Spam fighting and whitelisting. What’s the correct path?

17 01 2007

Well, it’s hit that point. With the astronomical increase in spam lately, it’s getting quite obvious the problem will not abate on its own. The open-ended ‘we trust each other’ model of mail delivery is now in its death throes; it’s time to look at other solutions.

According to my spam report, my personal inbox is getting 450-650 caught spams a day. Unfortunately, that is only my Stage One filter. I also use Thunderbird as my email client, which has excellent spam filters of its own, and that catches another 100-150 messages there. I have monitors showing me the total mail I receive daily, and it’s in the 1500 messages range, of which 500 or so are mailing list messages. That means one out of every 100 messages I receive is legit. And lately, the filters have occasionally gotten things wrong. Mail intended for me is marked as spam, and I never hear about it.

In 12 hours of operation on our only mail server, here is an account of the volume we move:

Grand Totals
4801   received
5413   delivered
173   forwarded
79   deferred  (434  deferrals)
230   bounced
484   rejected (8%)
0   reject warnings
0   held
0   discarded (0%)
45428k  bytes received
49843k  bytes delivered
1416   senders
1092   sending hosts/domains
334   recipients
148   recipient hosts/domains

In the past, it was okay to occasionally go through your spam box and see if there’s anything legitimate in there. That is simply not possible in today’s climate. It may take an hour to go through a day’s worth of spam, and it is mind-numbingly tedious. There’s a good chance you’ll miss something just because it -looks- like spam.

So what are the options? This is where I’m asking for help. I’m speaking not only for myself, but also for the greater Homeport community. I maintain user accounts for 20-30 people, and they’re all under the same attack as I am, maybe to somewhat of a lesser degree, but it’s still hurting.

I’ll note for the record that we are currently running Amavisd, with SpamAssassin, all through Postfix. Amavis is happily removing -all- viruses from our mail, so that is not an issue. SA with some filter tweaking is doing an admirable job considering the massive load it is contending with.

  • Option A – A commercial filtering service
    There are several vendors that offer commercial filtering. Many of them are simple ‘mail accounts’ that you can POP your mail off of, letting them handle the filtering. Others will forward a specific mail address in and out of their system. Are there services that will filter an entire domain? I’d be willing to pay for a service that maintains its filters, rulesets and RBLs in a respectable fashion.

  • Option B – Fiddling my own configuration
    I’ve been doing this for quite a while. It’s tedious, it’s time consuming, and it’s never ‘quite right’. It’ll work perhaps for a few, but how do you really know if it’s working correctly? I’m probably going to do one major wash-through to enable the various Postfix standard rules, but in reality, unless someone wants to take over being Spam Master for Homeport’s servers, this is not a task I’m keen on doing much longer.

  • Option C – Massively restrict received email
    I like the idea of using some form of sender authentication. I’d be willing to say “If you PGP sign your message, I will accept it”. This is something that’s available to most mail users, and is easy to enable. It makes tracking easier, and I can rank accepted mail by whether I’ve accepted the sender’s PGP key onto my keyring. The drawback to this is that not everyone I communicate with will have PGP set up, and while it will help with authenticating known users (everyone I bludgeon into using PGP), I still run the risk of missing important mail from people I have not corresponded with.

  • Option D – Whitelisting
    This is probably the easiest to implement, but gets the most grief as a poor solution. I know the list of people who I correspond with regularly, I know they are not spammers. There is a slight risk a spammer may forge their email address in a From line, and therefore get through my filters, but in reality, I have seen NO spam of this type ever in my mailbox. Ever.

  • Option E – Give up on email altogether
    No, not give up on this whole concept. But give up trying to run my own server. Gmail and Yahoo both have excellent mail clients, and they are available to remote clients. Why fight this anymore? Everyone should just get their own accounts on Gmail, and be done with it.

So that’s where I am. I invite folks to chime in with ideas or suggestions on where to go from here. I know this discussion is happening all over the net right now, but wading through that is tedious and rarely productive. I also invite the members of the Homeport community to chime in with their suggestions, observations, or thoughts on how the systems are running now, and where things should go.

17 01 2007

I use greylisting, and (at least for the time being) get almost no spam. I’m sure that at some point the spammers will switch techniques, but for now the majority seem to be using bots with built in SMTP capability, but which are generally “fire-and-forget.” As a result, they get the 451 and never retry.
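The mechanism this comment relies on, written out as an added example (not the commenter’s configuration): a greylisting policy in the shape of the Postfix SMTP access policy delegation protocol that `check_policy_service` speaks. On first contact a (client network, sender, recipient) triplet gets a temporary rejection; a sender that queues the message and comes back after the delay is accepted, while a fire-and-forget bot never returns. The retry delay, the expiry window, the in-memory store and the sample request are all assumptions; a real deployment would persist the store.

```python
"""Greylisting as a Postfix policy service (added example, not the page's own code).
Assumptions: 5-minute retry delay, 36-hour forgetting window, in-memory state."""
import time

RETRY_DELAY = 300         # seconds a new triplet must wait before a retry is accepted
TRIPLET_TTL = 36 * 3600   # forget a triplet not seen for this long
DEFER = "action=defer_if_permit Greylisted, please try again later"
PASS = "action=dunno"     # no opinion: let the remaining restrictions decide


def parse_request(raw):
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def triplet(attrs):
    """Key a delivery attempt by (client /24, sender, recipient).

    Keying on the /24 lets a retry from a sibling host in the same outbound pool match."""
    ip = attrs.get("client_address", "")
    net = ".".join(ip.split(".")[:3]) if ip.count(".") == 3 else ip
    return (net, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


class Greylist:
    def __init__(self, retry_delay=RETRY_DELAY, ttl=TRIPLET_TTL):
        self.retry_delay = retry_delay
        self.ttl = ttl
        self.seen = {}    # triplet -> [first_seen, last_seen, passed]

    def expire(self, now):
        stale = [k for k, v in self.seen.items() if now - v[1] > self.ttl]
        for k in stale:
            del self.seen[k]

    def decide(self, attrs, now=None):
        """Return the policy action for one request evaluated at time `now`."""
        now = time.time() if now is None else now
        self.expire(now)
        key = triplet(attrs)
        entry = self.seen.get(key)
        if entry is None:
            # First contact: temporary failure (451). A fire-and-forget bot stops here.
            self.seen[key] = [now, now, False]
            return DEFER
        first_seen, _, passed = entry
        entry[1] = now
        if passed or now - first_seen >= self.retry_delay:
            # A real MTA queued the message and came back: remember and accept.
            entry[2] = True
            return PASS
        # Retried too soon (some bots do retry immediately); keep deferring.
        return DEFER

    def handle(self, raw, now=None):
        """Full request/response cycle: the reply is the action line plus a blank line."""
        return self.decide(parse_request(raw), now) + "\n\n"


# Constructed request in the format Postfix sends to a policy server.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=bulk@example.net\n"
    "recipient=me@example.org\n"
    "\n"
)

if __name__ == "__main__":
    g = Greylist()
    print(g.handle(SAMPLE_REQUEST, now=1000))   # first contact: deferred
    print(g.handle(SAMPLE_REQUEST, now=1500))   # retry after the delay: accepted
```

The cost of this scheme is the delay on first contact with every new correspondent, and the store grows with the number of distinct triplets, which is why the expiry pass matters on a busy server.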

17 01 2007
Dennis and Joanne

We also get a lot of Spam these days. We use our Yahoo eMail addresses a lot ( UN = drbogdan, joannebogdan, etc ) but for our Comcast eMail addresses ( UN = drbogdan, joannebogdan ) we use the MailWasher Program with Whitelist and Filtering via DNS Spam Blacklist Servers such as SpamCop; SpamHaus and sometimes others ( SORBS, DSBL, VISI, OSIRUSOFT, WIREHUB ). Seems to work well for us at the moment.

17 01 2007

I am not sure what problem you’re trying to solve: Are you trying to reduce load on the server, or just make it easier to read your own email? If the latter, my challenge-response system has completely solved my problem. I get several hundred spam emails a day, of which approximately zero make it over the hurdle. On the other hand, it’s very easy for everyone I know to reach me. I’ve taken you *off* my whitelist so you can see how the system works if you want to. Send me email and you’ll see what happens. All of this is implemented through a few lines of procmail

18 01 2007

I think I’ll look into this as the next step. It seems easy to set up, and folks are showing a lot of really good responses to it, thanks.

18 01 2007

I really do dislike these systems a lot. For a private account with a limited number of people I’m talking to, it’s easy to set up whitelists and occasionally have folks ‘knock to get in’. But my mailbox is a single focal point of all my business and personal correspondence, mailing list and system notifications, and other interactions. I get all my online activity notices there (such as LJ and other forum notifications), etc etc. I would be spending more time making exceptions to the C-R system than actually using them.
Secondly, the C-R system frequently triggers spam on the -opposite- end. What you start getting is something called ‘backscatter’. For every inbound message, you’re generating a message outbound. Frequently, the outbound message is unusable, and just clogs up the mail queue as the server tries over and over to send to the target.
For small, simple mail situations, C-R may be appropriate. For me personally, and the 30 other people on the server right now, it’s not the right solution.

18 01 2007

I use a combination of Option D & Option B. For the whitelisting, I do it both with individual users (i.e. everybody in my address book) as well as domains (my alma mater, all .mil addresses, etc.).
I’ll point out first thing that all email that comes to my domain either goes to my wife, one of the other couple of users I’ve offered service to (mostly family), or it comes through my combination of Option D & Option B. My wife forwards all of hers to Yahoo and uses their spam filtering and seems happy with it. My mother, as far as I know, doesn’t have any antispam (but her address is the first three letters of her maiden name & the year she was born, and she only gives it to her friends) and in the four or five times I’ve looked at her spool to diagnose problems, I’ve never seen any spam.
I’ll generally scan through my ‘catchall’ folder a couple times a day to see if there are any non-whitelisted real people in there before I flush the batch – I do a once-through on the list and look for names of real people I know in the sender list, then scan through the subject lines – for anything that looks like it might be real, I give the sender a relook.
Another thing I do, which I implemented pretty much from the beginning of having my own domain is give out unique addresses to pretty much every business I deal with. The ones I expect email from get put into a filter to put their replies in the box I expect to read them in (Frequent Flier, Financial).
For those that are just requiring an email address for the privilege of doing business with them, that I don’t expect replies from, I don’t add them to the whitelist (or if I expect a ‘your order has shipped’, I add them & remove them afterwards if I start getting a bunch of uninteresting crap from them – an occasional “Here’s a sale you might be interested in” is fine, but don’t send me something every day on the off chance that I might want to buy *another* Aeron chair [that’s a made up example, because I can’t remember any of the real ones right now]). I actually keep a log book of the email addresses I give out, so that if I start getting a bunch of spam from one of them, I’ll know who to bitch at.
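A small sorter in the spirit of this comment and of Option D in the post, as an added example (not the commenter’s or Homeport’s own setup): address-book and domain whitelisting decide between inbox and the ‘catchall’ folder, each handed-out unique address maps to the business it was given to and the folder its mail is expected in, and a report over the catchall shows which handed-out address is receiving third-party mail, i.e. who leaked it. The address book, trusted domains, handed-out addresses and sample headers are all constructed.

```python
"""Whitelist plus per-business tagged addresses (added example, not the page's own code).
All addresses, folders and sample messages below are constructed."""
from email.utils import parseaddr

# Assumed address book and trusted domains (suffix match: "mil" covers any *.mil).
ADDRESS_BOOK = {"friend@example.com", "sister@example.net"}
TRUSTED_DOMAINS = {"alumni.example.edu", "mil"}

# Unique addresses handed out: local part -> (business, its mail domain, expected folder).
# A folder of None means "no replies expected", so even the business's mail is not whitelisted.
HANDED_OUT = {
    "me+airline": ("ExampleAir", "exampleair.example", "Frequent Flier"),
    "me+bank":    ("ExampleBank", "examplebank.example", "Financial"),
    "me+shop":    ("ExampleShop", "exampleshop.example", None),
}


def domain_trusted(domain):
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def sender_parts(headers):
    """Envelope-style sender address and its domain, from the From header."""
    sender = parseaddr(headers.get("From", ""))[1].lower()
    return sender, sender.partition("@")[2]


def tagged_recipient(headers):
    """The handed-out record for the To address, if it is one we gave out."""
    rlocal = parseaddr(headers.get("To", ""))[1].lower().partition("@")[0]
    return rlocal, HANDED_OUT.get(rlocal)


def from_business(sdomain, bdomain):
    return sdomain == bdomain or sdomain.endswith("." + bdomain)


def classify(headers):
    """Return (folder, reason) for one message given its headers."""
    sender, sdomain = sender_parts(headers)
    _, tag = tagged_recipient(headers)
    if tag:
        business, bdomain, folder = tag
        if not from_business(sdomain, bdomain):
            # Mail to an address only one business knows, from someone else: it leaked.
            return ("catchall", f"leak: address given to {business} used by {sdomain}")
        if folder is None:
            return ("catchall", f"no replies expected from {business}")
        return (folder, f"expected mail from {business}")
    if sender in ADDRESS_BOOK:
        return ("inbox", "sender in address book")
    if domain_trusted(sdomain):
        return ("inbox", f"trusted domain {sdomain}")
    return ("catchall", "not whitelisted")


def leak_report(messages):
    """Count third-party messages per handed-out address: the 'who to bitch at' list."""
    leaks = {}
    for hdrs in messages:
        _, sdomain = sender_parts(hdrs)
        _, tag = tagged_recipient(hdrs)
        if tag and not from_business(sdomain, tag[1]):
            leaks[tag[0]] = leaks.get(tag[0], 0) + 1
    return leaks


# Constructed sample headers.
SAMPLE_MESSAGES = [
    {"From": "Pat Friend <friend@example.com>", "To": "me@example.org"},
    {"From": "someone@army.mil", "To": "me@example.org"},
    {"From": "noreply@exampleair.example", "To": "me+airline@example.org"},
    {"From": "deals@randomseller.example", "To": "me+airline@example.org"},
    {"From": "sales@exampleshop.example", "To": "me+shop@example.org"},
    {"From": "stranger@example.biz", "To": "me@example.org"},
]

if __name__ == "__main__":
    for hdrs in SAMPLE_MESSAGES:
        print(hdrs["From"], "->", classify(hdrs))
    print("leaks:", leak_report(SAMPLE_MESSAGES))
```

The trade-off the commenter describes stays visible here: the From header is forgeable, so this only sorts mail; the catchall still has to be scanned for real people who are not yet whitelisted.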

18 01 2007

Ooops – don’t use that last email address if you decide to reply to me – it will disappear into the ether.

18 01 2007

I think that A or E is probably the way to go at this point. A is a little on the pricey side — cheapest I’ve found so far is $1.75/user/mo or $630/year for the domain. Yuck. Much as I’d prefer that, I don’t think it makes sense compared to free. I’m still researching. More later.

18 01 2007

Replying to Scott
I think I’d like to try the greylisting first – folks seem quite enamoured of it atm, and since I have the meters in place now, I can see how much it drops off the spam pretty readily…

