,000.
To enable the feature, you need to make two changes. First, in your sendmail.mc file:
You probably already have access_db defined; it just needs to appear somewhere prior to greet_pause. The number is how many milliseconds to pause; 5000 = five seconds. Then in your access file you should add this:
The second change prevents the pause from applying
so I sent him an email asking for the text
This guy's SMTP server:Pipelining is turned on for untrusted hosts. Nice.
Either way, a good portion of the spam hitting my system never even makes it to EHLO/HELO time because if there's any sort of resolution problems with the dns/rdns or if the hostname contains the IP address in it (RFC violation) I delay the connection 20 seonds before the greeting. RFC states clients WILL NOT send data unless asked to do so, except for pipelining which is not advertised for untrusted hosts. When the MTA sees a bunch of incoming crap, it drops the connection because they violated the RFC rules for handshaking (clients MUST wait for the greeting). This does not affect legit MTAs with temporary problems.
I go through a whole bunch of other checks even before DATA time, delaying at each step if there's a problem. 90% of the spam/viruses never even make it to scanning for spam/viruses because they violate something before that and the connection get drops (or they drop it from waiting). Once again, delaying 20 seconds does NOT affect legit MTAs.
Big writeup on SPAM filtering
My MTA
He wasn't getting a million fucking spam a day.
Give me a break... 1/4 as popular as Bill Gates? Doubt it.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
Laws do not persuade just because they threaten. --Seneca
I have had the same address since 1989, long before there WAS a spam problem. My email address was all over Usenet when Cantor and Seigel sent out their first spame, which means it's all over Google Groups. The horse is so far out of the barn its grandchildren are headed for the glue factory.
In 2000, the last time I added it all up, I was getting 300M a month *after* applying blacklists. At this point my mailserver is blocking several countries and ISPs, using multiple blacklists, and running some custom greylist software I wrote myself (for qmail... sorry, Jef), and my local mail client's only seeing 20-30 spams a day out of the hundreds of thousands (maybe as many as a million, it's too depressing to keep track) of delivery attempts that show up in my logs.
If you don't mind changing your email address now and then, more power to you, but I'm damned if I'll give the bastards the satisfaction.
A billion MIPS for defence, but not a byte for tribute!
Someone deletes all your thoughts as soon as you get them?
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
The guy that gets 1000000 items of spam per day is slashdotted?
Beware geeks bearing .GIFs
How come Slashdot never gets Slashdotted?
Ha---that's nothing. I saw someone modded up to at least +4 for responding to himself with a caustic put-down of his own original post.
I replied, saying "Did you actually get modded up to +4 for pimp-slapping yourself?". He had.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
I've had my current email address for the past 13 or 14 years.
(In fact the ISP it's hosted with currently hosts ONLY that email address and a tiny hunk of web space for me; I get my actual connection and everything from Cox).
My address has been plastered all over the Internet from since before there was a spam problem. Even if I were to take it off of all the sites I've made, or ask it to be taken down from all the other sites, there's still hundreds of UseNet posts from before there was need to spam-proof my address, all cached on the various web-based UseNet caches.
At one point a few years back I was getting many hundred spam messages a day. Now, I get about two. And I've not had any problems with false positives that I'm aware of, at least not for quite a while.
I don't run my own mail server and I don't know how West.net (my mail provider) runs theirs, but I do know they run a nice spam filtering service called Postini, which catches a large majority of the spam. When it gets to my end, I've got extensive whitelists for all the discussion lists I'm on, as well as everyone in my address book (everyone I've sent mail to, basically). A lot of spam I'd get has my own address forged onto it, so any mail from me that doesn't contain my passphrase in the subject is blacklisted. I've also got a blacklist for serious repeat spammers (same exact spam every day). Past that, Mail's Bayesian filtering quarantines most of the remaining messages, and all the ends up in my In box are legit messages from people I don't know, and maybe one or two spam messages.
I think the common thread between the article's successful spam filtering and my successful spam filtering is using multiple layers of whitelists, blacklists, and greylists. Keep the people you know on whitelists so you never need to worry about them not getting through; people doing evil things get blacklisted, preferably temporarily as he's done it; and everyone else takes the risk of being filtered (either because their mail server is dysfunctional, as some of his filters would risk, or because the message "looks like spam" as a Bayesian filter would risk). Implement this type of scheme on both the mail server (his way) and the client program (my way) for extra protection.
I think that's about as successful as anyone can hope for a spam filter.
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
A very nice read:
http://www.benzedrine.cx/relaydb.html
http://files.photojerk.com/alan/www.acme.com/mail_ filtering/
Still in creation... Images will 404 untill the server retrieves them.
Maybe someone should create a blacklist blacklist?
cpeterso
> Greylisting will prevent you from receiving email ...
> from a variety of non-complying SMTP hosts
such as slashdot.org?
I tried enabling greylisting on the sneakemail.com address I use to receive email from Slashdot, and it blocked all the email from Slashdot. The logs on sneakemail show many delivery attempts from Slashdot, so I guess there is some kind of incompatibility between the way Slashdot tries to resend the message and the way Sneakemail expects it to be resent. I don't know who is to blame for the incompatibility. Probably no one, since there is no specification on HOW redelivery should be attempted. Anyway, it shows that there can be problems with greylisting because the way a client resends the mail is not well defined.
On the other hand, greylisting is a very effctive filter. I enabled greylisting on the address I have in the whois record of my domain, and I get practically no spam to that address (before greylisting I got quite a lot, and the sneakemail greylisting logs list lots of attempts that are easily recognizable as spam: lots of broadband connection IPs, and "from" address from domain not matching sending server.).
Publishing an address in Slashdot is the most effective way to receive spam, and receive spam fast. About 10 days ago I changed the address I use in Slashdot. The next day I already received spam on that address. The older address is now greylisted and doesn't receive any mail, but the logs show many messages blocked by greylisting (31 yesterday). What I do now is change the address I publish in Slashdot every once in a while, and enable greylisting the old address. It doesn't block all spam, but it takes a while for the volume of spam to the new address to build.
Without downloading and unzipping your code, I can't tell how your blacklisting features work, but an obvious extension to a greylisting system is to give RBLed sites a much longer greylist time than mail from unknown sites (e.g. 4-hour retries vs. 5-minute.) It's particularly useful because you can even use some of the more aggressive lists in spite of their enjoyment of collateral damage, and you can use whole-country blocklists for places you don't expect to get mail from, such as Korea and China, without actually rejecting much mail from real people.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks