Mark Minasi is a guy who writes a Windows newsletter about various IT tricks and other things related to using a Windows system.
This month, the majority of his newsletter was about spam, and I think he missed a couple of points, so I wrote to him. It ended up pretty long, so I figured I might as well post it here as well.
Some ground rules for my filtering: I believe that it is unacceptable for server administrators to throw away email, ever. Individual users can decide to throw away email if they would like. Rejecting an email that you are very confident is spam is fine, since then the sender gets a bounce, and so if he is not a spammer, he knows it right away, rather than waiting a week and then calling to find out why the receiver never responded to his email.

It is also very bad to bounce a mail back to the sender after the sender closes the SMTP connection: you have no confidence that the "return-path/from" address is correct, and I get a couple of mails a month from administrators who incorrectly bounced a message to me that I did not send. And even worse, some servers correctly detect that they are receiving a virus, so they bounce it and send me the virus. Duh.

Additionally, I treat viruses as spam, i.e. I have only one bucket for things that waste my time. spamcop.net doesn't want to hear about viruses, so I have to be careful when reporting. I believe that my reporting email spam to spamcop for the last couple of years has kept my spam down. I stopped reporting earlier this year (see the graph below) because the spam got to be too much to deal with at a couple of mouse clicks per spam.

I don't believe in hiding my email address on the web or newsgroups, but I do believe in using tracking email addresses, so if someone ever sells/uses my address for spam where I gave it to them, I come down hard. Just last week I got a small ISP's connection removed by his provider, until they promised to never spam again.


RBL using spamhaus.org, conservative enough to not cause false positives. Rejected before the sender has a chance to tell me who he is sending the email to, so it can't be used to figure out which addresses are valid.

Reject invalid pipelining: a couple percent of spammers have bad mailers that don't ask to use pipelining, or if they do ask, don't wait for the response but just start sending commands. These are easy to reject as well.

By this point 70% of incoming email is rejected, with very little server overhead, and as far as I know, no false positives.
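The two connection-time checks above, as an added example that is not Jon's server configuration: a DNSBL verdict is decided at connect time, before the client can issue RCPT TO, and a client that sends several commands without waiting for replies is refused unless it was first offered PIPELINING in an EHLO response. The resolver, the zone name "dnsbl.example", the hostname "mail.example" and the client transcripts are all constructed for the example.

```python
"""Connection-time SMTP rejection, as an added example (not the post's server
configuration): a DNSBL lookup decided before the client ever sends RCPT TO, and
detection of clients that pipeline commands without having been offered PIPELINING.
The resolver, the zone name "dnsbl.example" and the client transcripts are all
constructed for the example."""
import ipaddress


def dnsbl_query_name(client_ip, zone):
    """DNSBLs are queried by reversing the octets of the client IP under the zone:
    1.2.3.4 checked against dnsbl.example becomes 4.3.2.1.dnsbl.example."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(client_ip, zone, resolve):
    """resolve(name) stands in for an A-record lookup and returns the answer or None.
    Listed hosts answer with an address in 127.0.0.0/8 (the exact value encodes why)."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    return answer is not None and answer.startswith("127.")


class EarlyRejectServer:
    """Simulated policy side of an SMTP server. The client's traffic is given as a
    list of chunks in the order they arrive on the wire; each chunk holds one or
    more CRLF-terminated commands. More than one command in a chunk is pipelining,
    which is legitimate only after the client has sent EHLO and seen PIPELINING
    in our reply (RFC 2920). Responses are returned as (code, text) pairs."""

    def __init__(self, client_ip, zone, resolve, hostname="mail.example"):
        self.client_ip = client_ip
        self.zone = zone
        self.resolve = resolve
        self.hostname = hostname
        self.pipelining_ok = False

    def run(self, chunks):
        responses = []
        # Decide the DNSBL verdict at connect time. The client is gone before it can
        # issue RCPT TO, so a listed host learns nothing about which addresses exist.
        if dnsbl_listed(self.client_ip, self.zone, self.resolve):
            responses.append((554, "5.7.1 Service unavailable; client host [%s] blocked using %s"
                              % (self.client_ip, self.zone)))
            return responses
        responses.append((220, "%s ESMTP" % self.hostname))
        for chunk in chunks:
            lines = [l for l in chunk.split("\r\n") if l]
            # Several commands arrived before we answered the first one, and
            # PIPELINING was never offered: the client is not waiting for replies.
            if len(lines) > 1 and not self.pipelining_ok:
                responses.append((503, "5.5.0 Improper use of SMTP command pipelining"))
                return responses
            for line in lines:
                responses.append(self.command(line))
                if line.strip().upper() == "QUIT":
                    return responses
        return responses

    def command(self, line):
        verb = line.split(None, 1)[0].upper()
        if verb == "EHLO":
            self.pipelining_ok = True          # from here on the client may pipeline
            return (250, "%s PIPELINING" % self.hostname)   # simplified single-line reply
        if verb == "HELO":
            return (250, self.hostname)        # plain HELO: no extensions, no pipelining
        if verb == "MAIL":
            return (250, "2.1.0 Ok")
        if verb == "RCPT":
            return (250, "2.1.5 Ok")
        if verb == "DATA":
            return (354, "End data with <CR><LF>.<CR><LF>")
        if verb == "QUIT":
            return (221, "2.0.0 Bye")
        return (502, "5.5.2 Error: command not recognized")
```

Both checks are cheap: one DNS query per connection and a look at whether more than one line is already buffered, with no message body ever read. Note that "EHLO x" followed by "MAIL FROM" in the same chunk is also refused, because the client pipelined before it could have seen that pipelining was allowed.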

Greylisting (I don't think you mentioned this at all in your article): this has reduced my spam to almost 0 just by itself. Some of my clients who use my server still get a fair amount of spam that gets by greylisting.
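Greylisting as an added example, not the software running on Jon's server: the first delivery attempt for an unseen (client network, sender, recipient) triplet gets a temporary 4xx failure, a real MTA retries later and is then accepted and remembered, and most spamware fires once and never retries. The delay and expiry values, the /24 keying and the sample addresses are assumptions chosen for the example, not taken from the post.

```python
"""Greylisting, as an added example (not the post's server software): the first
delivery attempt for an unseen (client network, sender, recipient) triplet is
answered with a temporary 4xx failure. A real MTA queues the message and retries
later, at which point the triplet is accepted and remembered; most spamware
fires once and never comes back. The delay and expiry values are assumptions
chosen for the example, not taken from the post."""
import time

TEMPFAIL = (450, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "2.1.5 Ok")


class Greylist:
    def __init__(self, delay=300, retry_window=4 * 3600,
                 keep_known=36 * 24 * 3600, clock=time.time):
        self.delay = delay                 # a retry sooner than this is still refused
        self.retry_window = retry_window   # forget a triplet that never retries in time
        self.keep_known = keep_known       # how long a passed triplet stays accepted
        self.clock = clock                 # injectable so the behaviour can be tested
        self.pending = {}                  # triplet -> time of first attempt
        self.known = {}                    # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Key on the /24 rather than the exact host: sites with a pool of outbound
        # MTAs often retry from a different machine, and the retry must still match.
        net = ".".join(client_ip.split(".")[:3])
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient):
        """Policy answer for one RCPT TO, as a (code, text) pair."""
        now = self.clock()
        self._expire(now)
        key = self.triplet(client_ip, sender, recipient)
        if key in self.known:
            self.known[key] = now          # known-good triplet: accept and refresh
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now        # never seen: refuse temporarily, remember it
            return TEMPFAIL
        if now - first_seen < self.delay:
            return TEMPFAIL                # retried too quickly; keep waiting
        del self.pending[key]              # a genuine retry: promote to known
        self.known[key] = now
        return ACCEPT

    def _expire(self, now):
        for key, seen in list(self.pending.items()):
            if now - seen > self.retry_window:
                del self.pending[key]
        for key, seen in list(self.known.items()):
            if now - seen > self.keep_known:
                del self.known[key]
```

The cost is that the first message from any new correspondent is delayed by however long the sending MTA waits before retrying, and a sender that never retries at all loses the message, which is why the refusal is a 4xx (try again) and not a 5xx. A spammer who has started to retry gets through this stage, so the content filters after acceptance still have work to do.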

Mail is now accepted, i.e. any rejections after this point will not be returned to the sender, an important point that some people forget.

spamassassin: Bayesian filter, as well as dialup/open relay/RBL checks, but instead of straight blacklisting, emails get a spamminess score, and each user can decide what he wants to do with the email. I /dev/null after the score reaches a certain level, and use different levels for different recipients. It also uses auto-whitelists, where if you have gotten email from this guy before, it lowers its spamminess score.

razor: ask other people if they thought this mail was spam. Not totally reliable, since lots of people make mistakes, but if the score from razor is high enough, it is usually pretty good. I feed this result into spamassassin to bump up the score a little.
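The post-acceptance scoring described in the spamassassin and razor items above, as an added example modelled on how SpamAssassin combines rule hits, a Razor verdict and its auto-whitelist before a per-recipient threshold is applied. None of it is Jon's actual configuration: the rule names and scores, the Razor bump, the auto-whitelist formula and the recipient thresholds are assumptions for the example. Since the message has already been accepted, the only outcomes are deliver, file as spam, or discard; bouncing is not among them.

```python
"""Post-acceptance scoring, as an added example modelled on how SpamAssassin combines
rule hits, a Razor verdict and its auto-whitelist, then applies a per-recipient
threshold. Nothing here is the post's actual configuration: the rule names and
scores, the Razor bump, the AWL formula and the recipient thresholds are all
assumptions for the example. Because the message has already been accepted,
the only possible outcomes are deliver, file as spam, or discard; never bounce."""
from collections import defaultdict

# Constructed rule scores; a real SpamAssassin rule set has thousands of these.
RULE_SCORES = {
    "BAYES_99": 3.5,            # Bayesian classifier: 99-100% probability of spam
    "RCVD_IN_DIALUP": 1.0,      # sent directly from a dialup/dynamic address
    "RCVD_IN_OPEN_RELAY": 1.5,  # relayed through a listed open relay
    "HTML_ONLY": 0.5,
}
RAZOR_SCORE = 2.5   # added when Razor says enough other people reported this message
AWL_FACTOR = 0.5    # fraction of the distance to the sender's historical mean


class AutoWhitelist:
    """Running mean of raw scores per sender. Keyed on the address plus the /16 of
    the sending host (as SpamAssassin does) so a forged From: alone does not
    inherit a good reputation."""

    def __init__(self):
        self.history = defaultdict(lambda: [0.0, 0])   # key -> [sum, count]

    @staticmethod
    def key(sender, client_ip):
        return (sender.lower(), ".".join(client_ip.split(".")[:2]))

    def adjust(self, sender, client_ip, raw_score):
        """Pull the score toward the sender's mean, then record the raw score.
        A sender with a history of clean mail drags a high score down, and a
        sender with a history of spam drags a low-scoring message up."""
        k = self.key(sender, client_ip)
        total, count = self.history[k]
        adjusted = raw_score
        if count:
            mean = total / count
            adjusted = raw_score + (mean - raw_score) * AWL_FACTOR
        self.history[k] = [total + raw_score, count + 1]
        return adjusted


def score_message(hits, razor_confirmed, sender, client_ip, awl):
    """Combine rule hits and the Razor verdict, then apply the auto-whitelist."""
    raw = sum(RULE_SCORES.get(hit, 0.0) for hit in hits)
    if razor_confirmed:
        raw += RAZOR_SCORE
    return awl.adjust(sender, client_ip, raw)


# (tag threshold, discard threshold) per recipient: one user's discard level is
# another's spam folder, so the decision is made per mailbox, not per server.
RECIPIENT_POLICY = {
    "jon@example.org": (5.0, 12.0),
    "client@example.org": (5.0, 20.0),
}


def decide(score, recipient, policy=RECIPIENT_POLICY):
    """Mailbox-level action. Recipients without a policy are tagged but never discarded."""
    tag, discard = policy.get(recipient, (5.0, float("inf")))
    if score >= discard:
        return "discard"       # /dev/null, chosen by the user; still not a bounce
    if score >= tag:
        return "spam_folder"
    return "inbox"
```

Two things are worth noticing in the arithmetic. A sender whose first message scored 7.0 gets a later, entirely clean message pulled up to 3.5, and a sender with clean history gets a 4.0-point message pulled down to 2.0, which is the "lowers its spamminess score" behaviour and also its flip side. And the discard decision lives in a per-recipient table rather than in the MTA, matching the ground rule that users may throw mail away but the server administrator must not.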

Finally, report anything that made it through to spamcop.net, and email their ISP to get them removed.

After all of that, I personally get a couple of spams/viruses a day, most in my spam folder. I think last month I got 6 spams/viruses (the spammers are getting better) in my inbox.

You can see the sharp downturn after I implemented greylisting in August.

Mail statistics graph
Posted by Jon Daley on November 2, 2005, 8:39 am