I am the Most Spammed Person in the World

jefp writes "In November 2004, Microsoft's second-in-command Steve Ballmer made some headlines by mentioning that Chairman Bill Gates was getting four million spams per day. At the time, I was dealing with a little spam problem of my own - I was getting around a million spams per day. I found it a little comforting that my problem wasn't quite as bad as Bill's. However, a couple of weeks later Ballmer corrected himself, saying he mis-remembered the stat and Gates actually gets four million per year. This means I was getting one hundred times as much spam as Bill Gates. I've written a tutorial explaining why I get so much crapmail and how I deal with it."

This will help his spam problem for sure!!

[fizz]

he just went from 1 million a day to about 1.3 million a day.

Give him a Tony

for Spamalot

And that's why....

[The+Woodworker]

you don't post your email address to farmgirls.com!

Re:And that's why....

[gstoddart]

you don't post your email address to farmgirls.com!

Oh, sure, and I'm sitting behind a monitored corporate firewall wondering just what might be on the end of such an URL.

Bastards!

Re:And that's why....

[spood]

Oh, sure, and I'm sitting behind a monitored corporate firewall wondering just what might be on the end of such an URL.

Well, apparently they don't have a problem with your slashdot habit!

You can cope with 1M spam emails...

[ccozan]

...but not with one slashdotting.

What's happening here is:

[Njoyda+Sauce]

He's really just using Slashdot to break his server farm so he won't have to get spam anymore.

nowhere

[magarity]

I'm pretty sure whoever runs nowhere.com can give you a run for your money in the most spam inbound. Although a lot of those are probably from organizations thinking they're sending to legit opt-in requests.

Re:nowhere

[abulafia]

I know the owner of that domain, and yes, she got so much mail that she ended up turning MX off for it.

Re:nowhere

[njcoder]

I used to use asdf.com all the time too.. Then one day I decided to see if it actually existed. This is a funny read. :)

Not so clever

[xtracto]

Keep my web service running too, since it's on the same machine.

You try to do this by submiting a story to /. front page?

Greylisting

[nocomment]

Just yesterday I enabled Greylisting in OpenBSD spamd, and today I got 6 spams, compared with my usual 150. (per day).

It's easy to set up and works with your existing mail server. OUr mail server is qmail on red hat, but openbsd just ahppily redirects the legit (what it suspects might be legit rather) to the mail server. The load has dramatically decreaed on the mail server.

A quick suggestion...

[nganju]

Your name in the posting is a link that resolves directly to your email address.

Don't know what you're doing right now to reduce the spam, but maybe putting your email address on the front page of Slashdot is a step in the wrong direction.

Mirror

[schnurble]

Just to alleviate some of his bandwidth, I have mirrored the mail_filtering pages. Looks like it's all there. Let me know if you want me to take it down.

I know how to deal with spam.

[PopeAlien]

I dont get nearly as much spam as that, but even a few hundred a day is pretty irritating. My solution is to delete all email as soon as I get it.

I figure if its important I'll get a phone call.

Re:I know how to deal with spam.

[Everleet]

Funny, I delete all phone calls as soon as I get them. I figure if it's important I'll get an IM.

Re:I know how to deal with spam.

[DoomHaven]

Funny, I delete all IMs as soon as I get them. I figure if it's important, I'll get a visit.

Re:I know how to deal with spam.

[over_exposed]

Funny, I delete all of my visitors as soon as they show up. I figure if it's important, I'll get an e-mail.

I couldn't resist, I'm sorry. *hangs head in shame*

Re:I know how to deal with spam.

[Poltras]

Funny, I delete all of my visitors as soon as they show up. I figure if it's important, the police will come and circle the house.

Re:I know how to deal with spam.

[AndersOSU]

Funny, in Soviet Russia the police delete you.

Re:I know how to deal with spam.

[Cobralisk]

I don't know, as I delete all slashdot threads as soon as I get them. I figure if its important I'll get a crapflood of spam.

Re:I know how to deal with spam.

[MarkGriz]

I also delete all slashdot threads as soon as I get them. I figure if its important, Taco will dupe it.

Re:I know how to deal with spam.

[The-Bus]

Sorry, readers. The posters and the posts above are on the queue to be sacked. We had asked someone in the department to sack them earlier, but they didn't do it. Those responsible for sacking the people who have just been sacked have been sacked.

As a result, since no one receives email, calls, visitors, IMs, telegrams, or Soviet secret police, we are sending messenger (African) pigeons to deliver these messages to you, in an entirely different style at great expense and at the last minute.

Re:I know how to deal with spam.

[Aerion]

Exactly how fast do these pigeons travel?

I need to know so that I can anticipate their arrival and delete them as soon as they get here.

I figure if it's important, they'll send a messenger swallow.

I wonder..

[Mikey+Rowan]

I wonder if Bill changes email addresses as much as I install security patches. Karma's a bitch.

in the world...

