Better Living Through Thinking
Humble Beginnings
Mon, 07 Jun 2004

I've made stopping spam a hobby since 1999, when I first started playing with SpamAssassin and a variety of other programs to slow the flow of unwanted mail to my server. My philosophy is that unwanted mail should never waste my server resources; this means that I don't want spam sitting on my server at all. Procmail and SpamAssassin do a good job of detecting spam, but by the time these programs (and others like them) have received the mail, it's too late: the spammer has already deposited his waste on your server.

I've been playing with sendmail's DNSBL feature lately and I've been very happy with some of the results I've seen. I used to average over 300 trapped spams per day on one of my accounts. That average is now down to around 60 or 70 (and dropping).

Here is my "histospam", a histogram of spam for this mail account for the past several months:

20040404 => ************************************************************ (304)
20040405 => ******************************************************************* (339)
20040406 => ********************************************************************** (351)
20040407 => *************************************************************************** (376)
20040408 => ************************************************************************* (369)
20040409 => *************************************************************************** (376)
20040410 => ********************************************************************** (350)
20040411 => *********************************************************** (297)
20040412 => ********************************************************************** (351)
20040413 => ************************************************************** (314)
20040414 => ******************************************************************* (339)
20040415 => *************************************************************** (318)
20040416 => ************************************************************************ (364)
20040417 => ************************************************************ (303)
20040418 => ****************************************************************** (330)
20040419 => ******************************************************************* (339)
20040420 => **************************************************************** (323)
20040421 => ********************************************************** (292)
20040422 => **************************************************** (260)
20040423 => **************************************************** (260)
20040424 => ************************************************** (251)
20040425 => ************************************************* (248)
20040426 => ****************************************************** (274)
20040427 => **************************************************** (263)
20040428 => ********************************************************** (294)
20040429 => ********************************************* (227)
20040430 => ************************************************* (245)
20040501 => *********************************** (178)
20040502 => ***************************************** (209)
20040503 => *********************** (119)
<=== sendmail DNSBL feature enabled on 3 May 2004:
20040504 => *********** (59)
20040505 => ************ (62)
20040506 => *********** (56)
20040507 => ********* (45)
20040508 => ********** (53)
20040509 => ********* (45)
20040510 => ********* (46)
20040511 => *********** (56)
20040512 => ********* (49)
20040513 => ************ (61)
20040514 => **************** (80)
20040515 => ********** (50)
20040516 => ********** (54)
20040517 => *************** (77)
20040518 => **************** (80)
20040519 => ****************** (90)
20040520 => ************** (74)
20040521 => ********************** (111)
20040522 => *************** (78)
20040523 => ******************* (96)
20040524 => ****************** (93)
20040525 => **************** (83)
20040526 => *************** (75)

I'm currently (May 2004) using the following DNSBLs:
I can't tell which ones are most effective because the earlier-listed DNSBLs will always have the opportunity to block before later-listed hosts. I've not bothered to go through the reject messages and determine which of these is most effective, but I began with only spamcop.net and it was fairly successful in reducing spam volume.

There are many other DNSBLs available; some are very aggressive, and some I disagree with philosophically (I once had an open mailing list that a spammer posted to, which got my own account blacklisted; I have some sympathy for the accidental relay that is quickly closed). Some blacklists block entire netblocks based on the ISP. My ISP is viaVerio, a division of Verio. Because of viaVerio's association with Verio, some of its servers are inherently blacklisted, whether they've ever been a relay for spam or not. That doesn't seem fair to me, so I don't use DNSBLs that have such draconian philosophies.

The balance of the spam that makes it through to my account (as shown in the histospam above) is dropped into my spam folder by procmail. I have a fairly comprehensive set of procmail rules to detect spam that I do not make public (good techniques, once made public, quickly lose their effectiveness, I have found). Spam that I trap but that the RBLs do not trap is sent to spamcop.net for future blacklisting.

I still occasionally get one or two spam messages that slip past all of these heuristics into my inbox; when I feel ambitious, I modify my filters so they'll get trapped the next time. Sometimes I bounce these to spamcop.net, other times I just delete them (it's so seldom that I don't often worry too much about it).
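
The ordering effect described above, where an earlier-listed DNSBL rejects a connection before later ones are consulted, can be measured by asking every list about every sending IP instead of stopping at the first hit. The Python below is an added example, not the author's code; the zone names, IP addresses and listings are constructed sample data, and dns_lookup assumes the usual convention that a listed address resolves to a 127.0.0.x A record.

```python
import ipaddress
import socket
from collections import Counter

def dnsbl_query_name(ip, zone):
    """Name queried for an IPv4 address: octets reversed, then the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_lookup(name):
    """Live check: a listed address resolves into 127.0.0.0/8, unlisted is NXDOMAIN."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except socket.gaierror:
        return False

def compare_attribution(ips, zones, is_listed=dns_lookup):
    """Per-zone hit counts: first match in list order vs. every zone asked."""
    first_match, independent = Counter(), Counter()
    for ip in ips:
        hits = [z for z in zones if is_listed(dnsbl_query_name(ip, z))]
        independent.update(hits)
        if hits:
            first_match[hits[0]] += 1  # what the reject log would credit
    return first_match, independent

# Constructed sample data (documentation IP ranges, made-up zones).
ZONES = ["a.dnsbl.example", "b.dnsbl.example", "c.dnsbl.example"]
SAMPLE_LISTINGS = {
    "192.0.2.2": ZONES,
    "192.0.2.3": ["a.dnsbl.example", "c.dnsbl.example"],
    "198.51.100.7": ["c.dnsbl.example"],
    "203.0.113.9": ["b.dnsbl.example", "c.dnsbl.example"],
    "203.0.113.10": [],
}
LISTED_NAMES = {dnsbl_query_name(ip, z)
                for ip, zs in SAMPLE_LISTINGS.items() for z in zs}

def sample_lookup(name):
    """Offline stand-in for dns_lookup, backed by the constructed listings."""
    return name in LISTED_NAMES

if __name__ == "__main__":
    first, indep = compare_attribution(SAMPLE_LISTINGS, ZONES, sample_lookup)
    for zone in ZONES:
        print(f"{zone}: first-match={first[zone]} independent={indep[zone]}")
```

With the sample data, the last-listed zone is credited with only one rejection in list order although it lists four of the five addresses.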