01/15/2006 - 1:54am
How to Stop SPAM
Second, it must be understood that spam exists because it's profitable. The only reason a spammer sends out thousands or millions of emails is that he makes more money doing so than it costs him to send them. So the solution is to make spamming unprofitable.
There are various spam filters on the market, and free ones as well. Personally, I like SpamAssassin, and it works well for me. The problem, however, is that spammers (like virus writers) are always one step ahead. They figure out how the filtering programs work and reformat their emails so the filters no longer classify them as spam. Even so, these filters play a vital role.
There are really two kinds of spammers, the novice and the advanced. The novice will send emails out through his own ISP, and promptly be disconnected by his ISP for doing so. They aren't really a threat.
The advanced spammer compromises an innocent bystander's server (or finds one running as an open relay) and relays his email through it, so the mail is traced back to the bystander rather than to him. The innocent bystander will eventually be shut down or blocked, and the spammer will move on to another.
Standard blacklists don't work because they have to be human-edited. I used to block a server by its IP address whenever I received spam from it. That seriously reduced my spam rate, but it also blocked a lot of legitimate email, as I had inadvertently blocked large ISPs like Earthlink and Cox. Bayesian filtering doesn't work, because spammers adapt too quickly. This is the same reason rule-based filtering doesn't work either.
But these legacy filters, as previously mentioned, play an important role in this system. Each time a filter (like SpamAssassin) scans an email, it decides whether it believes the email to be spam or ham (not spam). If it's spam, it sends an email to the administrator of the server that delivered it (as much spam comes from compromised systems, the administrator may be happy to know about it). Note that the notification must be addressed by the IP of the host that connected to your mail server, as recorded in your own Received: header, never by the From: address, which is forged in almost all spam; otherwise the warnings themselves become a flood of misdirected mail. The filter then reports the verdict and the source IP to a central database.
Once a certain number of emails have been recorded for a source, the database's own filtering kicks in. The number of spam emails received from that source is divided by the total number of emails from it, yielding the percentage of spam that server sends. If that percentage exceeds a specified threshold, the server is blacklisted. This happens only after the specified minimum number of emails has been collected, so a source is never judged on one or two messages.
Here is the reasoning. A server that sends 100% spam is probably a server set up to send spam, and should be blocked. A server sending 20%-99% spam is probably a legitimate server that has been compromised. The emails previously sent to its administrator should alert him in time to repair the damage before the threshold is reached that would cause the database to filter email from his server. If the administrator does nothing to fix the problem in spite of being informed of it, then the server will be (and should be) blocked. A server sending a much lower percentage is probably a normal mail server with a rogue user who may or may not get caught.
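The reporting-and-ratio scheme described above, as an added example that is not code from the original article: it extracts the connecting IP from our own MTA's Received: header (the only header the sender cannot forge), accumulates per-source spam and total counts, and returns a verdict once a minimum sample size is reached. The thresholds, the sample-size minimum, the verdict names and the traffic mix are all assumptions chosen for illustration; the 20% and 100% figures in the text are only a starting point.

```python
"""Per-source spam-ratio reputation (added example, not the article's own code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical tuning knobs; the article gives 20% and 100% as rough bands only.
MIN_SAMPLES = 20      # never judge a source on fewer messages than this
BLOCK_RATIO = 0.90    # spam fraction at or above which the source is blacklisted
NOTIFY_RATIO = 0.20   # spam fraction at or above which the administrator is warned

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _unfold_headers(raw: str) -> list:
    """Return the header block as one logical line per header (RFC 2822 folding undone)."""
    head = raw.split("\n\n", 1)[0]
    lines = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def connecting_ip(raw: str) -> Optional[str]:
    """IP of the host that handed the message to *our* MTA.

    Our MTA prepends its own Received: header, so the first one is trustworthy.
    Everything below it, including From:, may be forged by the sender.
    """
    for header in _unfold_headers(raw):
        if header.lower().startswith("received:"):
            m = IP_IN_BRACKETS.search(header)
            return m.group(1) if m else None
    return None


@dataclass
class SourceStats:
    total: int = 0
    spam: int = 0

    @property
    def ratio(self) -> float:
        return self.spam / self.total if self.total else 0.0


class Reputation:
    """The 'central database': counts per connecting IP and a tiered verdict."""

    def __init__(self) -> None:
        self.stats: Dict[str, SourceStats] = defaultdict(SourceStats)

    def record(self, ip: str, is_spam: bool) -> None:
        s = self.stats[ip]
        s.total += 1
        s.spam += int(is_spam)

    def verdict(self, ip: str) -> str:
        s = self.stats.get(ip)
        if s is None or s.total < MIN_SAMPLES:
            return "insufficient-data"   # too few messages to say anything
        if s.ratio >= BLOCK_RATIO:
            return "block"               # dedicated spam source
        if s.ratio >= NOTIFY_RATIO:
            return "notify-admin"        # probably compromised; warn, don't block yet
        return "accept"                  # normal server, maybe one rogue user


def make_message(ip: str, sender: str) -> str:
    """Constructed message as our MTA would store it: our Received: header on top."""
    return (
        f"Received: from mail.example.net ([{ip}])\n"
        f"\tby mx.example.org with ESMTP; Sun, 15 Jan 2006 01:54:00 -0700\n"
        f"From: {sender}\n"
        f"Subject: hello\n"
        f"\n"
        f"body\n"
    )


def simulate() -> Dict[str, str]:
    """Feed constructed traffic through the filter verdicts and return each source's verdict."""
    rep = Reputation()
    traffic = {                       # ip: (spam messages, total messages), all constructed
        "198.51.100.7": (30, 30),     # spam cannon: 100% spam
        "203.0.113.45": (16, 40),     # compromised legitimate server: 40% spam
        "192.0.2.10": (2, 50),        # normal server with a rogue user: 4% spam
        "192.0.2.99": (5, 5),         # brand-new source, below MIN_SAMPLES
    }
    for ip, (spam, total) in traffic.items():
        for i in range(total):
            raw = make_message(ip, "someone@forged.example")
            rep.record(connecting_ip(raw), is_spam=i < spam)
    return {ip: rep.verdict(ip) for ip in traffic}


if __name__ == "__main__":
    for ip, v in simulate().items():
        print(f"{ip:15} {v}")
```

The key design point is that the counts are keyed by the IP our own server saw, so a spammer cannot shift blame by forging headers, and the minimum sample size keeps one stray message from blacklisting a legitimate relay.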
But what has happened here is that the majority of spam is now blocked, meaning that the cost per delivered email to a spammer has gone up 5- or 10-fold, perhaps making it cost-prohibitive to send spam. And this is the goal, as it's the only way to stop it.
Posted by: radloffe
The only system that works currently is a whitelist-only setup. You record a specific list of users (or domains) who are allowed to send email to you and block everything else. If someone wants to send email to you, they have to request access from you via a non-email means so you can add them to the list. Yes, that sucks, but right now it's the only thing that actually works. And it's actually less time consuming to maintain the whitelist than it is to sort through the spam.
Posted by: Nick Coons
Since I originally wrote this article several months ago, I've made some modifications to my current setup that have worked well. I utilize SpamAssassin on my mail server and it's always worked fairly well (about 80% spam blocked, 0 false positives). Since I receive 600 a day, this was a "better than nothing" solution.
I agree that whitelisting works well, and it's good for a home-user email situation. But the high risk of a sender being annoyed at having to have pre-approval makes this option unviable in a business environment.
I still use SpamAssassin, but with some simple configuration changes I've been able to make it much more effective. Of the 600 or so spam emails per day that come in to my system, about five actually make it to the Inbox, making this filtering better than 99% effective. I receive so many spam emails per day because I've had my email addresses for so long, so others are not as likely to have this much junk coming through. The few that do make it through (while still maintaining a zero-positive rating) are much preferable to a whitelist situation where a potential client gives up before being able to contact you.
For those interested, here is my /etc/mail/spamassassin/local.cf file:
Copyright 2004-2017 Arizona Paths