[Spy+der+Mann]

but now he's the most slashdotted person in the world

Hmmm...
* "World's biggest hacker"
* "World's Fastest Inkjet Printer"

And what we have here? The "most spammed person in the world" becomes "the most slashdotted person in the world" who used "the most over-used headline cliché in the world".
Ladies and Gentlemen, we have a winner! :D

Re:in the world...

[fataugie]

Ha! I'm the World's Greatest Dad, and I have a mug to prove it!

The funny thing is, I don't have any kids....

Heh

[aftk2]

That is impressive, but I imagine that any catch-all email addresses at foo.com or test.com might beat even that.

Re:Heh

[Anne_Nonymous]

I use my Senator's email address. I suspect he needs a bigger penis anyhow.

Re:Heh

[mattsucks]

I use my Senator's email address. I suspect he needs a bigger penis anyhow.

Nah, he's probably a big enough dick as it is.

It is testicular enhancement that is called for in the case of most Senators.

Re:Stop endorsing plagiarism, editors!!!

[zerbot]

Hmm... the article was submitted by jefp, and from the website: © 2005 by Jef Poskanzer. You don't suppose they could be the same person, hmm?

Coral cache

[gregbaker]

The site seems to be slowing down, but the coral cache is going strong.

qmail

[mmkkbb]

I like his slam on qmail. Does djb ever address such concerns?

Re:qmail

[spun]

Short Answer: No, but other people do.

Long Answer: The concern is the misdirected bounce. By default and in accordance with the RFC, qmail bounces messages it accepts then later decides it can't deliver back to the sender. Spammers use false return addresses, so you end up bouncing spam back to innocent third parties. When used with naive spam-filtering techniques, this can be a problem i.e. qmail accepts the message, but a spam filter rejects it, and it is bounced. Here's what SpamCop.net has to say about it:

Qmail: Qmail is one popular mail exchanger which suffers from this problem by default. If you use qmail, please apply a patch: spamcontrol or qmail-ldap.

There is also an experimental patch for qmail which allows you to send bounces, but isolate them on a different IP address (so that spamcop can block them without blocking other mail): Richard Lyons BOUNCEQUEUE patch

PZInternet.com reports chkuser is a very good qmail patch to avoid misdirected bounces - very easy to install too! http://www.interazioni.it/opensource/chkuser/

For users of qmail-toasters, check out the simscan patch

Everything anti-spam is done by people other than djb. I love qmail, but it really isn't the easiest server to set up for spam control. One needs about a dozen patches to get it working right.

Re:Tip #1

[phildog]

thanks for the plug xtracto, I created and maintain dodgeit.com :-) We were getting well over 1 million spams a day before we started using DNS blacklists. I'm stunned that the story author is weathering the storm with sendmail. I never could configure that beast. Dodgeit is a postfix shop.

Re:Stop endorsing plagiarism, editors!!!

[Anonymous+Brave+Guy]

You don't suppose they could be the same person, hmm?

I think the line

"I've written a tutorial explaining why I get so much crapmail and how I deal with it."

kinda gave that away already.

Full text - it's Slashdoted (minus img and tables)

Mail Filtering

Or, how to block a few million spams per day without breaking a sweat.

© 2005 by Jef Poskanzer.

Introduction

In November 2004, Microsoft's second-in-command Steve Ballmer made some headlines by mentioning that Chairman Bill Gates was getting four million spams per day. At the time, I was dealing with a little spam problem of my own - I was getting around a million spams per day. I found it a little comforting that my problem wasn't quite as bad as Bill's. However, a couple of weeks later Ballmer corrected himself, saying he mis-remembered the stat and Gates actually gets four million per year.

This means I was getting one hundred times as much spam as Bill Gates.

Nevertheless, after filtering we both get about the same amount: around ten spams per day in our inboxes. Ballmer says that Microsoft has an entire department dedicated to protecting their mailboxes from spam. At ACME Labs there's just one guy, one server, and a T1 line. And yet my filters are a hundred times as effective as Microsoft's. How do I do it?

These pages will show you how, and help you deploy similar filters on your own system.

Goals

What am I trying to do here?

• Keep my email service running and useful.
• Keep my web service running too, since it's on the same machine.
• Avoid losing real email by mistake.
• Delay growth in resource use, so I can delay spending money on hardware upgrades.
• Spend as little time as possible on the above, so I can get more important things done.
• Help other people do the same.

Results

For those who like to read the end of a novel first, here are some overall stats showing how the filters are performing.

Environment

This is all based on a Unix system running sendmail. If you're not using Unix, or you're using a different Unix-based mail system, most of the specific advice here will not help you. You may still find some value in the general ideas.

Sendmail Config

The first layer of spam defense is sendmail itself, because that's the first piece of software to touch each message. Sendmail has a number of different config options that can help you block spam and keep your machine stable.

greet_pause

As of version 8.13, sendmail added an anti-spam feature called "greet_pause". It is both simple and clever.

