Anti-Spam: Better Late Than Never
There is one moment when a spammer must be truthful. No matter how many lies are in his materials, when he makes a connection to an intended recipient’s mail transport agent (MTA), he must reveal the IP address of his machine or one which translates his address. In other words, he has to tell where he is calling from, or he will never get the chance to transfer the data that makes up his spam email.
It’s taken me a long time to get interested in actively doing something about the burgeoning amount of spam that I’ve been receiving. I handle sysadmin duties for a Unix server that does email for a couple of dozen friends. Once I started looking into anti-spam techniques, the course that seemed best to me was to utilize some of the “blackhole” lists that are publicly available. These are lists of IP addresses of known spammers, or of misconfigured MTAs that could serve as “open relays” for spammers, or dialup IP addresses, or other suspicious sources. A query to a “blackhole” service with an IP address will get a response saying whether the IP address is one of the suspicious ones. At that point, the MTA can terminate the email exchange with an error message pointing to the service that marked it as suspicious. The data of the spam email does not have to be transferred and examined, saving lots of bandwidth.
Like I said, I’m late on this. I put in rules for my MTA to utilize several “blackhole” lists around 10 PM on April 29th. By 10 PM on April 30th, the MTA terminated session on almost 2,900 email sessions with suspicious sources. I noticed a precipitous drop in the number of spam emails that actually made it into my inbox.
It is important to note that “blackhole” lists will interfere with some legitimate email. If someone uses an ISP that is friendly to spammers, they may find it difficult to send email to hosts that utilize “blackhole” lists to exclude spam. The tradeoff here is whether one is willing to accept the amount of spam that will come in in order to receive every last legitimate email, or whether it is best to lose some legitimate email and a lot of the spam. I’m comfortable with the tradeoff of stemming the bulk of spam while losing a few possible legitimate emails. I was already overlooking legitimate email because of the sheer numbers of spam messages I was receiving. Now, I may also be missing a few emails, but I don’t have to look at the spam, either.
Some resources I found useful:
- RBL-Type Services. A discussion of services similar to the Realtime Blackhole List.
- Blacklists Compared. A comparison of various blackhole lists.
- The Spamhaus Project. One of the “blackhole” list providers, also has a lot of information on anti-spam techniques.
Well Wes, I’m glad you’re comfortable with it, but I’ve had 3 messages bounce in the last 24 hours. One was a reply to your e-mail to me yesterday about Panda’s Thumb products and two were posts to the various mailing lists that run on your server. I’m on such a tiny ISP, I can’t imagine it’s on a blackhole list, but perhaps it is. Is there anything you can do about it to let mine through? Being out of e-mail contact with those lists and with you could be a real problem.