SPAM Escalation

Perverse Access Memory: Blackholing Spam

bq. We’ve started using realtime blackhole lists (RBLs) to stop some of the spam that whiterose mail users are seeing.

My SPAM escalation:

* some homegrown procmail filters. That lasted a couple of years, but was too hard to keep up-to-date.
* “junkfilter”:http://junkfilter.zer0.org/ was quite good, but I still had problems keeping it up-to-date.
* I now use “spambayes”:http://www.spambayes.org/. It is available as a procmail filter, as a POP/IMAP proxy, and as an Outlook plugin. I’m now using this everywhere. It uses statistical techniques to learn the characteristics of your incoming mail, and filters accordingly. It is surprisingly accurate :-)
* In parallel with spambayes, I switched cfrq.net from sendmail to postfix, which has a whole bunch of useful anti-spam technology built into the SMTP listener; the theory is that it is better to reject SPAM during the SMTP session than it is to deal with it later.
* Sadly, I had to disable some of postfix’s filters, because it was trapping too much legitimate e-mail :-) Many of my correspondents work for companies that can’t seem to configure their DNS or their SMTP servers properly, and educating / whitelisting them was taking too much time :-)
* I have now given up, and started testing some (conservative) RBLs, with reasonably good results; they’re now installed fulltime. I’m currently evaluating bl.spamcop.net, but I’m getting too many false positives (for me), because they tend to pick up the MTAs of large companies and ISPs.

Every time I’ve tried SpamAssassin I’ve had trouble with it; but naturally, your mileage may vary :-)

We’re in a war, and the spammers are as smart as we are. I’m already seeing SPAM specifically designed to foil statistical filtering. As with all escalations, the solution seems to be to make my host less attractive to spammers than someone else’s…

posted at 4:28 pm on Monday, May 19, 2003 in Site News | Comments (6)

6 Comments

  1. Michael says:
    2003-05-20 at 10:33

    I like the RBLs from http://blackholes.us/ cn-kr.blackholes.us in particular stops a lot of our spam.

    In fact, I need to add more of them. I’m hoping they’ll consolidate more of their lists. asia.blackholes.us would be nice…

    I also use
    sbl.spamhaus.org – a conservative list recommended by a very knowledgable regular poster to the Stalker SIMS mailing list
    dialups.relays.osirusoft.com – known dialup open relays
    socks.relays.osirusoft.com – know open socks proxies

    To date we haven’t had any good mail caught, but we may. We’ll see.

    Also using the new version of Eudora (beta 6) which has a beysean Junk Filter function. I’m really starting to see a lot less of the spam I get sent.

  2. Michael says:
    2003-05-20 at 10:51

    Bayesian would be the other (i.e. correct) spelling. blackholes.us lists several anti-spam products that can use the RBLs…

  3. Harald says:
    2003-05-20 at 11:30

    <laughter> never post before coffee.

    I’m going to move on to test spamhaus next; I’ve heard good things about them. I tried relays.osirusoft.com once, but got way too many false positives; I’ve never tried their individual subdomains.

    I’m currently using (recommended by the postfix-users list):

    (155) proxies.relays.monkeys.com – socks/HTTP proxies
    (91) list.dsbl.org – single-stage relays, proxies, and formmail sources

    The number is the number of messages rejected by the RBL in the last week. I used to use relays.ordb.org, because they are described as “extremely conservative”, but I didn’t get any rejects from them other than a mailhost that I was forced to whitelist.

    I’ve just tested bl.spamcop.net for a week. It rejected 28 messages that no one else did, but it lists all of the servers for groups.msn.com, generating false positives.

  4. Harald says:
    2003-05-20 at 11:38

    I forgot to add: I’ve been using a (postfix specific) log scanner to tell my users when email to them has been rejected by an RBL; I’ve had a couple of false positives reported that way :-)

    http://www.roble.com/docs/spamrep_today_byuser

  5. Ginger says:
    2003-05-20 at 22:17

    I second the recommendation for Eudora. It’s getting some false positives (mostly via my yahoo account, which classifies some solicited commercial email/mailing lists as spam) but has been excellent about learning from its mistakes.

  6. Vipul Bhatt says:
    2003-08-16 at 06:07

    Can anybody help me in configuring exchange 2003 to check blocklist using sbl.spamhaus.org

    Kindly reply at the earliest and oblige by doing the needful.
    I possible PLEASE mail at vrbhatt@hotmail.com
    Thank you.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.