In a normal SMTP transaction, first the client connects, then the server sends back a "220" greeting message, then the client sends its HELO command. Some spam programs, however, don't wait for the greeting message. They just send their commands immediately without listening.

The greet_pause feature detects this misbehavior by pausing briefly before sending out the "220" greeting message. If any commands arrive during that pause, then the connection is marked bad and anything coming over it is ignored.

This one is interesting because it actually cuts down on the number of spam attempts, not just the spam deliveries. I figure when the spammers hit the pause they are somehow getting stuck. I'll have a graph of this later - before I enabled greet_pause, I was getting a couple million spam attempts per day; after, only 600,000.

To enable the feature, you need to make two changes. First, in your sendmail.mc file:

FEATURE(access_db)dnl FEATURE(`greet_pause',5000)

You probably already have access_db defined; it just needs to appear somewhere prior to greet_pause. The number is how many milliseconds to pause; 5000 = five seconds. Then in your access file you should add this:

GreetPause:localhost 0

The second change prevents the pause from applying

slashdotted...

[ajrs]

so I sent him an email asking for the text

What to do...

[SamMichaels]

Well his site is dead, mirrordot chokes on frames, and I'm too lazy to google....so I'll risk getting -1 RTFA and post anyway.

This guy's SMTP server:

220 gate.acme.com ESMTP Sendmail; Wed, 8 Jun 2005 11:53:27 -0700 (PDT)
EHLO myhostname
250-gate.acme.com Hello [myip], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250- 8BITMIME
250-SIZE
250-ETRN
250-STARTTLS
250-DE LIVERBY
250 HELP

Pipelining is turned on for untrusted hosts. Nice.

Either way, a good portion of the spam hitting my system never even makes it to EHLO/HELO time because if there's any sort of resolution problems with the dns/rdns or if the hostname contains the IP address in it (RFC violation) I delay the connection 20 seonds before the greeting. RFC states clients WILL NOT send data unless asked to do so, except for pipelining which is not advertised for untrusted hosts. When the MTA sees a bunch of incoming crap, it drops the connection because they violated the RFC rules for handshaking (clients MUST wait for the greeting). This does not affect legit MTAs with temporary problems.

I go through a whole bunch of other checks even before DATA time, delaying at each step if there's a problem. 90% of the spam/viruses never even make it to scanning for spam/viruses because they violate something before that and the connection get drops (or they drop it from waiting). Once again, delaying 20 seconds does NOT affect legit MTAs.

Big writeup on SPAM filtering

My MTA

Re:Before it was Slashdotted..

[LuckyStarr]

In fact his Webserver still runs perfectly. Why do I know? Because I am reading his article. Slashdottings occur when webservers use more RAM than the system has. Kernel swaps, webserver allocates some more memory, tilt. So the obvious solution is to configure your webserver not to. :) I guess this is what he did. All incoming connects get queued by the kernel and handed over to the webserver if a slot gets available. It gets terribly slow (I can tell!), but if the user has a high timeout-value (of a minute or 2) then no error will occur at his end either.

Very reliable tech I guess. :)

Close second.

[Grendel+Drago]

My money's on this one.

Yeah, back in my day, if we needed directions we had to slaughter a goat and wiggle the intestines!

You sick fucker. How can you joke about abusing a beautiful animal like a goat? If I ever catch you i'll crack your skull open.

You sick fucker. How can you joke about cracking someone's skull open? If I ever catch you i'll slaughter you and wiggle the intestines.

You sick fucker. How can you joke about slaughtering someone? If I ever catch you I'll sit down and eat Ice Cream.

I am Ice Cream, you insensitive clod!

Re:Close second.

[lpangelrob2]

I'm not sure how you managed to managed to repost a thread with a combined score of -1 to get a +4 Funny... but can you teach me that trick?

I have a high-profile address...

[argent]

I have had the same address since 1989, long before there WAS a spam problem. My email address was all over Usenet when Cantor and Seigel sent out their first spame, which means it's all over Google Groups. The horse is so far out of the barn its grandchildren are headed for the glue factory.

In 2000, the last time I added it all up, I was getting 300M a month *after* applying blacklists. At this point my mailserver is blocking several countries and ISPs, using multiple blacklists, and running some custom greylist software I wrote myself (for qmail... sorry, Jef), and my local mail client's only seeing 20-30 spams a day out of the hundreds of thousands (maybe as many as a million, it's too depressing to keep track) of delivery attempts that show up in my logs.

If you don't mind changing your email address now and then, more power to you, but I'm damned if I'll give the bastards the satisfaction.

A billion MIPS for defence, but not a byte for tribute!

Re:MOD PARENT UP!

[TuringTest]

Someone deletes all your thoughts as soon as you get them?

Re:What hardware is your site running on, Jef?

[jefp]

Hardware info here. It's a 3.2 GHz P4. I was struggling along on a 450 MHz box until only a year ago, but finally had to upgrade.

Re:DNS-RBLs

[cpeterso]

Maybe someone should create a blacklist blacklist?