Mark Minasi is a guy who writes a Windows newsletter about various IT tricks and other things related to using a Windows system.
This month, the majority of his newsletter was about spam. I think he missed a couple of points, so I wrote to him; it ended up pretty long, so I figured I might as well post it here as well.
Some ground rules for my filtering: I believe that it is unacceptable for server administrators to throw away email, ever. Individual users can decide to throw away email if they would like. Rejecting an email that you are very confident is spam is fine, as then the sender gets a bounce, and so if he is not a spammer, he knows it right away, rather than waiting a week and then calling to find out why the receiver never responded to his email.
It is also very bad to bounce a mail back to the sender after the sender closes the SMTP connection: you have no confidence that the "return-path/from" address is correct, and I get a couple of mails a month from administrators who incorrectly bounced a message to me that I did not send. And even worse, some servers correctly detect that they are receiving a virus, so they bounce it, and send me the virus. Duh.
Additionally, I treat viruses as spam, i.e. I have only one bucket for things that waste my time. spamcop.net doesn't want to hear about viruses, so I have to be careful when reporting. I believe that my reporting email spam to spamcop for the last couple of years has kept my spam down. I stopped reporting earlier this year (see the graph below) because the spam got to be too much to deal with at a couple of mouse clicks per spam.
I don't believe in hiding my email address on the web or newsgroups, but I do believe in using tracking email addresses, so if someone ever sells/uses my address for spam where I gave it to them, I come down hard. Just last week I got a small ISP's connection removed by his provider, until they promised to never spam again.
RBL check using spamhaus.org, conservative enough not to cause false positives. The connection is rejected on the client's IP address, before the sender has a chance to tell me who he is sending the email to (i.e. before RCPT TO), so the rejection can't be used to figure out which addresses are valid.
Reject invalid pipelining: a couple of percent of spammers have bad mailers that send pipelined commands without ever asking for pipelining, or that do ask but don't wait for the response and just start sending commands anyway. These are easy to reject as well.
By this point about 70% of incoming email has been rejected, with very little server overhead and, as far as I know, no false positives.
Greylisting (I don't think you mentioned this at all in your article): this by itself has reduced my spam to almost zero. Some of my clients who use my server still get a fair amount of spam that gets by greylisting.
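The three connection-time stages just described (RBL at connect, bad-pipelining detection, greylisting) as an added Python illustration. This is not the author's configuration or the code of any real MTA; the blocklist entries, the clock and the client transcripts are constructed so it runs offline, and a real server would resolve the reversed IP against zen.spamhaus.org instead of consulting the FAKE_RBL set. One caveat the text does not mention: keying the greylist on the exact client IP, as below, makes senders that retry from a different address in a pool keep hitting the temporary failure, which is why many deployments key on the /24 instead.

```python
"""Connection-time SMTP checks (added example, not the author's setup).

Stage 1  DNSBL/RBL lookup on the connecting IP, decided at connect time,
         before any RCPT TO, so a rejection reveals nothing about which
         mailboxes exist.
Stage 2  Bad-pipelining / early-talker detection: sending a command before
         reading our reply is only legal after we advertised PIPELINING in
         the EHLO reply and the client has actually read that reply.
Stage 3  Greylisting on the (client IP, sender, recipient) triplet.

FAKE_RBL, the injectable clock and the transcripts are constructed data.
"""
import ipaddress
import time

# Constructed stand-in for DNSBL answers (assumption, not real list data).
FAKE_RBL = {"198.51.100.23", "203.0.113.7"}

GREYLIST_DELAY = 5 * 60      # seconds a new triplet must wait before acceptance
GREYLIST_TTL = 4 * 60 * 60   # forget a triplet that never retried


def rbl_listed(ip: str) -> bool:
    """Stage 1: decided on the client address alone, before it says anything."""
    ipaddress.ip_address(ip)          # reject garbage before any lookup
    return ip in FAKE_RBL


class Greylist:
    """Stage 3: temp-fail a triplet the first time, accept an honest retry."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.first_seen = {}          # (ip, sender, rcpt) -> first timestamp

    def check(self, ip, sender, rcpt):
        now = self.clock()
        key = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > GREYLIST_TTL:
            self.first_seen[key] = now
            return 450, "4.7.1 Greylisted, please retry later"
        if now - first < GREYLIST_DELAY:
            return 450, "4.7.1 Greylisted, please retry later"
        return 250, "2.1.5 Recipient ok"


def smtp_session(client_ip, transcript, greylist):
    """Run one constructed client transcript through stages 1-3.

    transcript: list of (command, waited); waited=False means the client
    sent this command before reading the reply to the previous one (or
    before the banner, for the first command).
    Returns (smtp_code, stage_that_decided).
    """
    if rbl_listed(client_ip):
        return 554, "rbl"             # no RCPT was ever seen, nothing leaked
    pipelining_ok = False             # True once the client has read our EHLO reply
    ehlo_pending = False
    sender = ""
    for cmd, waited in transcript:
        if waited and ehlo_pending:
            pipelining_ok = True      # our EHLO reply advertised PIPELINING
        ehlo_pending = False
        if not waited and not pipelining_ok:
            return 554, "pipelining"  # talked before we answered, without permission
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            ehlo_pending = True       # plain HELO never earns pipelining
        elif verb == "MAIL":
            sender = arg.partition(":")[2].strip().strip("<>")
        elif verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>")
            code, _ = greylist.check(client_ip, sender, rcpt)
            if code != 250:
                return code, "greylist"
    return 250, "accepted"
```

The 450 reply is a temporary failure, so a real MTA queues and retries and is accepted once GREYLIST_DELAY has passed; most spam engines never come back, which is the whole trick. The transcript model is deliberately minimal: it tracks only whether the client waited for each reply, which is exactly the property the early-talker check cares about.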
Mail is now accepted, i.e. anything filtered out after this point is not returned to the sender -- an important point that some people forget.
SpamAssassin: Bayesian filter, as well as dialup/open relay/RBL checks, but instead of straight blacklisting, each email gets a spamminess score, and each user can decide what to do with the email. I /dev/null mail once the score reaches a certain level, and use different levels for different recipients. It also uses auto-whitelists: if you have received email from this sender before, the score is adjusted toward that sender's past average, so a sender whose earlier mail looked like ham gets a lower spamminess score.
Razor: ask other people whether they thought this mail was spam. Not totally reliable, since lots of people make mistakes, but if Razor's confidence is high enough it is usually pretty good. I feed this result into SpamAssassin to bump up the score a little rather than treating it as a hard reject.
Finally, report anything that made it through to spamcop.net, and email the sender's ISP to get them removed.
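The post-acceptance stages above (SpamAssassin score, Razor folded in as a score rather than a block, per-recipient thresholds, and the rule that nothing is bounced once the mail has been accepted) as an added Python illustration. It is not the author's setup or any project's code. The X-Spam-Status header format is the one SpamAssassin really adds; the score, the fired tests, the thresholds, the addresses and the sample message are all constructed.

```python
"""Post-acceptance routing (added example, not the author's setup).

Once the server has answered 250 to DATA the message is ours, so the
only outcomes are inbox, spam folder or discard. There is deliberately
no bounce branch: the Return-Path was never verified, and a bounce sent
now is backscatter to whoever was forged.

X-Spam-Status is the real SpamAssassin header; every value in the
sample message and in USER_POLICY is constructed.
"""
import email
import re

SAMPLE_MESSAGE = """\
Return-Path: <bounce@example.net>
X-Spam-Status: Yes, score=7.8 required=5.0 tests=BAYES_99,RAZOR2_CHECK,RCVD_IN_XBL autolearn=spam version=3.0.4
Message-ID: <constructed-0001@example.net>
From: "Constructed Sender" <bounce@example.net>
To: undisclosed-recipients:;
Subject: constructed sample

body
"""

STATUS_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)\s+required=(\d+(?:\.\d+)?)\s+tests=(\S*)")

# Per-recipient thresholds (constructed). discard=None means this user
# never lets the server drop mail, only file it in the spam folder.
USER_POLICY = {
    "jon@example.org":    {"spam_folder": 5.0, "discard": 15.0},
    "client@example.org": {"spam_folder": 8.0, "discard": None},
}


def parse_spam_status(raw: str) -> dict:
    """Pull score, threshold and fired tests out of X-Spam-Status.

    A message without the header (the scanner was skipped or crashed)
    scores 0.0 and therefore lands in the inbox rather than vanishing.
    """
    msg = email.message_from_string(raw)
    message_id = msg.get("Message-ID", "")
    m = STATUS_RE.search(msg.get("X-Spam-Status", ""))
    if not m:
        return {"score": 0.0, "required": None, "tests": [], "message_id": message_id}
    return {
        "score": float(m.group(1)),
        "required": float(m.group(2)),
        # RAZOR2_CHECK appears here as one scored test among others,
        # not as a hard reject of its own.
        "tests": [t for t in m.group(3).split(",") if t],
        "message_id": message_id,
    }


def dispose(score: float, user_policy: dict) -> str:
    """Map one score to one of the three allowed outcomes for one user."""
    discard = user_policy["discard"]
    if discard is not None and score >= discard:
        return "discard"
    if score >= user_policy["spam_folder"]:
        return "spam-folder"
    return "inbox"


def route(raw: str, envelope_rcpts, policies=USER_POLICY, audit_log=None):
    """One message, one score, a separate decision per envelope recipient.

    Envelope recipients are used rather than the To: header, which may be
    empty or forged. Every discard leaves an audit line so that a
    '/dev/null' decision can still be traced when someone asks later.
    """
    status = parse_spam_status(raw)
    decisions = {}
    for rcpt in envelope_rcpts:
        decision = dispose(status["score"], policies[rcpt])
        decisions[rcpt] = decision
        if decision == "discard" and audit_log is not None:
            audit_log.append(
                f"discard {status['message_id']} for {rcpt} score={status['score']}"
            )
    return decisions
```

With the constructed thresholds the same 7.8-point message is filed as spam for one recipient and delivered to the other, which is the per-recipient behaviour the text describes; raising the score past 15 discards it for the first user only, and the discard is logged rather than silent.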
After all of that, I personally get a couple of spams/viruses a day, most in my spam folder. I think last month I got 6 spams/viruses in my inbox (the spammers are getting better).
You can see the sharp downturn after I implemented greylisting in August.
Mail statistics graph
Posted by Jon Daley on November 2, 2005, 8:39 am | Read 2614 times | Category: Internet