
Any way to deal with spam?


neddie

Since I got a domain name, my influx of spam has ballooned, such that I get dozens of almost-identical spams per day, and rising. This bothers me for a number of reasons, firstly I get bugged by the spam directly; secondly I get bugged by the auto-replies to the spams which were apparently (but not really) sent from an address on my domain (out-of-office replies and no-such-user replies); thirdly other random people get the impression that I am sending the spams, which bothers me also.

 

So, the common solution to these problems is to just delete the spam, and pretend it doesn't exist. Maybe by just accepting it and pressing the delete key dozens of times per day, or by using an automatic deletion mechanism. But this just ignores the problem really, makes the majority of it invisible (for me) but doesn't stop the source of the spam, and doesn't stop the other innocent bystanders from thinking that I'm sending the spam when I'm not. In short, it just alleviates my symptoms a bit, but doesn't do anything to deter the spammers, just encourages them to escalate their tricks.

 

So is there any way to really deter the spammers? What do you lot do, and does it work?

 

I tried to deal with it using spamcop, reporting the persistent, daily repeat offenders to spamcop.net and hoping that something happens as a result. I've given them hundreds of almost-identical spams, from a variety of servers, but months later the same emails are still being sent from the same servers - so does it actually do any good? I've also reported some of the persistent ones to their source (according to spamcop) if it's a big provider like verizon or rr.com but still they keep coming. Is anything done to deter the spammers, fix the relays, block the accounts etc, or does the reporting just draw attention to my domain to encourage further spamming of it? Is there anything else I could be doing to deter the spammers?


I use Thunderbird as my mail client - it has a decent adaptive spam filter. I also have SpamAssassin running on my mail server, which filters out a decent amount. Even with these two I still get a few spams in my inbox per day. You can't really deter them, they aren't ones to be deterred, as all they do is run a program that spits out these e-mails.

 

Also, the less you make your address visible (posting it on the web, etc.) and the less you use it to register for stuff, the less spam you'll get (usually).


If you're talking about mail servers, I've put a wicked solution together.

 

First, it uses six RBL lists to see if the sending host exists on any of them. If it does, the email is rejected.

 

Second, it uses razor2, pyzor and dcc (distributed checksum clearinghouses); if the message is scored in there, it's rejected.

 

Third, it uses SpamAssassin with amavisd-new and clamav to keep viruses out as well. SpamAssassin isn't enabled as a service as such, as amavisd does all the hard work, working with razor2, etc, etc.

 

Fourth, greylisting. The first time a sender sends, they are greylisted, and effectively asked to retry sending the email at a later interval. Spammers don't always have a server to do this, so once the email is greylisted and never resent, it never actually arrives. If they do have a mail server, then obviously it would bypass this, but hopefully the rest of the setup would reject them as well.

 

I get minor spam, maybe 3-4 per day, and some of this is image spam, which I'm unable to scan and reject just yet. Maybe something will come up soon helping me block these out too.

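The first step of the setup above (RBL checks at connection time) is plain DNS under the hood, so here is an added example of how such a lookup is formed and interpreted. This is illustrative code written for this thread, not the poster's configuration or any MTA's own code: the client IP's octets (nibbles for IPv6) are reversed, the zone name is appended, and an A record is requested; an answer in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The zone names, the addresses and the fake DNS data are constructed for the example and are not real lists.

```python
"""DNS blocklist (RBL/DNSBL) lookup, illustrative only (not any MTA's code)."""
import ipaddress
import socket

# A DNSBL answers with an address in 127.0.0.0/8 when the queried IP is listed.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv4 or IPv6 client address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 uses one label per hex nibble of the fully expanded address.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")


def dns_resolve(name: str) -> list:
    """Real resolver: A records for name, or [] if the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def rbl_hits(client_ip: str, zones, resolve=dns_resolve) -> list:
    """Return (zone, answer) pairs for every zone that lists client_ip.

    client_ip must be the address of the connecting SMTP client as seen by
    the receiving server, never an address copied from Received: headers,
    which the sender controls and can forge.
    """
    hits = []
    for zone in zones:
        for answer in resolve(rbl_query_name(client_ip, zone)):
            if ipaddress.ip_address(answer) in LISTED_RANGE:
                hits.append((zone, answer))
    return hits


# Constructed stand-in for the DNS (assumed data): only these names "exist".
FAKE_ZONES = ["rbl-one.example", "rbl-two.example"]
FAKE_DNS = {
    "9.113.0.203.rbl-one.example": ["127.0.0.2"],
    "9.113.0.203.rbl-two.example": ["127.0.0.4"],
    "77.2.0.192.rbl-one.example": ["127.0.0.2"],
}


def fake_resolve(name: str) -> list:
    """Offline resolver for the constructed data above."""
    return FAKE_DNS.get(name, [])


def smtp_decision(client_ip: str) -> str:
    """Reject at connect time if any list says so, else continue the session."""
    hits = rbl_hits(client_ip, FAKE_ZONES, resolve=fake_resolve)
    if hits:
        zones = ", ".join(zone for zone, _ in hits)
        return f"554 5.7.1 Service unavailable; client {client_ip} listed in {zones}"
    return "220 mail.website.com ESMTP"


if __name__ == "__main__":
    for ip in ("203.0.113.9", "192.0.2.77", "198.51.100.25"):
        print(ip, "->", smtp_decision(ip))
```

Rejecting at connect time, before the message is transferred, is what makes this cheap: the spam body never crosses the wire and nothing is bounced. Swap fake_resolve for dns_resolve (and the example zones for real DNSBL zones) to run it against live DNS.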

Interesting, but both of you just do what I already discussed - delete the spam, put up with the bandwidth burden, and let them carry on making their money. Read my first post again, I'm asking about a deterrent (subtitle: "apart from just deleting it, I mean...").

 

Plus, your greylisting technique generates _another_ email, this time to the poor unfortunate whose name is given in the "From:" field. So there's even more network traffic, and another spam email on _that_ guy's server, so he then installs another bit of software to delete the email which _your_ software sent him automatically. And the spammers are laughing and still making money.

 

I'm interested in your comment, tyme:

you can't really deter them, they aren't ones to be deterred, as all they do is run a program that spits out these e-mails
Do you really think it's impossible to deter spam? What I want spamcop (or something similar) to do is report the abuse to the source of the spam. If the initial mail server has left open a relay by mistake then they can close it, and it's now harder for the spammer to spam. If the sender is doing it from their own account then block the account and make it harder. If it's a botnetted PC then the ISP can inform the owner and ask them to fix it or risk being blacklisted. If a server is a persistent source then blacklist it until they fix it. That kind of thing. If it's possible to punish the spammers then so much the better but at least doing something to close loopholes and make it more difficult would be a start.

 

There was an effort until last year called Blue Frog but it was beaten into submission by a DoS attack - did anyone here use it?


greylisting doesn't generate another email.

 

What it does is use the RFC SMTP protocol to its fullest.

 

smtp server1 talks to smtp server2

 

server 1 says: I have an email

server 2 says: I am busy try again in 2 minutes

server 2 takes note of the details of the email (ip, to, from, etc)

 

2 minutes later:

server 1 says: I have that email again

server 2 says: I am available send me the message

server 1 sends the message

server 2 checks ip, to, from, etc to see if they have changed

option 1: details have changed > /dev/null

option 2: details are the same "Accept the message"

 

I also use dspam after the message passes through greylisting.

I don't use pyzor or razor, and only 2 or 3 RBLs

 

spam went from 1200+ per day delivered to mandrakeusers.org and mandrivausers.org to about 5

 

I do use f-prot and clamav (but not for spam, for viruses)

 

I quarantine the message to spam@domain, and check that account every week or so for false positives

 

I have a training script I run after checking the spam folder, and storing any false positives in a *HAM* folder, which is very rare

 

sudo /usr/bin/sa-learn --spam /mail/var/spool/imap/p/user/paul/Junk/*.

this trains spamassassin

 

# Cyrus IMAP spool files are named "1.", "2.", ...; the glob expands safely without ls
for mail in /mail/var/spool/imap/p/user/paul/Junk/*.; do /usr/bin/dspam --user amavis --class=spam --source=error < "$mail"; done
for mail in /mail/var/spool/imap/s/user/spam/NotSpam/*.; do /usr/bin/dspam --user amavis --class=innocent --source=error < "$mail"; done

this trains dspam

 

works a treat ;)

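The exchange described above (and the fourth step, greylisting, in the earlier setup post), as an added worked example that is not part of either post and is not postgrey or any real MTA's code. The MTA consults the greylist at the RCPT TO stage, before DATA, so a deferred message is never transferred and no bounce is generated; the sending server is just told to retry. The triplet is (connecting client IP, envelope sender, envelope recipient); the delay, expiry, addresses and scenarios are assumptions constructed for the example. A retry with a changed triplet is treated here the way common implementations treat it: as a fresh first attempt, which gets deferred again.

```python
"""Greylisting decision logic, illustrative only (not postgrey or any MTA's code)."""
from dataclasses import dataclass, field

DEFER = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.1.5 Ok"


@dataclass
class Greylist:
    delay: int = 120            # seconds a new triplet must wait before a retry is accepted (assumed)
    expire: int = 4 * 3600      # seconds an unconfirmed triplet is remembered (assumed)
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    passed: set = field(default_factory=set)      # triplets that retried correctly

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        """Return the SMTP reply to give at RCPT TO for this attempt."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return ACCEPT
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > self.expire:
            # Never seen (or forgotten): record it and ask the sender to retry.
            self.pending[triplet] = now
            return DEFER
        if now - first_seen < self.delay:
            # Retried too soon: keep deferring until the delay has elapsed.
            return DEFER
        # Same triplet, retried after the delay: behaves like a real queueing
        # MTA. Accept now and for future mail with the same triplet.
        del self.pending[triplet]
        self.passed.add(triplet)
        return ACCEPT


def simulate() -> dict:
    """Three constructed scenarios; returns the reply sequence for each."""
    gl = Greylist()
    results = {}

    # 1. A spam bot delivers once and never retries: the message never arrives,
    #    and nothing is sent to the forged From address.
    results["bot"] = [gl.check("203.0.113.9", "x@forged.example", "user@website.com", now=0)]

    # 2. A legitimate MTA is deferred, retries too early (deferred again),
    #    then retries after its queue interval and is accepted; later mail
    #    with the same triplet passes immediately.
    legit = ("198.51.100.25", "friend@example.org", "user@website.com")
    results["mta"] = [
        gl.check(*legit, now=0),
        gl.check(*legit, now=30),
        gl.check(*legit, now=300),
        gl.check(*legit, now=86400),
    ]

    # 3. A retry with a different envelope sender is a different triplet and
    #    starts greylisting from scratch.
    results["changed"] = [
        gl.check("198.51.100.25", "other@example.org", "user@website.com", now=300),
    ]
    return results


if __name__ == "__main__":
    for name, replies in simulate().items():
        print(name, replies)
```

Note that the IP in the triplet is that of the host actually connecting to you. If the spam arrives through an intermediate relay that queues and retries properly, that relay's retry satisfies the check regardless of where the message originated, which is why greylisting only catches senders that do not implement queueing.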

Neddie, this may not help you but may help others in the future. When you register your domain name, you can hide your email address and other personal info by going through a private registration service like Domains By Proxy

 

From their web site on How Private Registrations Work:

 

"Your domain is registered in the name of Domains By Proxy® -- so our contact information is made public -- not yours.

 

You retain the FULL BENEFITS of domain registration. You can: cancel, sell, renew or transfer your domain; set-up the name servers for, and resolve disputes involving, your domain.

 

We create a private email address for your domain. You tell us to forward, not forward, or filter messages for spam before forwarding."


Do you really think it's impossible to deter spam?
Yes. Until the day that every country/state/region with internet access has laws against spam that are intensively enforced, or they become unable to "make ze money", it won't go away or be deterred. Spammers will set up their own mail servers if they have to, possibly under the guise of something legitimate. But for spam to be even slightly deterred there has to be a world-wide effort to stop it, which will never happen (spam is definitely not at the top of the worlds problems). Any other solution is at best a method of deleting the spam. To deter spammers their business has to become unprofitable, any glimmer of easy money and they'll jump on it. If you can come up with a world-wide solution for making the business of spamming unprofitable, hell, I'll help you make it happen.

greylisting doesn't generate another email.
Aha, then that's much cooler than I thought. I didn't know that was possible - thanks!

 

One question though - if the email comes from server1 via server2 to server3, and the greylisting thing is on server3 (yours), won't that handshaking get done just between server2 and server3? And if server2 is well-behaved, it will do what it's told and repeat the same details again, regardless of what server1 is doing. So doing some clever greylisting on server3 won't help, will it?

 

About the email address publicity, well there has to be at least one email address made public because that's the contact info for the website. And I definitely want to make it public and get emails sent to that address. But I actually get many times more spams to random.address@website.com than to the published address. Like just random strings of letters and numbers. Currently I have it set up so that I get all emails sent to the domain (just in case I miss a falsely-typed address by mistake) so I get them all. I guess I could just either ignore or bounce back mails to all addresses, but as I said I was hoping for a bit more than just deletion.

 

The proxy registration sounds like it just adds another layer of spam filtering, rather than do anything different, unless I'm missing something.

 

Spammers will set up their own mail servers if they have to
Excellent! Then make it so that they have to, and then blacklist those mail servers! :D

greylisting doesn't generate another email.
Aha, then that's much cooler than I thought. I didn't know that was possible - thanks!

 

One question though - if the email comes from server1 via server2 to server3, and the greylisting thing is on server3 (yours), won't that handshaking get done just between server2 and server3? And if server2 is well-behaved, it will do what it's told and repeat the same details again, regardless of what server1 is doing. So doing some clever greylisting on server3 won't help, will it?

 

 

In a word: yes.

 

It's not a perfect tool, but it is an excellent one.


Spammers will set up their own mail servers if they have to
Excellent! Then make it so that they have to, and then blacklist those mail servers! :D
Why? So they set up new servers, in other places, and we end up just spamming our own blacklists by trying to block them all?

 

The greatest strength of the internet is simultaneously its weakness: it's so large, and crosses so many boundaries, that it's impossible to control. All we are really doing is just enough to keep it running. It's slightly controlled chaos, but chaos nonetheless.


The proxy registration sounds like it just adds another layer of spam filtering, rather than do anything different, unless I'm missing something.

Your personal info (including email address) will not be public info in the WHOIS database if you do this domain registration by proxy.

 

That's how the spammers got your email address, from the public WHOIS database. So by having a proxy registration, you avoid that public disclosure.


That's how the spammers got your email address, from the public WHOIS database. So by having a proxy registration, you avoid that public disclosure.
That would be true, but in my particular case they're not spamming my personal email address, they're spamming published.address@website.com and random.addresses@website.com (which have never been published anywhere). And also sending spam with various.random.addresses@website.com in the "From" field of the emails, thereby sending the bounces/complaints to my catch-all address.

 

So they set up new servers, in other places, and we end up just spamming our own blacklists by trying to block them all?
Maybe it's impractical, but I figure the blacklists can grow dynamically (as existing blacklists already do) as new sources arise. And setting up a mail server isn't cost-free, so getting it instantly blacklisted would hurt, at least some. Plus I guess at some point they have to go through an ISP, which could be persuaded to block their SMTP traffic if it's shown that it's a persistent nuisance.

 

Basically what I'm saying is that at the moment the spammers benefit when their spams get through, and they lose nothing when their spams get trapped (and silently deleted). Heads they win, tails they don't lose. Services like Spamcop aim to give a consequence to sending these spams, a deterrent, so that the spammer's answer to the anti-spam measures isn't just to send more spam and trickier spam. Sadly for me at least it doesn't seem to be having a noticeable effect on the spammers.


Plus I guess at some point they have to go through an ISP, which could be persuaded to block their SMTP traffic if it's shown that it's a persistent nuisance.
Assuming you can find out who the ISP is. While some spam can be tracked, not all can, and even the headers of the e-mail can be modified if you know what you're doing - so the source can be completely hidden.

 

There's always a way to get around any "deterrent" you throw up. It's just a fact ;) - it's like DRM, it'll never work, because someone will always find a way around it.
