Spam Blocking Techniques
As I say all too often, I run my own mail server. I love having absolute control over my email. I love being able to configure it exactly the way I want it. The best thing about running the server is how little spam I receive. This is not for the lack of trying on the evil spammers part. I get almost no spam because I am constantly re-evaluating my antispam defenses. Spam gets through, but seldom more than one a day.
In the past month, approximately 1700 legitimate emails have been accepted by my server. Just over 300 have been refused. Less than a dozen spams have slipped through. If you are interested, you can look at my email rejection summary.
I use Exim as my Mail Transport Agent (mail server software, for you non-geeks). It handles the sending and receiving of email with other servers. I’ve patched Exim with Exiscan ACL to give it additional capabilities: specifically, the ability to reject dangerous file attachments such as .exe and .pif, which are all too often viruses; to scan for viruses; and to run SpamAssassin while still connected to the sending server instead of after the fact, as is typical. More about this later.
With spam fighting, multiple levels of defenses are necessary. Here they are in the order they are used:
- Check HELO. When the remote server connects, the first thing it’s supposed to say is “HELO domain.com”, where domain.com is its own domain name (or IP address). Spammers will often connect and use my own domain name. If they say they are me, their email is refused. Supposedly, there are a few email clients (end-user email programs) that do this. I haven’t personally run across this problem, so I don’t worry about it.
- Check for a fake “big” name. Spammers will often say the mail is from one of the big names on the internet. This is easy enough to verify. If the email says it is from AOL, MSN, Hotmail, or Yahoo, I do a reverse lookup of the IP address. If there isn’t a proper match, the email is refused. I don’t do this check for every single domain because it is time consuming and the filter rules would become too complicated.
- Check personal blacklists. Some people have the dubious distinction of making it onto our blacklist. In this list are professional trolls and annoying companies that aren’t blocked in other ways.
- Check public blacklists. I currently use several blacklists. They are:
  - sbl-xbl.spamhaus.org – The worst spammers around, plus hijacked “proxies”. The latter are usually home computers infected with the latest worms and are being used by the spammers to relay mail. This is an increasing problem, as far too many people don’t take the simplest precautions to protect their computers from dangerous programs.
  - cn-kr.blackholes.us and taiwan.blackholes.us – All of China, Korea, and Taiwan. I don’t speak those languages and there is a lot of spam coming out of those countries.
  - dnsbl.njabl.org – I use this for its dynamic IP address listings. Most DSL and cable modem service is on dynamic IP addresses. Legitimate mail servers should ALWAYS be on a static IP address.
- Check for dangerous attachments (executable code). This is more of an antivirus defense, but it catches some spammers, too. A dangerous attachment is almost always a virus. A legitimate attachment should be archived into a zip or tar.gz file, which is what the reject message says.
- Scan for viruses. If the email contains a virus, it is refused. Note that we are still connected to the sending server, so there is no chance of an innocent third party receiving the bounce message. The most recent viruses fake the sender’s email address, so you can’t send a proper bounce message after accepting the email – that’s why we check before telling the sender we accept the email. I use Clam AntiVirus, but there are many excellent server-side virus scanners available, both commercial and open source.
- Check the message’s “spamminess”. SpamAssassin assigns points to an email based on key words and phrases. If the score is high enough, the subject is modified to reflect possible spam, e.g. “[SPAM 6.3] Low mortgage rate”. If the score is exceptionally high, the email is refused outright.
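The following is an added example of how those seven checks look as an Exim ACL configuration, in the same order as the list above. It is not the author’s configuration: the domain, file paths, reverse-DNS patterns for the “big name” domains, the attachment extension list, and the SpamAssassin thresholds are all assumptions (the post does not give its outright-refusal cutoff). It assumes an Exim build with the Exiscan content-scanning conditions (demime, malware, spam) and the add_header modifier, i.e. Exim 4.51 or later; earlier Exiscan-patched builds added headers with `message =` in a `warn` verb instead. Trailing comments are not allowed in an Exim configuration file, so every comment sits on its own line.

```exim
# Added example, not the original post's configuration.
# Main section: placeholder local domain, relay hosts, and the scanner daemons.
domainlist local_domains    = @ : example.org
hostlist   relay_from_hosts = 127.0.0.1

# Clam AntiVirus daemon socket and SpamAssassin daemon address (assumed paths).
av_scanner    = clamd:/var/run/clamav/clamd.ctl
spamd_address = 127.0.0.1 783

acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_helo:
  # 1. Check HELO: a remote host greeting us with one of our own domains is refused.
  deny    condition = ${if match_domain{$sender_helo_name}{+local_domains}}
          message   = HELO name $sender_helo_name is not yours
  accept

acl_check_rcpt:
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  # 2. Check for a fake "big" name: the claimed sender domain must be backed by a
  #    reverse-DNS name under that domain. If the reverse lookup fails or does not
  #    match, !hosts is true and the message is refused. Patterns are assumptions.
  deny    senders  = *@aol.com
          !hosts   = *.aol.com
          message  = Sender claims aol.com but $sender_host_address does not resolve there
  deny    senders  = *@yahoo.com
          !hosts   = *.yahoo.com
          message  = Sender claims yahoo.com but $sender_host_address does not resolve there
  deny    senders  = *@hotmail.com : *@msn.com
          !hosts   = *.hotmail.com : *.msn.com
          message  = Sender claims $sender_address_domain but $sender_host_address does not resolve there

  # 3. Personal blacklists: one host or address per line in each file (placeholder paths).
  deny    hosts    = /etc/exim/blacklist.hosts
          message  = $sender_host_address is on our local blacklist
  deny    senders  = /etc/exim/blacklist.senders
          message  = $sender_address is on our local blacklist

  # 4. Public DNS blacklists, exactly the ones named in the text.
  deny    dnslists = sbl-xbl.spamhaus.org : cn-kr.blackholes.us : \
                     taiwan.blackholes.us : dnsbl.njabl.org
          message  = $sender_host_address is listed at $dnslist_domain: $dnslist_text

  accept  domains  = +local_domains
          endpass
          verify   = recipient
  deny    message  = relay not permitted

acl_check_data:
  # 5. Dangerous attachments, refused by extension, with the "zip it" hint in the reply.
  deny    demime   = exe:com:bat:pif:scr:vbs
          message  = .$found_extension attachments are refused; send it inside a .zip or .tar.gz

  # 6. Virus scan while the sender is still connected, so no bounce is ever generated.
  deny    malware  = *
          message  = This message contains malware ($malware_name)

  # 7. SpamAssassin score. $spam_score_int is the score times ten. Tag from 5.0
  #    and refuse from 12.0; both thresholds are assumptions.
  warn    spam       = nobody
          add_header = X-Spam-Score: $spam_score ($spam_bar)
  warn    spam       = nobody
          condition  = ${if >{$spam_score_int}{50}}
          add_header = X-Spam-Flag: YES
  deny    spam       = nobody
          condition  = ${if >{$spam_score_int}{120}}
          message    = Rejected as spam (score $spam_score)
  accept
```

Every `deny` in the RCPT and DATA ACLs happens before Exim has said “250 OK” to the message, which is the whole point of scanning during the connection: the refusal goes back to the connected sender as an SMTP error, and no bounce is ever mailed to a forged address. The example only flags likely spam with headers; rewriting the Subject line as the post describes is left to the delivery stage, since an ACL can add headers but not replace one.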
Some of my techniques are only possible on a low-volume mail system. Virus and spam scanning are somewhat time-consuming, so they may not be feasible during the connection on a high-volume mail system. Also, running SpamAssassin during the connection means it is impossible to apply customized per-user rules, only domain-wide rules. Using SpamAssassin after accepting the email would still be a good idea, but don’t bounce the email, since nearly all spammers falsify the sender email address. Yes, falsifying email headers is against the law. What’s your point?
What you can do about spam depends on what type of mail server you run. If you are running a business you may not want to block entire countries, but that would depend on your type of business. If you are running an ISP, you are even more limited, perhaps just the sbl-xbl list, the virus scan, and the SpamAssassin scan using user settings instead of global settings.
Stopping spam requires that you regularly examine your techniques and make adjustments to account for the latest trend. As you create antispam defenses, the spammers look for ways to get around them.
If you need professional help setting up a mail server or are looking to hire a full time mail administrator in the San Francisco Bay area, I am available immediately. You can contact me at rossz(AT)vamos-wentworth(DOT)org. Sorry about “munging” the email address, but you can’t be too careful, these days. Oh, that’s the first line of defense. Avoid posting your unmunged email address in news groups and web pages – and never NEVER respond to a spam or use an “unsubscribe” link. They only verify your email is good and guarantees even more spam.
I’ve begun a web page of spam blocking tricks which outlines in more technical detail some of the suggestions I’ve made. It’s still in the early stages so is a bit rough around the edges.
Businesses in the greater San Francisco Bay Area requiring assistance to implement antispam filters, virus prevention, or general mail server configuration, short or long term, can contact me via rossz(at)vamos-wentworth(dot)org.
February 11th, 2005 at 6:47 am
Would you be willing to share the perl script that generates your reject summary? I’ve been looking high and low for something to analyze my rejects log, and really like what you’ve put together…
February 11th, 2005 at 6:03 pm
The code (perl and PHP) was just thrown together, so is a bit of a mess, but you can grab it here.